CN107911343B - Secure password storage verification method and device - Google Patents

Secure password storage verification method and device Download PDF

Info

Publication number
CN107911343B
CN107911343B CN201711031339.8A CN201711031339A CN107911343B CN 107911343 B CN107911343 B CN 107911343B CN 201711031339 A CN201711031339 A CN 201711031339A CN 107911343 B CN107911343 B CN 107911343B
Authority
CN
China
Prior art keywords
password
client
hash value
server
salt
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711031339.8A
Other languages
Chinese (zh)
Other versions
CN107911343A (en
Inventor
高安存
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Infinova Ltd
Original Assignee
Shenzhen Infinova Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Infinova Ltd filed Critical Shenzhen Infinova Ltd
Priority to CN201711031339.8A priority Critical patent/CN107911343B/en
Publication of CN107911343A publication Critical patent/CN107911343A/en
Application granted granted Critical
Publication of CN107911343B publication Critical patent/CN107911343B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Abstract

The invention provides a safe password storage verification method and a safe password storage verification device, wherein when a password is stored, Salt is added into the password, the password is encrypted by a Hash algorithm, and then the Hash value of the password is stored in a server; when a user logs in a server to perform password verification, a token is generated by the server, and the token is used as a key to perform secondary encryption on the password hash value stored by the server and the password hash value during user login, and then comparison verification is performed. The invention can improve the safety of the user password in the process of storage and verification.

