CN111126533A - Identity authentication method and device based on dynamic password and dynamic token

Publication number: CN111126533A
Authority: CN (China)
Application number: CN202010017764.7A
Other versions: CN111126533B
Original language: Chinese (zh)
Inventors: 曾庆非, 燕云, 陆晓
Assignee (original and current): Oxford Hainan Blockchain Research Institute Co Ltd
Legal status: granted (CN111126533B), active

Classifications

    • G06K17/0025 Co-operative working between equipment covered by two or more of main groups G06K1/00 - G06K15/00: arrangements or provisions for transferring data to distant stations, the arrangement consisting of a wireless interrogation device in combination with a device for optically marking the record carrier
    • G06K19/06037 Record carriers with optically detectable digital markings, multi-dimensional coding
    • Y04S40/20 Information technology specific aspects of communication or information technology supporting electrical power systems, e.g. CAD, simulation, modelling, system security

Abstract

The invention provides an identity authentication method and device based on a dynamic password and a dynamic token. The dynamic token generates a dynamic factor based on an event synchronization mechanism, computes a dynamic verification code from the dynamic factor and the device identifier of the dynamic token using an encryption algorithm, converts the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code, and finally displays the dynamic two-dimensional code. The dynamic two-dimensional code delivers the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to the server, and the server verifies the dynamic verification code using the dynamic factor and the device identifier of the dynamic token. Because the dynamic token supplies the dynamic verification code, the dynamic factor and the device identifier to the server through the dynamic two-dimensional code, the server can complete identity verification from the information in the two-dimensional code alone, without maintaining synchronization information consistent with the dynamic token, which solves the problem of identity authentication failure caused by desynchronization of the dynamic token and the server.

Description

Identity authentication method and device based on dynamic password and dynamic token
Technical Field
The invention relates to the technical field of identity authentication, in particular to an identity authentication method and device based on a dynamic password and a dynamic token.
Background
Dynamic password technology is a common identity authentication technology. In one existing dynamic password technique, the dynamic token computes a verification code from its own synchronization information (such as the current time or the number of times an event has occurred) using an encryption algorithm; after receiving the verification code, the server verifies it against the server's own synchronization information and performs identity authentication according to the verification result.
The problem with the existing dynamic password technology is that the synchronization information of the dynamic token and that of the server must be consistent for identity authentication to succeed. In actual use, however, the dynamic token and the server often become desynchronized (i.e. their synchronization information is inconsistent), which causes identity authentication to fail.
Disclosure of Invention
Based on the defects of the prior art, the invention provides an identity authentication method and device based on a dynamic password and a dynamic token, so as to avoid identity authentication failure caused by desynchronization of the dynamic token and a server.
The first aspect of the present invention provides an identity authentication method based on a dynamic password, which is applied to a dynamic token and comprises the following steps:
generating a dynamic factor based on an event synchronization mechanism;
computing a dynamic verification code from the dynamic factor and the device identifier of the dynamic token using an encryption algorithm;
converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code;
displaying the dynamic two-dimensional code; the dynamic two-dimensional code provides the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to a server, and the server verifies the dynamic verification code using the dynamic factor and the device identifier of the dynamic token.
Optionally, before converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code, the method further includes:
computing a device signature of the dynamic token over the device identifier of the dynamic token using a signature algorithm;
in which case converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code includes:
converting the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token into a dynamic two-dimensional code.
Optionally, converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code includes:
splicing (concatenating) the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to obtain an authentication message;
and converting the authentication message into a dynamic two-dimensional code using a two-dimensional code conversion algorithm.
Optionally, generating a dynamic factor based on the event synchronization mechanism includes:
determining the accumulated power-on count of the dynamic token and the accumulated click count of the two-dimensional code generation button of the dynamic token as dynamic factors.
Optionally, the dynamic two-dimensional code uses a hex encoding format.
The second aspect of the present invention provides an identity authentication method based on a dynamic password, which is applied to a server and includes:
receiving a dynamic two-dimensional code uploaded by a terminal device; the dynamic two-dimensional code is obtained by the terminal device from a dynamic token;
parsing a dynamic factor, the device identifier of the dynamic token and a dynamic verification code from the dynamic two-dimensional code; the dynamic factor is generated by the dynamic token based on an event synchronization mechanism, and the dynamic verification code is computed by the dynamic token from the dynamic factor and its device identifier using an encryption algorithm;
verifying the dynamic verification code using the dynamic factor and the device identifier of the dynamic token;
if the dynamic verification code fails verification, determining that the user to be authenticated has not passed identity authentication;
and if the dynamic verification code passes verification and the user information of the user to be authenticated is successfully matched with the device identifier of the dynamic token, determining that the user to be authenticated has passed identity authentication.
Optionally, before verifying the dynamic verification code using the dynamic factor and the device identifier of the dynamic token, the method further includes:
parsing the device signature of the dynamic token from the dynamic two-dimensional code; the device signature is computed by the dynamic token over its device identifier using a signature algorithm;
in which case verifying the dynamic verification code using the dynamic factor and the device identifier of the dynamic token comprises:
verifying the device signature of the dynamic token using the device identifier of the dynamic token;
and, if the device signature of the dynamic token passes verification, verifying the dynamic verification code using the dynamic factor and the device identifier of the dynamic token.
The third aspect of the present invention provides an identity authentication apparatus based on a dynamic password, which is applied to a dynamic token and includes:
a generating unit, configured to generate a dynamic factor based on an event synchronization mechanism;
an encryption unit, configured to compute a dynamic verification code from the dynamic factor and the device identifier of the dynamic token using an encryption algorithm;
a conversion unit, configured to convert the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code;
a display unit, configured to display the dynamic two-dimensional code; the dynamic two-dimensional code provides the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to a server, and the server verifies the dynamic verification code using the dynamic factor and the device identifier of the dynamic token.
Optionally, the encryption unit is further configured to compute a device signature of the dynamic token over the device identifier of the dynamic token using a signature algorithm;
and when the conversion unit converts the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code, it is specifically configured to:
convert the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token into a dynamic two-dimensional code.
Optionally, when the conversion unit converts the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code, it is specifically configured to:
splice the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to obtain an authentication message, and convert the authentication message into a dynamic two-dimensional code using a two-dimensional code conversion algorithm.
Optionally, when the generating unit generates the dynamic factor based on the event synchronization mechanism, it is specifically configured to:
determine the accumulated power-on count of the dynamic token and the accumulated click count of the two-dimensional code generation button of the dynamic token as dynamic factors.
Optionally, the dynamic two-dimensional code uses a hex encoding format.
The fourth aspect of the present invention provides an identity authentication apparatus based on a dynamic password, which is applied to a server and includes:
a receiving unit, configured to receive a dynamic two-dimensional code uploaded by a terminal device; the dynamic two-dimensional code is obtained by the terminal device from a dynamic token;
a parsing unit, configured to parse a dynamic factor, the device identifier of the dynamic token and a dynamic verification code from the dynamic two-dimensional code; the dynamic factor is generated by the dynamic token based on an event synchronization mechanism, and the dynamic verification code is computed by the dynamic token from the dynamic factor and its device identifier using an encryption algorithm;
a verification unit, configured to verify the dynamic verification code using the dynamic factor and the device identifier of the dynamic token;
a determining unit, configured to determine that the user to be authenticated has not passed identity authentication if the dynamic verification code fails verification;
and the determining unit is further configured to determine that the user to be authenticated has passed identity authentication if the dynamic verification code passes verification and the user information of the user to be authenticated is successfully matched with the device identifier of the dynamic token.
Optionally, the parsing unit is further configured to:
parse the device signature of the dynamic token from the dynamic two-dimensional code; the device signature is computed by the dynamic token over its device identifier using a signature algorithm;
and when the verification unit verifies the dynamic verification code using the dynamic factor and the device identifier of the dynamic token, it is specifically configured to:
verify the device signature of the dynamic token using the device identifier of the dynamic token, and, if the device signature passes verification, verify the dynamic verification code using the dynamic factor and the device identifier of the dynamic token.
A fifth aspect of the present invention provides a dynamic token, comprising:
a main control chip, a security chip connected to the main control chip, a display screen connected to the main control chip, a control key and a battery, wherein:
the main control chip is configured to execute the dynamic password-based identity authentication method provided in any one of the first aspects of the present application and to provide the resulting dynamic two-dimensional code to the display screen for display;
the security chip is configured to store the dynamic factor generated by the main control chip, the encryption algorithm used by the main control chip to generate the dynamic verification code, and the private key used by the main control chip to obtain the device signature of the dynamic token.
Optionally, the dynamic token further includes a universal serial bus (USB) interface and a Bluetooth communication module.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flowchart of a method for dynamic password-based identity authentication according to an embodiment of the present application;
FIG. 2 is a flowchart of a method for dynamic password-based identity authentication according to another embodiment of the present application;
FIG. 3 is a schematic diagram of an application scenario of identity authentication according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an identity authentication apparatus based on a dynamic password according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an identity authentication apparatus based on a dynamic password according to another embodiment of the present application;
FIG. 6 is a schematic structural diagram of a dynamic token according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A dynamic password (Dynamic Password) is a random-looking string obtained by computing a dynamic factor with a preset encryption algorithm. Each dynamic password can be used only once within a certain period of time, the dynamic factor changes every time a dynamic password is generated, and the resulting dynamic password therefore differs from the previous one. Because of these properties, dynamic passwords are widely used in online banking, online games, telecom operators, e-commerce and enterprises that need to authenticate users and have high security requirements.
Existing identity authentication techniques based on dynamic passwords can be classified into synchronous and asynchronous according to the manner of dynamic factor generation. In the synchronization technology, a dynamic token (generally referred to as a portable electronic device for generating a dynamic password, and mainly includes a chip and a display screen, where the chip is used to execute an encryption algorithm to generate the dynamic password) may use the current time or the current accumulated dynamic password generation times recorded by the dynamic token itself as a first dynamic factor, and after the generated dynamic password is uploaded to a server, the server uses the current time or the accumulated user login times recorded by the server as a second dynamic factor, and verifies the dynamic password based on the second dynamic factor, thereby implementing identity authentication.
Of these, the technique that uses time as the dynamic factor is called time-synchronized dynamic password technology, and the technique that uses the cumulative number of dynamic password generations and the cumulative number of user logins as dynamic factors is called event-synchronized dynamic password technology.
The problem of the synchronization technology is that the server and the dynamic token need to keep synchronization to normally perform identity authentication, where the synchronization means that the second dynamic factor used by the server and the first dynamic factor used by the dynamic token must be kept consistent. However, whether based on time synchronization or event synchronization, there is a risk of desynchronization between the server and the dynamic token (i.e. there may be inconsistency between the dynamic factor used by the server and the dynamic factor used by the dynamic token), which results in the failure of identity authentication.
Specifically, in time-synchronized dynamic password technology, the timer of the dynamic token and the timer of the server may drift apart over time; for example, the dynamic token's timer may read 10:01:30 while the server's timer reads 10:02:00. In this case the dynamic factors of the server and the dynamic token may be inconsistent, so identity authentication cannot proceed normally.
In event-synchronized dynamic password technology, a user may perform a number of dynamic password generation operations for no purpose other than when logging in to the system; in other words, the number of times the user operates the dynamic token to generate a dynamic password is not equal to the number of times the user logs in, so the dynamic factors of the dynamic token and the server become inconsistent and identity authentication fails.
In asynchronous dynamic password technology, the dynamic token needs to obtain a challenge code from the server, uses the challenge code as the dynamic factor, generates a dynamic password from it, and finally provides the dynamic password to the server for identity authentication. Because the dynamic token is generally not connected to the network, the user has to operate the dynamic token to interact with the server every time a dynamic password is generated (for example, by typing the challenge code into the dynamic token, or by scanning a two-dimensional code carrying the challenge code provided by the server with the dynamic token), so the identity authentication process is cumbersome and the user experience is poor.
Therefore, the present application provides a novel identity authentication method based on dynamic password and related device to solve the above-mentioned problems of the prior art.
Referring to fig. 1, a first embodiment of the present application provides an identity authentication method based on a dynamic password, which includes the following steps:
s101, the dynamic token generates a dynamic factor based on an event synchronization mechanism.
The dynamic token is a self-contained portable hardware device configured with a processor, a memory and other related components (such as a display screen and a communication interface). The memory stores the encryption algorithm, and the processor computes the dynamic factor with the encryption algorithm to generate a dynamic password.
The event synchronization mechanism is used for counting the accumulated occurrence times of certain events in the dynamic token, determining the current accumulated occurrence times of the events as dynamic factors when a dynamic password needs to be generated, and executing subsequent steps by using the dynamic factors.
Specifically, the event may be any one of the start-up of the dynamic token and the click of the two-dimensional code generation button of the dynamic token, or a combination of the two.
The two-dimensional code generation button is a button configured on the dynamic token provided by the application, and each time a user clicks the button, the dynamic token executes the step of generating the dynamic password and the corresponding two-dimensional code in the method provided by any embodiment of the application, so as to generate and display a dynamic two-dimensional code which at least carries information such as the equipment identifier of the dynamic token, the dynamic password generated this time, the dynamic factor used this time and the like.
That is, when step S101 is executed, the dynamic token may directly take the current accumulated power-on count as the dynamic factor, may directly take the current accumulated click count of the two-dimensional code generation button as the dynamic factor, or may combine the current accumulated power-on count and the current accumulated click count of the two-dimensional code generation button into one numeric string and take that string as the dynamic factor.
Specifically, the memory of the dynamic token may be configured with a first variable recording the number of power-ons and a second variable recording the number of button clicks. The dynamic token may be shipped with both variables initialized to 0; after shipment, the value of the first variable is automatically incremented by 1 each time the dynamic token is powered on, and the value of the second variable is automatically incremented by 1 each time the user clicks the two-dimensional code generation button. When step S101 is executed, the processor of the dynamic token may directly read the value of the first variable and/or the second variable from the memory and take that value as the dynamic factor.
From this method of generating the dynamic factor, it can be seen that the dynamic factor in the method provided by the present application is monotonically increasing: over the whole life cycle of the dynamic token, the dynamic factor generated each time the dynamic token executes any embodiment of the present application is greater than the dynamic factor it generated the previous time.
S102, the dynamic token calculates the dynamic factor and the equipment identification of the dynamic token by utilizing an encryption algorithm to obtain a dynamic verification code.
The dynamic verification code in step S102 is the aforementioned dynamic password for identity authentication.
A variety of existing encryption algorithms may be used to implement step S102, for example MD5 (Message Digest Algorithm 5), SHA (Secure Hash Algorithm) and MAC (Message Authentication Code), each of which processes an input string of any length (in this application, the input string is the dynamic factor and the device identifier of the dynamic token) to obtain an output string (in this application, the output string is the dynamic verification code). As long as any one of these existing encryption algorithms is configured in the dynamic token in advance, the dynamic token can compute the dynamic verification code from the dynamic factor and the device identifier using that algorithm.
Taking SHA-256 (Secure Hash Algorithm with a 256-bit output) as an example, an encryption program implementing the SHA-256 algorithm is stored in advance in the memory of the dynamic token. When step S102 is executed, the processor concatenates the dynamic factor and the device identifier of the dynamic token into an input string, loads the encryption program from the memory, passes the input string to the encryption program as its input parameter and runs it; the string output by the encryption program is the dynamic verification code of step S102.
The device identifier in step S102 may be either the device serial number of the dynamic token stored in its memory or the device private key of the dynamic token, or a combination of the two; of course, other information capable of uniquely identifying a dynamic token may also be used as the device identifier.
S103, the dynamic token converts the dynamic factor, its device identifier and the dynamic verification code into a dynamic two-dimensional code.
Step S103 is executed as follows:
the dynamic factor, the device identifier of the dynamic token and the dynamic verification code are concatenated to obtain an authentication message, which is simply a character string combining the three items;
the authentication message is then converted into a dynamic two-dimensional code using a two-dimensional code conversion algorithm.
Optionally, the encoding format of the resulting dynamic two-dimensional code may be hex.
The application argues that, compared with the ASCII encoding format in common use, the hex format occupies less character data. The example given is that the same information converted into a two-dimensional code in ASCII format occupies 160 bytes, while in hex format it occupies only 96 bytes. Because less data is carried, the hex-format two-dimensional code needs fewer pixels when displayed than the ASCII-format one, which avoids scanning failures caused by overly dense pixels when the display screen of the dynamic token is small.
The application further argues that commonly used two-dimensional code scanning tools parse ASCII-format two-dimensional codes but not hex-format ones, so that a hex-format two-dimensional code displayed by the dynamic token can only be interpreted by a specific terminal device or server, which is presented as improving security and preventing leakage of the information carried in the code. This should be read as a usability property rather than a security property: hex is a reversible encoding, not encryption, and anyone who captures the scanned bytes can decode the dynamic factor, device identifier and verification code from them.
S104, the dynamic token displays the dynamic two-dimensional code.
The dynamic token has a display screen, and after generating the dynamic two-dimensional code the processor controls the display screen to show it.
S105, the server acquires the dynamic two-dimensional code from the dynamic token.
For security reasons the dynamic token generally has no network connection, so step S105 is implemented as follows:
a local first terminal device acquires the dynamic two-dimensional code from the dynamic token and uploads it to the server over the network.
The first terminal device may be a personal computer, a tablet computer, a smart phone or a similar device with Internet access.
Optionally, the local first terminal device may obtain the dynamic two-dimensional code from the dynamic token in any of the following ways:
first, if the first terminal device can scan two-dimensional codes, the user scans the display screen of the dynamic token with it directly, and the first terminal device reads the dynamic two-dimensional code shown on the screen;
second, the dynamic token provided by this application may be fitted with a Bluetooth communication module, through which it communicates with a Bluetooth-capable first terminal device; after generating the dynamic two-dimensional code the token sends it to the first terminal device over Bluetooth, and the first terminal device uploads it to the server;
third, the dynamic token may also be fitted with a Universal Serial Bus (USB) interface; the user connects the dynamic token and the first terminal device with a data cable, and the first terminal device receives the dynamic two-dimensional code through the token's USB interface and sends it to the server.
S106, the server parses the dynamic two-dimensional code.
As described above, the dynamic two-dimensional code was produced by the dynamic token from the dynamic factor, the device identifier of the dynamic token and the dynamic verification code, so by parsing the dynamic two-dimensional code the server recovers those three values.
S107, the server checks the dynamic verification code.
If the dynamic verification code passes the check, step S108 is executed; if it fails, step S109 is executed.
The server checks the dynamic verification code as follows:
it applies the algorithm configured in advance on the server to the dynamic factor and the device identifier of the dynamic token to obtain a check code; if the check code equals the dynamic verification code provided by the dynamic token, the dynamic verification code is considered to pass the check, otherwise it is considered to fail. The two codes should be compared with a constant-time comparison so that the comparison itself leaks nothing about the expected value.
Note that the algorithm used by the server and the algorithm configured in the dynamic token must be the same: if the dynamic token computes the dynamic verification code with SHA-256 over the dynamic factor and the device identifier, the server computes its check code with SHA-256 over the same two values. The server's computation therefore mirrors the token's computation in step S102 and is not repeated here.
In other words, this application provides a dynamic token and a server configured with the same algorithm. When the server parses the dynamic factor, the device identifier of the dynamic token and the dynamic verification code from the dynamic two-dimensional code and the dynamic verification code passes the check, it may be concluded that the user currently requesting authentication (the user to be authenticated) holds a genuine dynamic token provided by this application, and the subsequent authentication step may proceed. This conclusion depends on the device identifier containing a value known only to the token and the server, such as the device private key option of step S102; a code computed over the serial number alone could be produced by anyone who knows that serial number. If the dynamic verification code fails the check, the user to be authenticated is taken not to hold a genuine dynamic token and may be treated directly as an illegitimate user, that is, step S109 is executed.
S108, the server matches the device identifier against the user information.
The user information is that of the user to be authenticated; specifically, it may be the user's account number, user name or any other information that uniquely identifies the user.
If the device identifier of the dynamic token fails to match the user information of the user to be authenticated, step S109 is executed; if the match succeeds, step S110 is executed.
Specifically, when the dynamic token is issued to the user, the correspondence between the device identifier of the dynamic token and the user information of the user holding it may be recorded in the server's database. When step S108 is executed, the server looks up in the database the user information corresponding to the device identifier carried by the dynamic token; if the user information found equals the user information of the user to be authenticated provided by the second terminal device, the match succeeds, otherwise it fails.
S109, the server determines that the user to be authenticated does not pass the identity authentication.
S110, the server determines that the user to be authenticated passes identity authentication.
Optionally, if the server determines that the user to be authenticated fails identity authentication it may send authentication failure information to the second terminal device; if it determines that the user passes, it may send authentication success information to the second terminal device and authorize the subsequent operation.
The second terminal device may be a personal computer, a tablet computer, or a smart phone, etc. accessing the internet.
It should be noted that the second terminal device and the first terminal device may be the same terminal device or different terminal devices.
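The flow of steps S101 to S110, worked as an added example in Python (this is not the patent's code): the token builds the event-synchronous dynamic factor from its two accumulated counts, computes SHA-256 over the factor and its device identifier, concatenates factor, serial number and code into the authentication message and hex-encodes it as the payload the two-dimensional code would carry, and the server parses the payload, recomputes the code, checks the device-to-user binding and returns a result. Two choices go beyond the text and are assumptions: the device identifier that is hashed is the page's "combination of the two" option, a public serial number plus a per-device secret provisioned to the server, because a code computed over the serial number alone could be produced by anyone who reads the serial out of the two-dimensional code; and the server records the last accepted factor for each token so that a captured two-dimensional code cannot be replayed, a check the page does not describe. The class and method names, the message layout and all sample data are constructed.

```python
import hashlib
import hmac


class DynamicToken:
    """Token side of steps S101-S104 (constructed example, not the patent's code)."""

    def __init__(self, serial: str, device_secret: bytes):
        self.serial = serial                # public serial number, carried in the two-dimensional code
        self.device_secret = device_secret  # assumed secret part of the device identifier, never sent
        self.power_ons = 0                  # accumulated start-ups of the token
        self.refresh_clicks = 0             # accumulated presses of the code-generation button

    def power_on(self) -> None:
        self.power_ons += 1

    def dynamic_factor(self) -> str:
        # S101: event-synchronous factor built from the two accumulated counts.
        return f"{self.power_ons:06d}{self.refresh_clicks:06d}"

    def dynamic_verification_code(self, factor: str) -> str:
        # S102: SHA-256 over factor || device identifier (serial number plus device secret).
        material = factor.encode() + self.serial.encode() + self.device_secret
        return hashlib.sha256(material).hexdigest()

    def press_refresh(self) -> str:
        """S101-S103: count the click, compute the code, return the hex authentication message."""
        self.refresh_clicks += 1
        factor = self.dynamic_factor()
        code = self.dynamic_verification_code(factor)
        authentication_message = "|".join([factor, self.serial, code]).encode()
        return authentication_message.hex()   # S104 would render this string as the QR code


class AuthServer:
    """Server side of steps S106-S110 (constructed example)."""

    def __init__(self):
        self.devices = {}      # serial -> (device_secret, user information), recorded at issuance
        self.last_factor = {}  # serial -> last accepted factor; replay check added beyond the page

    def enroll(self, serial: str, device_secret: bytes, user: str) -> None:
        self.devices[serial] = (device_secret, user)

    @staticmethod
    def parse(message_hex: str):
        # S106: undo the hex encoding and split the concatenated authentication message.
        try:
            parts = bytes.fromhex(message_hex).decode("ascii").split("|")
        except (ValueError, UnicodeDecodeError):
            return None
        if len(parts) != 3 or len(parts[0]) != 12 or not parts[0].isdigit():
            return None
        return tuple(parts)

    def authenticate(self, message_hex: str, claimed_user: str):
        parsed = self.parse(message_hex)
        if parsed is None:
            return False, "malformed authentication message"
        factor, serial, code = parsed
        record = self.devices.get(serial)
        if record is None:
            return False, "unknown device identifier"
        device_secret, bound_user = record
        # S107: recompute with the same algorithm and compare in constant time.
        check_code = hashlib.sha256(factor.encode() + serial.encode() + device_secret).hexdigest()
        if not hmac.compare_digest(check_code, code):
            return False, "dynamic verification code rejected (S109)"
        # Replay check: both counts only grow, so an accepted factor must exceed the last one.
        counts = (int(factor[:6]), int(factor[6:]))
        if counts <= self.last_factor.get(serial, (0, 0)):
            return False, "replayed dynamic factor"
        # S108: the token must be the one issued to the claimed user.
        if bound_user != claimed_user:
            return False, "device identifier does not match user information (S109)"
        self.last_factor[serial] = counts
        return True, "identity authentication passed (S110)"


def demo():
    """Runs the flow once; returns (genuine, replayed, wrong_user, forgery) outcomes."""
    secret = b"constructed-device-secret-0001"          # constructed provisioning data
    token = DynamicToken("SN-000123", secret)
    server = AuthServer()
    server.enroll("SN-000123", secret, "userA")
    token.power_on()
    message = token.press_refresh()
    genuine, _ = server.authenticate(message, "userA")               # accepted
    replayed, _ = server.authenticate(message, "userA")              # same factor again
    wrong_user, _ = server.authenticate(token.press_refresh(), "userB")  # token not bound to userB
    # Forgery by someone who knows only the serial number and the message layout.
    forged_factor = "000001000009"
    forged_code = hashlib.sha256(forged_factor.encode() + b"SN-000123").hexdigest()
    forged = "|".join([forged_factor, "SN-000123", forged_code]).encode().hex()
    forgery, _ = server.authenticate(forged, "userA")
    return genuine, replayed, wrong_user, forgery
```

The forgery attempt fails only because the hashed identifier includes a secret the attacker does not have; with the serial number as the sole identifier, as the page also permits, the forged code would verify.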
In the first case, a user requests an operation requiring authorization on a mobile terminal (such as a smart phone). The mobile terminal prompts the user to provide a dynamic two-dimensional code; the user triggers the dynamic token to generate one and scans it with the same mobile terminal, which uploads it to the server. After checking it, the server decides whether the user passes identity authentication; if so, it sends authentication success information to the mobile terminal and authorizes it to execute the subsequent operation, otherwise it sends authentication failure information to the mobile terminal.
In the second case, a user requests an operation requiring authorization on a personal computer, triggers the dynamic token to generate a dynamic two-dimensional code, scans it with a mobile phone and provides it to the server. After checking it, if the user passes identity authentication the server sends authentication success information to the computer and authorizes it to execute the subsequent operation, otherwise it sends authentication failure information to the computer.
The embodiment of this application provides an identity authentication method based on a dynamic password: after the dynamic token generates a dynamic factor by an event synchronization mechanism, the dynamic factor, the device identifier and the dynamic verification code derived from them are provided to the server in the form of a dynamic two-dimensional code; the server parses the three values from the code and authenticates the user on the basis of them.
In its first aspect, the invention addresses the complexity of the authentication process in existing asynchronous (challenge-response) dynamic password schemes. When identity authentication is needed, the user only presses the corresponding button on the dynamic token and then captures the dynamic two-dimensional code with a terminal device; no interaction between the dynamic token and the server is needed before the code is generated, which simplifies the process and improves the user experience.
In its second aspect, the invention addresses authentication failures caused by loss of synchronization between the dynamic token and the server in existing synchronous dynamic password schemes. In those schemes the dynamic token derives its dynamic password from its own clock or event count, and the server checks it against the server's own clock or event count; as soon as the two drift apart, the token and server are out of synchronization. In this scheme, after the dynamic token computes the dynamic verification code with its own event count as the dynamic factor, it delivers that dynamic factor to the server together with the verification code through the terminal device, so the server checks the code using the token's own event count as the dynamic factor. The two sides therefore use the same dynamic factor in every authentication, desynchronization due to clock drift or mismatched event counts cannot occur, and the success rate of identity authentication is assured. The corollary is that the server no longer holds an independent counter to compare against, so a server that wants to reject a previously used two-dimensional code must itself record the highest dynamic factor it has accepted from each token.
A second embodiment of the present application further provides an identity authentication method based on a dynamic password, please refer to fig. 2, where the method includes:
S201, the dynamic token generates a dynamic factor based on an event synchronization mechanism.
S202, the dynamic token computes a dynamic verification code over the dynamic factor and its device identifier using the pre-configured algorithm.
S203, the dynamic token signs its device identifier with a signature algorithm to obtain the device signature of the dynamic token.
Step S203 is executed in the same way as the computation of the dynamic verification code in S102 of the preceding embodiment: the processor retrieves the program implementing the signature algorithm from memory and provides the device identifier to it, and the program outputs the device signature of the dynamic token.
Specifically, the signature algorithm may be the Elliptic Curve Digital Signature Algorithm (ECDSA), an existing public-key signature scheme built on elliptic curve arithmetic. The application describes ECDSA as encrypting the information to be signed (here, the device identifier) with a preset private key; more precisely, ECDSA does not encrypt its input but produces a signature over it (here, the device signature) using the private key, which any holder of the matching public key can verify. Optionally, in this embodiment the device identifier may be signed with ECDSA over the curve secp256k1 to obtain the device signature.
The equation of this elliptic curve and the ECDSA procedure are well known to those skilled in the art and are not described here.
And S204, the dynamic token converts the dynamic factor, the equipment identifier, the equipment signature and the dynamic verification code into a dynamic two-dimensional code.
And S205, displaying the dynamic two-dimensional code by the dynamic token.
S206, the server acquires the dynamic two-dimensional code from the dynamic token.
And S207, the server analyzes the dynamic two-dimensional code.
As in the preceding embodiment, after the server parses the dynamic two-dimensional code it obtains the dynamic factor, the device identifier, the device signature and the dynamic verification code carried in it.
S208, the server verifies the device signature, the dynamic verification code and the user information, in that order.
The user information is the information provided by the user to be authenticated for identity authentication, for example a user account, a user name or another identifier.
If every check passes, the user to be authenticated passes identity authentication and step S209 is executed; if any check fails, the user does not pass identity authentication and step S210 is executed.
Step S208 is executed as follows:
first, the device signature is verified against the device identifier of the dynamic token; if it fails, identity authentication is determined to have failed at once. If the device signature is valid, the dynamic verification code is checked using the dynamic factor and the device identifier; if it fails, identity authentication is determined to have failed at once. If the dynamic verification code passes, the user information is checked, that is, the server determines whether the user information matches the device identifier; if it does not, identity authentication fails, and if it does, identity authentication succeeds.
Checking the dynamic verification code is the same as step S107 of the preceding embodiment and checking the user information is the same as step S108, so neither is repeated here.
The device signature is verified as follows:
the server is pre-configured with the public key matching the private key used by the dynamic token; together they form a public-private key pair. The application describes the server as computing a device signature over the parsed device identifier with the same signature algorithm and the public key and comparing it with the device signature parsed from the dynamic two-dimensional code. With ECDSA a signature cannot be recomputed from the public key (signing requires the private key, and each signature incorporates a fresh nonce), so what the server actually does is run the ECDSA verification procedure on the parsed device identifier as the message, the parsed device signature and the configured public key; the procedure reports whether the signature is valid for that message under that key. If it is, the device signature passes verification; otherwise it fails.
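Steps S203 and S208 as an added example (not the patent's code), written in plain Python without a cryptography library so that the verification equation the server evaluates is visible: the token signs its device identifier with ECDSA over secp256k1 and the server verifies the signature with the public key rather than recomputing it. The nonce derivation is a simplified deterministic stand-in for RFC 6979, the device identifier and keys are constructed, and nothing about the token's key storage is assumed beyond the private key being available to the signing routine. As on the page, the signed message is the static device identifier, so the same signature remains valid across authentications; binding the dynamic factor into the signed message would be the way to tie a signature to one attempt.

```python
import hashlib
import hmac

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P); G generates a group of prime order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P        # tangent slope (curve has a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def _hash_to_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def public_key(private_key: int):
    return _mul(private_key, G)


def sign(private_key: int, message: bytes):
    """S203 on the token: ECDSA signature (r, s) over the device identifier."""
    z = _hash_to_int(message)
    counter = 0
    while True:
        # Deterministic nonce from key and message, a simplified stand-in for RFC 6979.
        # A nonce that repeats or leaks exposes the private key, so it must never be reused.
        material = private_key.to_bytes(32, "big") + z.to_bytes(32, "big") + bytes([counter])
        k = int.from_bytes(hmac.new(material, b"nonce", hashlib.sha256).digest(), "big") % N
        counter += 1
        if k == 0:
            continue
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * private_key) % N
        if r and s:
            return (r, s)


def verify(pub, message: bytes, signature) -> bool:
    """S208 on the server: the ECDSA verification equation, not a recomputation of (r, s)."""
    r, s = signature
    if not (0 < r < N and 0 < s < N):
        return False
    z = _hash_to_int(message)
    w = pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))   # u1*G + u2*Q should equal k*G
    return point is not None and point[0] % N == r


def demo():
    """Signs a constructed device identifier and returns (valid, altered_id, wrong_key) results."""
    device_identifier = b"SN-000123"                                  # constructed serial number
    private_key = _hash_to_int(b"constructed token private key")     # would live in the security chip
    pub = public_key(private_key)                                     # provisioned to the server at issuance
    sig = sign(private_key, device_identifier)
    return (verify(pub, device_identifier, sig),
            verify(pub, b"SN-000124", sig),                           # identifier altered in the payload
            verify(public_key(_hash_to_int(b"other token")), device_identifier, sig))
```

Because verification needs only the public key, the server never holds anything that could produce a device signature, which is the property that distinguishes this step from the shared-secret check of step S107.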
In this embodiment, on the basis of the embodiment corresponding to fig. 1, a link of generating and verifying an equipment signature is added, so that the security of the identity authentication scheme provided by the present application is further improved.
S209, the server determines that the identity authentication of the user to be authenticated is successful.
S210, the server determines that the identity authentication of the user to be authenticated fails.
In order to better understand the identity authentication method provided by the present application, a specific implementation process of the present application in a mobile payment scenario is described below with reference to fig. 3.
As shown in fig. 3, suppose user A wants to buy goods through an online banking system using the mobile payment software on mobile phone 200 and has reached the payment step. User A logs in to the mobile payment software with an account and password, enters the amount and confirms payment. To protect the user's funds it is then generally necessary to verify that the person operating mobile phone 200 really is user A, so the mobile payment software shows the two-dimensional code scanning interface of mobile phone 200 on the left of fig. 3 and prompts the user to operate dynamic token 100 to generate a dynamic two-dimensional code and scan it.
Once the phone shows this interface, user A operates the dynamic token to generate the dynamic two-dimensional code. Specifically, the dynamic token may normally be kept powered off; when it is needed the user presses the power key, the token starts, automatically executes the corresponding steps of the preceding embodiments, and generates and shows the dynamic two-dimensional code in its display area. The user may also press the refresh button to the right of the power key to make the token generate and display a new dynamic two-dimensional code. Optionally, the token may not generate a code automatically at power-on, producing and displaying one only when the user presses the refresh button.
After the dynamic token displays the code, user A scans the display area with the phone, which thereby obtains the two-dimensional code generated by the dynamic token; the mobile payment software on the phone then uploads the dynamic two-dimensional code together with the user information of the user to be authenticated, namely user A's account number, to server 300.
On receiving this, the server executes the server-side steps of the preceding embodiments: it parses the two-dimensional code and verifies the device signature and the dynamic verification code. Once both pass, the server checks whether the device identifier carried in the dynamic two-dimensional code matches user A's account number, in other words whether the dynamic token that produced the code is user A's token. If it matches, the token is user A's, and the user currently requesting payment is taken to be user A.
Once the user requesting payment is confirmed to be user A, the server in a mobile payment scenario can debit the bank account associated in advance with user A directly, with no further action from the user on the phone; the server therefore only needs to send the phone an authentication result indicating that identity authentication passed, and on receiving it the phone treats the requested payment as completed and shows the interface on the right of fig. 3.
Of course, the above is only one application scenario of the identity authentication method provided in the present application. The method provided by the application can also be applied to other scenes, and in other scenes, according to different practical situations, the user can also execute subsequent operations on the mobile terminal after the identity authentication is passed.
For example, the method provided by the application can also be applied to identity authentication of a user when the user logs in a certain platform, if the identity authentication is passed, the server issues a result of successful authentication, and then the terminal device outputs a relevant interface of the platform, so that the user can enter the platform and execute relevant operations.
In combination with the method provided by the embodiment of the present application, the embodiment of the present application further provides an apparatus for performing the method.
Referring to fig. 4, an embodiment of the present application provides an identity authentication device based on a dynamic password, which may be regarded as a processor in the dynamic token mentioned in the foregoing embodiment, and includes the following units:
a generating unit 401, configured to generate a dynamic factor based on the event synchronization mechanism.
And the encryption unit 402 is configured to calculate the dynamic factor and the device identifier of the dynamic token by using an encryption algorithm, so as to obtain the dynamic verification code.
And a converting unit 403, configured to convert the dynamic factor, the device identifier of the dynamic token, and the dynamic verification code into a dynamic two-dimensional code.
And a display unit 404 for displaying the dynamic two-dimensional code.
The dynamic two-dimensional code is used for providing the dynamic factor, the equipment identification of the dynamic token and the dynamic verification code to the server, and the server verifies the dynamic verification code by using the dynamic factor and the equipment identification of the dynamic token.
Optionally, the encryption unit 402 is further configured to calculate the device identifier of the dynamic token by using a signature algorithm, so as to obtain a device signature of the dynamic token.
When the conversion unit 403 converts the dynamic factor, the device identifier of the dynamic token, and the dynamic verification code into a dynamic two-dimensional code, the conversion unit is specifically configured to:
and converting the dynamic factor, the equipment identification of the dynamic token, the dynamic verification code and the equipment signature of the dynamic token into a dynamic two-dimensional code.
When the conversion unit 403 converts the dynamic factor, the device identifier of the dynamic token, and the dynamic verification code into a dynamic two-dimensional code, it is specifically configured to:
splicing the dynamic factor, the equipment identification of the dynamic token and the dynamic verification code to obtain an authentication message; and converting the authentication message into a dynamic two-dimension code by using a two-dimension code conversion algorithm.
When the generating unit 401 generates the dynamic factor based on the event synchronization mechanism, it is specifically configured to:
and determining the accumulated starting times of the dynamic token and the accumulated clicked times of the two-dimensional code generation button of the dynamic token as dynamic factors.
Optionally, the dynamic two-dimensional code obtained by conversion by the conversion unit may be a two-dimensional code in a hex encoding format.
For the device provided in this embodiment, specific working principles of the device may refer to steps executed by the dynamic token in the identity authentication method provided in any embodiment of the present application, and details are not described here.
Referring to fig. 5, an embodiment of the present application further provides an apparatus, which may be regarded as the server mentioned in the foregoing embodiment, where the apparatus includes:
the receiving unit 501 is configured to receive a dynamic two-dimensional code uploaded by a terminal device; and the dynamic two-dimension code is acquired from the dynamic token by the terminal equipment.
And the parsing unit 502 is configured to parse the dynamic factor, the device identifier of the dynamic token, and the dynamic verification code from the dynamic two-dimensional code.
The dynamic factor is generated by the dynamic token based on an event synchronization mechanism, and the dynamic verification code is obtained by the dynamic token through calculating the dynamic factor and the equipment identification of the dynamic token by using an encryption algorithm.
And a checking unit 503, configured to check the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token.
The determining unit 504 is configured to determine that the user to be authenticated does not pass the identity authentication if the dynamic verification code does not pass the verification.
The determining unit 504 is configured to determine that the user to be authenticated passes the identity authentication if the dynamic verification code passes the verification and the user information of the user to be authenticated and the device identifier of the dynamic token are successfully matched.
Optionally, the parsing unit 502 is further configured to:
and analyzing the device signature of the dynamic token from the dynamic two-dimensional code.
The device signature of the dynamic token is obtained by calculating the device identification of the dynamic token by the dynamic token through a signature algorithm.
When the verification unit 503 verifies the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token, it is specifically configured to:
verifying the device signature of the dynamic token by using the device identifier of the dynamic token; and if the device signature of the dynamic token passes the verification, verifying the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token.
For the apparatus provided in this embodiment, specific working principles of the apparatus may refer to steps executed by the server in the identity authentication method provided in any embodiment of the present application, and details are not described here again.
The embodiment of this application provides an identity authentication device based on a dynamic password. On the token, generating unit 401 generates a dynamic factor by an event synchronization mechanism, encryption unit 402 computes the dynamic verification code over the dynamic factor and the device identifier of the dynamic token, conversion unit 403 converts the dynamic factor, the device identifier and the dynamic verification code into a dynamic two-dimensional code, and display unit 404 displays it. A terminal device acquires the dynamic two-dimensional code from the dynamic token; on the server, receiving unit 501 receives the code uploaded by the terminal device, parsing unit 502 parses the dynamic factor, the device identifier and the dynamic verification code from it, and checking unit 503 authenticates the user on the basis of the parsed information.
In the device provided by the application, the dynamic token provides the dynamic factor, the equipment identifier and the dynamic verification code to the server in a two-dimensional code form through the conversion unit 403 and the display unit 404, so that the server can directly verify the dynamic verification code by using the dynamic factor of the dynamic token, thereby effectively avoiding the condition of identity authentication failure under the condition of desynchronization between the server and the dynamic token and improving the user experience.
Finally, an embodiment of the present application further provides a dynamic token; please refer to fig. 6, where the dynamic token includes the following structure:
a main control chip, a security chip connected to the main control chip, a display screen connected to the main control chip, control keys and a battery.
The main control chip is used for executing the step of generating the dynamic two-dimensional code in the identity authentication method based on the dynamic password provided by any embodiment of the application, and for providing the obtained dynamic two-dimensional code to the display screen for display.
The security chip is used for storing the dynamic factor generated by the main control chip, the encryption algorithm used when the main control chip generates the dynamic verification code, and the private key used when the main control chip obtains the device signature of the dynamic token.
As shown in fig. 6, the main control chip, the security chip and the battery are packaged in the shell of the dynamic token, and the shell of the dynamic token may be a zinc alloy shell or a shell made of other materials.
The control keys include a power key and a refresh key, as shown in fig. 6; the refresh key corresponds to the two-dimensional code generation button in the method provided in the foregoing embodiment.
The battery may be a secondary lithium battery.
Further, the dynamic token provided by this embodiment also includes a Bluetooth communication module and a USB interface. On the one hand, the USB interface can be connected to the terminal device through a data cable, so that the main control chip of the dynamic token can provide the dynamic two-dimensional code to the terminal device over a wired connection; on the other hand, the USB interface can be connected to an external charger, so that the battery of the dynamic token can be charged.
The Bluetooth communication module is also packaged in the shell. It can be used to establish a Bluetooth connection with the terminal device, and once the Bluetooth connection is established the main control chip can provide the dynamic two-dimensional code to the terminal device over Bluetooth.
An optional working principle of the dynamic token provided by this embodiment is as follows:
The dynamic token is preset with an auto-off duration (for example, 5 minutes); if the dynamic token is not operated within that duration, it is automatically turned off. When the dynamic token is in the power-off state, the user can press and hold the power key to turn it on. After the dynamic token is turned on, the user presses and holds the power key again, whereupon the display screen of the dynamic token lights up: the main control chip first displays the current battery level and preset text information on the display screen, then executes the steps for generating a dynamic two-dimensional code in the identity authentication method provided by the embodiments of the application, generates the dynamic two-dimensional code, and switches to the two-dimensional code display interface to display it.
While the two-dimensional code is shown on the display screen, the user can click the refresh key; each time the user clicks it, the main control chip executes the step of generating the dynamic two-dimensional code in this embodiment to generate a new dynamic two-dimensional code and controls the display screen to display it. After the display screen outputs the two-dimensional code, the user can scan it with the terminal device, whereby the two-dimensional code is uploaded to the server.
Specifically, in a scenario requiring multiple identity authentications (for example, multiple transactions), the user may click the refresh key once for each identity authentication, generating a new two-dimensional code for the next identity authentication.
After the display screen of the dynamic token lights up, if the user performs no operation within 2 minutes (the duration can of course be adjusted to the specific situation), the display screen is turned off. When the display screen is off but the dynamic token is still powered on, the user can click the power key or the refresh key to light up the display screen again. If the user does not operate the dynamic token for 5 minutes continuously, the dynamic token shuts down automatically.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
It should be noted that the terms "first", "second", and the like in the present invention are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
The foregoing description of the disclosed embodiments enables those skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (16)

1. An identity authentication method based on a dynamic password, applied to a dynamic token, the method comprising the following steps:
generating a dynamic factor based on an event synchronization mechanism;
calculating the dynamic factor and the device identifier of the dynamic token by using an encryption algorithm to obtain a dynamic verification code;
converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code;
displaying the dynamic two-dimensional code; the dynamic two-dimensional code is used for providing the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to a server, and the server verifies the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token.
2. The identity authentication method of claim 1, wherein before converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code, the method further comprises:
calculating the device identifier of the dynamic token by using a signature algorithm to obtain a device signature of the dynamic token;
wherein converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code comprises:
converting the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token into a dynamic two-dimensional code.
3. The identity authentication method of claim 2, wherein converting the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token into a dynamic two-dimensional code comprises:
splicing the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token to obtain an authentication message;
converting the authentication message into a dynamic two-dimensional code by using a two-dimensional code conversion algorithm.
4. The identity authentication method of claim 1, wherein generating the dynamic factor based on the event synchronization mechanism comprises:
determining the accumulated number of times the dynamic token has been started and the accumulated number of times the two-dimensional code generation button of the dynamic token has been clicked as the dynamic factor.
5. The identity authentication method according to any one of claims 1 to 4, wherein the encoding format of the dynamic two-dimensional code is a hex code format.
6. An identity authentication method based on a dynamic password, applied to a server, the method comprising the following steps:
receiving a dynamic two-dimensional code uploaded by a terminal device; the dynamic two-dimensional code is obtained by the terminal device from a dynamic token;
parsing a dynamic factor, the device identifier of the dynamic token and a dynamic verification code from the dynamic two-dimensional code; the dynamic factor is generated by the dynamic token based on an event synchronization mechanism, and the dynamic verification code is obtained by the dynamic token by calculating the dynamic factor and the device identifier of the dynamic token using an encryption algorithm;
verifying the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token;
if the dynamic verification code does not pass the verification, determining that the user to be authenticated does not pass the identity authentication;
if the dynamic verification code passes the verification and the user information of the user to be authenticated is successfully matched with the device identifier of the dynamic token, determining that the user to be authenticated passes the identity authentication.
7. The identity authentication method of claim 6, wherein before verifying the dynamic verification code using the dynamic factor and the device identifier of the dynamic token, the method further comprises:
parsing the device signature of the dynamic token from the dynamic two-dimensional code; the device signature of the dynamic token is obtained by the dynamic token by calculating the device identifier of the dynamic token using a signature algorithm;
wherein verifying the dynamic verification code using the dynamic factor and the device identifier of the dynamic token comprises:
verifying the device signature of the dynamic token by using the device identifier of the dynamic token;
if the device signature of the dynamic token passes the verification, verifying the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token.
8. An identity authentication device based on a dynamic password, applied to a dynamic token, the identity authentication device comprising:
a generating unit, configured to generate a dynamic factor based on an event synchronization mechanism;
an encryption unit, configured to calculate the dynamic factor and the device identifier of the dynamic token by using an encryption algorithm to obtain a dynamic verification code;
a conversion unit, configured to convert the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code;
a display unit, configured to display the dynamic two-dimensional code; the dynamic two-dimensional code is used for providing the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to a server, and the server verifies the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token.
9. The identity authentication device of claim 8, wherein the encryption unit is further configured to calculate the device identifier of the dynamic token by using a signature algorithm to obtain a device signature of the dynamic token;
and when converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code, the conversion unit is specifically configured to:
convert the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token into a dynamic two-dimensional code.
10. The identity authentication device of claim 9, wherein, when converting the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token into a dynamic two-dimensional code, the conversion unit is specifically configured to:
splice the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token to obtain an authentication message; and convert the authentication message into a dynamic two-dimensional code by using a two-dimensional code conversion algorithm.
11. The identity authentication device of claim 8, wherein, when generating the dynamic factor based on the event synchronization mechanism, the generating unit is specifically configured to:
determine the accumulated number of times the dynamic token has been started and the accumulated number of times the two-dimensional code generation button of the dynamic token has been clicked as the dynamic factor.
12. The identity authentication device according to any one of claims 8 to 11, wherein the encoding format of the dynamic two-dimensional code is a hex code format.
13. An identity authentication device based on a dynamic password, applied to a server, the identity authentication device comprising:
a receiving unit, configured to receive a dynamic two-dimensional code uploaded by a terminal device; the dynamic two-dimensional code is obtained by the terminal device from a dynamic token;
a parsing unit, configured to parse a dynamic factor, the device identifier of the dynamic token and a dynamic verification code from the dynamic two-dimensional code; the dynamic factor is generated by the dynamic token based on an event synchronization mechanism, and the dynamic verification code is obtained by the dynamic token by calculating the dynamic factor and the device identifier of the dynamic token using an encryption algorithm;
a verification unit, configured to verify the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token;
a determining unit, configured to determine that the user to be authenticated does not pass the identity authentication if the dynamic verification code does not pass the verification;
the determining unit being further configured to determine that the user to be authenticated passes the identity authentication if the dynamic verification code passes the verification and the user information of the user to be authenticated is successfully matched with the device identifier of the dynamic token.
14. The identity authentication device of claim 13, wherein the parsing unit is further configured to:
parse the device signature of the dynamic token from the dynamic two-dimensional code; the device signature of the dynamic token is obtained by the dynamic token by calculating the device identifier of the dynamic token using a signature algorithm;
and wherein, when verifying the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token, the verification unit is specifically configured to:
verify the device signature of the dynamic token by using the device identifier of the dynamic token; and if the device signature of the dynamic token passes the verification, verify the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token.
15. A dynamic token, comprising:
a main control chip, a security chip connected to the main control chip, a display screen connected to the main control chip, control keys and a battery; wherein:
the main control chip is configured to execute the identity authentication method based on a dynamic password according to any one of claims 1 to 5, and to provide the obtained dynamic two-dimensional code to the display screen for display;
the security chip is configured to store the dynamic factor generated by the main control chip, the encryption algorithm used when the main control chip generates the dynamic verification code, and the private key used when the main control chip obtains the device signature of the dynamic token.
16. The dynamic token of claim 15, further comprising a universal serial bus (USB) interface and a Bluetooth communication module.
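The token-side and server-side procedure of claims 1 and 3 to 6 carried through end to end, as an added example that is not code from the patent or its assignee. It assumes HMAC-SHA256 keyed with a per-device secret shared with the server as the "encryption algorithm", uses the hex payload in place of the QR image, leaves out the device signature of claims 2 and 7, and adds a last-accepted-counter check that the patent text does not specify; all device identifiers, secrets and user names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

CODE_LEN = 8  # constructed choice: verification code truncated to 8 hex digits


def verification_code(secret: bytes, boot: int, clicks: int, device_id: str) -> str:
    """Claim 1's 'encryption algorithm' over factor + device id (assumed: HMAC-SHA256)."""
    msg = f"{boot}:{clicks}:{device_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:CODE_LEN]


def build_message(boot: int, clicks: int, device_id: str, code: str) -> str:
    """Claims 3 and 5: splice the fields into one message and hex-encode it."""
    return f"{boot}|{clicks}|{device_id}|{code}".encode().hex()


def parse_message(hex_payload: str):
    """Claim 6: recover (boot, clicks, device_id, code) from the hex payload, or None."""
    try:
        fields = bytes.fromhex(hex_payload).decode().split("|")
    except ValueError:  # odd length, non-hex digits or non-UTF-8 bytes
        return None
    if len(fields) != 4 or not (fields[0].isdigit() and fields[1].isdigit()):
        return None
    return int(fields[0]), int(fields[1]), fields[2], fields[3]


@dataclass
class DynamicToken:
    device_id: str          # identifier burnt into the token (constructed)
    secret: bytes           # held in the security chip; assumed shared with the server
    boot_count: int = 0     # accumulated number of power-ons
    click_count: int = 0    # accumulated refresh-key presses

    def power_on(self) -> None:
        self.boot_count += 1

    def press_refresh(self) -> str:
        """Refresh key: advance the event counter and emit the QR payload."""
        self.click_count += 1
        boot, clicks = self.boot_count, self.click_count  # claim 4's dynamic factor
        code = verification_code(self.secret, boot, clicks, self.device_id)
        return build_message(boot, clicks, self.device_id, code)


@dataclass
class AuthServer:
    secrets: dict                                   # device_id -> shared secret
    owners: dict                                    # device_id -> registered user
    last_seen: dict = field(default_factory=dict)   # device_id -> last accepted factor

    def authenticate(self, user: str, hex_payload: str) -> bool:
        parsed = parse_message(hex_payload)
        if parsed is None:
            return False
        boot, clicks, device_id, code = parsed
        secret = self.secrets.get(device_id)
        if secret is None:
            return False
        # Recompute with the factor carried in the QR code itself, so the server
        # keeps no counter of its own and cannot drift out of sync with the token.
        expected = verification_code(secret, boot, clicks, device_id)
        if not hmac.compare_digest(expected, code):
            return False
        if self.owners.get(device_id) != user:  # claim 6: user must match the device
            return False
        # Added safeguard not specified in the patent: accept only a factor that moves
        # forward, so a QR code that was already scanned is not accepted a second time.
        if (boot, clicks) <= self.last_seen.get(device_id, (0, 0)):
            return False
        self.last_seen[device_id] = (boot, clicks)
        return True


def demo() -> tuple:
    """Constructed walk-through: one fresh code, the same code again, wrong user."""
    token = DynamicToken("TK-0001", b"constructed-shared-secret")
    server = AuthServer(secrets={"TK-0001": token.secret}, owners={"TK-0001": "alice"})
    token.power_on()
    qr1 = token.press_refresh()
    fresh = server.authenticate("alice", qr1)
    repeated = server.authenticate("alice", qr1)
    wrong_user = server.authenticate("bob", token.press_refresh())
    return fresh, repeated, wrong_user
```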
CN202010017764.7A 2020-01-08 2020-01-08 Identity authentication method and device based on dynamic password and dynamic token Active CN111126533B (en)


Publications (2)

Publication Number Publication Date
CN111126533A true CN111126533A (en) 2020-05-08
CN111126533B CN111126533B (en) 2023-06-23

Family

ID=70487511



Legal Events

Date Code Title Description
PB01 Publication
CB03 Change of inventor or designer information

Inventor after: Zeng Qingfei

Inventor after: Lei Hong

Inventor after: Yan Yun

Inventor after: Lu Xiao

Inventor before: Zeng Qingfei

Inventor before: Yan Yun

Inventor before: Lu Xiao

SE01 Entry into force of request for substantive examination
GR01 Patent grant