CN111262702A - Double-factor authentication method, device and system based on cryptographic algorithm and biological characteristics - Google Patents
Double-factor authentication method, device and system based on cryptographic algorithm and biological characteristics Download PDFInfo
- Publication number
- CN111262702A CN111262702A CN202010030854.XA CN202010030854A CN111262702A CN 111262702 A CN111262702 A CN 111262702A CN 202010030854 A CN202010030854 A CN 202010030854A CN 111262702 A CN111262702 A CN 111262702A
- Authority
- CN
- China
- Prior art keywords
- user
- password
- fuzzy
- biological characteristics
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 61
- 238000004422 calculation algorithm Methods 0.000 title claims abstract description 58
- 238000000605 extraction Methods 0.000 claims abstract description 34
- 238000012795 verification Methods 0.000 claims abstract description 26
- 150000003839 salts Chemical class 0.000 claims description 53
- 238000004364 calculation method Methods 0.000 claims description 15
- 230000006870 function Effects 0.000 claims description 9
- 230000008569 process Effects 0.000 description 17
- 238000010586 diagram Methods 0.000 description 6
- 230000003068 static effect Effects 0.000 description 5
- 238000004891 communication Methods 0.000 description 4
- 238000012545 processing Methods 0.000 description 4
- 238000013459 approach Methods 0.000 description 3
- 238000005336 cracking Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 230000001815 facial effect Effects 0.000 description 3
- 210000001747 pupil Anatomy 0.000 description 3
- 230000001010 compromised effect Effects 0.000 description 2
- 230000007123 defense Effects 0.000 description 2
- 230000009977 dual effect Effects 0.000 description 2
- 210000000887 face Anatomy 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000009795 derivation Methods 0.000 description 1
- 230000000452 restraining effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
Abstract
The embodiment of the invention discloses a dual-factor authentication method, a device and a system based on a cryptographic algorithm and biological characteristics, wherein the method comprises the following steps: acquiring biological characteristics and password hash values of a preset user, and carrying out fuzzy extraction on the biological characteristics of the preset user to obtain fuzzy biological characteristics of the preset user; integrating the fuzzy biological characteristics of the preset user with the password hash value of the preset user to obtain registration data, and storing the registration data in a database to complete user registration; acquiring the biological characteristics and the password hash value of the current user, and carrying out fuzzy extraction on the biological characteristics of the current user to obtain the fuzzy biological characteristics of the current user; integrating the fuzzy biological characteristics of the current user with the password hash value of the current user to obtain double-factor verification data; and outputting authentication result information according to the comparison result of the double-factor verification data and the registration data in the database. It has higher security and is poorer.
Description
Technical Field
The embodiment of the invention relates to the technical field of data security, in particular to a dual-factor authentication method, a dual-factor authentication device, a dual-factor authentication system and a storage medium based on a cryptographic algorithm and biological characteristics.
Background
Identity authentication is the most important link in network security, and is the first line of defense in a network application system and the most important line of defense. Two-factor authentication (2FA), sometimes also referred to as two-step authentication or two-factor authentication, is a security authentication process. In this verification process, the user is required to provide two different authentication factors to prove his identity, thereby better protecting the user credentials and the resources accessible to the user. Two-factor authentication provides a higher level of assurance than single-factor based authentication approaches. In single factor authentication, the user need only provide an authentication factor, typically a password or password. The two-factor authentication approach requires not only a password provided by the user, but also a second factor, which typically will be a security token or biometric factor like fingerprint and face scan. Because knowing only the victim's password is insufficient to pass the authentication checks, two-factor authentication achieves the goal of adding an additional layer of security to the authentication process by increasing the difficulty of an attacker accessing the user device and online account.
However, typically the account information of the user is stored in a user account database of the server. If the user's password and biometric are stored in the database in clear text, all individuals with access to the user's account database (e.g., database system administrators) can easily obtain the password and biometric of others. If a hacker gets an opportunity to access the user account database, the user's password and biometric will be revealed.
For the problem of password protection, the common solution is that the plaintext password is not directly stored in the user table, and the user password is transformed by adopting the cryptology hash operation, and the transformed password is stored in the user table, so that the user password can be well protected. In order to avoid using static password hash to obtain higher security, the system performs hash one-way encryption on the password hash and random salt submitted by the user, and stores the password hash and random salt in the database. The user authentication process is shown in fig. 1.
The biometric information is often stored in the clear, and the associated database is at risk of being hacked or compromised by itself. The leakage of the biological characteristic database faces greater hidden danger, the password is stolen before, the password can be changed by resetting, and the safety precaution level is improved. However, the biometric information such as the human face is unique and unchangeable for life, so that once the biometric information is leaked, personal property or privacy of people are disclosed, and a great loss is caused and cannot be recovered.
Disclosure of Invention
Therefore, the embodiment of the invention provides a dual-factor authentication method, device and system based on a cryptographic algorithm and biological characteristics and a storage medium, so as to at least partially solve the technical problem of poor security of user password data in the prior art.
