CN109104290A - It is a kind of without re-register and to support the dynamic password authentication method of offline authentication - Google Patents

It is a kind of without re-register and to support the dynamic password authentication method of offline authentication Download PDF

Info

Publication number
CN109104290A
CN109104290A CN201811298431.5A CN201811298431A CN109104290A CN 109104290 A CN109104290 A CN 109104290A CN 201811298431 A CN201811298431 A CN 201811298431A CN 109104290 A CN109104290 A CN 109104290A
Authority
CN
China
Prior art keywords
user
password
dynamic password
server
seed
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811298431.5A
Other languages
Chinese (zh)
Inventor
朱友文
鲁迁迁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Aeronautics and Astronautics
Original Assignee
Nanjing University of Aeronautics and Astronautics
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing University of Aeronautics and Astronautics filed Critical Nanjing University of Aeronautics and Astronautics
Priority to CN201811298431.5A priority Critical patent/CN109104290A/en
Publication of CN109104290A publication Critical patent/CN109104290A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/067Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a kind of without re-register and supports the dynamic password authentication method of offline authentication, belong to information security field, the invention all joined clock in user and server both ends, using mobile phone as the supplementary mode of certification, have devised Dynamic Password Scheme related to time, chain length is unrestricted, supports offline authentication technique;No matter whether user logs in simultaneously, and password in a very small time interval every that will replace, and attacker is almost impossible to crack dynamic password within this extremely short time, to protect the safety of user.This programme is suitable for user to the more demanding of password security, and particularly suitable user wishes the case where offline authentication may be implemented.