Description

Secure password storage verification method and device
Technical Field
The present invention relates to the field of network security, and in particular, to a secure password storage verification method and apparatus.
Background
At present, the common password attack means in the password storage and login verification scene mainly comprises the following steps:
dictionary and brute force attack (Dictionary and forces attacks):
the most common way to crack the Hash is to guess the password, then Hash each possible password, compare the Hash to be cracked with the guessed Hash value of the password, if the two values are the same, then the guessed password is the correct password plaintext. Common ways to guess cryptographic attacks are dictionary attacks and brute force attacks. The dictionary attack is to put the common password, word, phrase and other character strings which may be used as password into a file, then to Hash each word in the file, and to compare the Hash with the Hash of the password to be cracked. The success rate of this approach depends on the size of the cryptographic dictionary and whether the dictionary is appropriate. This attack is not effective for random and complex passwords.
Table Lookup cracking (Lookup Tables):
for a particular hash type, table lookup is a very efficient and fast way if a large number of hashes need to be broken. The idea is to pre-compute (pre-compute) the hash of each password in the password dictionary. The hash and corresponding password are then stored in a table. This attack is not effective for random and complex passwords.
Reverse Lookup table cracking (Reverse Lookup Tables):
by the method, an attacker can simultaneously carry out dictionary and brute force attack on a large number of hashes under the condition that one lookup table is not calculated in advance. Firstly, an attacker can make a user name and a corresponding hash table according to the obtained database data. Then, after the common dictionary password is hashed, the hash of the table is compared with the common dictionary password, so that the user who uses the common dictionary password can be known. This attack is effective because many users will typically use the same password. This attack is not effective for random and complex passwords.
Rainbow table (Rainbow Tables):
stored in the rainbow table are individual "hash chains".
Let us assume that we have a ciphertext hash function H and a password P. Conventionally, all outputs of H (X) are exhausted, and H (X [ y ]) is searched for H (P), resulting in P being X [ y ].
The "hash chain" in the rainbow table is to reduce the space requirement of the conventional practice. First a decay function R needs to be defined to convert the hash value into another string. By alternately operating the H function and the R function, an alternating chain of passwords and hash values is formed. For example, assuming that the password is 6 lower case letters and the hash value is 32 bits long, the chain may appear to be:
aaaaaa-H->281DAF40-R->sgfnyd-H->920ECF10-R->kiebgt
to generate a table, we select a set of random initial ciphers, each calculating a chain of fixed length K, and store only the first and last ciphers of each chain. The first password is called the start point and the last one is called the end point. In the above-exemplified chain, "aaaaaaa" is the starting point, "kiebgt" is the ending point, and other passwords (or hash values) are not saved.
Given a hash value H, we work in reverse (find the corresponding password), computing a chain starting with the application of the R function to H, then the H function, then the R function, and continuing. If at any point in the operation (after each application of R) we find that the value of this point matches an end point in the table we have generated, we have a corresponding start point with which to recalculate the chain. There is a high probability that the chain contains the value h, and if it does, the value immediately preceding h in the chain is the password p we are looking for.
For example, if we have given hash value 920ECF10, we will start the chain of computations with R applied to it:
920ECF10-R->kiebgt
since kiegbt is one of our end points, we find the beginning point aaaaaa and start following this chain until 920ECF10 is found:
aaaaaa-H->281DAF40-R->sgfnyd-H->920ECF10
thus, the password is "sgfnyd".
It is noted that the chain does not necessarily contain a hash value h. Since a chain starting with h may merge with a chain at a certain starting point. For example, a hash value FB107E70, whose chain we calculate next, will get kiebgt:
FB107E70-R->bvtdll-H->0EE80890-R->kiebgt
network monitoring:
this is not an attack on password storage, but is the most efficient means to obtain the user's password. The network card state is set to be in a 'hybrid' mode, and messages transmitted and received by all hosts in a local area can be received. Or when the control right of the router exists, all data passing through the router can be obtained through the router. If the password of the user is sent to the server side in a plaintext mode for verification, the real password of the user can be easily obtained. Even if the user password HASH is sent to the server side for verification, the HASH value of the user password can still be obtained; all the rights of the user can then be obtained by simply sending a request to the server mimicking the client's behavior.
Currently, the existing password storage authentication scheme is to digest the password of the user by MD5 once, and then store the obtained "digest information" in the database. The user name and the password plaintext are sent to the server side every time the user logs in, and the server side inquires the summary information of the password from the database through the user name. Then, the password plaintext is compared with the 'abstract information' of the password stored in the database after being subjected to MD 5; if the password is consistent with the password, the login is successful, and if the password is inconsistent with the password, the password is wrong.
The encryption mode is easy to crack by utilizing the rainbow table, and the clear text of the password is easy to obtain by an attack mode of network monitoring, so that the existing password storage and verification scheme can not resist the attack of a conventional password attack means; there is therefore a need for an encryption process that is more secure and easier to implement.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: a more secure password storage authentication method is provided for resisting conventional password attack means.
In order to solve the technical problems, the invention adopts a technical scheme that: a safe password storage authentication method comprises a password storage process and a password authentication process, wherein the password storage process comprises the following steps:
s10), the client acquires the user name and the password of the user;