In order to achieve the above object, the embodiments of the present invention provide the following technical solutions:
a two-factor authentication method based on a cryptographic algorithm and biometric features, the method comprising:
acquiring biological characteristics and password hash values of a preset user, and carrying out fuzzy extraction on the biological characteristics of the preset user to obtain fuzzy biological characteristics of the preset user;
integrating the fuzzy biological characteristics of the preset user with the password hash value of the preset user to obtain registration data, and storing the registration data in a database to complete user registration;
acquiring the biological characteristics and the password hash value of the current user, and carrying out fuzzy extraction on the biological characteristics of the current user to obtain the fuzzy biological characteristics of the current user;
integrating the fuzzy biological characteristics of the current user with the password hash value of the current user to obtain double-factor verification data;
and outputting authentication result information according to the comparison result of the double-factor verification data and the registration data in the database.
Further, the method comprises the steps of collecting a biological feature and a password hashed value of a preset user, and carrying out fuzzy extraction on the biological feature of the preset user to obtain a fuzzy biological feature of the preset user; integrating the fuzzy biological characteristics of the preset user with the password hash value of the preset user to obtain registration data, and storing the registration data in a database to complete user registration, wherein the method specifically comprises the following steps:
inputting biological characteristic information BIO of a preset user into a Gen () algorithm by a fuzzy extraction technology so as to output a biological characteristic uniform random string RB of the preset user and a biological characteristic auxiliary string P of the preset user;
calculating Au ═ H (ID | | | P | | | RB | | | | PWD) by using a password SM3 algorithm, wherein Au is authentication data, H is a password hash function corresponding to the SM3 algorithm, ID is identity information of a preset user, and PWD is a password of the preset user;
encrypting Enc (Pk, ID and Au) by adopting a SM2 public key Pk of the server, and sending the Enc (Pk, ID P Au) to the server S;
the server receives the data and then decrypts Enc (Pk, ID P Au) by using a SM2 private key Dk of the server to obtain ID P Au;
generating a random number salt, carrying out SM3 hash calculation on H (salt, Au), simultaneously storing ID, P, salt and H (salt, Au) in a database, and not storing Au in a server;
and sending a registration success message to complete the user registration.
Further, the biometric feature and the password hash value of the current user are obtained, and the biometric feature of the current user is subjected to fuzzy extraction to obtain the fuzzy biometric feature of the current user; integrating the fuzzy biological characteristics of the current user with the password hash value of the current user to obtain double-factor verification data, which specifically comprises:
inputting biological characteristic information BIO' and a biological characteristic auxiliary character string P of a current user into a Rep () algorithm by a fuzzy extraction technology to obtain a biological characteristic uniform random string RB;
calculating Au ═ H (ID | | | P | | | RB | | | PWD) by using a password SM3 algorithm;
encrypting the Enc (Pk, ID P Au) by using an SM2 public key Pk of the server, and sending the Enc (Pk, ID P Au) to the server S;
the server receives the data and then decrypts Enc (Pk, ID P Au) by using the SM2 private key D of the server to obtain ID Au to obtain the two-factor verification data.
Further, outputting authentication result information according to a comparison result between the two-factor verification data and the registration data in the database, specifically comprising:
comparing whether the ID and P obtained by decryption are the same as the ID and P values in the database;
if the random number is the same as the random number, reading the random number salt in the database, carrying out SM3 hash calculation on H (salt, Au), and comparing the H (salt, Au) with the H (salt, Au) in the database;
if the two are the same, the authentication is successful, and authentication success information is sent.
The invention also provides a two-factor authentication device based on a cryptographic algorithm and biological characteristics, for implementing the method as described above, the device comprising:
the registration unit is used for acquiring the biological characteristics and the password hashed value of a preset user and carrying out fuzzy extraction on the biological characteristics of the preset user so as to obtain the fuzzy biological characteristics of the preset user;
the registration unit is also used for integrating the fuzzy biological characteristics of the preset user with the password hash value of the preset user to obtain registration data, and the registration data is stored in a database to complete user registration;
the authentication unit is used for acquiring the biological characteristics and the password hashed value of the current user and carrying out fuzzy extraction on the biological characteristics of the current user so as to obtain the fuzzy biological characteristics of the current user;
the authentication unit is also used for integrating the fuzzy biological characteristics of the current user with the password hash value of the current user to obtain double-factor verification data;
and the authentication result output unit is used for outputting authentication result information according to the comparison result of the double-factor verification data and the registration data in the database.
Further, the registration unit is specifically configured to:
inputting biological characteristic information BIO of a preset user into a Gen () algorithm by a fuzzy extraction technology so as to output a biological characteristic uniform random string RB of the preset user and a biological characteristic auxiliary string P of the preset user;
calculating Au ═ H (ID | | | P | | | RB | | | | PWD) by using a password SM3 algorithm, wherein Au is authentication data, H is a password hash function corresponding to the SM3 algorithm, ID is identity information of a preset user, and PWD is a password of the preset user;
encrypting Enc (Pk, ID and Au) by adopting a SM2 public key Pk of the server, and sending the Enc (Pk, ID P Au) to the server S;
the server receives the data and then decrypts Enc (Pk, ID P Au) by using a SM2 private key Dk of the server to obtain ID P Au;
generating a random number salt, carrying out SM3 hash calculation on H (salt, Au), simultaneously storing ID, P, salt and H (salt, Au) in a database, and not storing Au in a server;
and sending a registration success message to complete the user registration.
