CN106921640A - Identity identifying method, authentication device and Verification System - Google Patents

Identity identifying method, authentication device and Verification System

Info

Publication number: CN106921640A
Application number: CN201511001209.0A
Authority: CN (China)
Prior art keywords: server, identity, random number, user, cryptographic hash
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 张梦, 何丽, 尹刚, 罗世新
Current assignee: Aisino Corp
Original assignee: Aisino Corp
Application filed by Aisino Corp; priority to application CN201511001209.0A; published as CN106921640A.

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                • H04L63/083 Authentication of entities using passwords
                • H04L63/0815 Authentication of entities providing single-sign-on or federations
                • H04L63/0876 Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
        • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
                • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                    • H04L9/0863 Generation of secret information involving passwords or one-time passwords
                    • H04L9/0869 Generation of secret information involving random numbers or seeds
            • H04L9/32 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
                • H04L9/3236 Verification of identity or authority using cryptographic hash functions
                    • H04L9/3242 Verification of identity or authority using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC

Abstract

The invention provides an identity authentication method, an authentication device and an authentication system. The identity authentication method comprises the following steps: generating first user-identity verification information; sending the first user-identity verification information to a server; receiving server-identity verification information returned by the server, the server-identity verification information being information that the server generates when it has performed user-identity verification according to the received first user-identity verification information and that verification has passed; and verifying the identity of the server according to the returned server-identity verification information, wherein if the verification fails the user fails to log in to the server, and if it passes the first condition for the user to log in to the server is met. The invention thus provides not only verification of the user's identity by the server but also authentication of the server's identity by the user. This bidirectional identity authentication avoids attacks caused by forging the server's identity and also resists message replay attacks by an attacker.

Description

Identity identifying method, authentication device and Verification System
Technical field
The present invention relates to the field of computer technology, and in particular to an identity authentication method, an authentication device and an authentication system.
Background technology
With the development of network technology the number of Internet services has grown considerably, and a user's identity is usually authenticated first when the Internet is used. Traditional user authentication systems are mostly based on static identities: the user registers an identity and a password with the system, and the server authenticates the user by matching the stored information. The password is mostly stored in plain text, so an attacker can obtain traces of the user by eavesdropping on the communication, snoop on user information and mount a user-forgery attack. Methods based on dynamic identities mainly use a smart card to store a key and an algorithm, generate a dynamic password with the algorithm, and send the dynamic password together with the user information to the server side, where the authentication server computes the dynamic password and compares it. Although this effectively prevents an attacker from tracking a specific user, it cannot resist a malicious forgery attack against a legitimate user, nor an attack in which the server itself is impersonated.
The content of the invention
In view of this, the present invention proposes an identity authentication method intended to solve the problem in the prior art of attacks caused by impersonating the server. The invention also proposes an identity authentication device and an identity authentication system.
In one aspect, the present invention proposes an identity authentication method comprising the following steps: generating first user-identity verification information; sending the first user-identity verification information to a server; receiving server-identity verification information returned by the server, the server-identity verification information being information that the server generates when it has performed user-identity verification according to the received first user-identity verification information and that verification has passed; and verifying the server's identity according to the returned server-identity verification information, wherein if the verification fails the user fails to log in to the server, and if it passes the first condition for the user to log in to the server is met.
Further, in the above identity authentication method, the step of generating the first user-identity verification information further includes: generating a first random number, and receiving a user identity flag, a user identity and a password; performing a hash calculation on the user identity, the password and the first random number to obtain a first hash value; performing an XOR calculation on the first random number and a pre-stored server identity to obtain a first XOR value; and taking the first hash value, the first XOR value and the user identity flag as the first user-identity verification information.
Further, in the above identity authentication method, the step of receiving the server-identity verification information returned by the server further includes: receiving a second hash value returned by the server, and receiving a second XOR value returned by the server. The second hash value is generated as follows: the server obtains the first random number from the received first XOR value, obtains the user identity and password from a pre-stored user information database according to the received user identity flag, performs a hash calculation on the user identity, the password and the first random number to obtain a first hash value, and compares the computed first hash value with the received first hash value; if they are consistent, the user-identity verification passes, the server generates a second random number and performs a hash calculation on the second random number and the server identity to obtain the second hash value. The second XOR value is obtained by the server performing an XOR operation on the first random number and the second random number.
Further, in the above identity authentication method, the step of verifying the server's identity according to the returned server-identity verification information further includes: obtaining the second random number from the second XOR value; performing a hash calculation on the server identity and the second random number to obtain a second hash value; and comparing the computed second hash value with the second hash value returned by the server; if they are consistent, the server-identity verification passes.
Further, in the above identity authentication method, when the first condition for the user to log in to the server is met, it is determined that the user has logged in to the server successfully.
Further, the above identity authentication method also comprises the following steps: sending second user-identity verification information to the server; receiving a second user-identity verification result returned by the server, the second user-identity verification result being information returned by the server indicating whether the user-identity verification performed according to the received second user-identity verification information passed; when the second user-identity verification result is that verification passed, the second condition for the user to log in to the server is met and the user logs in to the server successfully; when the result is that verification did not pass, the user fails to log in to the server.
Further, in the above identity authentication method, the step of sending second user-identity verification information to the server further includes: calculating a third hash value of the first random number, and sending the third hash value to the server. The second user-identity verification result received in the receiving step is determined as follows: the server performs a hash calculation on the first random number to obtain the third hash value and compares the computed third hash value with the received third hash value; if they are consistent, the user-identity verification passes, and if they are inconsistent, it does not pass.
In this embodiment, the server first verifies the identity of the user. If that verification fails, the login fails; if it passes, the server generates server-identity verification information containing the server's SID and sends it to the client. After receiving this information the client verifies the identity of the server; if that verification fails, the user's login fails; if it succeeds, the first condition for the user to log in to the server is met, and the user may either log in to the server directly, or further verification conditions may be set, in which case the user logs in successfully only when those conditions are also met. As can be seen, the present invention provides not only verification of the user's identity by the server but also authentication of the server's identity by the user; this bidirectional identity authentication avoids attacks caused by forging the server's identity and also resists message replay attacks by an attacker.
In another aspect, the invention also proposes an identity authentication device comprising: a generation module for generating first user-identity verification information; a sending module for sending the first user-identity verification information to a server; a receiving module for receiving server-identity verification information returned by the server, the server-identity verification information being information that the server generates when it has performed user-identity verification according to the received first user-identity verification information and that verification has passed; and a verification module for verifying the server's identity according to the returned server-identity verification information.
Further, in the above identity authentication device, the generation module is also used to: generate a first random number, and receive a user identity flag, a user identity and a password; perform a hash calculation on the user identity, the password and the first random number to obtain a first hash value; perform an XOR calculation on the first random number and a pre-stored server identity to obtain a first XOR value; and take the first hash value, the first XOR value and the user identity flag as the first user-identity verification information. The receiving module is also used to: receive a second hash value returned by the server, where the second hash value is generated as follows: the server obtains the first random number from the received first XOR value, obtains the user identity and password from a pre-stored user information database according to the received user identity flag, performs a hash calculation on the user identity, the password and the first random number to obtain a first hash value, and compares the computed first hash value with the received first hash value; if they are consistent, the user-identity verification passes, the server generates a second random number and performs a hash calculation on the second random number and the server identity to obtain the second hash value; and receive a second XOR value returned by the server, where the second XOR value is obtained by the server performing an XOR operation on the first random number and the second random number. The verification module is also used to: obtain the second random number from the second XOR value; perform a hash calculation on the pre-stored server identity and the second random number to obtain a second hash value; and compare the computed second hash value with the second hash value returned by the server; if they are consistent, the server-identity verification passes.
In yet another aspect, the invention also proposes an identity authentication system comprising a client and a server. The client is used to generate first user-identity verification information and send it to the server. The server is used to receive the first user-identity verification information, perform user-identity verification according to it, generate server-identity verification information when the user-identity verification passes, and send the server-identity verification information to the client. The client is further used to receive the server-identity verification information sent by the server and verify the server's identity according to it.
Further, in the above identity authentication system, the client is also used to: generate a first random number, and receive a user identity flag, a user identity and a password; perform a hash calculation on the user identity, the password and the first random number to obtain a first hash value; perform an XOR calculation on the first random number and a pre-stored server identity to obtain a first XOR value; and send the first hash value, the first XOR value and the user identity flag to the server. The server is also used to: receive the first hash value and the first XOR value, obtain the first random number from the received first XOR value, obtain the user identity and password from a pre-stored user information database according to the received user identity flag, perform a hash calculation on the user identity, the password and the first random number to obtain a first hash value, and compare the computed first hash value with the received first hash value; if they are consistent, the user-identity verification passes, the server generates a second random number, performs a hash calculation on the second random number and the server identity to obtain a second hash value, performs an XOR operation on the first random number and the second random number to obtain a second XOR value, and sends the second hash value and the second XOR value to the client. The client is also used to: receive the second hash value and the second XOR value, obtain the second random number from the second XOR value, perform a hash calculation on the server identity and the second random number to obtain a second hash value, and compare the computed second hash value with the second hash value returned by the server; if they are consistent, the server-identity verification passes.
Since the identity authentication device and the identity authentication system work on the same principle as the above identity authentication method, they have the same technical effect as the identity authentication method.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art upon reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the present invention. Throughout the drawings, identical parts are denoted by the same reference numerals. In the drawings:
Fig. 1 is a flow chart of the identity authentication method provided in an embodiment of the present invention;
Fig. 2 is a flow chart of generating the first user-identity verification information in the identity authentication method provided in an embodiment of the present invention;
Fig. 3 is a flow chart of receiving the server-identity verification information returned by the server in the identity authentication method provided in an embodiment of the present invention;
Fig. 4 is a flow chart of verifying the server's identity according to the returned server-identity verification information in the identity authentication method provided in an embodiment of the present invention;
Fig. 5 is a flow chart of re-authenticating the user's identity in the identity authentication method provided in an embodiment of the present invention;
Fig. 6 is a structural block diagram of the identity authentication device provided in an embodiment of the present invention;
Fig. 7 is a structural block diagram of the identity authentication system provided in an embodiment of the present invention;
Fig. 8 is a workflow diagram of the identity authentication system provided in an embodiment of the present invention.
Specific embodiment
Exemplary embodiments of the disclosure are described more fully below with reference to the drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed completely to those skilled in the art. It should be noted that, where no conflict arises, the embodiments of the invention and the features in the embodiments may be combined with each other. The invention is described in detail below with reference to the drawings and in conjunction with the embodiments.
Identity authentication method embodiment:
Referring to Fig. 1, which is a flow chart of the identity authentication method provided in an embodiment of the present invention, the method comprises the following steps:
Step S1: generate the first user-identity verification information. Specifically, in order to log in, the user enters at the client the user identity (identity, abbreviated ID) and the password used at registration; after receiving the ID, password and other information, the client generates the first user-identity verification information from the ID, password and other information, so as to identify the identity characteristics of the user.
Step S2: send the first user-identity verification information to the server, so that the server can verify the first verification information.
Step S3: receive the server-identity verification information returned by the server. The server-identity verification information is information that the server generates when it has performed user-identity verification according to the received first user-identity verification information and that verification has passed. The server receives the first user-identity verification information and verifies the user's identity with it; when the verification passes, it generates the server-identity verification information, which should contain the identity of the server (security identifier, abbreviated SID), and, once generated, sends it to the client. If the server's verification of the first user-identity verification information fails, the login fails, and the server may return a login-failure message to the client. It should be noted that the server here may be the registration server used when the user registered, or another authentication server; in the latter case the registration server should be connected to each of the other authentication servers and send the user's registration information to each of them, and each authentication server stores the user's registration information so as to verify user login information.
Step S4: verify the server's identity according to the returned server-identity verification information; if the verification fails, the user fails to log in to the server; if it passes, the first condition for the user to log in to the server is met. Specifically, the client may pre-store the server's SID, extract the server's SID from the received server-identity verification information, and determine that the server-identity verification passes when the extracted server SID is consistent with the pre-stored server SID; if they are inconsistent, the server-identity verification fails and the user cannot log in to the server.
In this embodiment, the server first verifies the identity of the user. If that verification fails, the login fails; if it passes, the server generates server-identity verification information containing the server's SID and sends it to the client. After receiving this information the client verifies the identity of the server; if that verification fails, the user's login fails; if it succeeds, the first condition for the user to log in to the server is met, and the user may either log in to the server directly, or further verification conditions may be set, in which case the user logs in successfully only when those conditions are also met. As can be seen, this embodiment provides not only verification of the user's identity by the server but also authentication of the server's identity by the user; this bidirectional identity authentication avoids attacks caused by forging the server's identity and also resists message replay attacks by an attacker.
Referring to Fig. 2, which is a flow chart of generating the first user-identity verification information in the above embodiment, this comprises the following steps:
First calculation sub-step S11: generate a first random number, receive the user identity flag, the user identity and the password, and perform a hash calculation on the user identity, the password and the first random number to obtain the first hash value. The user identity and password are the registration information the user registered with the registration server; the hash calculation on the user identity and password uses a hash algorithm whose specific method is well known to those skilled in the art and is not repeated here. The user identity flag is also assigned to the user by the registration server at registration to identify the user's identity, and corresponds one-to-one with the user.
Second calculation sub-step S12: perform an XOR calculation on the first random number and the pre-stored server identity to obtain the first XOR value. The first random number is generated randomly by the client; the specific method is well known to those skilled in the art and is not repeated here.
Determination sub-step S13: take the first hash value, the first XOR value and the user identity flag as the first user-identity verification information.
Referring to Fig. 3, in the above embodiment, receiving the server-identity verification information returned by the server may further include:
First receiving sub-step S14: receive the second hash value returned by the server. The second hash value is generated by the server and sent to the client as follows: the server parses the first random number out of the received first XOR value, obtains the user identity and password from the pre-stored user information database according to the received user identity flag, performs a hash calculation on the user identity, the password and the first random number to obtain a first hash value, and compares the computed first hash value with the received first hash value; if they are inconsistent, the user-identity verification does not pass and the login fails; if they are consistent, the user-identity verification is determined to have passed. The method of parsing the first random number out of the first XOR value is well known to those skilled in the art and is not repeated here.
Second receiving sub-step S15: receive the second XOR value returned by the server. The second XOR value is obtained by the server performing an XOR operation on the first random number and the second random number. It should be noted that the order of the first receiving sub-step S14 and the second receiving sub-step S15 may be exchanged; there is no fixed sequence.
Referring to Fig. 4, in the above embodiment, verifying the server's identity according to the returned server-identity verification information further includes verification sub-step S16: parse the second random number out of the second XOR value; perform a hash calculation on the server identity and the second random number to obtain a second hash value; compare the computed second hash value with the second hash value returned by the server; if they are consistent, the server-identity verification passes and the first condition for the user to log in is met.
When the first condition of User logs in is met, user and server have been completed and are mutually authenticated, now, Yong Huke With Successful login server, during specific implementation, for the sake of security, it is also possible to set up server recognizing again to user identity again Card, referring to Fig. 5, can also specifically comprise the following steps:
The checking information of user identity second is sent to server.Specifically, the checking information of user identity second can include:Pass through Hash algorithm calculates the 3rd cryptographic Hash of the first random number;3rd cryptographic Hash of the first random number is sent to server;And connect Receive the result of user identity second that server is returned.Wherein, the result of user identity second is server according to reception The information that whether passes through of subscriber authentication that returns of the checking information of user identity second.It is random to first during specific implementation Number carries out Hash calculation, obtains the 3rd cryptographic Hash, compares the 3rd cryptographic Hash being calculated and the 3rd cryptographic Hash for receiving, if Unanimously, then subscriber authentication passes through, if inconsistent, subscriber authentication passes through.It should be noted that in the present embodiment The step is the subsequent step after subscriber authentication passes through in the first reception sub-step S14, that is to say, that now, service Device is stored to first random number.
When the second user identity verification result is that verification passes, the second condition for the user to log in to the server is met and the user can log in to the server successfully; when the second user identity verification result is that verification does not pass, user login to the server fails.
In the present embodiment, after the user and the server perform two-way authentication, re-authentication of the user identity by the server is additionally arranged, which further ensures the reliability of the authentication result and the security of user login.
In a specific implementation, when the user registers with the registration server, in addition to sending the user ID and password, the user may also send a random number to further establish the uniqueness of the user ID. During registration, the registration center may allocate a key to the user. Those skilled in the art will understand that throughout the above verification process, all data transmitted between the client and the server carries this key at all times, so that it is identified as the verification information of the same user.
During user registration, the user information may also be stored using a smart card. Specifically, after the client receives the user ID, random number and password entered by the user, it performs hash calculation on the user ID, random number and password to obtain a hash value A, and sends this hash value to the registration server. After the registration server receives hash value A, it allocates a key to the user; the server then calculates the hash values of the key, of hash value A and of the user ID respectively, and the calculated hash values form a hash combination. The server sends the hash combination to the client; after the client receives the hash combination, it generates a random number b and stores the hash combination and random number b together in the smart card. In the authentication phase, the user first inserts the smart card into the client and then enters the user ID and password; when the user ID and password entered by the user are consistent with those stored in the smart card, the client's verification of the smart card passes, and only after smart card verification passes is the subsequent mutual authentication between the user and the server carried out. In addition, in a specific implementation, the hash combination here may serve as the user identity mark.
In summary, the present embodiment provides not only verification of the user identity by the server but also verification of the server identity by the user. This bidirectional identity authentication avoids attacks caused by a forged server identity and also resists message replay attacks by an attacker.
Identity authentication device embodiment:
Referring to Fig. 6, Fig. 6 is a structural block diagram of the identity authentication device provided by an embodiment of the present invention. As illustrated, the device includes a generation module 100, a sending module 200, a receiving module 300 and a verification module 400. The generation module is used to generate the first user identity verification information; the sending module is used to send the first user identity verification information to the server; the receiving module is used to receive the server identity verification information returned by the server, this being the information generated by the server when it performs user identity verification according to the received first user identity verification information and that verification passes; the verification module is used to verify the server identity according to the returned server identity verification information.
Further, the generation module is also used to: generate the first random number, receive the user identity mark, the user identity identifier and the password, and perform hash calculation on the user identity identifier, the password and the first random number to obtain the first hash value; perform XOR calculation on the first random number and the pre-stored server identity identifier to obtain the first XOR value; and determine the first hash value, the first XOR value and the user identity mark as the first user identity verification information. The receiving module is also used to: receive the second hash value returned by the server, where the second hash value is generated as follows: the server obtains the first random number from the received first XOR value, obtains the user identity identifier and the password from the pre-stored user information database according to the received user identity mark information, performs hash calculation on the user identity identifier, the password and the first random number to obtain the first hash value, and compares this calculated first hash value with the received first hash value; if they are consistent, user identity verification passes, and the server generates the second random number and performs hash calculation on the second random number and the server identity identifier to obtain the second hash value; and receive the second XOR value returned by the server, where the second XOR value is obtained by the server performing XOR on the first random number and the second random number. The verification module is also used to: obtain the second random number from the second XOR value; perform hash calculation on the server identity identifier and the second random number to obtain the second hash value; and compare the calculated second hash value with the second hash value returned by the server; if they are consistent, server identity verification passes.
The specific implementation process of the generation module 100, sending module 200, receiving module 300 and verification module 400 can be found in the above method embodiment and is not repeated here.
Because the identity authentication method embodiment has the above effects, the identity authentication device embodiment also has the corresponding technical effects.
Identity authentication system embodiment:
Referring to Fig. 7, Fig. 7 is a structural block diagram of the identity authentication system provided by an embodiment of the present invention. As illustrated, the system includes a client 500 and a server 600. The client is used to: generate the first user identity verification information and send the first user identity verification information to the server. The server is used to: receive the first user identity verification information, perform user identity verification according to the received first user identity verification information, generate server identity verification information when user identity verification passes, and send the server identity verification information to the client. The client is further used to: receive the server identity verification information sent by the server and verify the server identity according to the returned server identity verification information.
Further, the client is also used to: generate the first random number, receive the user identity mark, the user identity identifier and the password, and perform hash calculation on the user identity identifier, the password and the first random number to obtain the first hash value; perform XOR calculation on the first random number and the pre-stored server identity identifier to obtain the first XOR value; and send the first hash value, the first XOR value and the user identity mark to the server. The server is also used to: receive the first hash value and the first XOR value, obtain the first random number from the received first XOR value, obtain the user identity identifier and the password from the pre-stored user information database according to the received user identity mark information, perform hash calculation on the user identity identifier, the password and the first random number to obtain the first hash value, and compare this calculated first hash value with the received first hash value; if they are consistent, user identity verification passes, and the server generates the second random number, performs hash calculation on the second random number and the server identity identifier to obtain the second hash value, performs XOR on the first random number and the second random number to obtain the second XOR value, and sends the second hash value and the second XOR value to the client. The client is further used to: receive the second hash value and the second XOR value, obtain the second random number from the second XOR value, perform hash calculation on the server identity identifier and the second random number to obtain the second hash value, and compare the calculated second hash value with the second hash value returned by the server; if they are consistent, server identity verification passes.
Further, after the client's verification of the server identity passes, the server may also re-authenticate the user identity. Specifically, the client sends the second user identity verification information to the server, where the second user identity verification information may include: calculating the third hash value of the first random number by the hash algorithm; sending the third hash value of the first random number to the server; and receiving the second user identity verification result returned by the server. The second user identity verification result is the information, returned by the server according to the received second user identity verification information, on whether user identity verification passes. In a specific implementation, the server uses the received third hash value to verify the first random number; when the first random number so verified is consistent with the first random number in the first receiving sub-step S14, it determines that user identity verification passes, and the user can then log in to the server.
Referring to Fig. 8, the identity authentication method in the embodiment of the present invention is described in more detail below, in combination with the case where the user information is stored in a smart card:
The smart card is first inserted into the client, and the user ID and password are entered into the client. The client receives the user ID and password entered by the user and compares them with the user ID and password stored in the smart card; if they are consistent, smart card verification passes, and if they are inconsistent, smart card verification does not pass. After smart card verification passes, the client generates the first random number n1 and performs hash calculation on the user ID, password and first random number by the hash algorithm to obtain the first hash value M1; it performs XOR calculation on the server identity SID pre-stored on the client and the first random number n1 to obtain the first XOR value M2, and sends the first hash value M1 and the first XOR value M2 to the server.

After the server receives the first hash value M1 and the first XOR value M2, it parses the first random number n1 from the first XOR value M2, queries the registration center for the user information according to the received user identity mark and obtains the user identity ID, and then performs hash calculation on the user ID, password and first random number to obtain the first hash value. When the calculated first hash value is consistent with the received first hash value, user identity verification passes; the server stores the first random number n1 and at the same time generates the second random number n2, performs hash calculation on the second random number n2 and the server identity SID to obtain the second hash value M3, performs XOR on the first random number n1 and the second random number n2 to obtain the second XOR value M4, and sends the second hash value M3 and the second XOR value M4 to the client.

After the client receives the second hash value M3 and the second XOR value M4, it parses the second random number n2 from the second XOR value M4 and performs hash calculation on the server identity identifier and the second random number to obtain the second hash value M3; when the calculated second hash value is consistent with the received second hash value, it determines that server identity verification passes. At this point the two-way authentication between the user and the server has passed and the user can log in to the server successfully, but for the sake of security the server may also authenticate the user identity again, that is: the client calculates the third hash value M5 of the first random number n1 and sends the third hash value M5 to the server; the server receives the third hash value M5 and calculates the third hash value M5 according to the first random number n1 it stored above; when the calculated third hash value is consistent with the received third hash value, it determines that user identity verification passes and the user can log in to the server successfully; when they are inconsistent, user identity verification does not pass.
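The exchange just walked through (and the sub-steps S14 to S16 described earlier in this section) can be followed more easily in code. The block below is an added example, not code from the patent or from the applicant; it models the client and server as two in-process objects and runs the M1/M2, M3/M4 and M5 messages between them. The patent names neither a hash algorithm nor field lengths, so the example assumes SHA-256 with a length prefix per field, 32-byte random numbers, and a 32-byte SID so that it can be XORed with n1; the names H, xor, Client, Server, ForgedServer and login are the example's own, and the user database and the impostor server are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 32  # assumed length in bytes of n1, n2 and of the server identity SID


def H(*parts: bytes) -> bytes:
    """Hash of several fields (assumed SHA-256; the patent names no algorithm).
    Each field is length-prefixed so (ID, password, n1) cannot be re-split ambiguously."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class Server:
    """Holds SID and the pre-stored user information database (user ID -> password)."""

    def __init__(self, sid: bytes, users: dict):
        self.sid = sid
        self.users = users
        self.stored_n1 = {}  # n1 kept after the first user check, for the second check (M5)

    def check_user_first(self, user_id: bytes, m1: bytes, m2: bytes):
        n1 = xor(m2, self.sid)                      # recover n1 from the first XOR value M2
        pw = self.users.get(user_id)
        if pw is None or not hmac.compare_digest(H(user_id, pw, n1), m1):
            return None                             # user identity verification fails
        self.stored_n1[user_id] = n1
        n2 = secrets.token_bytes(NONCE_LEN)
        m3 = H(n2, self.sid)                        # second hash value M3
        m4 = xor(n1, n2)                            # second XOR value M4
        return m3, m4

    def check_user_second(self, user_id: bytes, m5: bytes) -> bool:
        n1 = self.stored_n1.get(user_id)
        return n1 is not None and hmac.compare_digest(H(n1), m5)


class ForgedServer(Server):
    """Constructed impostor that does not know SID: it answers with a made-up identity
    and cannot recover n1, so the client's server-identity check must fail."""

    def __init__(self):
        super().__init__(secrets.token_bytes(NONCE_LEN), {})

    def check_user_first(self, user_id, m1, m2):
        n2 = secrets.token_bytes(NONCE_LEN)
        return H(n2, self.sid), xor(m2, n2)         # best it can do without SID


class Client:
    def __init__(self, sid: bytes):
        self.sid = sid                              # server identity pre-stored on the client

    def first_info(self, user_id: bytes, pw: bytes):
        n1 = secrets.token_bytes(NONCE_LEN)
        return n1, H(user_id, pw, n1), xor(n1, self.sid)   # (n1, M1, M2)

    def check_server(self, n1: bytes, m3: bytes, m4: bytes) -> bool:
        n2 = xor(m4, n1)                            # recover n2 from the second XOR value M4
        return hmac.compare_digest(H(n2, self.sid), m3)


def login(client: Client, server: Server, user_id: bytes, pw: bytes) -> str:
    n1, m1, m2 = client.first_info(user_id, pw)
    reply = server.check_user_first(user_id, m1, m2)
    if reply is None:
        return "user rejected"
    m3, m4 = reply
    if not client.check_server(n1, m3, m4):
        return "server rejected"                    # first login condition not met
    m5 = H(n1)                                      # third hash value M5
    if not server.check_user_second(user_id, m5):
        return "second check failed"
    return "login ok"                               # second login condition met


if __name__ == "__main__":
    sid = hashlib.sha256(b"example-server").digest()   # constructed 32-byte SID
    users = {b"alice": b"correct horse"}              # constructed user database
    print(login(Client(sid), Server(sid, users), b"alice", b"correct horse"))
    print(login(Client(sid), Server(sid, users), b"alice", b"wrong password"))
    print(login(Client(sid), ForgedServer(), b"alice", b"correct horse"))
```

The three calls at the bottom exercise the three outcomes the description distinguishes: a correct user against the genuine server passes both login conditions, a wrong password is rejected at the server's first check, and a server that does not hold SID is rejected by the client's check of M3, which is the forged-server case the embodiment says the two-way authentication guards against. Hash comparisons use hmac.compare_digest, a constant-time comparison, which the patent does not require but which is the usual choice for such checks.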
The present embodiment provides not only verification of the user identity by the server but also verification of the server identity by the user. This bidirectional identity authentication avoids attacks caused by a forged server identity and also resists message replay attacks by an attacker.
Since the identity authentication method, identity authentication device and identity authentication system in the present embodiment are similar in principle, the related parts may be referred to one another.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these changes and modifications.

Claims (11)

1. An identity authentication method, characterized in that it comprises the following steps:
generating first user identity verification information;
sending the first user identity verification information to a server;
receiving server identity verification information returned by the server, the server identity verification information being information generated by the server when it performs user identity verification according to the received first user identity verification information and the user identity verification passes;
verifying the server identity according to the returned server identity verification information; if the verification does not pass, user login to the server fails; if the verification passes, a first condition for the user to log in to the server is met.
2. The identity authentication method according to claim 1, characterized in that the step of generating the first user identity verification information further comprises:
generating a first random number, receiving a user identity mark, a user identity identifier and a password, and performing hash calculation on the user identity identifier, the password and the first random number to obtain a first hash value;
performing XOR calculation on the first random number and a pre-stored server identity identifier to obtain a first XOR value;
determining the first hash value, the first XOR value and the user identity mark as the first user identity verification information.
3. The identity authentication method according to claim 2, characterized in that the step of receiving the server identity verification information returned by the server further comprises:
receiving a second hash value returned by the server, the second hash value being generated as follows: the server obtains the first random number from the received first XOR value, obtains the user identity identifier and the password from a pre-stored user information database according to the received user identity mark information, performs hash calculation on the user identity identifier, the password and the first random number to obtain a first hash value, and compares the calculated first hash value with the received first hash value; if they are consistent, the user identity verification passes, and the server generates a second random number and performs hash calculation on the second random number and the server identity identifier to obtain the second hash value;
receiving a second XOR value returned by the server, wherein the second XOR value is obtained by the server performing XOR on the first random number and the second random number.
4. The identity authentication method according to claim 3, characterized in that the step of verifying the server identity according to the returned server identity verification information further comprises:
obtaining the second random number from the second XOR value;
performing hash calculation on the server identity identifier and the second random number to obtain a second hash value;
comparing the calculated second hash value with the second hash value returned by the server; if they are consistent, the server identity verification passes.
5. The identity authentication method according to any one of claims 1 to 4, characterized in that when the first condition for the user to log in to the server is met, it is determined that the user has logged in to the server successfully.
6. The identity authentication method according to claim 4, characterized in that it further comprises the following steps:
sending second user identity verification information to the server;
receiving a second user identity verification result returned by the server, the second user identity verification result being information, returned by the server according to the received second user identity verification information, on whether the user identity verification passes;
when the second user identity verification result is that the verification passes, a second condition for the user to log in to the server is met and the user logs in to the server successfully; when the second user identity verification result is that the verification does not pass, user login to the server fails.
7. The identity authentication method according to claim 6, characterized in that
the step of sending the second user identity verification information to the server further comprises: calculating a third hash value of the first random number; and sending the third hash value to the server;
in the step of receiving the second user identity verification result returned by the server, the second user identity verification result is determined as follows: the server performs hash calculation on the first random number to obtain a third hash value and compares the calculated third hash value with the received third hash value; if they are consistent, the user identity verification passes; if they are inconsistent, the user identity verification does not pass.
8. An identity authentication device, characterized in that it comprises:
a generation module for generating first user identity verification information;
a sending module for sending the first user identity verification information to a server;
a receiving module for receiving server identity verification information returned by the server, the server identity verification information being information generated by the server when it performs user identity verification according to the received first user identity verification information and the user identity verification passes;
a verification module for verifying the server identity according to the returned server identity verification information.
9. The identity authentication device according to claim 8, characterized in that
the generation module is further used to: generate a first random number, receive a user identity mark, a user identity identifier and a password, and perform hash calculation on the user identity identifier, the password and the first random number to obtain a first hash value; perform XOR calculation on the first random number and a pre-stored server identity identifier to obtain a first XOR value; and determine the first hash value, the first XOR value and the user identity mark as the first user identity verification information;
the receiving module is further used to: receive a second hash value returned by the server, wherein the second hash value is generated as follows: the server obtains the first random number from the received first XOR value, obtains the user identity identifier and the password from a pre-stored user information database according to the received user identity mark information, performs hash calculation on the user identity identifier, the password and the first random number to obtain a first hash value, and compares the calculated first hash value with the received first hash value; if they are consistent, the user identity verification passes, and the server generates a second random number and performs hash calculation on the second random number and the server identity identifier to obtain the second hash value; and receive a second XOR value returned by the server, wherein the second XOR value is obtained by the server performing XOR on the first random number and the second random number;
the verification module is further used to: obtain the second random number from the second XOR value; calculate the second random number according to the pre-stored server identity identifier; perform hash calculation on the server identity identifier and the second random number to obtain a second hash value;
and compare the calculated second hash value with the second hash value returned by the server; if they are consistent, the server identity verification passes.
10. An identity authentication system, characterized in that it comprises a client and a server, wherein
the client is used to: generate first user identity verification information and send the first user identity verification information to the server;
the server is used to: receive the first user identity verification information, perform user identity verification according to the received first user identity verification information, generate server identity verification information when the user identity verification passes, and send the server identity verification information to the client;
the client is used to: receive the server identity verification information sent by the server and verify the server identity according to the returned server identity verification information.
11. The identity authentication system according to claim 10, characterized in that
the client is further used to: generate a first random number, receive a user identity mark, a user identity identifier and a password, and perform hash calculation on the user identity identifier, the password and the first random number to obtain a first hash value; perform XOR calculation on the first random number and a pre-stored server identity identifier to obtain a first XOR value; and send the first hash value, the first XOR value and the user identity mark to the server;
the server is further used to: receive the first hash value and the first XOR value, obtain the first random number from the received first XOR value, obtain the user identity identifier and the password from a pre-stored user information database according to the received user identity mark information, perform hash calculation on the user identity identifier, the password and the first random number to obtain a first hash value, and compare the calculated first hash value with the received first hash value; if they are consistent, the user identity verification passes, and the server generates a second random number, performs hash calculation on the second random number and the server identity identifier to obtain a second hash value, performs XOR on the first random number and the second random number to obtain a second XOR value, and sends the second hash value and the second XOR value to the client;
the client is further used to: receive the second hash value and the second XOR value, obtain the second random number from the second XOR value, perform hash calculation on the server identity identifier and the second random number to obtain a second hash value, and compare the calculated second hash value with the second hash value returned by the server; if they are consistent, the server identity verification passes.
CN201511001209.0A 2015-12-28 2015-12-28 Identity identifying method, authentication device and Verification System Pending CN106921640A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201511001209.0A CN106921640A (en) 2015-12-28 2015-12-28 Identity identifying method, authentication device and Verification System


Publications (1)

Publication Number Publication Date
CN106921640A true CN106921640A (en) 2017-07-04

Family

ID=59455100


Country Status (1)

Country Link
CN (1) CN106921640A (en)

Jan An improved lightweight privacy preserving authentication scheme for SIP-Based-VoIP using smart card
CN106911700A (en) A kind of method that RFID label tag group proves

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170704