Description

It is a kind of without re-register and to support the dynamic password authentication method of offline authentication
Technical field
The invention belongs to information security fields, and in particular to a kind of without re-register and to support the dynamic password of offline authentication Authentication method.
Background technique
Password is commonly called as " password ", is one of most common identity identifying method.Authentication mechanism based on password is broadly divided into Two classes: static password and dynamic password.In static password mechanism, non-user active change password is removed, otherwise password is kept not Become, use can be repeated by the user when login every time, this causes its safety not high.Dynamic password not only has static password Cost it is low, deployment it is simple the features such as, moreover it is possible to the safety for improving authentication information is a kind of widely used authentication mode.It is dynamic State password refers to generates a related to time, uncertain random digit group according to special algorithm at regular intervals It closes, each password is used only once.
1981, Lamport was put forward for the first time dynamic password authentication method (the one-time password based on hash chain Abbreviation OTP), this scheme has a very big defect, need re-register per user after a period of time, so-called re-register refer to by Be in hash chain chain length it is fixed, after this chain is finished, user must regenerate a new chain again, and by initial authentication Value is resubmitted to server.In addition to this, it can not prevent Replay Attack and peanut attack etc..Up to the present, Many researchers have been designed that the various schemes for avoiding re-register.Chefranov propose " based on unlimited hash chain Dynamic password authentication " [Chefranov A G.Novel Algorithms and Techniques In Telecommunications, Automation and Industrial Electronics.Springer Netherlands, 2008:283-286.] it is one of the scheme for avoiding re-register with strongest influence power.The scheme of Chefranov Do not limit user login number, therefore there is no need user to re-register the problem of, while can resist peanut attack, The various attacks such as Replay Attack.
Although Chefranov avoids re-register problem, there are two shortcomings for this scheme:
1, using challenge -- answer-mode, challenge -- answer-mode need user and server carry out it is two-way exchange, this Require the mobile phone of user always on, when the mobile phone of user is in arrearage or the not state of signal exchange will in It is disconnected;
2, dynamic password continuously effective before user next time logs in, if the time interval that user logs in twice is very Long, attacker just has the possibility for cracking out dynamic password.
Summary of the invention
The present invention is previous what is logged in next time for cannot achieve offline authentication and dynamic password existing for above scheme Straight effectively the two shortcomings propose and a kind of without re-register and support the dynamic password authentication method of offline authentication.This Invention can meet without re-register (re-register refer to due to hash chain chain length be it is fixed, after this chain is finished, use Family must regenerate a new chain again, and initial authentication value is resubmitted to server) on the basis of, while supporting offline Certification, every that will replace in a very small time interval, attacker is almost impossible to break password within this extremely short time Dynamic password is solved, to protect the safety of user.
The object of the invention is in order to solve the problems, such as to cannot achieve offline authentication in Chefranov scheme and ensure Password is effective in an extremely short time interval.The present invention joined clock in user and server both ends, be made with mobile phone For the supplementary mode of certification, Dynamic Password Scheme related to time is had devised, supports offline authentication technique;No matter use simultaneously Whether family logs in, and password is effective all within very short a period of time.
The purpose of the present invention is achieved through the following technical solutions:
It is a kind of without re-register and to support the dynamic password authentication method of offline authentication, which is characterized in that the method packet Include following steps:
1, registration phase:
(1) user: when user's registration, SEED is generated at randomP、SEEDC
(2) user: the static password K submitted according to user the and SEED generated at randomPInitial challenge is generated, is generated just Beginning password P0Formula are as follows:P0=H (P);
(3) user: by SEED in the channel of a safetyC、P0Being sent to server, (server obtains first password Pprev=P0, SEEDCIt is authenticated for post-service device).
It is automatically updated once every 30 seconds passwords, the formula that password updates are as follows:
2, landing phase:
(4) user: a random number D is generatedC
(5) user: M1 is calculated, and M1 is sent to server: M1=(M11, M12, M13, M14), in which:
(6) server: first using being stored in local SEEDCIt obtainsAnd then use is passed Method is returned to calculateIfAnd Success is then authenticated, authenticates and successfully turns (7), otherwise authentification failure;
(7) server: authentication information P is updatedprev=Pt, tprev=t.
SEED in the step (1)PFor generating initial challenge P0, user is in the channel of a safety by SEEDCTransmission To server, SEEDPOnly used in registration, and SEEDCThen can all it be used in each certification of server.
User submits a User ID and static password K, cell phone application to be submitted according to user first in the step (2) Static password and generation random number SEEDPGenerate initial challenge P0
By the initial challenge and SEED of generation in the step (3)C(such as SSL/TLS) is sent out in the channel of a safety Server is given, server stores them, is used for subsequent authentication.
User logs in every time in the step (4) can all generate a random number DC, DCFor encrypting the dynamic generated at random Password.
M in the step (5)11For encrypting the dynamic password P of generationt, M12、M13It is for verifying M1 in transmission process It is no to be distorted by attacker, M14For encrypting the D that user generates at randomC
After M1 is sent to server in the step (6), server uses SEED firstCCome obtain user generation with Machine number DC, then M11And DCA cryptographic Hash carry out XOR operation, obtain the dynamic password transmitted, while server According to time algorithm, calculated using recurrence methodIf dynamic password and service that user transmits The dynamic password that device calculates is consistent, then authenticates success, otherwise authentification failure.