Further, the authentication unit is specifically configured to:
inputting biological characteristic information BIO' and a biological characteristic auxiliary character string P of a current user into a Rep () algorithm by a fuzzy extraction technology to obtain a biological characteristic uniform random string RB;
calculating Au ═ H (ID | | | P | | | RB | | | PWD) by using a password SM3 algorithm;
encrypting the Enc (Pk, ID P Au) by using an SM2 public key Pk of the server, and sending the Enc (Pk, ID P Au) to the server S;
the server receives the data and then decrypts Enc (Pk, ID P Au) by using the SM2 private key D of the server to obtain ID Au to obtain the two-factor verification data.
Further, the authentication result output unit is specifically configured to:
comparing whether the ID and P obtained by decryption are the same as the ID and P values in the database;
if the random number is the same as the random number, reading the random number salt in the database, carrying out SM3 hash calculation on H (salt, Au), and comparing the H (salt, Au) with the H (salt, Au) in the database;
if the two are the same, the authentication is successful, and authentication success information is sent.
The invention also provides a two-factor authentication system, which comprises: a processor and a memory;
the memory is to store one or more program instructions;
the processor is configured to execute one or more program instructions to perform the method as described above.
The present invention also provides a computer storage medium having one or more program instructions embodied therein for use by a two-factor authentication system to perform a method as described above.
The invention provides a dual-factor authentication method, a device and a system based on a national password algorithm and biological characteristics and a storage medium, which adopt a special domestic commercial password algorithm to carry out password calculation, ensure the security of the password algorithm, simultaneously utilize the biological characteristics and password to carry out dual-factor authentication, protect the password and the uniform random number of the biological characteristics of a user by using a domestic commercial password SM3 hash function, even if a hacker steals data of a server, the password and the uniform random number of the biological characteristics of the user cannot be recovered, a password cracking method cannot recover the password, and simultaneously ensure the security of the password and the biological characteristics. Meanwhile, random salt which changes once is used, and static data replay attack is prevented. The communication is carried out in an encrypted security channel, and the exchanged authentication data is protected by a domestic commercial code SM2 password, and the security of the user data is ensured by multiple means, so that the technical problem of poor security of the user password data in the prior art is solved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.
The structures, ratios, sizes, and the like shown in the present specification are only used for matching with the contents disclosed in the specification, so as to be understood and read by those skilled in the art, and are not used to limit the conditions that the present invention can be implemented, so that the present invention has no technical significance, and any structural modifications, changes in the ratio relationship, or adjustments of the sizes, without affecting the effects and the achievable by the present invention, should still fall within the range that the technical contents disclosed in the present invention can cover.
FIG. 1 is a diagram illustrating a user identity authentication process in the prior art;
FIG. 2 is a flowchart of one embodiment of a two-factor authentication method provided by the present invention;
FIG. 3 is a diagram illustrating a scenario of a user registration process in the two-factor authentication method shown in FIG. 2;
FIG. 4 is a diagram illustrating a scenario of a user authentication process in the two-factor authentication method shown in FIG. 2;
FIG. 5 is a diagram of a scenario of a library drag attack process;
FIG. 6 is a block diagram of a dual-factor authentication device according to an embodiment of the present invention;
FIG. 7 is a block diagram of an embodiment of a two-factor authentication system according to the present invention.
Detailed Description
The present invention is described in terms of particular embodiments, other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure, and it is to be understood that the described embodiments are merely exemplary of the invention and that it is not intended to limit the invention to the particular embodiments disclosed. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In a specific implementation mode, the dual-factor authentication method based on the national cryptographic algorithm and the biological characteristics provided by the invention can realize the dual encryption of the data password and the biological characteristics so as to improve the encryption effect, ensure the security of the password data and the biological characteristic data of a user, and particularly has a better effect on preventing hackers from carrying out library dragging operation. As shown in fig. 2, the method includes:
s1: acquiring biological characteristics and password hash values of a preset user, and carrying out fuzzy extraction on the biological characteristics of the preset user to obtain fuzzy biological characteristics of the preset user; it should be understood that the preset user at this location is the target user that needs to complete registration, and after the biometric features of the target user are subjected to the fuzzy processing, the biometric features are prestored as the fuzzy biometric features, so as to facilitate calling and comparison in the subsequent authentication process. The biometric features of the preset user can be specifically fingerprints, facial scan features or pupil features and other features with typical biometric specificity.
S2: integrating the fuzzy biological characteristics of the preset user with the password hash value of the preset user to obtain registration data, and storing the registration data in a database to complete user registration; that is, after the user biological characteristics are processed by using the fuzzy extraction technology, the obtained fuzzy biological characteristics and the hash value of the user password are stored at the server; because the entropy of the biological characteristics is large, the biological characteristics and the password participate in hash operation together, the password cannot be obtained through dictionary, exhaustion and other password collision algorithms, and meanwhile, the safety of the user password is also ensured.