s11), the client acquires a Salt from the server;
s12), adding Salt to the password of the user by the client;
s13), the client calculates the code added with Salt by using a Hash algorithm to obtain a Hash value code;
s14), the client stores the user name, the Salt and the hash value password to the server;
the password authentication process comprises the following steps:
s20), the client acquires a session token of the server and a Salt stored corresponding to the user name of the user, then calculates the password of the user after adding the Salt to obtain a hash value password, then calculates a secondary hash value password by using hmac _ sha256_ hex with the token as a key, and sends the secondary hash value password to the server;
s30), the server receives the user name and the secondary hash value password sent from the client, the server takes the token of the session with the client as the key, the hmac _ sha256_ hex is used for calculating the hash value password stored in the server and corresponding to the user name sent by the client to obtain the secondary hash value password, and the server compares the secondary hash value password of the client with the hash value password of the server and feeds back the verification result to the client after verification.
Preferably, step S20 specifically includes:
s21), the client acquires the user name and the password of the user;
s22), the client sends the user name of the user to the server;
s23), the server side generates a unique token for the session;
s24), the server side sends the token and the Salt stored in the server side by the user and corresponding to the user name of the user to the client side;
s25), adding Salt to the user password by the client, and then calculating to obtain a hash value password;
s26), the client splices the hash value password with the user name;
s27), the client side takes token as key and obtains a secondary hash value password by using hmac _ sha256_ hex calculation;
s28), the client sends the twice hash value password to the server.
Preferably, step S30 specifically includes:
s31), the server receives the user name and the secondary hash value password sent by the client;
s32), the server side inquires the hash value password corresponding to the user name from the server side through the user name;
s33), the server side splices the hash value password and the user name;
s34), the server side takes the unique token generated by the session with the client side as a key, and calculates the hash value password stored in the server side by using hmac _ sha256_ hex to obtain a secondary hash value password;
s35), the server side compares the client side secondary hash value password with the server side secondary hash value password for verification;
s36), the server side sends the verification result to the client side;
if the passwords are consistent, the verification is passed;
if the passwords are not consistent, the authentication is not passed.
Preferably, the secure password storage authentication method further includes a password modification process, including:
s41), the client acquires the user name and the new password of the user;
s42), the client acquires a new Salt from the server;
s43), adding Salt to the new password of the user by the client;
s44), the client calculates a new hash value password through a hash algorithm;
s45), the client stores the username, the new Salt, and the hash password to the server.
A secure password storage authentication apparatus, characterized by: it includes password storage module and password verification module, and wherein, password storage module includes:
the registration information acquisition unit is used for acquiring a user name and a password of a user by the client and then transferring to the Salt acquisition unit;
the Salt obtaining unit is used for obtaining a Salt from the server side by the client side and then transferring the Salt to the Salt adding unit;
the Salt adding unit is used for adding Salt to the password of the user by the client and then transferring to the client encryption unit;
the client encryption unit is used for calculating the code added with the Salt by the client through a Hash algorithm to obtain a Hash value code and then transferring the Hash value code to the storage unit;
the storage unit is used for storing the user name, the Salt and the hash value password to the server side by the client side;
the password authentication module includes:
the client encryption sub-module is used for acquiring a session token of the server and a Salt stored corresponding to the user name of the user by the client, calculating a hash value password after adding the Salt to the password of the user, calculating a secondary hash value password by using hmac _ sha256_ hex with the token as a key, sending the secondary hash value password to the server, and then transferring the secondary hash value password to the server encryption verification sub-module;
the server side encryption and verification submodule is used for receiving the user name and the secondary hash value password sent from the client side by the server side, the server side takes token conversation with the client side as key, the hmac _ sha256_ hex is used for calculating the hash value password stored in the server side and corresponding to the user name to obtain the secondary hash value password, and the server side compares the secondary hash value password of the client side with the hash value password of the server side for verification and then feeds back a verification result to the client side.
Preferably, the client encryption sub-module includes:
the login information acquisition unit is used for acquiring a user name and a password of a user by the client and then transmitting the user name and the password to the information sending unit;
the information sending unit is used for sending the user name of the user to the server side by the client side and then transferring the user name to the token generating unit;
the Token generating unit is used for generating a unique Token for the session by the server side and then transferring the unique Token to the server side sending unit;
the server side sending unit is used for sending the token and the Salt stored by the user in the server side and corresponding to the user name of the user to the client side together by the server side, and then turning to the verification encryption unit;
the verification encryption unit is used for calculating a hash value password after the client adds Salt to the password of the user, and then transferring the hash value password to the client splicing unit;
the client side splicing unit is used for splicing the hash value password and the user name by the client side and then transferring the hash value password and the user name to the client side secondary encryption unit;