It is that service will be stored in if authenticated successfully to the update of server verification information next time in the step (7) P in deviceprevIt is updated to newest in step (6) log in successful dynamic password Pt
The specific setting environment for the problem of being solved can be in the object of the invention are as follows: user in the case where mobile phone arrearage, Either user goes on business or plays to remote place, and the mobile phone of user is searched less than signal, but the computer at hotel can join Net, due to presently, there are several schemes require the interaction of both sides, currently existing scheme is to be unable to complete to recognize in this case Card.The present invention can support offline authentication, solve to be unable to complete certification caused by above-mentioned user can not network due to mobile phone The problem of.
The invention has the advantages that
Present invention substantive distinguishing features outstanding and conspicuousness progress are mainly reflected in the following:
1, user is not necessarily to re-register, in existing several schemes, hash chain chain length be it is fixed, when this chain be finished with Afterwards, user must regenerate a new chain again, and initial authentication value is resubmitted to server, and this process is known as re-injection Copy, user operates without this re-register in this programme, to bring good experience sense to user;
2, offline authentication is supported, only a small number of schemes are supported using mobile phone as assistant authentification tool at present, and they are all Using challenge -- answer-mode, this mode need user and server carry out it is two-way exchange, once user is because certain Reason can not network, and verification process will be unable to complete.This programme supports offline authentication, even if the mobile phone of user can not network, hand Machine still can produce dynamic password, while dynamic password is generated dynamic two-dimension code, the dynamic that computer scanning mobile phone generates Verification process can be completed in two dimensional code, brings great convenience to user;
3, each dynamic password has timeliness, and no matter whether user uses dynamic password, and dynamic password is all only one In a extremely short a period of time (in such as 30 seconds) effectively, it to increase the difficulty of attacker's password cracking, further improves The safety of user account.
The purpose of the present invention, advantage and feature will be explained by the non-limitative illustration of preferred embodiment below.This A little embodiments are only the prominent example using technical solution of the present invention, all skills taking equivalent replacement or equivalent transformation and being formed Art scheme, all falls within the scope of protection of present invention.
Detailed description of the invention
The invention will be further described with reference to the accompanying drawings and embodiments:
Fig. 1 is the flow chart of registration phase of the present invention
Fig. 2 is the flow chart of authentication phase of the present invention
Fig. 3 is mobile phone two-dimension code figure of the present invention
Specific embodiment
Above scheme is described further below in conjunction with specific embodiment.It should be understood that these embodiments are for illustrating The present invention and be not limited to limit the scope of the invention.Based on the embodiment of the present invention, those of ordinary skill in the art are not doing Every other embodiment obtained under the premise of creative work out, belongs to protection scope of the present invention.
Fig. 3 illustrates the two dimensional code schematic diagram that the present invention generates, since the dynamic password ratio Lamport that the present invention generates is mentioned Dynamic password caused by the dynamic password based on hash chain out is long, it is contemplated that the inconvenience that user is manually entered, we are hand Machine generates two dimensional code as auxiliary tool, by password on mobile phone, and user only needs with computer camera scanning cell phone screen In two dimensional code be dynamic password in mobile phone can be read, without being manually entered password, solve the problems, such as that password is too long with this.
The a kind of of the present embodiment without re-register and supports the dynamic password authentication method implementation steps of offline authentication as follows:
Registration phase:
Step 1: when user's registration, submitting registration information, such as user name ID, static password K, and mailbox, cell-phone number etc., According to the information that user submits, mobile phone generates two random number SEEDC、SEEDP;SEEDCIt will be sent to server, for servicing The verifying in device later period, SEEDPThe static password K submitted with user generates dynamic password jointly, on mobile phone that dynamic password is raw At two dimensional code, the two dimensional code that user is generated using the camera scanning cell phone of computer, computer once successfully identifies two dimensional code, Dynamic password will be automatically entered into corresponding password frame, click " determination " button, registration information will be in a safety Channel in send server to.
Step 2: server receives the registration information that user sends, by dynamic password and SEEDCLocal is stored in, Recording registion time simultaneously is tprev
After user registration success, no matter whether password is used, and password just automatically updated once every 30 seconds:
Authentication phase:
Step 3: user inputs user name and static password K in cell phone application, and cell phone application is according to the static password of input K and current time generate dynamic password two dimensional code, when user logs on computers, it is only necessary to it is manually entered user name, Password can be obtained by the camera scanning cell phone two dimensional code of computer, and mobile phone just generated a new dynamic password every 30 seconds. After computer successfully identifies two dimensional code, password, and automated log on can be automatically entered, does any operation without user.
Step 4: server receives the log-on message that sends of user, first using being stored in local SEEDCIt obtains The random number D that mobile phone generatesc, then use random number DcFurther parse password, meanwhile, server using recurrence method and and when Between related algorithm calculate dynamic password, if the password that server calculates is consistent with the password transmitted, login at Function, otherwise login failure.If logined successfully, the dynamic password that user newly sends over updates original store in the server Verification information, while renewal time.