In an actual algorithm, as shown in fig. 3, the registration process of the user includes the following specific steps:
inputting biological characteristic information BIO of a preset user into a Gen () algorithm by a fuzzy extraction technology so as to output a biological characteristic uniform random string RB of the preset user and a biological characteristic auxiliary string P of the preset user;
calculating Au ═ H (ID | | | P | | | RB | | | | PWD) by using a password SM3 algorithm, wherein Au is authentication data, H is a password hash function corresponding to the SM3 algorithm, ID is identity information of a preset user, and PWD is a password of the preset user;
encrypting Enc (Pk, ID and Au) by adopting a SM2 public key Pk of the server, and sending the Enc (Pk, ID P Au) to the server S;
the server receives the data and then decrypts Enc (Pk, ID P Au) by using a SM2 private key Dk of the server to obtain ID P Au;
generating a random number salt, carrying out SM3 hash calculation on H (salt, Au), simultaneously storing ID, P, salt and H (salt, Au) in a database, and not storing Au in a server;
and sending a registration success message to complete the user registration.
After the registration is completed, the subsequent re-login process needs to authenticate the feature information.
S3: acquiring the biological characteristics and the password hash value of the current user, and carrying out fuzzy extraction on the biological characteristics of the current user to obtain the fuzzy biological characteristics of the current user; it should be understood that, the current user at this location, i.e. the target user that needs to complete authentication, performs a fuzzy processing on the biometric features of the current user, and then prestores the biometric features as fuzzy biometric features, so as to compare the fuzzy biometric features with the features of the preset user that are prestored in the database, thereby determining whether authentication is successful. The biometric features of the current user may be fingerprints, facial scan features or pupil features, etc. with typical biometric specificity, and the biometric features extracted by the current user should match with the biometric features of the preset user pre-stored in the database, i.e. the pre-stored biometric features are fingerprints, and the extracted biometric features should also be fingerprints.
S4: and integrating the fuzzy biological characteristics of the current user with the password hash value of the current user to obtain the double-factor verification data.
S5: and outputting authentication result information according to the comparison result of the double-factor verification data and the registration data in the database.
In an actual algorithm, as shown in fig. 4, the authentication process of the user includes the following specific steps:
inputting biological characteristic information BIO' and a biological characteristic auxiliary character string P of a current user into a Rep () algorithm by a fuzzy extraction technology to obtain a biological characteristic uniform random string RB;
calculating Au ═ H (ID | | | P | | | RB | | | PWD) by using a password SM3 algorithm;
encrypting the Enc (Pk, ID P Au) by using an SM2 public key Pk of the server, and sending the Enc (Pk, ID P Au) to the server S;
the server receives the data and then decrypts Enc (Pk, ID P Au) by using the SM2 private key D of the server to obtain ID Au to obtain the two-factor verification data.
Further, outputting authentication result information according to a comparison result between the two-factor verification data and the registration data in the database, specifically comprising:
comparing whether the ID and P obtained by decryption are the same as the ID and P values in the database;
if the random number is the same as the random number, reading the random number salt in the database, carrying out SM3 hash calculation on H (salt, Au), and comparing the H (salt, Au) with the H (salt, Au) in the database;
if the two are the same, the authentication is successful, and authentication success information is sent.
The method can be used for preventing hackers from stealing personal data, and has a remarkable restraining effect on the means of 'dragging libraries' commonly used by hackers. The term "drag library" is originally a term of art in the field of databases and generally refers to the derivation of data from a database. After a hacker invades a website through some abnormal way, the hacker can steal the database therein and download all information. If information in a certain website server is hacked, personal information and passwords of users can be leaked, and personal real property and online virtual property of the users in other systems can be led to face risks. The process of a hacker attacking a user password by dragging the library is shown in fig. 5.
From the above, even if the plaintext password is protected by the hash algorithm, once the database is leaked, the password is still easily broken, and several attack methods are described below.
(1) Dictionary attack and brute force attack
The dictionary attack is not greatly different from the brute force attack, the dictionary attack can be regarded as one kind of brute force attack, common characters (the brute force attack is that various possible characters are combined together) are subjected to Hash operation (an attacker needs to know the Hash algorithm used by encryption), and then the Hash value in the database is compared, if the Hash value is the same, the password of the user is successfully cracked.
(2) Lookup table
The basic method is to pre-calculate the password in the dictionary, then store the password and the ciphertext corresponding to the password in a data structure (such as a Hash table or a Memcached), and then search according to the password plaintext and the ciphertext, so that the searching speed is very high.
(3) Rainbow watch
The rainbow table is very similar to the lookup table, the lookup table is used for storing more data, and the operation speed is higher; and the rainbow table has small storage and slow operation, which is equivalent to changing the time for the space.