the client secondary encryption unit is used for calculating to obtain a secondary hash value password by using hmac _ sha256_ hex by taking token as key at the client, and then transferring the secondary hash value password to the password sending unit;
and the password sending unit is used for sending the secondary hash value password to the server side by the client side.
Preferably, the server-side encryption verification sub-module includes:
the server side receiving unit is used for receiving the user name and the secondary hash value password sent by the client side and then transmitting the user name and the secondary hash value password to the query unit;
the query unit is used for the server side to query the hash value password corresponding to the user name from the server side through the user name and then transfer the hash value password to the server side splicing unit;
the server side splices the hash value password and the user name and then transfers the hash value password to a server side secondary encryption unit;
the server-side secondary encryption unit is used for calculating the hash value password stored in the server side by using hmac _ sha256_ hex to obtain a secondary hash value password by taking the only token generated by the session with the client side as a key, and then transferring the secondary hash value password to the verification unit;
the verification unit is used for comparing and verifying the secondary hash value password of the client and the secondary hash value password of the server by the server and then switching to the verification result feedback unit;
the verification result feedback unit is used for the server side to send the verification result to the client side;
if the passwords are consistent, the verification is passed;
if the passwords are not consistent, the authentication is not passed.
Preferably, the secure password storage authentication apparatus further comprises a password modification module, comprising:
a new information acquisition unit, which is used for the client to acquire the user name and the new password of the user and then transfer to a new Salt acquisition unit;
the new Salt obtaining unit is used for obtaining a new Salt from the server side by the client side and then transferring to the new Salt adding unit;
the new Salt adding unit is used for adding Salt to the new password of the user by the client and then transferring to the new encryption unit;
the new encryption unit is used for the client to calculate a new hash value password through a hash algorithm and then transfer the new hash value password to the new storage unit;
and the new storage unit is used for storing the user name, the new Salt and the hash value password to the server side by the client side.
When the password is stored, Salt is added to the password, the password after Salt is added is encrypted by a Hash algorithm, then the password Hash value is stored in a server, the difficulty of password cracking can be increased, when a user logs in the server to perform password verification, the server generates a token, the token is used as a key, the password Hash value stored in the server and the password Hash value when the user logs in are secondarily encrypted, then comparison verification is performed, the password security is increased again, and the scheme can ensure that the user password is safer during storage and verification.
Drawings
The detailed structure of the invention is described in detail below with reference to the accompanying drawings
FIG. 1 is a diagram of the password storage of the present invention;
FIG. 2 is a user authentication diagram of the present invention;
FIG. 3 is a diagram of password modification according to the present invention.
Detailed Description
In order to explain technical contents, structural features, and objects and effects of the present invention in detail, the following detailed description is given with reference to the accompanying drawings in conjunction with the embodiments.
A safe password storage authentication method comprises a password storage process and a password authentication process, wherein the password storage process comprises the following steps:
s10), the client acquires the user name and the password of the user;
s11), the client acquires a Salt from the server;
s12), adding Salt to the password of the user by the client;
s13), the client calculates the code added with Salt by using a Hash algorithm to obtain a Hash value code;
s14), the client stores the user name, the Salt and the hash value password to the server;
the password authentication process comprises the following steps:
s20), the client acquires a session token of the server and a Salt stored corresponding to the user name of the user, then calculates the password of the user after adding the Salt to obtain a hash value password, then calculates a secondary hash value password by using hmac _ sha256_ hex with the token as a key, and sends the secondary hash value password to the server;
s30), the server receives the user name and the secondary hash value password sent from the client, the server takes the token of the session with the client as the key, the hmac _ sha256_ hex is used for calculating the hash value password stored in the server and corresponding to the user name sent by the client to obtain the secondary hash value password, and the server compares the secondary hash value password of the client with the hash value password of the server and feeds back the verification result to the client after verification.
The invention provides a safe password storage and verification method, when a password is stored, Salt is added to a user password, the password added with Salt is encrypted by using a hash algorithm, and then a password hash value is stored in a server end, so that the password stored in the server end is an encrypted password, the encrypted password is obtained by encrypting after a random character string is added, the difficulty of password cracking can be increased, when the user logs in the server for password verification, the server generates token, the token serves as key, after the password hash value stored in the server end and the password hash value when the user logs in are encrypted for the second time, comparison and verification are performed, the security of the password is increased again, and the scheme can ensure that the user password is safer during storage and verification.
The first embodiment is as follows:
preferably, step S20 specifically includes:
s21), the client acquires the user name and the password of the user;
s22), the client sends the user name of the user to the server;
s23), the server side generates a unique token for the session;
s24), the server side sends the token and the Salt stored in the server side by the user and corresponding to the user name of the user to the client side;
s25), adding Salt to the user password by the client, and then calculating to obtain a hash value password;
s26), the client splices the hash value password with the user name;