Claims (7)

  1. Without re-register and the dynamic password authentication method of offline authentication is supported 1. a kind of, which is characterized in that the method includes Following steps:
    Registration phase:
    (1) user: when user's registration, SEED is generated at randomP、SEEDC
    (2) user: the static password K submitted according to user the and SEED generated at randomPGenerate initial challenge P0
    (3) user: by SEED in the channel of a safetyC、P0It is sent to server.
    Landing phase:
    (4) a random number D user: is randomly generatedC
    (5) user: M1 is calculated, and M1 is sent to server: M1=(M11, M12, M13, M14);
    (6) server: first using being stored in local SEEDCObtain DC, then further parse PtIf user is transmitted The dynamic password to come over is consistent with the dynamic password that server calculates, and authenticates success, authenticates and successfully turns (7), otherwise authenticates Failure;
    (7) server: verification information P is updatedprevAnd authenticated time tprev
  2. 2. the dynamic password authentication method according to claim 1 for being not necessarily to re-register and supporting offline authentication, feature exist In,
    In the method step (1), according to the information that user submits, two random number SEED of mobile phone generationC、SEEDP;SEEDC It will be sent to server, for the verifying in server later period, SEEDPThe static password K submitted with user generates dynamic mouth jointly It enables.
  3. 3. the dynamic password authentication method according to claim 1 for being not necessarily to re-register and supporting offline authentication, feature exist In,
    User logs in every time in the method step (4) can all generate a random number DC, DCFor encrypting the dynamic generated at random Password.
  4. 4. the dynamic password authentication method according to claim 1 for being not necessarily to re-register and supporting offline authentication, feature exist In,
    In the method step (5), the calculation method of M1 is carried out as follows processing: M1=(M11, M12, M13, M14), In:
  5. 5. the dynamic password authentication method according to claim 1 for being not necessarily to re-register and supporting offline authentication, feature exist In,
    In the method step (5), the dynamic password generated according to this scheme is longer, it is contemplated that the inconvenience that user is manually entered, We generate two dimensional code using mobile phone as auxiliary tool, by password on mobile phone, and user only needs to be scanned with computer camera Two dimensional code in mobile phone screen is the dynamic password that can be read in mobile phone, without being manually entered password, solves password mistake with this Long problem.
  6. 6. the dynamic password authentication method according to claim 1 for being not necessarily to re-register and supporting offline authentication, feature exist In,
    In the method step (6), after M1 is sent to server, server uses SEED firstCCome obtain user generation with Machine numberThen M11And DCA cryptographic Hash carry out XOR operation, obtain transmit it is dynamic State passwordServer is calculated according to time algorithm using recurrence method simultaneouslyClothes The dynamic password transmitted and the dynamic password for calculating generation are compared by business device.
  7. 7. the dynamic password authentication method according to claim 1 for being not necessarily to re-register and supporting offline authentication, feature exist In,
    Each dynamic password has a timeliness, and after user registration success, no matter whether password is used, and dynamic password all only exists In one extremely short time (in such as 30 seconds) effectively, the formula that password updates are as follows:
CN201811298431.5A 2018-10-26 2018-10-26 It is a kind of without re-register and to support the dynamic password authentication method of offline authentication Pending CN109104290A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811298431.5A CN109104290A (en) 2018-10-26 2018-10-26 It is a kind of without re-register and to support the dynamic password authentication method of offline authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811298431.5A CN109104290A (en) 2018-10-26 2018-10-26 It is a kind of without re-register and to support the dynamic password authentication method of offline authentication

Publications (1)

Publication Number Publication Date
CN109104290A true CN109104290A (en) 2018-12-28

Family

ID=64869849

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811298431.5A Pending CN109104290A (en) 2018-10-26 2018-10-26 It is a kind of without re-register and to support the dynamic password authentication method of offline authentication

Country Status (1)

Country Link
CN (1) CN109104290A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110688644A (en) * 2019-10-09 2020-01-14 重庆市筑智建信息技术有限公司 Method and system for realizing login of BIM system through graphic code
CN111243137A (en) * 2020-01-13 2020-06-05 汪洵 Intelligent door lock safety management system based on open architecture