The biometric information is often stored in the clear, and the associated database is at risk of being hacked or compromised by itself. The leakage of the biological characteristic database faces greater hidden danger, the password is stolen before, the password can be changed by resetting, and the safety precaution level is improved. However, the biometric information such as the human face is unique and unchangeable for life, so that once the biometric information is leaked, personal property or privacy of people are disclosed, and a great loss is caused and cannot be recovered.
Currently, fuzzy extraction techniques are widely used for biometric identification. When a biometric B is input, the fuzzy extraction technique can output a random string R in a fault-tolerant manner. When the input B' and B are not greatly different, the random character string R output by the fuzzy extractor is not changed. The server need only store the random character R and not the user biometric. In the process of inputting the biological characteristics B' to recover R, auxiliary public information P is generally required to be input. The blur extractor consists of the following 2 algorithms. However, this authentication approach may also result in the leakage of the biometric or corresponding R, which is difficult to resist man-in-the-middle attacks or data replay attacks.
The method provided by the invention is used for carrying out encryption protection on the password hash stored in the database by designing the cryptographic algorithm protocol and combining with the hardware cryptography operation, so that a hacker can not attack the user password to acquire password information even if data is leaked, and the user password data is effectively protected.
In the above specific embodiment, the two-factor authentication method based on the national password algorithm and the biological characteristics provided by the present invention adopts the dedicated domestic commercial password algorithm to perform password calculation, so as to ensure the security of the password algorithm, and simultaneously performs the two-factor authentication by using the biological characteristics and the password, the password and the uniform random number of the biological characteristics of the user are protected by the domestic commercial password SM3 hash function, even if a hacker steals the data of the server, the password and the uniform random number of the biological characteristics of the user cannot be recovered, the password cracking method cannot recover the password, and simultaneously ensures the security of the password and the biological characteristics. Meanwhile, random salt which changes once is used, and static data replay attack is prevented. The communication is carried out in an encrypted security channel, and the exchanged authentication data is protected by a domestic commercial code SM2 password, and the security of the user data is ensured by multiple means, so that the technical problem of poor security of the user password data in the prior art is solved.
In addition to the above method, the present invention also provides a dual factor authentication apparatus based on cryptographic algorithm and biometric features, for implementing the method as described above, as shown in fig. 6, the apparatus comprising:
the registration unit 100 is configured to collect a biometric feature and a password hash value of a preset user, and perform fuzzy extraction on the biometric feature of the preset user to obtain a fuzzy biometric feature of the preset user; it should be understood that the preset user at this location is the target user that needs to complete registration, and after the biometric features of the target user are subjected to the fuzzy processing, the biometric features are prestored as the fuzzy biometric features, so as to facilitate calling and comparison in the subsequent authentication process. The biometric features of the preset user can be specifically fingerprints, facial scan features or pupil features and other features with typical biometric specificity.
The registration unit is also used for integrating the fuzzy biological characteristics of the preset user with the password hash value of the preset user to obtain registration data, and the registration data is stored in a database to complete user registration; that is, after the user biological characteristics are processed by using the fuzzy extraction technology, the obtained fuzzy biological characteristics and the hash value of the user password are stored at the server; because the entropy of the biological characteristics is large, the biological characteristics and the password participate in hash operation together, the password cannot be obtained through dictionary, exhaustion and other password collision algorithms, and meanwhile, the safety of the user password is also ensured.
In an actual implementation process, the registration unit is specifically configured to:
inputting biological characteristic information BIO of a preset user into a Gen () algorithm by a fuzzy extraction technology so as to output a biological characteristic uniform random string RB of the preset user and a biological characteristic auxiliary string P of the preset user;
calculating Au ═ H (ID | | | P | | | RB | | | | PWD) by using a password SM3 algorithm, wherein Au is authentication data, H is a password hash function corresponding to the SM3 algorithm, ID is identity information of a preset user, and PWD is a password of the preset user;
encrypting Enc (Pk, ID and Au) by adopting a SM2 public key Pk of the server, and sending the Enc (Pk, ID P Au) to the server S;
the server receives the data and then decrypts Enc (Pk, ID P Au) by using a SM2 private key Dk of the server to obtain ID P Au;
generating a random number salt, carrying out SM3 hash calculation on H (salt, Au), simultaneously storing ID, P, salt and H (salt, Au) in a database, and not storing Au in a server;
and sending a registration success message to complete the user registration.
The authentication unit 200 is configured to obtain a biometric feature of the current user and a password hash value, and perform fuzzy extraction on the biometric feature of the current user to obtain a fuzzy biometric feature of the current user;
the authentication unit is also used for integrating the fuzzy biological characteristics of the current user with the password hash value of the current user to obtain double-factor verification data;
an authentication result output unit 300, configured to output authentication result information according to a comparison result between the two-factor verification data and the registration data in the database.
In a specific implementation process, the authentication unit is specifically configured to:
inputting biological characteristic information BIO' and a biological characteristic auxiliary character string P of a current user into a Rep () algorithm by a fuzzy extraction technology to obtain a biological characteristic uniform random string RB;
calculating Au ═ H (ID | | | P | | | RB | | | PWD) by using a password SM3 algorithm;
encrypting the Enc (Pk, ID P Au) by using an SM2 public key Pk of the server, and sending the Enc (Pk, ID P Au) to the server S;
the server receives the data and then decrypts Enc (Pk, ID P Au) by using the SM2 private key D of the server to obtain ID Au to obtain the two-factor verification data.
