CN109104290A - It is a kind of without re-register and to support the dynamic password authentication method of offline authentication - Google Patents
- Publication number
- CN109104290A
- Authority
- CN
- China
- Prior art keywords
- user
- password
- dynamic password
- server
- seed
- Prior art date
- Legal status
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/067—Network architectures or network communication protocols for network security for supporting key management in a packet data network using one-time keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
Abstract
The present invention relates to a dynamic password authentication method that requires no re-registration and supports offline authentication, and belongs to the field of information security. Both the user side and the server side are equipped with a clock, and a mobile phone serves as an auxiliary means of authentication. The invention designs a time-based dynamic password scheme whose chain length is unlimited and which supports offline authentication. Whether or not the user is logging in, the password is replaced at every very short time interval, so an attacker has practically no chance of cracking a dynamic password within such a short time, which protects the user. The scheme suits users with higher requirements for password security, and in particular users who want offline authentication.
Description
Technical field
The invention belongs to the field of information security and in particular relates to a dynamic password authentication method that requires no re-registration and supports offline authentication.
Background technique
The password is one of the most common identity authentication methods. Password-based authentication mechanisms fall broadly into two classes: static passwords and dynamic passwords. With a static password, the password stays unchanged unless the user actively changes it and is reused at every login, so its security is not high. A dynamic password keeps the low cost and simple deployment of a static password while improving the security of the authentication information, and is a widely used authentication mode. A dynamic password is a time-related, unpredictable random combination of digits generated by a special algorithm at regular intervals; each password is used only once.
In 1981, Lamport first proposed a dynamic password authentication method based on a hash chain (the one-time password, abbreviated OTP). This scheme has a serious defect: after a period of time every user must re-register. Re-registration means that, because the length of the hash chain is fixed, once the chain is used up the user must generate a new chain and resubmit the initial authentication value to the server. In addition, the scheme cannot prevent replay attacks, small-number attacks and the like. Since then, many researchers have designed schemes that avoid re-registration. The "dynamic password authentication based on an infinite hash chain" proposed by Chefranov [Chefranov A. G. Novel Algorithms and Techniques in Telecommunications, Automation and Industrial Electronics. Springer Netherlands, 2008: 283-286] is one of the most influential schemes that avoid re-registration. Chefranov's scheme does not limit the number of user logins, so the user never needs to re-register, and it also resists small-number attacks, replay attacks and other attacks.
Although Chefranov's scheme avoids re-registration, it has two shortcomings:
1. It uses a challenge-response mode, which requires a two-way exchange between the user and the server. The user's mobile phone must therefore always be online; when the phone has no credit or no signal, the exchange is interrupted.
2. The dynamic password remains valid until the user's next login. If the interval between two logins is very long, an attacker may be able to crack the dynamic password.
Summary of the invention
To address the two shortcomings of the above scheme, namely that offline authentication is impossible and that the dynamic password remains valid until the next login, the present invention proposes a dynamic password authentication method that requires no re-registration and supports offline authentication. On the basis of requiring no re-registration (re-registration means that, because the hash chain length is fixed, once the chain is used up the user must generate a new chain and resubmit the initial authentication value to the server), the invention also supports offline authentication; the password is replaced at every very short time interval, so an attacker has practically no chance of cracking the dynamic password within such a short time, which protects the user.
The object of the invention is to solve the problem that Chefranov's scheme cannot perform offline authentication, and to ensure that a password is valid only within a very short time interval. The invention equips both the user side and the server side with a clock and uses a mobile phone as an auxiliary means of authentication; it designs a time-based dynamic password scheme and supports offline authentication. Whether or not the user is logging in, a password is valid only within a very short period of time.
The purpose of the invention is achieved by the following technical solution:
A dynamic password authentication method that requires no re-registration and supports offline authentication, characterized in that the method comprises the following steps:
1. Registration phase:
(1) User: on registration, randomly generate SEED_P and SEED_C;
(2) User: generate the initial challenge from the static password K submitted by the user and the randomly generated SEED_P; the initial password P_0 is computed as P_0 = H(P);
(3) User: send SEED_C and P_0 to the server over a secure channel (the server obtains the first password P_prev = P_0; SEED_C is used by the server for subsequent authentication).
The password is updated automatically every 30 seconds; the update formula is as follows:
2. Login phase:
(4) User: generate a random number D_C;
(5) User: compute M1 and send it to the server: M1 = (M11, M12, M13, M14), in which:
(6) Server: first use the locally stored SEED_C to obtain D_C, then compute P_t by the recursive method; if the dynamic password recovered from M1 agrees with the dynamic password computed by the server, authentication succeeds and the method proceeds to (7), otherwise authentication fails;
(7) Server: update the authentication information P_prev = P_t, t_prev = t.
SEED_P in step (1) is used to generate the initial challenge P_0. The user sends SEED_C to the server over a secure channel; SEED_P is used only during registration, whereas SEED_C is used by the server in every authentication.
In step (2) the user first submits a user ID and a static password K; the mobile phone application generates the initial challenge P_0 from the submitted static password and the random number SEED_P.
In step (3) the generated initial challenge and SEED_C are sent to the server over a secure channel (such as SSL/TLS); the server stores them for subsequent authentication.
In step (4) the user generates a random number D_C at every login; D_C is used to encrypt the randomly generated dynamic password.
In step (5), M11 encrypts the generated dynamic password P_t, M12 and M13 are used to verify whether M1 has been tampered with by an attacker in transit, and M14 encrypts the random number D_C generated by the user.
In step (6), after M1 is sent to the server, the server first uses SEED_C to obtain the random number D_C generated by the user, then XORs M11 with a hash of D_C to obtain the transmitted dynamic password; at the same time the server computes P_t by the recursive method according to the time-based algorithm. If the dynamic password transmitted by the user agrees with the dynamic password computed by the server, authentication succeeds; otherwise authentication fails.
In step (7) the server's verification information is updated for the next authentication: if authentication succeeded, the P_prev stored on the server is replaced by the dynamic password P_t of the login that succeeded in step (6).
A specific setting of the problem solved by the invention is the following: the user's mobile phone has no credit, or the user is travelling for business or leisure in a remote place where the phone cannot find a signal, but the computer in the hotel can reach the network. Because the existing schemes all require interaction between both sides, they cannot complete authentication in this situation. The present invention supports offline authentication and thus solves the problem that authentication cannot be completed when the user's phone cannot connect to the network.
Advantages of the invention:
The substantive features and notable progress of the invention are mainly reflected in the following:
1. The user need not re-register. In the existing schemes the hash chain length is fixed; once the chain is used up the user must generate a new chain and resubmit the initial authentication value to the server, a process known as re-registration. In this scheme the user never performs re-registration, which gives a better user experience.
2. Offline authentication is supported. At present only a few schemes use a mobile phone as an auxiliary authentication tool, and they all use a challenge-response mode, which requires a two-way exchange between the user and the server; once the user cannot connect to the network for some reason, the authentication process cannot complete. This scheme supports offline authentication: even when the user's phone has no network connection it can still generate dynamic passwords, and the dynamic password is rendered as a dynamic two-dimensional code, which the computer scans to complete authentication, which is very convenient for the user.
3. Every dynamic password is time-limited. Whether or not the user uses it, a dynamic password is valid only within a very short period (for example 30 seconds), which makes password cracking harder for an attacker and further improves the security of the user's account.
The purpose, advantages and features of the invention are explained below by the non-limiting description of preferred embodiments. These embodiments are only prominent examples of applying the technical solution of the invention; all technical solutions formed by equivalent substitution or equivalent transformation fall within the scope of protection of the invention.
Detailed description of the invention
The invention is further described below with reference to the drawings and embodiments:
Fig. 1 is the flow chart of registration phase of the present invention
Fig. 2 is the flow chart of authentication phase of the present invention
Fig. 3 is mobile phone two-dimension code figure of the present invention
Specific embodiment
The above scheme is further described below with reference to specific embodiments. It should be understood that these embodiments serve to illustrate the invention and not to limit its scope. All other embodiments obtained by a person of ordinary skill in the art, based on the embodiments of the invention and without creative effort, fall within the scope of protection of the invention.
Fig. 3 illustrates the two-dimensional code generated by the invention. Because the dynamic password generated by the invention is longer than the dynamic password of Lamport's hash-chain-based scheme, and manual entry would be inconvenient for the user, the mobile phone is used as an auxiliary tool that renders the password as a two-dimensional code; the user only needs to scan the code on the phone screen with the computer's camera to read the dynamic password from the phone, with no manual entry, which solves the problem of the password being too long.
The implementation steps of the dynamic password authentication method of this embodiment, which requires no re-registration and supports offline authentication, are as follows:
Registration phase:
Step 1: On registration the user submits registration information such as user name ID, static password K, e-mail address and phone number. From the submitted information the mobile phone generates two random numbers SEED_C and SEED_P; SEED_C will be sent to the server for later verification, while SEED_P together with the static password K generates the dynamic password. The phone renders the dynamic password as a two-dimensional code and the user scans it with the computer's camera; once the computer recognizes the code, the dynamic password is filled into the password field automatically, the user clicks the "Confirm" button, and the registration information is sent to the server over a secure channel.
Step 2: The server receives the registration information sent by the user, stores the dynamic password and SEED_C locally, and records the registration time as t_prev.
After successful registration, whether or not the password is used, it is updated automatically every 30 seconds:
Authentication phase:
Step 3: The user enters the user name and static password K in the phone application, which generates the dynamic password two-dimensional code from the entered static password K and the current time. To log in on the computer, the user only needs to enter the user name manually; the password is obtained by scanning the phone's two-dimensional code with the computer's camera, and the phone generates a new dynamic password every 30 seconds. Once the computer recognizes the code, the password is filled in automatically and the login proceeds without any further action by the user.
Step 4: The server receives the login information sent by the user, first uses the locally stored SEED_C to obtain the random number D_C generated by the phone, then uses D_C to further parse the password; at the same time the server computes the dynamic password by the recursive, time-based algorithm. If the password computed by the server agrees with the transmitted password, the login succeeds; otherwise the login fails. On success, the dynamic password newly sent by the user replaces the verification information originally stored on the server, and the time is updated.
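The registration and login steps above, and Steps 1 to 4 of this embodiment, as an added runnable model in Python (this is not the patent's own code). The page does not reproduce its password-update formula or the composition of M1, so the hash recursion, the derivation of P_0, the masking of P_t with H(D_C), the protection of D_C under SEED_C and the HMAC integrity tags are assumptions, labelled in the code; the server additionally enforces a one-epoch validity window and rejects repeats, which is the 30-second timeliness property the description claims.

```python
"""Model of the patent's registration and login steps (added example, not the patent's code).
The page does not reproduce its update formula or the composition of M1; these are assumed:
  P0  = H(K || SEED_P)                                  (page only states P0 = H(P))
  P_t = H(P_{t-1} || t), t = 30-second epoch counter    (the "time-related recursion")
  M11 = P_t XOR H(D_C);  M14 = D_C XOR H(SEED_C || t);  M13 = t
  M12 = HMAC-SHA256(SEED_C, M11 || M13 || M14)          (integrity of M1)
"""
import hashlib
import hmac
import os

STEP = 30  # seconds; the page's password-update interval

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def epoch(now: float) -> int:
    return int(now // STEP)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def step_chain(P: bytes, t_from: int, t_to: int) -> bytes:
    """Advance P_{t_from} to P_{t_to}; the chain runs forward without bound,
    so it is never "used up" and no re-registration is needed (assumed form)."""
    for t in range(t_from + 1, t_to + 1):
        P = H(P, t.to_bytes(8, "big"))
    return P

class Phone:
    """User side: after registration it needs no network, only its clock."""

    def __init__(self, K: bytes, now: float):
        self.seed_p = os.urandom(32)                 # step (1)
        self.seed_c = os.urandom(32)
        self.P = H(K, self.seed_p)                   # step (2): P0 (assumed form)
        self.t = epoch(now)

    def register(self):
        # step (3): SEED_C and P0 travel over a secure channel such as TLS
        return self.seed_c, self.P, self.t

    def login_message(self, now: float, D_C: bytes = b""):
        now_t = epoch(now)
        self.P, self.t = step_chain(self.P, self.t, now_t), now_t
        D_C = D_C or os.urandom(32)                  # step (4)
        m13 = now_t.to_bytes(8, "big")
        m11 = xor(self.P, H(D_C))                    # step (5): P_t masked by H(D_C)
        m14 = xor(D_C, H(self.seed_c, m13))          # D_C recoverable only with SEED_C
        m12 = hmac.new(self.seed_c, m11 + m13 + m14, "sha256").digest()
        return (m11, m12, m13, m14)

class Server:
    def __init__(self, seed_c: bytes, P0: bytes, t0: int):
        self.seed_c, self.P_prev, self.t_prev = seed_c, P0, t0

    def verify(self, M1, now: float) -> bool:
        m11, m12, m13, m14 = M1
        tag = hmac.new(self.seed_c, m11 + m13 + m14, "sha256").digest()
        if not hmac.compare_digest(tag, m12):        # step (6): M1 untampered?
            return False
        t = int.from_bytes(m13, "big")
        # one password per epoch (+/-1 for clock skew), and each accepted only once
        if t <= self.t_prev or abs(t - epoch(now)) > 1:
            return False
        D_C = xor(m14, H(self.seed_c, m13))          # recover D_C with SEED_C
        P_claimed = xor(m11, H(D_C))                 # unmask the transmitted P_t
        P_t = step_chain(self.P_prev, self.t_prev, t)  # recompute P_t recursively
        if not hmac.compare_digest(P_t, P_claimed):
            return False
        self.P_prev, self.t_prev = P_t, t            # step (7)
        return True

def demo(now0: float = 1_700_000_000.0):
    """Fresh login succeeds; a replay and a stale (>30 s old) message do not."""
    phone = Phone(b"static password K", now0)       # constructed sample input
    server = Server(*phone.register())
    M1 = phone.login_message(now0 + 95)              # phone offline, 3 epochs later
    fresh = server.verify(M1, now0 + 95)
    replay = server.verify(M1, now0 + 96)            # same M1 again: t <= t_prev
    old = phone.login_message(now0 + 200)
    stale = server.verify(old, now0 + 400)           # presented 200 s late
    later = server.verify(phone.login_message(now0 + 500), now0 + 500)
    return fresh, replay, stale, later
```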
Claims (7)
- 1. A dynamic password authentication method that requires no re-registration and supports offline authentication, characterized in that the method comprises the following steps: Registration phase: (1) user: on registration, randomly generate SEED_P and SEED_C; (2) user: generate the initial challenge P_0 from the static password K submitted by the user and the randomly generated SEED_P; (3) user: send SEED_C and P_0 to the server over a secure channel. Login phase: (4) user: randomly generate a random number D_C; (5) user: compute M1 and send M1 to the server: M1 = (M11, M12, M13, M14); (6) server: first use the locally stored SEED_C to obtain D_C, then further parse P_t; if the dynamic password transmitted by the user agrees with the dynamic password computed by the server, authentication succeeds and the method proceeds to (7), otherwise authentication fails; (7) server: update the verification information P_prev and the authentication time t_prev.
- 2. The dynamic password authentication method requiring no re-registration and supporting offline authentication according to claim 1, characterized in that, in step (1) of the method, the mobile phone generates two random numbers SEED_C and SEED_P from the information submitted by the user; SEED_C will be sent to the server for later verification by the server, and SEED_P together with the static password K submitted by the user generates the dynamic password.
- 3. The dynamic password authentication method requiring no re-registration and supporting offline authentication according to claim 1, characterized in that, in step (4) of the method, the user generates a random number D_C at every login, and D_C is used to encrypt the randomly generated dynamic password.
- 4. The dynamic password authentication method requiring no re-registration and supporting offline authentication according to claim 1, characterized in that, in step (5) of the method, M1 is computed as follows: M1 = (M11, M12, M13, M14), in which:
- 5. The dynamic password authentication method requiring no re-registration and supporting offline authentication according to claim 1, characterized in that, in step (5) of the method, because the dynamic password generated by this scheme is long and manual entry would be inconvenient for the user, the mobile phone is used as an auxiliary tool that renders the password as a two-dimensional code; the user only needs to scan the code on the phone screen with the computer's camera to read the dynamic password from the phone, with no manual entry, which solves the problem of the password being too long.
- 6. The dynamic password authentication method requiring no re-registration and supporting offline authentication according to claim 1, characterized in that, in step (6) of the method, after M1 is sent to the server, the server first uses SEED_C to obtain the random number D_C generated by the user, then XORs M11 with a hash of D_C to obtain the transmitted dynamic password; at the same time the server computes the dynamic password by the recursive method according to the time algorithm; the server compares the transmitted dynamic password with the computed one.
- 7. The dynamic password authentication method requiring no re-registration and supporting offline authentication according to claim 1, characterized in that every dynamic password is time-limited: after successful registration, whether or not the password is used, the dynamic password is valid only within a very short time (for example 30 seconds); the update formula of the password is as follows:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811298431.5A CN109104290A (en) | 2018-10-26 | 2018-10-26 | It is a kind of without re-register and to support the dynamic password authentication method of offline authentication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811298431.5A CN109104290A (en) | 2018-10-26 | 2018-10-26 | It is a kind of without re-register and to support the dynamic password authentication method of offline authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109104290A true CN109104290A (en) | 2018-12-28 |
Family
ID=64869849
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811298431.5A Pending CN109104290A (en) | 2018-10-26 | 2018-10-26 | It is a kind of without re-register and to support the dynamic password authentication method of offline authentication |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109104290A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110688644A (en) * | 2019-10-09 | 2020-01-14 | 重庆市筑智建信息技术有限公司 | Method and system for realizing login of BIM system through graphic code |
CN111243137A (en) * | 2020-01-13 | 2020-06-05 | 汪洵 | Intelligent door lock safety management system based on open architecture |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1385781A (en) * | 2001-05-11 | 2002-12-18 | 范平志 | Dynamic password based authentication identifying method |
CN1427609A (en) * | 2001-12-20 | 2003-07-02 | 西北工业大学 | Nonrecurring countersign and business confirmation method |
CN101197667A (en) * | 2007-12-26 | 2008-06-11 | 北京飞天诚信科技有限公司 | Dynamic password authentication method |
CN101958913A (en) * | 2010-10-29 | 2011-01-26 | 四川长虹电器股份有限公司 | Bidirectional ID (Identity) authentication method based on dynamic password and digital certificate |
WO2012005744A1 (en) * | 2010-06-27 | 2012-01-12 | King Saud University | One-time password authentication with infinite nested hash claims |
WO2015042668A2 (en) * | 2013-09-06 | 2015-04-02 | Lin.K N.V. | Mobile authentication method and system for providing authenticated access to internet-supported services and applications |
CN104767624A (en) * | 2015-04-23 | 2015-07-08 | 北京航空航天大学 | Remote protocol authentication method based on biological features |
CN104901809A (en) * | 2015-04-23 | 2015-09-09 | 北京航空航天大学 | Remote authentication protocol method based on password and intelligent card |
Non-Patent Citations (1)
Title |
---|
CHANG-SEOP PARK: "One-time password based on hash chain without shared secret and re-registration", Computers & Security * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20181228 |