s27), the client side takes token as key and obtains a secondary hash value password by using hmac _ sha256_ hex calculation;
s28), the client sends the twice hash value password to the server.
In the embodiment, the client sends the acquired user name and the user password to the server, the server generates the token and sends the token to the client, the token is valid when the conversation is completed, the conversation between the client and the server is invalid, the token is used as a parameter after the user password is spliced by the client, secondary encryption is performed, the password after the secondary encryption is more difficult to crack, and the password security is ensured.
Example two:
preferably, step S30 specifically includes:
s31), the server receives the user name and the secondary hash value password sent by the client;
s32), the server side inquires the hash value password corresponding to the user name from the server side through the user name;
s33), the server side splices the hash value password and the user name;
s34), the server side takes the unique token generated by the session with the client side as a key, and calculates the hash value password stored in the server side by using hmac _ sha256_ hex to obtain a secondary hash value password;
s35), the server side compares the client side secondary hash value password with the server side secondary hash value password for verification;
s36), the server side sends the verification result to the client side;
if the passwords are consistent, the verification is passed;
if the passwords are not consistent, the authentication is not passed.
In this embodiment: the server receives the twice encrypted hash value password of the client, the user password stored in the server is compared with the twice encrypted password of the client after the twice encryption for verification, the twice encrypted password is compared after the twice encryption, the security of the password can be effectively ensured, the twice encryption takes the session token as the key, only the verification is effective, and the security of the password verification process is improved.
Example three:
preferably, the secure password storage authentication method further includes a password modification process, including:
s41), the client acquires the user name and the new password of the user;
s42), the client acquires a new Salt from the server;
s43), adding Salt to the new password of the user by the client;
s44), the client calculates a new hash value password through a hash algorithm;
s45), the client stores the username, the new Salt, and the hash password to the server.
In this embodiment, when the password is modified, the client acquires a new Salt, the Salt is generated randomly by the server and is not easy to leak, the new password and the Salt are encrypted by a hash algorithm and then stored in the server, the password of the user is updated, and the old password stored in the server is overwritten and invalidated.
Example four
Referring to fig. 1, when a user registers an account and inputs a user name and a password, a server side first randomly generates a salt, adds the salt to a password psw to obtain a psw _ salt, calculates a hash value password p _ hash through a hash algorithm sha256, and then stores the user name, the salt, and the hash value password p _ hash to the server side.
Referring to fig. 2, when a user logs in, a client sends a current user name to a server to query a salt value of the user name, the server generates a token and sends the salt corresponding to the queried user name back to the client, the client adds a user password psw into the salt to obtain a psw _ salt, the client encrypts the hash value password p _ hash through a hash algorithm sh 256 to obtain a hash value, the token of the client is a key to perform hmac _ sha256 on the p _ hash to obtain a secondary encryption password, the client sends the user name and the password to the server, the server queries the p _ hash value of the server according to the name, the server performs hmac _ sha256 on the p _ hash value by using the token to obtain a secondary encryption password _, and the client compares the password with the password _ to obtain a verification result.
Referring to fig. 3, when modifying the password, the client obtains a new salt from the server, adds the new salt to the new password psw to obtain a psw _ salt, performs sha256 on the psw _ salt to obtain a p _ hash, sends the name, the new salt, and the p _ hash to the server, and the server updates the salt and the p _ hash of the current user.
A secure password storage authentication apparatus, characterized by: it includes password storage module and password verification module, and wherein, password storage module includes:
the registration information acquisition unit is used for acquiring a user name and a password of a user by the client and then transferring to the Salt acquisition unit;
the Salt obtaining unit is used for obtaining a Salt from the server side by the client side and then transferring the Salt to the Salt adding unit;
the Salt adding unit is used for adding Salt to the password of the user by the client and then transferring to the client encryption unit;
the client encryption unit is used for calculating the code added with the Salt by the client through a Hash algorithm to obtain a Hash value code and then transferring the Hash value code to the storage unit;
the storage unit is used for storing the user name, the Salt and the hash value password to the server side by the client side;
the password authentication module includes:
the client encryption sub-module is used for acquiring a session token of the server and a Salt stored corresponding to the user name of the user by the client, calculating a hash value password after adding the Salt to the password of the user, calculating a secondary hash value password by using hmac _ sha256_ hex with the token as a key, sending the secondary hash value password to the server, and then transferring the secondary hash value password to the server encryption verification sub-module;
the server side encryption and verification submodule is used for receiving the user name and the secondary hash value password sent from the client side by the server side, the server side takes token conversation with the client side as key, the hmac _ sha256_ hex is used for calculating the hash value password stored in the server side and corresponding to the user name to obtain the secondary hash value password, and the server side compares the secondary hash value password of the client side with the hash value password of the server side for verification and then feeds back a verification result to the client side.