Further, the authentication result output unit is specifically configured to:
comparing whether the ID and P obtained by decryption are the same as the ID and P values in the database;
if the random number is the same as the random number, reading the random number salt in the database, carrying out SM3 hash calculation on H (salt, Au), and comparing the H (salt, Au) with the H (salt, Au) in the database;
if the two are the same, the authentication is successful, and authentication success information is sent.
In the above embodiment, the dual-factor authentication device based on the national password algorithm and the biometric feature provided by the present invention adopts the dedicated domestic commercial password algorithm to perform the password calculation, so as to ensure the security of the password algorithm, and simultaneously performs the dual-factor authentication by using the biometric feature and the password, the password and the biometric uniform random number of the user are protected by the domestic commercial password SM3 hash function, even if a hacker steals the data of the server, the password and the biometric uniform random number of the user cannot be recovered, the password cracking method cannot recover the password, and simultaneously ensures the security of the password and the biometric feature. Meanwhile, random salt which changes once is used, and static data replay attack is prevented. The communication is carried out in an encrypted security channel, and the exchanged authentication data is protected by a domestic commercial code SM2 password, and the security of the user data is ensured by multiple means, so that the technical problem of poor security of the user password data in the prior art is solved.
According to a third aspect of the embodiments of the present invention, there is also provided a two-factor authentication system, as shown in fig. 7, the system including: a processor 301 and a memory 302;
the memory is to store one or more program instructions;
the processor is configured to execute one or more program instructions to perform the method as described above.
In correspondence with the above embodiments, embodiments of the present invention also provide a computer storage medium containing one or more program instructions therein. Wherein the one or more program instructions are for performing the method as described above by a two-factor authentication system.
In an embodiment of the invention, the processor may be an integrated circuit chip having signal processing capability. The Processor may be a general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete Gate or transistor logic device, discrete hardware component.
The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in ram, flash memory, rom, prom, or eprom, registers, etc. storage media as is well known in the art. The processor reads the information in the storage medium and completes the steps of the method in combination with the hardware.
The storage medium may be a memory, for example, which may be volatile memory or nonvolatile memory, or which may include both volatile and nonvolatile memory.
The nonvolatile Memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash Memory.
The volatile Memory may be a Random Access Memory (RAM) which serves as an external cache. By way of example, and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), SLDRAM (SLDRAM), and Direct Rambus RAM (DRRAM).
The storage media described in connection with the embodiments of the invention are intended to comprise, without being limited to, these and any other suitable types of memory.
Those skilled in the art will appreciate that the functionality described in the present invention may be implemented in a combination of hardware and software in one or more of the examples described above. When software is applied, the corresponding functionality may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media including any medium that facilitates transfer of a computer program from one place to another. A storage media may be any available media that can be accessed by a general purpose or special purpose computer.
The above embodiments are only for illustrating the embodiments of the present invention and are not to be construed as limiting the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made on the basis of the embodiments of the present invention shall be included in the scope of the present invention.
Claims (10)
1. A dual-factor authentication method based on a cryptographic algorithm and biological characteristics is characterized by comprising the following steps:
acquiring biological characteristics and password hash values of a preset user, and carrying out fuzzy extraction on the biological characteristics of the preset user to obtain fuzzy biological characteristics of the preset user;
integrating the fuzzy biological characteristics of the preset user with the password hash value of the preset user to obtain registration data, and storing the registration data in a database to complete user registration;
acquiring the biological characteristics and the password hash value of the current user, and carrying out fuzzy extraction on the biological characteristics of the current user to obtain the fuzzy biological characteristics of the current user;
integrating the fuzzy biological characteristics of the current user with the password hash value of the current user to obtain double-factor verification data;
and outputting authentication result information according to the comparison result of the double-factor verification data and the registration data in the database.
2. The two-factor authentication method according to claim 1, wherein the biometric feature and the password hash value of the preset user are collected, and the biometric feature of the preset user is subjected to fuzzy extraction to obtain the fuzzy biometric feature of the preset user; integrating the fuzzy biological characteristics of the preset user with the password hash value of the preset user to obtain registration data, and storing the registration data in a database to complete user registration, wherein the method specifically comprises the following steps:
inputting biological characteristic information BIO of a preset user into a Gen () algorithm by a fuzzy extraction technology so as to output a biological characteristic uniform random string RB of the preset user and a biological characteristic auxiliary string P of the preset user;
calculating Au ═ H (ID | | | P | | | RB | | | | PWD) by using a password SM3 algorithm, wherein Au is authentication data, H is a password hash function corresponding to the SM3 algorithm, ID is identity information of a preset user, and PWD is a password of the preset user;
encrypting Enc (Pk, ID and Au) by adopting a SM2 public key Pk of the server, and sending the Enc (Pk, ID P Au) to the server S;
the server receives the data and then decrypts Enc (Pk, ID P Au) by using a SM2 private key Dk of the server to obtain ID P Au;
generating a random number salt, carrying out SM3 hash calculation on H (salt, Au), simultaneously storing ID, P, salt and H (salt, Au) in a database, and not storing Au in a server;
and sending a registration success message to complete the user registration.