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1385781A (en) * 2001-05-11 2002-12-18 范平志 Dynamic password based authentication identifying method
CN1427609A (en) * 2001-12-20 2003-07-02 西北工业大学 Nonrecurring countersign and business confirmation method
CN101197667A (en) * 2007-12-26 2008-06-11 北京飞天诚信科技有限公司 Dynamic password authentication method
CN101958913A (en) * 2010-10-29 2011-01-26 四川长虹电器股份有限公司 Bidirectional ID (Identity) authentication method based on dynamic password and digital certificate
WO2012005744A1 (en) * 2010-06-27 2012-01-12 King Saud University One-time password authentication with infinite nested hash claims
WO2015042668A2 (en) * 2013-09-06 2015-04-02 Lin.K N.V. Mobile authentication method and system for providing authenticated access to internet-supported services and applications
CN104767624A (en) * 2015-04-23 2015-07-08 北京航空航天大学 Remote protocol authentication method based on biological features
CN104901809A (en) * 2015-04-23 2015-09-09 北京航空航天大学 Remote authentication protocol method based on password and intelligent card

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1385781A (en) * 2001-05-11 2002-12-18 范平志 Dynamic password based authentication identifying method
CN1427609A (en) * 2001-12-20 2003-07-02 西北工业大学 Nonrecurring countersign and business confirmation method
CN101197667A (en) * 2007-12-26 2008-06-11 北京飞天诚信科技有限公司 Dynamic password authentication method
WO2012005744A1 (en) * 2010-06-27 2012-01-12 King Saud University One-time password authentication with infinite nested hash claims
CN101958913A (en) * 2010-10-29 2011-01-26 四川长虹电器股份有限公司 Bidirectional ID (Identity) authentication method based on dynamic password and digital certificate
WO2015042668A2 (en) * 2013-09-06 2015-04-02 Lin.K N.V. Mobile authentication method and system for providing authenticated access to internet-supported services and applications
CN104767624A (en) * 2015-04-23 2015-07-08 北京航空航天大学 Remote protocol authentication method based on biological features
CN104901809A (en) * 2015-04-23 2015-09-09 北京航空航天大学 Remote authentication protocol method based on password and intelligent card

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
CHANG-SEOP PARK: "One-time password based on hash chain without shared secret and re-registration", 《COMPUTER & SECURITY》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110688644A (en) * 2019-10-09 2020-01-14 重庆市筑智建信息技术有限公司 Method and system for realizing login of BIM system through graphic code
CN111243137A (en) * 2020-01-13 2020-06-05 汪洵 Intelligent door lock safety management system based on open architecture

Similar Documents

Publication Publication Date Title
US20210367795A1 (en) Identity-Linked Authentication Through A User Certificate System
US20180097806A1 (en) Multi factor user authentication on multiple devices
CN104065652B (en) A kind of auth method, device, system and relevant device
CN104660605B (en) A kind of multiple-factor auth method and its system
CN110324143A (en) Data transmission method, electronic equipment and storage medium
WO2018219056A1 (en) Authentication method, device, system and storage medium
CN107251035A (en) Account recovers agreement
CN114157451B (en) Internet of things equipment identity authentication method, device and system and storage medium
JP2015519776A (en) Secure authentication in multi-party systems
WO2019226115A1 (en) Method and apparatus for user authentication
CN106850228A (en) A kind of foundation of portable intelligent password management system and operating method
CN104063650B (en) A kind of key storage device and using method thereof
CN109104290A (en) It is a kind of without re-register and to support the dynamic password authentication method of offline authentication
JP2024501728A (en) Blockchain-based SDP access control method and system
CN103384249A (en) Network access authentication method, device and system and authentication server
KR102244890B1 (en) Global authentication account system
KR20210001034A (en) Global authentication account system
CN112769894B (en) Equipment authentication method based on block chain Merkle tree verification
CN114765551A (en) SDP access control method and device based on block chain
EP2763346B1 (en) Mutual anti-piracy authentication system in smartphone-type software tokens and in the sms thereof
WO2024088145A1 (en) Data processing method and apparatus, and program product, computer device and storage medium
CN111818521A (en) Authority authentication method and system based on data center 5G network encryption multicast
KR20210001037A (en) Global authentication account system
Wang et al. A novel user’s authentication scheme for pervasive on-line media services
CN102025497A (en) System for logging in multiple websites by verifying client key and method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20181228

WD01 Invention patent application deemed withdrawn after publication