CN111126533B - Identity authentication method and device based on dynamic password and dynamic token - Google Patents

Identity authentication method and device based on dynamic password and dynamic token

Info

Publication number: CN111126533B
Application number: CN202010017764.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN111126533A
Prior art keywords: dynamic, token, factor, dynamic token, code
Legal status: Active (Google Patents notes that the listed status is an assumption, not a legal conclusion)
Inventors: 曾庆非, 雷虹, 燕云, 陆晓
Current assignee: Oxford Hainan Blockchain Research Institute Co ltd (Google Patents notes that listed assignees may be inaccurate)
Original assignee: Oxford Hainan Blockchain Research Institute Co ltd

Events: application CN202010017764.7A filed by Oxford Hainan Blockchain Research Institute Co ltd; publication of CN111126533A; application granted; publication of CN111126533B; legal status currently Active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K17/00 Methods or arrangements for effecting co-operative working between equipments covered by two or more of main groups G06K1/00 - G06K15/00, e.g. automatic card files incorporating conveying and reading operations
    • G06K17/0022 Arrangements or provisions for transferring data to distant stations, e.g. from a sensing device
    • G06K17/0025 The arrangement consisting of a wireless interrogation device in combination with a device for optically marking the record carrier
    • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06 Characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/06009 With optically detectable marking
    • G06K19/06037 Multi-dimensional coding
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention provides an identity authentication method and device based on a dynamic password, and a dynamic token. The dynamic token generates a dynamic factor based on an event synchronization mechanism, computes a dynamic verification code from the dynamic factor and the device identifier of the dynamic token using an encryption algorithm, converts the dynamic factor, the device identifier and the dynamic verification code into a dynamic two-dimensional code, and displays it. The dynamic two-dimensional code carries the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to the server, and the server verifies the dynamic verification code using the dynamic factor and the device identifier it received. Because the token delivers the verification code together with the factor and the identifier inside the two-dimensional code, the server can complete identity verification from the information in the two-dimensional code alone, without maintaining synchronization information consistent with the token, which removes the authentication failures caused by the dynamic token and the server falling out of step.

Description

Identity authentication method and device based on dynamic password and dynamic token
Technical Field
The present invention relates to the field of identity authentication technologies, and in particular to an identity authentication method and apparatus based on a dynamic password, and to a dynamic token.
Background
Dynamic password technology is a common identity authentication technology. In existing dynamic password schemes, the dynamic token computes a verification code from its synchronization information (for example the current time, or the number of times an event has occurred) using an encryption algorithm; the server, after receiving the verification code, verifies it against the server's own synchronization information and authenticates the user according to the result.
The problem with existing dynamic password schemes is that the synchronization information held by the dynamic token and by the server must stay consistent for authentication to work. In practice the two frequently fall out of step (their synchronization information diverges), and authentication then fails.
Disclosure of Invention
To address these defects of the prior art, the invention provides an identity authentication method and device based on a dynamic password, and a dynamic token, so as to avoid authentication failures caused by the dynamic token and the server falling out of step.
The first aspect of the invention provides an identity authentication method based on a dynamic password, applied to a dynamic token, comprising the following steps:
generating a dynamic factor based on an event synchronization mechanism;
computing a dynamic verification code from the dynamic factor and the device identifier of the dynamic token using an encryption algorithm;
converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code;
displaying the dynamic two-dimensional code; the dynamic two-dimensional code carries the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to a server, and the server verifies the dynamic verification code using the dynamic factor and the device identifier of the dynamic token.
Optionally, before converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into the dynamic two-dimensional code, the method further includes:
computing a device signature of the dynamic token over the device identifier of the dynamic token using a signature algorithm;
and the conversion step then includes:
converting the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token into the dynamic two-dimensional code.
Optionally, converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into the dynamic two-dimensional code includes:
concatenating the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to obtain an authentication message;
and converting the authentication message into the dynamic two-dimensional code using a two-dimensional code conversion algorithm.
Optionally, generating the dynamic factor based on the event synchronization mechanism includes:
taking the cumulative number of times the dynamic token has been powered on and the cumulative number of times the two-dimensional-code generation button of the dynamic token has been pressed as the dynamic factor.
Optionally, the encoding format of the dynamic two-dimensional code is hex.
The second aspect of the invention provides an identity authentication method based on a dynamic password, applied to a server, comprising:
receiving a dynamic two-dimensional code uploaded by a terminal device, the dynamic two-dimensional code having been acquired by the terminal device from a dynamic token;
parsing a dynamic factor, a device identifier of the dynamic token and a dynamic verification code out of the dynamic two-dimensional code, where the dynamic factor was generated by the dynamic token based on an event synchronization mechanism and the dynamic verification code was computed by the dynamic token from the dynamic factor and its device identifier using an encryption algorithm;
verifying the dynamic verification code using the dynamic factor and the device identifier of the dynamic token;
if the dynamic verification code fails verification, determining that the user to be authenticated has failed identity authentication;
if the dynamic verification code passes verification and the user information of the user to be authenticated matches the device identifier of the dynamic token, determining that the user to be authenticated has passed identity authentication.
Optionally, before verifying the dynamic verification code using the dynamic factor and the device identifier of the dynamic token, the method further includes:
parsing a device signature of the dynamic token out of the dynamic two-dimensional code, the device signature having been computed by the dynamic token over its device identifier using a signature algorithm;
and verifying the dynamic verification code then includes:
verifying the device signature of the dynamic token using the device identifier of the dynamic token;
and, if the device signature of the dynamic token passes verification, verifying the dynamic verification code using the dynamic factor and the device identifier of the dynamic token.
A third aspect of the invention provides an identity authentication device based on a dynamic password, applied to a dynamic token, comprising:
a generating unit, which generates a dynamic factor based on an event synchronization mechanism;
an encryption unit, which computes a dynamic verification code from the dynamic factor and the device identifier of the dynamic token using an encryption algorithm;
a conversion unit, which converts the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code;
a display unit, which displays the dynamic two-dimensional code; the dynamic two-dimensional code carries the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to a server, and the server verifies the dynamic verification code using the dynamic factor and the device identifier of the dynamic token.
Optionally, the encryption unit is further configured to compute a device signature of the dynamic token over the device identifier of the dynamic token using a signature algorithm;
and the conversion unit, when converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into the dynamic two-dimensional code, is configured to:
convert the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token into the dynamic two-dimensional code.
Optionally, the conversion unit, when converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into the dynamic two-dimensional code, is configured to:
concatenate the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to obtain an authentication message, and convert the authentication message into the dynamic two-dimensional code using a two-dimensional code conversion algorithm.
Optionally, the generating unit, when generating the dynamic factor based on the event synchronization mechanism, is configured to:
take the cumulative number of times the dynamic token has been powered on and the cumulative number of times the two-dimensional-code generation button of the dynamic token has been pressed as the dynamic factor.
Optionally, the encoding format of the dynamic two-dimensional code is hex.
A fourth aspect of the invention provides an identity authentication device based on a dynamic password, applied to a server, comprising:
a receiving unit, which receives a dynamic two-dimensional code uploaded by a terminal device, the dynamic two-dimensional code having been acquired by the terminal device from a dynamic token;
a parsing unit, which parses a dynamic factor, a device identifier of the dynamic token and a dynamic verification code out of the dynamic two-dimensional code, where the dynamic factor was generated by the dynamic token based on an event synchronization mechanism and the dynamic verification code was computed by the dynamic token from the dynamic factor and its device identifier using an encryption algorithm;
a verification unit, which verifies the dynamic verification code using the dynamic factor and the device identifier of the dynamic token;
a determining unit, which determines that the user to be authenticated has failed identity authentication if the dynamic verification code fails verification,
and determines that the user to be authenticated has passed identity authentication if the dynamic verification code passes verification and the user information of the user to be authenticated matches the device identifier of the dynamic token.
Optionally, the parsing unit is further configured to:
parse a device signature of the dynamic token out of the dynamic two-dimensional code, the device signature having been computed by the dynamic token over its device identifier using a signature algorithm;
and the verification unit, when verifying the dynamic verification code using the dynamic factor and the device identifier of the dynamic token, is configured to:
verify the device signature of the dynamic token using the device identifier of the dynamic token, and, if the device signature passes verification, verify the dynamic verification code using the dynamic factor and the device identifier of the dynamic token.
A fifth aspect of the invention provides a dynamic token comprising:
a main control chip, a security chip connected to the main control chip, a display screen connected to the main control chip, control keys, and a battery; wherein:
the main control chip executes the identity authentication method based on a dynamic password of any embodiment of the first aspect and sends the resulting dynamic two-dimensional code to the display screen for display;
the security chip stores the dynamic factor generated by the main control chip, the encryption algorithm used by the main control chip to generate the dynamic verification code, and the private key used by the main control chip to produce the device signature of the dynamic token.
Optionally, the dynamic token further includes a universal serial bus (USB) interface and a Bluetooth communication module.
In summary: because the dynamic factor and the device identifier travel inside the dynamic two-dimensional code together with the dynamic verification code, the server verifies the code from the data it receives and need not keep its own copy of the token's synchronization state, so authentication no longer fails when the dynamic token and the server fall out of step.
Drawings
To illustrate the embodiments of the invention and the prior art more clearly, the drawings used in their description are briefly introduced below. The drawings described are only embodiments of the invention; a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flow chart of an identity authentication method based on a dynamic password according to one embodiment of the present application;
FIG. 2 is a flow chart of an identity authentication method based on a dynamic password according to another embodiment of the present application;
FIG. 3 is a schematic diagram of an application scenario of identity authentication provided in an embodiment of the present application;
FIG. 4 is a schematic diagram of an identity authentication device based on a dynamic password according to an embodiment of the present application;
FIG. 5 is a schematic diagram of an identity authentication device based on a dynamic password according to another embodiment of the present application;
FIG. 6 is a schematic structural diagram of a dynamic token according to an embodiment of the present application.
Detailed Description
The embodiments of the invention are described below clearly and completely with reference to the accompanying drawings. The embodiments described are only some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can obtain from them without inventive effort fall within the scope of the invention.
A dynamic password is a random-looking string obtained by computing over a dynamic factor with a preset encryption algorithm. Each dynamic password can be used only once within a given period; the dynamic factor changes every time a password is generated, so each password differs from the previous one. Because of these properties, dynamic passwords are widely used in online banking, online gaming, telecom operators, e-commerce and enterprises, where users must be authenticated and security requirements are high.
Existing dynamic-password-based identity authentication techniques can be classified as synchronous or asynchronous according to how the dynamic factor is generated. In the synchronous techniques, the dynamic token (generally a portable electronic device for generating dynamic passwords, consisting mainly of a chip that executes the encryption algorithm and a display screen) takes the current time, or the cumulative number of dynamic passwords it has generated, as a first dynamic factor; after the generated password is uploaded to the server, the server uses its own current time, or the cumulative number of user logins it has recorded, as a second dynamic factor and verifies the password against that second factor.
Schemes that use time as the dynamic factor are called time-synchronous dynamic password schemes; schemes that use the cumulative password-generation count and the cumulative login count are called event-synchronous dynamic password schemes.
The weakness of the synchronous techniques is that the server and the dynamic token must remain synchronized, meaning that the second dynamic factor used by the server must match the first dynamic factor used by the token. Whether synchronization is by time or by event, there is a risk that the two fall out of step (the factors diverge), after which authentication cannot proceed.
In time-synchronous schemes, the token's clock and the server's clock drift apart over time: at a given moment the token's clock may read 10:01:30 while the server's reads 10:02:00, so their dynamic factors differ and authentication fails.
In event-synchronous schemes, a user may generate dynamic passwords many times without logging in, so the number of times the token has generated a password is likely to differ from the number of logins the server has counted; the dynamic factors then diverge and authentication fails.
In the asynchronous (challenge-response) technique, the dynamic token obtains a challenge code from the server, uses it as the dynamic factor, generates the dynamic password from it and presents that password to the server for authentication. Because the token is generally not networked, the user must relay the challenge into the token each time a password is generated (typing it in, or scanning a two-dimensional code carrying the challenge with the token), which makes the authentication process cumbersome and the user experience poor.
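To make the event-synchronous failure mode above concrete, the following added example (not code from the patent or its applicant) implements an HOTP-style event-synchronous token and server in the RFC 4226 form: HMAC-SHA1 over an 8-byte big-endian counter with dynamic truncation. The RFC 4226 test key is used as constructed input, and the EventToken and EventServer class names, the simulate_desync helper and the look_ahead window are illustrative assumptions. It shows that with a strict server counter (look_ahead=0) three idle button presses are enough to lock the user out, and that the usual mitigation, a bounded look-ahead window, only moves the point at which the same failure occurs.

```python
"""Event-synchronous dynamic password (HOTP-style, RFC 4226) showing
token/server counter desynchronisation. Added example, not the patent's code."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class EventToken:
    """Token whose counter advances on every button press, whether or not a login follows."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press_button(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class EventServer:
    """Server whose counter only advances on successful logins."""

    def __init__(self, secret: bytes, look_ahead: int = 0):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # Try the expected counter and up to look_ahead counters beyond it,
        # resynchronising on success. look_ahead=0 is the strict prior-art case.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def simulate_desync(idle_presses: int, look_ahead: int) -> bool:
    """User presses the button idle_presses times without logging in, then logs in."""
    secret = b"12345678901234567890"  # RFC 4226 test key, constructed input
    token, server = EventToken(secret), EventServer(secret, look_ahead)
    for _ in range(idle_presses):
        token.press_button()  # counter advances; the server never sees these
    return server.verify(token.press_button())
```

simulate_desync(3, 0) fails because the server still expects counter 0 while the token is at 3; simulate_desync(3, 5) succeeds only because the window happens to cover the gap, and simulate_desync(10, 5) fails again.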
The application therefore proposes a new identity authentication method based on a dynamic password, and related equipment, to solve these problems of the prior art.
Referring to fig. 1, a first embodiment of the present application provides an identity authentication method based on a dynamic password, which includes the following steps:
S101: the dynamic token generates a dynamic factor based on an event synchronization mechanism.
A dynamic token is a self-contained portable hardware device with a processor, memory and related components (for example a display and a communication interface). The memory stores the device identifier, the dynamic factor and the encryption algorithm; the processor computes over the dynamic factor with the encryption algorithm to generate the dynamic password.
The event synchronization mechanism counts the cumulative occurrences of certain events in the dynamic token; each time a dynamic password is to be generated, the current cumulative count is taken as the dynamic factor and used in the subsequent steps.
Specifically, the event may be powering on the dynamic token, pressing the two-dimensional-code generation button of the dynamic token, or a combination of the two.
The two-dimensional-code generation button is a button on the dynamic token of this application. Each press causes the token to run the dynamic password and two-dimensional code generation steps of any embodiment herein and to display a dynamic two-dimensional code carrying at least the device identifier of the token, the dynamic password just generated and the dynamic factor used for it.
That is, in step S101 the dynamic token may take the current cumulative power-on count as the dynamic factor, or the current cumulative button-press count, or combine the two counts into a single digit string and take that string as the dynamic factor.
Specifically, the token's memory can hold a first variable recording the power-on count and a second variable recording the button-press count, both initialized to 0 when the token leaves the factory. The first variable is incremented by 1 each time the token is powered on, and the second by 1 each time the user presses the generation button; in step S101 the processor reads the first and/or second variable from memory and uses the value(s) as the dynamic factor.
It follows that the dynamic factor in this application increases monotonically: over the whole life cycle of the token, each dynamic factor it generates is greater than the one generated before it.
S102: the dynamic token computes a dynamic verification code from the dynamic factor and its device identifier using an encryption algorithm.
The dynamic verification code of step S102 is the dynamic password used for identity authentication described above.
Several existing algorithms can implement step S102; the application names MD5 (Message Digest Algorithm 5), SHA (Secure Hash Algorithm) and MAC (Message Authentication Code) algorithms. Strictly these are hash and message-authentication functions rather than encryption, but the application refers to them collectively as encryption algorithms. Each maps an input string of any length (here the dynamic factor and the device identifier of the dynamic token) to an output string of fixed length (here the dynamic verification code). Provided one such algorithm is configured in the dynamic token in advance, the token can compute the dynamic verification code from the dynamic factor and its device identifier. Note that an unkeyed hash such as MD5 or SHA-256 over inputs that also travel in the two-dimensional code can be recomputed by anyone who reads that code; binding the verification code to a particular token requires a MAC keyed with a secret shared between the token and the server, or a device identifier that itself contains a secret.
Taking SHA-256 (output length 256 bits) as an example: a program implementing SHA-256 is stored in the token's memory in advance. In step S102 the processor concatenates the dynamic factor and the device identifier into an input string, loads the program from memory, passes the input string to it as a parameter and runs it; the string the program outputs is the dynamic verification code of step S102.
The device identifier of step S102 may be the device serial number of the dynamic token stored in its memory, the device private key of the dynamic token, a combination of the two, or any other information that uniquely identifies one dynamic token. Since step S103 places the device identifier in the displayed two-dimensional code, using the private key as (part of) the identifier would expose it to anyone who scans that code; the serial number is the choice that keeps the key inside the token.
S103, the dynamic token converts the dynamic factor, the equipment identification of the dynamic token and the dynamic verification code into a dynamic two-dimensional code.
The specific implementation procedure of step S103 is:
the dynamic factor, the device identifier of the dynamic token and the dynamic verification code are spliced to obtain an authentication message, and it can be understood that the authentication message is a character string formed by combining the above information.
The authentication message is then converted into a dynamic two-dimensional code by a two-dimensional code conversion algorithm.
Optionally, the coding format of the dynamic two-dimensional code obtained by conversion may be a hex coding format.
The hex coding format occupies less character data than the now common ASCII coding format. In the example given by this application, for the same amount of information the two-dimensional code converted into the ASCII coding format needs 160 bytes of data, while the two-dimensional code converted into the hex coding format needs only 96 bytes. Because less data is carried, fewer pixels (modules) have to be displayed for a hex-coded two-dimensional code than for an ASCII-coded one, which addresses scanning failures caused by over-dense modules when the display screen of the dynamic token is small. (The saving a particular encoder realises depends on the encoding mode it selects for the payload.)
On the other hand, the application notes that commonly used two-dimensional code scanning tools present the payload as ASCII text and do not decode the hex format, so a code in hex format is only interpreted by the specific terminal device or server that expects it. This should not be mistaken for confidentiality: hex is a reversible encoding, not encryption, and any generic scanner still returns the hex string, which anyone can decode. Protection of the information carried in the dynamic two-dimensional code therefore rests on the payload containing no secret values, not on the coding format.
S104, displaying the dynamic two-dimensional code by the dynamic token.
The dynamic token is provided with a display screen, and the processor can control the display screen to display the dynamic two-dimensional code after generating the dynamic two-dimensional code.
S105, the server acquires the dynamic two-dimensional code from the dynamic token.
Note that, in order to ensure security, the dynamic token generally does not have a network connection function, so the specific implementation procedure of step S105 is as follows:
the local first terminal equipment acquires the dynamic two-dimensional code from the dynamic token, and uploads the dynamic two-dimensional code to the server through a network.
The first terminal device may be a personal computer, a tablet computer, or a smart phone accessing to the internet.
Optionally, the local first terminal device may acquire the dynamic two-dimensional code from the dynamic token in any one of the following manners:
First, if the first terminal device has a two-dimensional code scanning function, the user can directly scan the display screen of the dynamic token with the first terminal device, so that the first terminal device reads the dynamic two-dimensional code shown on the display screen of the dynamic token.
Second, the dynamic token provided by this application can be configured with a Bluetooth communication module. The dynamic token communicates through it with a first terminal device that also has Bluetooth capability: after generating the dynamic two-dimensional code, the token sends it to the first terminal device over Bluetooth, and the first terminal device then uploads it to the server.
Third, the dynamic token provided by this application can further be provided with a Universal Serial Bus (USB) interface. The user connects the dynamic token to the first terminal device with a data cable, the first terminal device receives the dynamic two-dimensional code through the USB interface of the dynamic token, and it then sends the dynamic two-dimensional code to the server.
S106, the server analyzes the dynamic two-dimensional code.
As described above, the dynamic two-dimensional code is a two-dimensional code obtained by converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code by the dynamic token, so that the server can extract the dynamic factor, the device identifier of the dynamic token and the dynamic verification code by analyzing the dynamic two-dimensional code provided by the dynamic token.
S107, the server checks the dynamic verification code.
If the dynamic verification code passes the verification, step S108 is executed, and if the dynamic verification code does not pass the verification, step S109 is executed.
The verification process of the server on the dynamic verification code is as follows:
The server calculates the dynamic factor and the device identifier of the dynamic token with the algorithm pre-configured in the server to obtain a check code. If the check code is consistent with the dynamic verification code provided by the dynamic token, the dynamic verification code is considered to pass the check; otherwise, if the check code is inconsistent with the dynamic verification code provided by the dynamic token, the dynamic verification code is considered to fail the check. The comparison should be performed in constant time, so that response timing does not reveal how many leading characters of a guessed code matched.
It should be noted that, the encryption algorithm used by the server and the encryption algorithm configured in the dynamic token are the same encryption algorithm, for example, if the dynamic token uses the SHA-256 algorithm to calculate the dynamic factor and the device identification code to generate the dynamic verification code, the verification code generated by the server is also obtained by calculating the dynamic factor and the device identification code by using SHA-256. Correspondingly, the process of calculating the dynamic factor and the device identifier of the dynamic token by using the encryption algorithm to obtain the verification code is consistent with the process of calculating the dynamic token to obtain the dynamic verification code, and the description is omitted here.
That is, the dynamic token and the server provided by the present application are configured with the same algorithm. When the server parses the dynamic two-dimensional code to obtain the dynamic factor, the device identifier of the dynamic token and the dynamic verification code, and the dynamic verification code passes the check, the user currently requesting identity authentication (referred to as the user to be authenticated) can be considered to hold the trusted dynamic token provided by the present application, and the subsequent step of identity authentication can be performed. If the dynamic verification code fails the check, the user to be authenticated is considered not to hold the trusted dynamic token, and in this case the user to be authenticated can be directly determined to be an illegal user, that is, step S109 is performed. This inference only holds when the calculation of step S102 depends on a secret that is stored in the token and the server but is not carried in the two-dimensional code; otherwise a passing verification code shows only that the sender knew the device identifier.
S108, the server matches the device identification with the user information.
The user information is user information of the user to be authenticated, and specifically, the user information of the user to be authenticated may be an account number, a user name, or information that may uniquely identify the user.
If the device identifier of the dynamic token and the user information of the user to be authenticated fail to match, step S109 is executed; if they match successfully, step S110 is executed.
Specifically, when a dynamic token is issued to a user, the correspondence between the device identifier of the dynamic token and the user information of the user holding it may be recorded in a database of the server. When executing step S108, the server looks up in the database the user information corresponding to the device identifier carried by the dynamic token. If the user information found is consistent with the user information of the user to be authenticated provided by the second terminal device, the device identifier of the dynamic token is considered to match the user information of the user to be authenticated; if it is inconsistent, the match is considered to have failed.
S109, the server determines that the user to be authenticated fails identity authentication.
S110, the server determines that the user to be authenticated passes identity authentication.
Optionally, if the server determines that the user to be authenticated fails the identity authentication, authentication failure information may be sent to the second terminal device; if the server determines that the user to be authenticated passes the identity authentication, authentication success information may be sent to the second terminal device and the subsequent operations are authorized.
The second terminal device may be a personal computer, a tablet computer or a smart phone accessing the internet.
It should be noted that the second terminal device and the first terminal device may be the same terminal device or different terminal devices.
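The following Python program, added here as an illustration and not taken from the application, walks the first embodiment end to end: the token keeps the two event counters named later for the generating unit (accumulated power-on count and accumulated refresh-button count) as its dynamic factor, computes the dynamic verification code, splices the authentication message and hex-codes it as the two-dimensional code payload; the server parses the payload and performs the checks of steps S107 and S108. The serial number, the per-device key, the field separator, the fixed-width counter layout and the user accounts are constructed for the example. It departs from the text in two deliberate places, both marked in the code: it uses HMAC-SHA256 with a per-device secret rather than a plain hash, and it rejects a dynamic factor that does not advance past the last accepted one, because a server that trusts the factor carried in the code would otherwise accept a re-scanned old code.

```python
import hashlib
import hmac

# Constructed sample values for the example (not from the application).
DEVICE_SERIAL = "TK2020011700001"
DEVICE_KEY = bytes(range(32))   # per-device secret provisioned at issue time


class DynamicToken:
    """Token side: steps S101 to S104 (the display is represented by the payload string)."""

    def __init__(self, serial, key):
        self.serial = serial
        self.key = key            # would be held in the security chip
        self.boots = 0            # accumulated power-on count
        self.clicks = 0           # accumulated refresh-button count

    def power_on(self):
        self.boots += 1

    def press_refresh(self):
        self.clicks += 1

    def dynamic_factor(self):
        # S101: event-synchronised factor. Fixed width keeps the splice
        # unambiguous and makes string order equal numeric order.
        return f"{self.boots:08d}{self.clicks:08d}"

    def verification_code(self, factor):
        # S102: keyed MAC instead of the plain hash named in the text, so the
        # code cannot be recomputed from the public fields alone (assumption).
        return hmac.new(self.key, (factor + self.serial).encode(),
                        hashlib.sha256).hexdigest()

    def qr_payload(self):
        # S103: splice factor | serial | code, then hex-code the message.
        factor = self.dynamic_factor()
        message = "|".join([factor, self.serial, self.verification_code(factor)])
        return message.encode("ascii").hex().upper()


class AuthServer:
    """Server side: steps S106 to S110."""

    def __init__(self):
        self.devices = {}   # serial -> {"key", "user", "last_factor"}

    def enrol(self, serial, key, user):
        # Recorded when the token is issued to the user (see step S108).
        self.devices[serial] = {"key": key, "user": user, "last_factor": ""}

    @staticmethod
    def parse(payload):
        # S106: undo the hex coding and split the authentication message.
        factor, serial, code = bytes.fromhex(payload).decode("ascii").split("|")
        return factor, serial, code

    def authenticate(self, payload, claimed_user):
        try:
            factor, serial, code = self.parse(payload)
        except ValueError:
            return False, "malformed payload"
        dev = self.devices.get(serial)
        if dev is None:
            return False, "unknown device"
        # S107: recompute with the same algorithm and compare in constant time.
        expected = hmac.new(dev["key"], (factor + serial).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, code):
            return False, "verification code mismatch"
        # S108: the device must be the one bound to the claimed user.
        if dev["user"] != claimed_user:
            return False, "device not bound to user"
        # Added check, not in the text: the server trusts the factor carried in
        # the code, so an old code would verify again unless factors must advance.
        if factor <= dev["last_factor"]:
            return False, "replayed or stale factor"
        dev["last_factor"] = factor
        return True, "ok"


if __name__ == "__main__":
    token = DynamicToken(DEVICE_SERIAL, DEVICE_KEY)
    server = AuthServer()
    server.enrol(DEVICE_SERIAL, DEVICE_KEY, "userA")
    token.power_on()
    token.press_refresh()
    payload = token.qr_payload()
    print("payload:", payload)
    print(server.authenticate(payload, "userA"))   # (True, 'ok')
    print(server.authenticate(payload, "userA"))   # same code scanned again
    print(server.authenticate(payload, "userB"))   # account not bound to this token
    token.press_refresh()
    print(server.authenticate(token.qr_payload(), "userA"))
```

The payload string is what a two-dimensional code encoder would be handed; upper-case hex keeps it inside the encoder's alphanumeric character set. The replay check is keyed on the token's own counters because the server never holds a counter of its own in this design.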
In a first scenario, a user may request to execute an operation requiring authorization on a mobile terminal (such as a smart phone). After the mobile terminal prompts the user to provide a dynamic two-dimensional code, the user triggers the dynamic token to generate it and scans it with the same mobile terminal, which uploads the dynamic two-dimensional code to the server. After checking, the server determines whether the user passes identity authentication; if so, it sends authentication success information to the mobile terminal and authorizes the mobile terminal to execute the subsequent operation, and if not, it sends authentication failure information to the mobile terminal.
In a second scenario, the user requests to execute the operation requiring authorization on a personal computer, then triggers the dynamic token to generate the dynamic two-dimensional code and scans it with a mobile phone, which provides it to the server. After checking, if the user passes identity authentication the server sends authentication success information to the computer and authorizes it to execute the subsequent operation; if not, it sends authentication failure information to the computer.
The embodiment of the application provides an identity authentication method based on a dynamic password, wherein after a dynamic token generates a dynamic factor based on an event synchronization mechanism, the dynamic factor, a device identifier and a dynamic verification code generated according to the dynamic factor are provided to a server in the form of a dynamic two-dimensional code, the dynamic factor, the device identifier and the dynamic verification code are analyzed from the dynamic two-dimensional code by the server, and then identity authentication is performed on a user based on information obtained through analysis.
The invention can solve the problem of complex authentication flow in the prior asynchronous dynamic password technology. When a user needs to carry out identity authentication, the user only needs to click a corresponding button on the dynamic token, then the terminal equipment is used for obtaining the dynamic two-dimensional code of the dynamic token, the process of identity authentication can be realized, the user does not need to operate the dynamic token to interact with the server before generating the dynamic two-dimensional code, the identity authentication flow is effectively simplified, and the user experience is improved.
The second aspect of the present invention can solve the problem of identity authentication failure caused by loss of synchronization between the dynamic token and the server in existing synchronous dynamic password technology. In that technology the dynamic token uses its own clock or event count as the dynamic factor to generate the dynamic password, while the server uses its own clock or event count as the dynamic factor to check it; once the clock or event count of the server and that of the dynamic token differ, the two are out of step. In this scheme, after the dynamic token generates the dynamic verification code with its own event count as the dynamic factor, it interacts with the server through the terminal device and supplies the dynamic factor and the dynamic verification code directly, so the server checks with the token's own event count as the dynamic factor. The dynamic factors of the dynamic token and the server are therefore identical every time identity authentication is performed; the loss of synchronization caused by clock drift or by differing event counts is avoided, and the success rate of identity authentication is maintained. The corollary a practitioner should note is that, because the server takes the factor from the token rather than from its own record, the server must itself remember the last accepted factor per device and reject factors that do not advance, or a previously scanned code could be presented again.
The second embodiment of the present application further provides an identity authentication method based on a dynamic password, please refer to fig. 2, which includes:
s201, the dynamic token generates dynamic factors based on an event synchronization mechanism.
S202, the dynamic token calculates the dynamic factor and the equipment identification of the dynamic token by using an encryption algorithm to obtain a dynamic verification code.
And S203, calculating the equipment identification of the dynamic token by using a signature algorithm to obtain the equipment signature of the dynamic token.
The specific calculation process in step S203 is identical to the process of calculating the dynamic verification code by using the encryption algorithm in S102 in the foregoing embodiment, that is, the processor invokes the program for implementing the signature algorithm from the memory, and then provides the device identifier to the program, so that the device signature of the dynamic token can be output after the program is run.
Specifically, the signature algorithm may be the Elliptic Curve Digital Signature Algorithm (ECDSA). ECDSA is an existing public-key (asymmetric) digital signature algorithm based on elliptic curve mathematics: the signer uses a preset private key to produce a signature over the information to be signed (in this application, the device identifier), and the holder of the matching public key can verify that signature without being able to produce one. Signing is not encryption; the signature does not hide the device identifier, which is carried alongside it. Different elliptic curves give different instances of the algorithm, and optionally, in this embodiment, ECDSA over the curve secp256k1 can be used to calculate the device identifier and obtain the device signature.
The equation of the elliptic curve and the specific implementation process of ECDSA are common knowledge of those skilled in the art, and will not be described herein.
S204, the dynamic token converts the dynamic factor, the equipment identifier, the equipment signature and the dynamic verification code into a dynamic two-dimensional code.
S205, displaying the dynamic two-dimensional code by the dynamic token.
S206, the server acquires the dynamic two-dimensional code from the dynamic token.
S207, the server analyzes the dynamic two-dimensional code.
Similar to the previous embodiment, after the server analyzes the dynamic two-dimensional code, the dynamic factor, the device identifier, the device signature and the dynamic verification code carried by the dynamic two-dimensional code can be obtained.
S208, the server sequentially verifies the device signature, the dynamic verification code and the user information.
The user information is information provided by the user to be authenticated for identity authentication, and may be, for example, a user account number, a user name or other identifiers.
If each check passes, it indicates that the user to be authenticated passes the identity authentication, step S209 is executed, and if any check fails, it indicates that the user to be authenticated fails the identity authentication, step S210 is executed.
The execution process of step S208 is:
First, the device signature is checked with the device identifier of the dynamic token. If the device signature fails the check, it is directly determined that identity authentication fails; if the device signature passes, the dynamic verification code is checked with the dynamic factor and the device identifier. If the dynamic verification code fails the check, it is directly determined that identity authentication fails; if it passes, the user information is checked, that is, whether the user information matches the device identifier is judged. If the user information fails the check, identity authentication is determined to have failed; if it passes, identity authentication is determined to have succeeded.
The process of verifying the dynamic verification code is consistent with step S107 in the foregoing embodiment, and the process of verifying the user information is consistent with step S108 in the foregoing embodiment, which is not repeated herein.
The process of verifying the device signature is:
First, the server is preconfigured with the public key matching the private key used by the dynamic token; the server's public key and the dynamic token's private key form one key pair. The server runs the verification procedure of the same signature algorithm as the dynamic token, taking as inputs the device identifier obtained by parsing, the device signature obtained by parsing the dynamic two-dimensional code, and the public key. If the verification procedure accepts, the device signature passes the check; otherwise the device signature fails the check. Note that the server does not, and with a public key cannot, recompute the device signature for comparison: ECDSA signatures are produced with the private key and a fresh random nonce, so two valid signatures over the same device identifier generally differ, and the only meaningful check is the verification algorithm itself.
This embodiment adds the generation and verification of the device signature to the embodiment of fig. 1 and further improves the security of the identity authentication scheme provided by the application. Note what the signature does and does not establish: it is computed over the device identifier alone, so it proves that the token holding the private key produced it at some time, not that it was produced for the current authentication; freshness still rests on the dynamic factor and the dynamic verification code.
S209, the server determines that the identity authentication of the user to be authenticated is successful.
S210, the server determines that identity authentication of the user to be authenticated fails.
In order to better understand the identity authentication method provided in the present application, a specific implementation process of the present application in a mobile payment scenario is described below with reference to fig. 3.
As shown in fig. 3, assuming that the user a needs to use the mobile payment software of the mobile phone 200 to purchase goods through the internet banking system, and has currently entered a payment link, the user a logs in the mobile payment software with an account number and a password, inputs an amount of money and clicks to confirm payment, in order to ensure property security of the user, the user who currently operates the mobile phone 200 needs to be verified as the user a at this time, so that the mobile payment software outputs a two-dimensional code scanning interface shown by the mobile phone 200 on the left side of fig. 3, prompts the user to operate the dynamic token 100 to generate a dynamic two-dimensional code and scans with the mobile phone.
After the mobile phone outputs the interface, the user A can operate the dynamic token to generate the dynamic two-dimensional code, specifically, the dynamic token can keep the power-off state at ordinary times, the user clicks the power key when in use, the dynamic token is started and automatically executes the corresponding steps in the embodiment after the dynamic token is started to generate and display the dynamic two-dimensional code in the two-dimensional code display area, and the user can click the refresh button on the right side of the power key to trigger the dynamic token to generate and display the new dynamic two-dimensional code. Alternatively, the dynamic token may not automatically generate the dynamic two-dimensional code after being started, and the dynamic two-dimensional code is generated and displayed only when the user clicks the refresh button.
After the dynamic token displays the two-dimensional code, user A scans the display area with the mobile phone, so the mobile phone obtains the two-dimensional code generated by the dynamic token; the mobile payment software on the phone then uploads the dynamic two-dimensional code, together with the user information of the user to be authenticated, namely the account number of user A, to the server 300.
After receiving the information, the server executes the steps corresponding to the server in the foregoing embodiment, analyzes the two-dimensional code, verifies the device signature and the dynamic verification code in the two-dimensional code, and after the device signature and the dynamic verification code pass the verification, the server determines whether the device identifier carried in the dynamic two-dimensional code is matched with the account number of the user a, in other words, determines whether the dynamic token currently providing the dynamic two-dimensional code is the dynamic token of the user a, if the device identifier is matched with the account number of the user a, it is indicated that the dynamic token currently providing the dynamic two-dimensional code is the dynamic token of the user a, and further considers that the user currently requesting payment is really the user a.
After confirming that the user who requests payment is user A, the server can directly deduct money from the bank account of the user A which is associated in advance in the mobile payment scene, and the user does not need to carry out subsequent operation on the mobile phone side, so that the server only needs to send an authentication result for indicating that identity authentication is passed to the mobile phone, and the mobile phone considers that the payment of the current request is completed after receiving the authentication result, and outputs an interface on the right side of the figure 3.
Of course, the above is only one application scenario of the identity authentication method provided in the present application. The method provided by the application can also be applied to other scenes, and in other scenes, the user can also execute subsequent operations on the mobile terminal after the identity authentication is passed according to different actual conditions.
For example, the method provided by the application can also be applied to identity authentication of the user when the user logs in a certain platform, if the identity authentication is passed, the server issues a successful authentication result, and then the terminal equipment outputs a relevant interface of the platform, so that the user can enter the platform and execute relevant operations.
In combination with the method provided by the embodiment of the application, the embodiment of the application also provides a device for executing the method.
Referring to fig. 4, an embodiment of the present application provides an identity authentication device based on a dynamic password, which may be considered as a processor in the dynamic token mentioned in the foregoing embodiment, and the device includes the following units:
the generating unit 401 is configured to generate a dynamic factor based on the event synchronization mechanism.
An encryption unit 402, configured to calculate the dynamic factor and the device identifier of the dynamic token by using an encryption algorithm, so as to obtain a dynamic verification code.
The conversion unit 403 is configured to convert the dynamic factor, the device identifier of the dynamic token, and the dynamic verification code into a dynamic two-dimensional code.
And the display unit 404 is used for displaying the dynamic two-dimensional code.
The dynamic two-dimensional code is used for providing the dynamic factor, the equipment identifier of the dynamic token and the dynamic verification code to the server, and the server utilizes the dynamic factor and the equipment identifier of the dynamic token to verify the dynamic verification code.
Optionally, the encryption unit 402 is further configured to calculate a device identifier of the dynamic token by using a signature algorithm, so as to obtain a device signature of the dynamic token.
When the device signature is generated, the conversion unit 403, in converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into the dynamic two-dimensional code, is specifically configured to:
and converting the dynamic factor, the equipment identifier of the dynamic token, the dynamic verification code and the equipment signature of the dynamic token into a dynamic two-dimensional code.
When the conversion unit 403 converts the dynamic factor, the device identifier of the dynamic token, and the dynamic verification code into the dynamic two-dimensional code, the conversion unit is specifically configured to:
splicing the dynamic factor, the equipment identifier of the dynamic token and the dynamic verification code to obtain an authentication message; and converting the authentication information into a dynamic two-dimensional code by using a two-dimensional code conversion algorithm.
When the generating unit 401 generates a dynamic factor based on the event synchronization mechanism, it is specifically configured to:
and determining the accumulated starting times of the dynamic token and the accumulated clicked times of the two-dimensional code generation button of the dynamic token as dynamic factors.
Optionally, the dynamic two-dimensional code obtained by the conversion unit may be a two-dimensional code in hex coding format.
The specific working principle of the device provided in this embodiment may refer to the steps executed by the dynamic token in the identity authentication method provided in any embodiment of the present application, which are not described herein.
Referring to fig. 5, an embodiment of the present application further provides an apparatus, which may be considered as the server mentioned in the foregoing embodiment, including:
a receiving unit 501, configured to receive a dynamic two-dimensional code uploaded by a terminal device; the dynamic two-dimensional code is obtained from the dynamic token by the terminal equipment.
The parsing unit 502 is configured to parse the dynamic factor, the device identifier of the dynamic token, and the dynamic verification code from the dynamic two-dimensional code.
The dynamic factor is generated by the dynamic token based on an event synchronization mechanism, and the dynamic verification code is obtained by calculating the dynamic factor and the equipment identifier of the dynamic token by using an encryption algorithm through the dynamic token.
A verification unit 503, configured to verify the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token.
And the determining unit 504 is configured to determine that the user to be authenticated fails the identity authentication if the dynamic verification code fails the verification.
And the determining unit 504 is configured to determine that the user to be authenticated passes the identity authentication if the dynamic verification code passes the verification and the user information of the user to be authenticated and the device identifier of the dynamic token are successfully matched.
Optionally, the parsing unit 502 is further configured to:
and analyzing the device signature of the dynamic token from the dynamic two-dimensional code.
The device signature of the dynamic token is obtained by calculating the device identification of the dynamic token by a signature algorithm.
When the verification unit 503 verifies the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token, the verification unit is specifically configured to:
verifying the device signature of the dynamic token by using the device identification of the dynamic token; and if the device signature of the dynamic token passes the verification, verifying the dynamic verification code by using the dynamic factor and the device identifier of the dynamic token.
The specific working principle of the device provided in this embodiment may refer to steps executed by the server in the identity authentication method provided in any embodiment of the present application, and are not described herein again.
The embodiment of the application provides an identity authentication device based on a dynamic password, after a dynamic factor is generated by a dynamic token generating unit 401 based on an event synchronization mechanism, an encrypting unit 402 calculates a dynamic factor and a device identifier of the dynamic token by using an encrypting algorithm to obtain a dynamic verification code, then a converting unit 403 converts the dynamic factor, the device identifier and the dynamic verification code into a dynamic two-dimensional code, finally a display unit 404 displays the dynamic two-dimensional code, a receiving unit 501 of a server receives the dynamic two-dimensional code uploaded by the terminal device after the terminal device obtains the dynamic two-dimensional code from the dynamic token, an analyzing unit 502 analyzes the dynamic factor, the device identifier and the dynamic verification code from the dynamic two-dimensional code, and then a verifying unit 503 performs identity authentication on a user based on information obtained by analysis.
In the device provided by the application, the dynamic token provides the dynamic factors, the device identification and the dynamic verification code to the server in the form of the two-dimensional code together through the conversion unit 403 and the display unit 404, so that the server can directly verify the dynamic verification code by using the dynamic factors of the dynamic token, thereby effectively avoiding the condition of identity authentication failure under the condition of out-of-step between the server and the dynamic token and improving user experience.
Finally, an embodiment of the present application further provides a dynamic token; referring to fig. 6, the dynamic token has the following structure:
a main control chip, a security chip connected to the main control chip, a display screen connected to the main control chip, control keys, and a battery.
The main control chip is used to execute the step of generating the dynamic two-dimensional code in the dynamic-password-based identity authentication method provided by any embodiment of the present application, and to provide the resulting dynamic two-dimensional code to the display screen for display.
The security chip is used to store the dynamic factor generated by the main control chip, the encryption algorithm used by the main control chip to generate the dynamic verification code, and the private key used by the main control chip to obtain the device signature of the dynamic token.
As shown in fig. 6, the main control chip, the security chip and the battery are packaged in a shell of the dynamic token, and the shell of the dynamic token can be a zinc alloy shell or a shell made of other materials.
The control keys include a power key and a refresh key in fig. 6, and the refresh key corresponds to the two-dimensional code generation button in the method provided in the foregoing embodiment.
The battery may be a rechargeable lithium battery.
Further, the dynamic token provided in this embodiment also includes a Bluetooth communication module and a USB interface. The USB interface can, on the one hand, be connected to the terminal device through a data cable, so that the main control chip of the dynamic token can deliver the dynamic two-dimensional code to the terminal device over a wired connection, and, on the other hand, be connected to an external charger to charge the token's battery.
The Bluetooth communication module is likewise enclosed in the shell and is used to establish a Bluetooth connection with the terminal device; once the connection is established, the main control chip can deliver the dynamic two-dimensional code to the terminal device over Bluetooth.
An optional working principle of the dynamic token provided in this embodiment is as follows:
The dynamic token is preset with an automatic shutdown time (for example, 5 minutes): if the dynamic token is not operated for 5 minutes, it shuts down automatically. In the powered-off state the user can long-press the power key to power the token on. After power-on, the user long-presses the power key again; the display screen of the dynamic token lights up, the main control chip first shows the current battery level and preset text on the display screen, then executes the steps for generating the dynamic two-dimensional code in the identity authentication method provided by the embodiments of the present application, generates the dynamic two-dimensional code, and switches to the two-dimensional code display interface to show it.
While the display screen is showing a two-dimensional code, the user can press the refresh key; on every press the main control chip executes the step of generating the dynamic two-dimensional code in the above embodiment, produces a new dynamic two-dimensional code, and has the display screen show it. Once the display screen shows the two-dimensional code, the user can scan it with the terminal device, which uploads it to the server.
In particular, when several identity authentications must be performed in succession (for example, several consecutive transactions), the user presses the refresh key once per authentication, and a new two-dimensional code for the next authentication is generated.
After the display screen of the dynamic token has been lit, if the user performs no operation within 2 minutes (the duration can of course be adjusted to the specific situation), the display screen is turned off; while the display screen is off and the dynamic token is still powered on, the user can press the power key or the refresh key to turn the display screen on again. If the user does not operate the dynamic token for 5 consecutive minutes, the dynamic token shuts down automatically.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
It should be noted that the terms "first," "second," and the like herein are merely used for distinguishing between different devices, modules, or units and not for limiting the order or interdependence of the functions performed by such devices, modules, or units.
The above description of the disclosed embodiments enables those skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (16)

1. An identity authentication method based on a dynamic password, applied to a dynamic token, comprising the following steps:
generating a dynamic factor based on an event synchronization mechanism;
calculating the dynamic factor and the device identifier of the dynamic token with an encryption algorithm to obtain a dynamic verification code;
converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code;
displaying the dynamic two-dimensional code; wherein the dynamic two-dimensional code is used to provide the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to a server, the server calculates the dynamic factor and the device identifier of the dynamic token with the encryption algorithm to obtain a verification code, and the verification code is used to verify the dynamic verification code.
2. The identity authentication method of claim 1, wherein, before converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code, the method further comprises:
calculating the device identifier of the dynamic token with a signature algorithm to obtain a device signature of the dynamic token;
and wherein converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code comprises:
converting the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token into a dynamic two-dimensional code.
3. The identity authentication method of claim 2, wherein converting the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token into a dynamic two-dimensional code comprises:
splicing the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token to obtain an authentication message;
and converting the authentication message into a dynamic two-dimensional code with a two-dimensional code conversion algorithm.
4. The identity authentication method of claim 1, wherein generating a dynamic factor based on an event synchronization mechanism comprises:
determining the accumulated number of power-ons of the dynamic token and the accumulated number of presses of the two-dimensional code generation button of the dynamic token as the dynamic factor.
5. The identity authentication method according to any one of claims 1 to 4, wherein the encoding format of the dynamic two-dimensional code is hexadecimal.
6. An identity authentication method based on a dynamic password, applied to a server, comprising the following steps:
receiving a dynamic two-dimensional code uploaded by a terminal device, the dynamic two-dimensional code having been acquired by the terminal device from a dynamic token;
parsing a dynamic factor, a device identifier of the dynamic token and a dynamic verification code from the dynamic two-dimensional code, wherein the dynamic factor is generated by the dynamic token based on an event synchronization mechanism, and the dynamic verification code is obtained by the dynamic token by calculating the dynamic factor and the device identifier of the dynamic token with an encryption algorithm;
verifying the dynamic verification code with the dynamic factor and the device identifier of the dynamic token, wherein the dynamic factor and the device identifier of the dynamic token are calculated with the encryption algorithm to obtain a verification code, and the dynamic verification code is verified with the verification code;
if the dynamic verification code fails verification, determining that the user to be authenticated has failed identity authentication;
and if the dynamic verification code passes verification and the user information of the user to be authenticated is successfully matched with the device identifier of the dynamic token, determining that the user to be authenticated has passed identity authentication.
7. The identity authentication method of claim 6, wherein, before verifying the dynamic verification code with the dynamic factor and the device identifier of the dynamic token, the method further comprises:
parsing a device signature of the dynamic token from the dynamic two-dimensional code, the device signature of the dynamic token having been obtained by the dynamic token by calculating the device identifier of the dynamic token with a signature algorithm;
and wherein verifying the dynamic verification code with the dynamic factor and the device identifier of the dynamic token comprises:
verifying the device signature of the dynamic token with the device identifier of the dynamic token;
and if the device signature of the dynamic token passes verification, verifying the dynamic verification code with the dynamic factor and the device identifier of the dynamic token.
8. An identity authentication device based on a dynamic password, applied to a dynamic token, comprising:
a generating unit, configured to generate a dynamic factor based on an event synchronization mechanism;
an encryption unit, configured to calculate the dynamic factor and the device identifier of the dynamic token with an encryption algorithm to obtain a dynamic verification code;
a conversion unit, configured to convert the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code;
and a display unit, configured to display the dynamic two-dimensional code; wherein the dynamic two-dimensional code is used to provide the dynamic factor, the device identifier of the dynamic token and the dynamic verification code to a server, the server calculates the dynamic factor and the device identifier of the dynamic token with the encryption algorithm to obtain a verification code, and the verification code is used to verify the dynamic verification code.
9. The identity authentication device of claim 8, wherein the encryption unit is further configured to calculate the device identifier of the dynamic token with a signature algorithm to obtain a device signature of the dynamic token;
and the conversion unit, when converting the dynamic factor, the device identifier of the dynamic token and the dynamic verification code into a dynamic two-dimensional code, is specifically configured to:
convert the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token into a dynamic two-dimensional code.
10. The identity authentication device of claim 9, wherein the conversion unit, when converting the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token into a dynamic two-dimensional code, is configured to:
splice the dynamic factor, the device identifier of the dynamic token, the dynamic verification code and the device signature of the dynamic token to obtain an authentication message; and convert the authentication message into a dynamic two-dimensional code with a two-dimensional code conversion algorithm.
11. The identity authentication device of claim 8, wherein the generating unit, when generating the dynamic factor based on the event synchronization mechanism, is configured to:
determine the accumulated number of power-ons of the dynamic token and the accumulated number of presses of the two-dimensional code generation button of the dynamic token as the dynamic factor.
12. The identity authentication device according to any one of claims 8 to 11, wherein the encoding format of the dynamic two-dimensional code is hexadecimal.
13. An identity authentication device based on a dynamic password, applied to a server, comprising:
a receiving unit, configured to receive a dynamic two-dimensional code uploaded by a terminal device, the dynamic two-dimensional code having been acquired by the terminal device from a dynamic token;
a parsing unit, configured to parse a dynamic factor, a device identifier of the dynamic token and a dynamic verification code from the dynamic two-dimensional code, wherein the dynamic factor is generated by the dynamic token based on an event synchronization mechanism, and the dynamic verification code is obtained by the dynamic token by calculating the dynamic factor and the device identifier of the dynamic token with an encryption algorithm;
a verification unit, configured to verify the dynamic verification code with the dynamic factor and the device identifier of the dynamic token, wherein the dynamic factor and the device identifier of the dynamic token are calculated with the encryption algorithm to obtain a verification code, and the dynamic verification code is verified with the verification code;
a determining unit, configured to determine that the user to be authenticated has failed identity authentication if the dynamic verification code fails verification;
and the determining unit is further configured to determine that the user to be authenticated has passed identity authentication if the dynamic verification code passes verification and the user information of the user to be authenticated is successfully matched with the device identifier of the dynamic token.
14. The identity authentication device of claim 13, wherein the parsing unit is further configured to:
parse a device signature of the dynamic token from the dynamic two-dimensional code, the device signature of the dynamic token having been obtained by the dynamic token by calculating the device identifier of the dynamic token with a signature algorithm;
and the verification unit, when verifying the dynamic verification code with the dynamic factor and the device identifier of the dynamic token, is specifically configured to:
verify the device signature of the dynamic token with the device identifier of the dynamic token; and, if the device signature of the dynamic token passes verification, verify the dynamic verification code with the dynamic factor and the device identifier of the dynamic token.
15. A dynamic token, comprising:
a main control chip, a security chip connected to the main control chip, a display screen connected to the main control chip, control keys, and a battery; wherein:
the main control chip is configured to execute the identity authentication method based on a dynamic password according to any one of claims 1 to 5 and to provide the resulting dynamic two-dimensional code to the display screen for display;
and the security chip is configured to store the dynamic factor generated by the main control chip, the encryption algorithm used by the main control chip to generate the dynamic verification code, and the private key used by the main control chip to obtain the device signature of the dynamic token.
16. The dynamic token of claim 15, further comprising a universal serial bus (USB) interface and a Bluetooth communication module.
Application CN202010017764.7A, priority date 2020-01-08, filing date 2020-01-08: Identity authentication method and device based on dynamic password and dynamic token. Status: Active. Granted as CN111126533B (en).

Publications (2)

Publication Number Publication Date
CN111126533A CN111126533A (en) 2020-05-08
CN111126533B true CN111126533B (en) 2023-06-23

Family

ID=70487511


Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111598556A (en) * 2020-05-26 2020-08-28 牛津(海南)区块链研究院有限公司 Digital currency exchange method, device, equipment and medium
CN114040349B (en) * 2020-07-21 2024-04-09 华为技术有限公司 Electronic equipment and distributed system
CN114024703A (en) * 2020-10-28 2022-02-08 北京八分量信息科技有限公司 Identity leakage method for preventing server from being invaded in zero trust architecture
CN112560015A (en) 2020-12-17 2021-03-26 北京百度网讯科技有限公司 Password updating method, device, equipment and storage medium of electronic equipment
CN113011864B (en) * 2021-03-22 2022-12-16 支付宝(杭州)信息技术有限公司 Two-dimensional code generation and verification method, device, equipment and readable medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011050745A1 (en) * 2009-10-30 2011-05-05 北京飞天诚信科技有限公司 Method and system for authentication
CN102148837A (en) * 2011-05-11 2011-08-10 上海时代亿信信息科技有限公司 Bidirectional authentication method and system for dynamic token
CN103944720A (en) * 2014-04-08 2014-07-23 武汉信安珞珈科技有限公司 Method for synchronizing time of dynamic token
CN108234124A (en) * 2016-12-15 2018-06-29 腾讯科技(深圳)有限公司 Auth method, device and system

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9071439B2 (en) * 2007-04-26 2015-06-30 Emc Corporation Method and apparatus for remote administration of cryptographic devices
CN101594232B (en) * 2009-06-30 2011-12-28 飞天诚信科技股份有限公司 Authentication method for dynamic password, system and corresponding authentication device
CN102186169A (en) * 2010-04-30 2011-09-14 北京华大智宝电子系统有限公司 Identity authentication method, device and system
CN103905195A (en) * 2012-12-28 2014-07-02 中国电信股份有限公司 User card authentication method and system based on dynamic password
CN103220148B (en) * 2013-04-03 2015-12-09 天地融科技股份有限公司 The method of electronic signature token operation response request, system and electronic signature token
CN103532719B (en) * 2013-10-22 2017-01-18 天地融科技股份有限公司 Dynamic password generation method, dynamic password generation system, as well as processing method and processing system of transaction request
CN107180351A (en) * 2017-04-13 2017-09-19 上海动联信息技术股份有限公司 A kind of off line Dynamic Two-dimensional code generating method, method of payment and equipment
CN109547217B (en) * 2019-01-11 2021-10-22 北京中实信达科技有限公司 One-to-many identity authentication system and method based on dynamic password


Legal Events

Code Title Description
PB01 Publication
CB03 Change of inventor or designer information
Inventor after: Zeng Qingfei; Lei Hong; Yan Yun; Lu Xiao
Inventor before: Zeng Qingfei; Yan Yun; Lu Xiao
SE01 Entry into force of request for substantive examination
GR01 Patent grant