3. The two-factor authentication method of claim 1, wherein the biometric feature of the current user and the password hash value are obtained, and the biometric feature of the current user is subjected to fuzzy extraction to obtain the fuzzy biometric feature of the current user; integrating the fuzzy biological characteristics of the current user with the password hash value of the current user to obtain double-factor verification data, which specifically comprises:
inputting biological characteristic information BIO' and a biological characteristic auxiliary character string P of a current user into a Rep () algorithm by a fuzzy extraction technology to obtain a biological characteristic uniform random string RB;
calculating Au ═ H (ID | | | P | | | RB | | | PWD) by using a password SM3 algorithm;
encrypting the Enc (Pk, ID P Au) by using an SM2 public key Pk of the server, and sending the Enc (Pk, ID P Au) to the server S;
the server receives the data and then decrypts Enc (Pk, ID P Au) by using the SM2 private key D of the server to obtain ID Au to obtain the two-factor verification data.
4. The dual-factor authentication method of claim 3, wherein outputting authentication result information according to a comparison result between the dual-factor verification data and the registration data in the database specifically comprises:
comparing whether the ID and P obtained by decryption are the same as the ID and P values in the database;
if the random number is the same as the random number, reading the random number salt in the database, carrying out SM3 hash calculation on H (salt, Au), and comparing the H (salt, Au) with the H (salt, Au) in the database;
if the two are the same, the authentication is successful, and authentication success information is sent.
5. A two-factor authentication device based on cryptographic algorithm and biometric features for implementing the method according to any one of claims 1 to 4, the device comprising:
the registration unit is used for acquiring the biological characteristics and the password hashed value of a preset user and carrying out fuzzy extraction on the biological characteristics of the preset user so as to obtain the fuzzy biological characteristics of the preset user;
the registration unit is also used for integrating the fuzzy biological characteristics of the preset user with the password hash value of the preset user to obtain registration data, and the registration data is stored in a database to complete user registration;
the authentication unit is used for acquiring the biological characteristics and the password hashed value of the current user and carrying out fuzzy extraction on the biological characteristics of the current user so as to obtain the fuzzy biological characteristics of the current user;
the authentication unit is also used for integrating the fuzzy biological characteristics of the current user with the password hash value of the current user to obtain double-factor verification data;
and the authentication result output unit is used for outputting authentication result information according to the comparison result of the double-factor verification data and the registration data in the database.
6. The dual-factor authentication device according to claim 5, wherein the registration unit is specifically configured to:
inputting biological characteristic information BIO of a preset user into a Gen () algorithm by a fuzzy extraction technology so as to output a biological characteristic uniform random string RB of the preset user and a biological characteristic auxiliary string P of the preset user;
calculating Au ═ H (ID | | | P | | | RB | | | | PWD) by using a password SM3 algorithm, wherein Au is authentication data, H is a password hash function corresponding to the SM3 algorithm, ID is identity information of a preset user, and PWD is a password of the preset user;
encrypting Enc (Pk, ID and Au) by adopting a SM2 public key Pk of the server, and sending the Enc (Pk, ID P Au) to the server S;
the server receives the data and then decrypts Enc (Pk, ID P Au) by using a SM2 private key Dk of the server to obtain ID P Au;
generating a random number salt, carrying out SM3 hash calculation on H (salt, Au), simultaneously storing ID, P, salt and H (salt, Au) in a database, and not storing Au in a server;
and sending a registration success message to complete the user registration.
7. The two-factor authentication device of claim 5, wherein the authentication unit is specifically configured to:
inputting biological characteristic information BIO' and a biological characteristic auxiliary character string P of a current user into a Rep () algorithm by a fuzzy extraction technology to obtain a biological characteristic uniform random string RB;
calculating Au ═ H (ID | | | P | | | RB | | | PWD) by using a password SM3 algorithm;
encrypting the Enc (Pk, ID P Au) by using an SM2 public key Pk of the server, and sending the Enc (Pk, ID P Au) to the server S;
the server receives the data and then decrypts Enc (Pk, ID P Au) by using the SM2 private key D of the server to obtain ID Au to obtain the two-factor verification data.
8. The two-factor authentication device according to claim 5, wherein the authentication result output unit is specifically configured to:
comparing whether the ID and P obtained by decryption are the same as the ID and P values in the database;
if the random number is the same as the random number, reading the random number salt in the database, carrying out SM3 hash calculation on H (salt, Au), and comparing the H (salt, Au) with the H (salt, Au) in the database;
if the two are the same, the authentication is successful, and authentication success information is sent.
9. A two-factor authentication system, the system comprising: a processor and a memory;
the memory is to store one or more program instructions;
the processor, configured to execute one or more program instructions to perform the method of any of claims 1-4.