When the password is stored, the Salt adding unit adds Salt to the user password, the encryption unit encrypts the password added with Salt, the storage unit stores the password hash value to the server side, the comparison password is stored to the server after encryption, the risk of stealing the password is reduced, when the user logs in the server to perform password verification, the server generates a token, the token serves as a key, the password hash value stored at the server side and the password hash value during user login are secondarily encrypted and then subjected to comparison verification, the token is only valid in the verification, the safety of the password verification process is increased again, and the scheme can ensure that the user password is safer during storage and verification.
Example five:
preferably, the client encryption sub-module includes:
the login information acquisition unit is used for acquiring a user name and a password of a user by the client and then transmitting the user name and the password to the information sending unit;
the information sending unit is used for sending the user name of the user to the server side by the client side and then transferring the user name to the token generating unit;
the Token generating unit is used for generating a unique Token for the session by the server side and then transferring the unique Token to the server side sending unit;
the server side sending unit is used for sending the token and the Salt stored by the user in the server side and corresponding to the user name of the user to the client side together by the server side, and then turning to the verification encryption unit;
the verification encryption unit is used for calculating a hash value password after the client adds Salt to the password of the user, and then transferring the hash value password to the client splicing unit;
the client side splicing unit is used for splicing the hash value password and the user name by the client side and then transferring the hash value password and the user name to the client side secondary encryption unit;
the client secondary encryption unit is used for calculating to obtain a secondary hash value password by using hmac _ sha256_ hex by taking token as key at the client, and then transferring the secondary hash value password to the password sending unit;
and the password sending unit is used for sending the secondary hash value password to the server side by the client side.
In the embodiment, the client sends the acquired user name and the user password to the server, the token generation unit of the server generates the token, the server sending unit sends the token to the client, the secondary encryption unit of the client carries out secondary encryption on the user password, the password after the secondary encryption is more difficult to crack, and the password security is ensured.
Example six:
preferably, the server-side encryption verification sub-module includes:
the server side receiving unit is used for receiving the user name and the secondary hash value password sent by the client side and then transmitting the user name and the secondary hash value password to the query unit;
the query unit is used for the server side to query the hash value password corresponding to the user name from the server side through the user name and then transfer the hash value password to the server side splicing unit;
the server side splices the hash value password and the user name and then transfers the hash value password to a server side secondary encryption unit;
the server-side secondary encryption unit is used for calculating the hash value password stored in the server side by using hmac _ sha256_ hex to obtain a secondary hash value password by taking the only token generated by the session with the client side as a key, and then transferring the secondary hash value password to the verification unit;
the verification unit is used for comparing and verifying the secondary hash value password of the client and the secondary hash value password of the server by the server and then switching to the verification result feedback unit;
the verification result feedback unit is used for the server side to send the verification result to the client side;
if the passwords are consistent, the verification is passed;
if the passwords are not consistent, the authentication is not passed.
In this embodiment, the server-side secondary encryption unit performs secondary encryption on the hash value password stored in the server side, the verification unit compares the client-side secondary encrypted hash value password with the server-side secondary encrypted hash value password for verification, and feeds back a verification result to the client side.
Example seven:
preferably, the secure password storage authentication apparatus further comprises a password modification module, comprising:
a new information acquisition unit, which is used for the client to acquire the user name and the new password of the user and then transfer to a new Salt acquisition unit;
the new Salt obtaining unit is used for obtaining a new Salt from the server side by the client side and then transferring to the new Salt adding unit;
the new Salt adding unit is used for adding Salt to the new password of the user by the client and then transferring to the new encryption unit;
the new encryption unit is used for the client to calculate a new hash value password through a hash algorithm and then transfer the new hash value password to the new storage unit;
and the new storage unit is used for storing the user name, the new Salt and the hash value password to the server side by the client side.
In this embodiment, when the password is modified, the information obtaining unit of the client obtains a new Salt, the Salt is generated randomly by the server and is not easy to leak, the new password and the Salt are encrypted by the encryption unit and then stored in the server, the password of the user is updated, and the old Salt and the password stored in the server are invalid.
In summary, the following steps: when the password is stored, Salt is added to the user password, the password is encrypted by using a hash algorithm, then the password hash value is stored to a server side, the Salt is generated randomly and is not easy to leak, the difficulty of password cracking can be increased, when the user logs in the server to perform password verification, the server generates a token, and after the password hash value stored at the server side and the password hash value during user login are encrypted for the second time by using the token as a key, comparison verification is performed, after each verification is completed, the token can fail, and the safety of the password verification process is improved; when the password is modified, the server regenerates a new Salt to be encrypted with the new password, and the old Salt is invalid, so that the security of the password is ensured, and the password is safer in the storage and verification processes.
The above description is only an embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes performed by the present specification and drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (8)