10. A computer storage medium comprising one or more program instructions for performing the method of any one of claims 1-4 by a two-factor authentication system.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010030854.XA CN111262702A (en) | 2020-01-13 | 2020-01-13 | Double-factor authentication method, device and system based on cryptographic algorithm and biological characteristics |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010030854.XA CN111262702A (en) | 2020-01-13 | 2020-01-13 | Double-factor authentication method, device and system based on cryptographic algorithm and biological characteristics |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN111262702A true CN111262702A (en) | 2020-06-09 |
Family
ID=70953973
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010030854.XA Pending CN111262702A (en) | 2020-01-13 | 2020-01-13 | Double-factor authentication method, device and system based on cryptographic algorithm and biological characteristics |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111262702A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112100611A (en) * | 2020-08-14 | 2020-12-18 | 广州江南科友科技股份有限公司 | Password generation method and device, storage medium and computer equipment |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8868923B1 (en) * | 2010-07-28 | 2014-10-21 | Sandia Corporation | Multi-factor authentication |
| CN105871553A (en) * | 2016-06-28 | 2016-08-17 | 电子科技大学 | Identity-free three-factor remote user authentication method |
| CN107733656A (en) * | 2017-10-23 | 2018-02-23 | 北京深思数盾科技股份有限公司 | A kind of cipher authentication method and device |
| CN108880822A (en) * | 2018-06-29 | 2018-11-23 | 郑州云海信息技术有限公司 | A kind of identity identifying method, device, system and a kind of intelligent wireless device |
| CN110213232A (en) * | 2019-04-26 | 2019-09-06 | 特斯联(北京)科技有限公司 | A kind of fingerprint characteristic and key double verification method and apparatus |
-
2020
- 2020-01-13 CN CN202010030854.XA patent/CN111262702A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8868923B1 (en) * | 2010-07-28 | 2014-10-21 | Sandia Corporation | Multi-factor authentication |
| CN105871553A (en) * | 2016-06-28 | 2016-08-17 | 电子科技大学 | Identity-free three-factor remote user authentication method |
| CN107733656A (en) * | 2017-10-23 | 2018-02-23 | 北京深思数盾科技股份有限公司 | A kind of cipher authentication method and device |
| CN108880822A (en) * | 2018-06-29 | 2018-11-23 | 郑州云海信息技术有限公司 | A kind of identity identifying method, device, system and a kind of intelligent wireless device |
| CN110213232A (en) * | 2019-04-26 | 2019-09-06 | 特斯联(北京)科技有限公司 | A kind of fingerprint characteristic and key double verification method and apparatus |
Non-Patent Citations (1)
| Title |
|---|
| 宋健: "基于切比雪夫多项式的匿名认证协议设计与分析", 《中国优秀硕士学位论文全文数据库 (信息科技辑)》 * |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112100611A (en) * | 2020-08-14 | 2020-12-18 | 广州江南科友科技股份有限公司 | Password generation method and device, storage medium and computer equipment |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9935951B2 (en) | Remote blind hashing | |
| US5491752A (en) | System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens | |
| US6996715B2 (en) | Method for identification of a user's unique identifier without storing the identifier at the identification site | |
| CN110059458B (en) | User password encryption authentication method, device and system | |
| US20160269393A1 (en) | Protecting passwords and biometrics against back-end security breaches | |
| CN106452770B (en) | Data encryption method, data decryption method, device and system | |
| KR20070024633A (en) | Renewable and private biometrics | |
| US20200021448A1 (en) | Public-private key pair account login and key manager | |
| US10250589B2 (en) | System and method for protecting access to authentication systems | |
| JP2000315999A (en) | Cryptographic key generating method | |
| EP3398289B1 (en) | A method, system and apparatus using forward-secure cryptography for passcode verification | |
| Giri et al. | A novel and efficient session spanning biometric and password based three-factor authentication protocol for consumer USB mass storage devices | |
| Zhang et al. | Remote three‐factor authentication scheme based on Fuzzy extractors | |
| Choi et al. | A secure OTP algorithm using a smartphone application | |
| Touil et al. | H-rotation: secure storage and retrieval of passphrases on the authentication process | |
| Goel et al. | LEOBAT: Lightweight encryption and OTP based authentication technique for securing IoT networks | |
| US20050223218A1 (en) | Storing of data in a device | |
| CN111262702A (en) | Double-factor authentication method, device and system based on cryptographic algorithm and biological characteristics | |
| Banerjee et al. | A perfect dynamic-id and biometric based remote user authentication scheme under multi-server environments using smart cards | |
| KR100986980B1 (en) | Biometric authentication method, client and server | |
| WO2018114574A1 (en) | Method for secure management of secrets in a hierarchical multi-tenant environment | |
| US11171953B2 (en) | Secret sharing-based onboarding authentication | |
| CN107302542B (en) | Biological feature-based communication method and device | |
| Riaz et al. | OSAP: Online Smartphone's User Authentication Protocol | |
| WO2016042473A1 (en) | Secure authentication using dynamic passcode |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20200609 |