1. A secure password storage authentication method is characterized in that: the method comprises a password storage flow and a password verification flow, wherein the password storage flow comprises the following steps:
s10), the client acquires the user name and the password of the user;
s11), the client acquires a Salt from the server;
s12), adding Salt to the password of the user by the client;
s13), the client calculates the code added with Salt by using a Hash algorithm to obtain a Hash value code;
s14), the client stores the user name, the Salt and the hash value password to the server;
the password authentication process comprises the following steps:
s20), the client acquires a session token of the server and a Salt stored corresponding to the user name of the user, then calculates the password of the user after adding the Salt to obtain a hash value password, then calculates a secondary hash value password by using hmac _ sha256_ hex with the token as a key, and sends the secondary hash value password to the server;
s30), the server receives the user name and the secondary hash value password sent from the client, the server takes the token of the session with the client as the key, uses hmac _ sha256_ hex to calculate the hash value password corresponding to the user name stored in the server and sent by the client, compares the secondary hash value password of the client with the secondary hash value password of the server for verification, and feeds back the verification result to the client.
2. The secure cryptographic storage authentication method of claim 1, wherein: step S20 specifically includes:
s21), the client acquires the user name and the password of the user;
s22), the client sends the user name of the user to the server;
s23), the server side generates a unique token for the session;
s24), the server side sends the token and the Salt stored in the server side by the user and corresponding to the user name of the user to the client side;
s25), adding Salt to the user password by the client, and then calculating to obtain a hash value password;
s26), the client splices the hash value password with the user name;
s27), the client side takes token as key and obtains a secondary hash value password by using hmac _ sha256_ hex calculation;
s28), the client sends the twice hash value password to the server.
3. The secure cryptographic storage authentication method of claim 2, wherein: step S30 specifically includes:
s31), the server receives the user name and the secondary hash value password sent by the client;
s32), the server side inquires the hash value password corresponding to the user name from the server side through the user name;
s33), the server side splices the hash value password and the user name;
s34), the server side takes the unique token generated by the session with the client side as a key, and calculates the hash value password stored in the server side by using hmac _ sha256_ hex to obtain a secondary hash value password;
s35), the server side compares the client side secondary hash value password with the server side secondary hash value password for verification;
s36), the server side sends the verification result to the client side;
if the passwords are consistent, the verification is passed;
if the passwords are not consistent, the authentication is not passed.
4. The secure cryptographic storage authentication method of claim 1, wherein: it also includes password modification process, including:
s41), the client acquires the user name and the new password of the user;
s42), the client acquires a new Salt from the server;
s43), adding Salt to the new password of the user by the client;
s44), the client calculates a new hash value password through a hash algorithm;
s45), the client stores the username, the new Salt, and the hash password to the server.
5. A secure password storage authentication apparatus, characterized by: it includes password storage module and password verification module, and wherein, password storage module includes:
the registration information acquisition unit is used for acquiring a user name and a password of a user by the client and then transferring to the Salt acquisition unit;
the Salt obtaining unit is used for obtaining a Salt from the server side by the client side and then transferring the Salt to the Salt adding unit;
the Salt adding unit is used for adding Salt to the password of the user by the client and then transferring to the client encryption unit;
the client encryption unit is used for calculating the code added with the Salt by the client through a Hash algorithm to obtain a Hash value code and then transferring the Hash value code to the storage unit;
the storage unit is used for storing the user name, the Salt and the hash value password to the server side by the client side;
the password authentication module includes:
the client encryption sub-module is used for acquiring a session token of the server and a Salt stored corresponding to the user name of the user by the client, calculating a hash value password after adding the Salt to the password of the user, calculating a secondary hash value password by using hmac _ sha256_ hex with the token as a key, sending the secondary hash value password to the server, and then transferring the secondary hash value password to the server encryption verification sub-module;
the server side encryption verification sub-module is used for receiving the user name and the secondary hash value password sent from the client side by the server side, the server side takes token of conversation with the client side as key, the hmac _ sha256_ hex is used for calculating the hash value password stored in the server side and corresponding to the user name sent by the client side to obtain the secondary hash value password, the secondary hash value password of the client side and the secondary hash value password of the server side are compared and verified, and the verification result is fed back to the client side.
6. The secure password storage authentication apparatus of claim 5, wherein: the client encryption submodule comprises:
the login information acquisition unit is used for acquiring a user name and a password of a user by the client and then transmitting the user name and the password to the information sending unit;
the information sending unit is used for sending the user name of the user to the server side by the client side and then transferring the user name to the token generating unit;
the Token generating unit is used for generating a unique Token for the session by the server side and then transferring the unique Token to the server side sending unit;
the server side sending unit is used for sending the token and the Salt stored by the user in the server side and corresponding to the user name of the user to the client side together by the server side, and then turning to the verification encryption unit;
the verification encryption unit is used for calculating a hash value password after the client adds Salt to the password of the user, and then transferring the hash value password to the client splicing unit;
the client side splicing unit is used for splicing the hash value password and the user name by the client side and then transferring the hash value password and the user name to the client side secondary encryption unit;
the client secondary encryption unit is used for calculating to obtain a secondary hash value password by using hmac _ sha256_ hex by taking token as key at the client, and then transferring the secondary hash value password to the password sending unit;
and the password sending unit is used for sending the secondary hash value password to the server side by the client side.
7. The secure cryptographic storage authentication apparatus of claim 6, wherein: the server side encryption and verification submodule comprises:
the server side receiving unit is used for receiving the user name and the secondary hash value password sent by the client side and then transmitting the user name and the secondary hash value password to the query unit;
the query unit is used for the server side to query the hash value password corresponding to the user name from the server side through the user name and then transfer the hash value password to the server side splicing unit;
the server side splices the hash value password and the user name and then transfers the hash value password to a server side secondary encryption unit;
the server-side secondary encryption unit is used for calculating the hash value password stored in the server side by using hmac _ sha256_ hex to obtain a secondary hash value password by taking the only token generated by the session with the client side as a key, and then transferring the secondary hash value password to the verification unit;
the verification unit is used for comparing and verifying the secondary hash value password of the client and the secondary hash value password of the server by the server and then switching to the verification result feedback unit;
the verification result feedback unit is used for the server side to send the verification result to the client side;
if the passwords are consistent, the verification is passed;
if the passwords are not consistent, the authentication is not passed.
8. The secure password storage authentication apparatus of claim 5, wherein: it also includes, password modification module, including:
a new information acquisition unit, which is used for the client to acquire the user name and the new password of the user and then transfer to a new Salt acquisition unit;
the new Salt obtaining unit is used for obtaining a new Salt from the server side by the client side and then transferring to the new Salt adding unit;
the new Salt adding unit is used for adding Salt to the new password of the user by the client and then transferring to the new encryption unit;
the new encryption unit is used for the client to calculate a new hash value password through a hash algorithm and then transfer the new hash value password to the new storage unit;
and the new storage unit is used for storing the user name, the new Salt and the hash value password to the server side by the client side.
CN201711031339.8A 2017-10-27 2017-10-27 Secure password storage verification method and device Active CN107911343B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711031339.8A CN107911343B (en) 2017-10-27 2017-10-27 Secure password storage verification method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711031339.8A CN107911343B (en) 2017-10-27 2017-10-27 Secure password storage verification method and device

Publications (2)

Publication Number Publication Date
CN107911343A CN107911343A (en) 2018-04-13
CN107911343B true CN107911343B (en) 2020-09-15

Family

ID=61841951

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711031339.8A Active CN107911343B (en) 2017-10-27 2017-10-27 Secure password storage verification method and device

Country Status (1)

Country Link
CN (1) CN107911343B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108833109B (en) * 2018-05-28 2021-09-14 苏州科达科技股份有限公司 Identity authentication method and device and electronic equipment
CN110912683B (en) * 2018-09-18 2022-09-23 阿里巴巴集团控股有限公司 Password storage method and device and password verification method and device
CN109450925B (en) * 2018-12-05 2021-09-28 国网浙江省电力有限公司杭州供电公司 User authority verification method and device for operation and maintenance of power secondary system and electronic equipment
CN111447613B (en) * 2019-01-16 2023-07-25 南京快轮智能科技有限公司 Encryption system for sharing products
CN109992934A (en) * 2019-04-10 2019-07-09 苏州浪潮智能科技有限公司 A kind of response method, device, equipment and medium
CN110493197B (en) * 2019-07-25 2022-02-01 深圳壹账通智能科技有限公司 Login processing method and related equipment
CN110572269B (en) * 2019-09-20 2022-03-08 成都安恒信息技术有限公司 Method for improving secondary use of token
CN110990809B (en) * 2019-11-26 2021-08-03 卓尔购信息科技(武汉)有限公司 Password salting verification method and system based on workload
CN111385093B (en) * 2020-03-20 2022-05-10 杭州小影创新科技股份有限公司 Web system design method combining slow hash and dynamic salt
CN111639357B (en) * 2020-06-05 2023-05-16 杭州安恒信息技术股份有限公司 Encryption network disk system and authentication method and device thereof
CN112417393A (en) * 2020-11-02 2021-02-26 深圳依时货拉拉科技有限公司 Identity verification method and device, computer equipment and computer readable storage medium
CN113078999A (en) * 2021-04-13 2021-07-06 傲普(上海)新能源有限公司 Password security encryption storage mode
CN113626802B (en) * 2021-08-23 2023-05-12 重庆第二师范学院 Login verification system and method for equipment password
US20230145340A1 (en) * 2021-11-08 2023-05-11 Adobe Inc. Distributing and synchronizing encrypted data for multi-regional accessibility
CN114567430A (en) * 2022-01-26 2022-05-31 银盛通信有限公司 Method for adding private key to user password by mobile resale system
CN114499859A (en) * 2022-03-22 2022-05-13 深圳壹账通智能科技有限公司 Password verification method, device, equipment and storage medium
CN114745173B (en) * 2022-04-08 2023-04-25 湖南长银五八消费金融股份有限公司 Login verification method, login verification device, computer equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721390A (en) * 2014-12-01 2016-06-29 阿里巴巴集团控股有限公司 Encrypted storage method and encrypted storage device
CN106060078A (en) * 2016-07-11 2016-10-26 浪潮(北京)电子信息产业有限公司 User information encryption method, user registration method and user validation method applied to cloud platform
CN106656476A (en) * 2017-01-18 2017-05-10 腾讯科技(深圳)有限公司 Password protecting method and device

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013036946A1 (en) * 2011-09-09 2013-03-14 Stoneware, Inc. Method and apparatus for key sharing over remote desktop protocol

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721390A (en) * 2014-12-01 2016-06-29 阿里巴巴集团控股有限公司 Encrypted storage method and encrypted storage device
CN106060078A (en) * 2016-07-11 2016-10-26 浪潮(北京)电子信息产业有限公司 User information encryption method, user registration method and user validation method applied to cloud platform
CN106656476A (en) * 2017-01-18 2017-05-10 腾讯科技(深圳)有限公司 Password protecting method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"基于安卓平台的多云存储系统";孔琰等;《计算机应用》;20170615;全文 *

Also Published As

Publication number Publication date
CN107911343A (en) 2018-04-13

Similar Documents

Publication Publication Date Title
CN107911343B (en) Secure password storage verification method and device
US6996715B2 (en) Method for identification of a user's unique identifier without storing the identifier at the identification site
US6064736A (en) Systems, methods and computer program products that use an encrypted session for additional password verification
US6959394B1 (en) Splitting knowledge of a password
US8156333B2 (en) Username based authentication security
EP1359491B1 (en) Methods for remotely changing a communications password
US8966276B2 (en) System and method providing disconnected authentication
CA2913444C (en) System and method for user authentication
US9118661B1 (en) Methods and apparatus for authenticating a user using multi-server one-time passcode verification
WO2017147503A1 (en) Techniques for confidential delivery of random data over a network
US20080162934A1 (en) Secure transmission system
CN109981285B (en) Password protection method, password verification method and system
CN106789032B (en) Single password three-party authentication method for secret sharing between server and mobile equipment
CN106464493B (en) Permanent authentication system containing one-time pass code
CN113918528A (en) Secure cloud data deduplication method and system based on trusted hardware
WO2017020669A1 (en) Method and device for authenticating identity of node in distributed system
CN111740965A (en) Internet of things equipment authentication method based on physical unclonable equation
CN111711624B (en) Control system, control method, equipment and storage medium of security cloud password manager
He et al. On one-time cookies protocol based on one-time password
CN109740339B (en) Method for user password security
Styugin Dynamic key password authentication
Contini Method to protect passwords in databases for web applications
Bissoli et al. Authentication as a service based on Shamir secret sharing
CN113645250B (en) Chinese herbal medicine traceability platform RFID protocol method based on cloud
EP1440549A1 (en) Authentication of a remote user to a host in a data communication system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant