CN111324885A - Distributed identity authentication method - Google Patents

Distributed identity authentication method Download PDF

Info

Publication number
CN111324885A
CN111324885A CN202010096154.0A CN202010096154A CN111324885A CN 111324885 A CN111324885 A CN 111324885A CN 202010096154 A CN202010096154 A CN 202010096154A CN 111324885 A CN111324885 A CN 111324885A
Authority
CN
China
Prior art keywords
node
authentication
login
password
account
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202010096154.0A
Other languages
Chinese (zh)
Inventor
蒋子杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to CN202010096154.0A priority Critical patent/CN111324885A/en
Publication of CN111324885A publication Critical patent/CN111324885A/en
Withdrawn legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • G06F21/46Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to a distributed identity authentication method, which comprises a registration process and a login process, wherein in the registration process, a login node splits a password and generates a plurality of distributed authentication parameters which are respectively stored in a plurality of authentication nodes; and in the login process, carrying out distributed identity authentication by a plurality of authentication nodes based on the distributed authentication parameters. The method improves the safety of the identity authentication process and improves the safety of password information storage.

Description

Distributed identity authentication method
Technical Field
The invention belongs to the field of computers, and particularly relates to a distributed identity authentication method.
Background
In the information age, especially with the explosive development of the mobile internet, people often need to perform identity authentication on the network. The most common identity authentication method is that a user inputs an account and a password at a client, and a server verifies the account and the password. In this process, the security of the password is one of the most sensitive considerations.
The account password of the user is usually stored in a database of the server, and due to the factors that the server is invaded by a hacker, internal personnel are leaked and the like, password data in the server is often stolen. Early passwords were plaintext stored in the server, and once the password data in the server was stolen, the password was revealed. The improvement measures are that the plain-text password is not stored, but the hash value of the password is stored, but the hacker can still crack the password by means of calculating the hash value in advance, bumping a library and the like. In summary, the security of server cryptographic data is a core weakness of the prior art of identity authentication.
Disclosure of Invention
In order to solve the above problems in the prior art, the present invention provides a distributed identity authentication method.
The technical scheme adopted by the invention is as follows:
a distributed identity authentication method comprises a registration process and a login process, wherein the registration process comprises the following steps:
step 100: a user uses a client to connect a login node for registration, and inputs an account and a password according to the requirements of a registration interface;
step 200: a client generates a registration request message, and sends the registration request message to a login node, wherein the registration request message comprises an account and a password which are required to be registered by a user;
step 300: after receiving the registration request message, the login node splits the password into K parts, wherein K is the number of authentication nodes;
step 400: setting K parts obtained after password splitting as P1,P2,……,PKThe login node calculates the hash value of each part, i.e. calculates Hi=Hash(Pi),1≤i≤K;
Step 500: the login node generates a random number Salt and calculates K distributed authentication parameters AiWherein:
A1=Hash(H1||Salt);
Aj=Hash(Hj||Aj-1),2≤j≤K
step 600: the login node sends a distributed authentication parameter AiAnd the corresponding account number is sent to the authentication node RiEach authentication node only stores one distributed authentication parameter of the account;
the login process comprises the following steps:
step 700: a user uses a client to connect a login node for login, and inputs an account and a password according to the requirements of a login interface;
step 800: the client splits the password input by the user into K parts and calculates the hash value of each part, and the splitting and calculating methods are the same as the steps 300 and 400;
step 900: the client generates a login request message and sends the login request message to a login node, wherein the login request message comprises the hash value H of each part of an account and a password input by a useri
Step 1000: after the login node receives the login request message, the account and the H are combinediTo an authentication node RiWhile sending Salt to the authentication node R1Requiring authentication of the node R1Starting distributed identity authentication;
step 1100: k authentication nodes carry out distributed identity authentication, and the distributed identity authentication comprises the following steps:
authentication node R1Computing Hash (H)1| Salt), and whether the calculation result is equal to the locally stored A or not is judged1If not, the login node is informed of authentication failure, otherwise, the calculation result is sent to the authentication node R2
For any one authentication node Rj(2. ltoreq. j. ltoreq.K-1), which, on receipt, has received the last node Rj-1After the calculation result of (2), Hash (H) is calculatedj||Aj-1) And judging whether the calculation result is compared with the locally stored AjIf not, the login node is informed of authentication failure, otherwise, the calculation result is sent to the authentication node Rj+1
For the last authentication node RKUpon reception of the last node RK-1After the calculation result of (2), Hash (H) is calculatedK||AK-1) And judging whether the calculation result is compared with the locally stored AKAnd if not, notifying the login node that the authentication is failed, otherwise, notifying the login node that the authentication is successful.
Further, splitting the password into K parts specifically includes: the binary representation of the password is split into K parts.
Further, splitting the password into K parts specifically includes: the binary value of the password is split into the sum of K numbers.
Further, the Hash algorithm is MD5 or SHA-1.
Further, each account number has a different random number Salt, or all account numbers have a fixed random number Salt.
Further, the connection between the client and the login node is https connection.
Further, the random number Salt is a 128-bit random number.
The invention has the beneficial effects that: the security of the identity authentication process is improved, and the security of password information storage is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, and are not to be considered limiting of the invention, in which:
fig. 1 is a logical structure diagram of the distributed identity authentication system of the present invention.
Detailed Description
The present invention will now be described in detail with reference to the drawings and specific embodiments, wherein the exemplary embodiments and descriptions are provided only for the purpose of illustrating the present invention and are not to be construed as limiting the present invention.
Referring to fig. 1, a logical block diagram of a distributed identity authentication system used by the present invention is shown. The system comprises a client, a login node and a plurality of authentication nodes.
The client is a device used by the user for identity authentication, and specifically, the user uses the client to register and log in through an account and a password. The client may be a PC, a smartphone, a tablet computer, or the like.
The login node is a core node of the distributed identity authentication system and is used for receiving the access of the client and receiving the registration and authentication request of the client.
The plurality of authentication nodes are specifically used for identity verification in the distributed identity authentication system, the plurality of authentication nodes are used for distributed authentication, and the login node determines whether the identity verification passes or not based on the authentication results of all the authentication nodes.
Based on the above system structure, the distributed identity authentication method of the present invention is described in detail below. The method comprises two processes: a registration procedure and an authentication procedure.
The registration process is a process that a user registers an account password by using a client, and comprises the following specific steps:
step 100: the user uses the client to connect the login node for registration, and inputs the account and the password according to the requirements of the registration interface.
Specifically, step 100 is the same as a common registration step in the prior art, that is, the client connects to the login node, and after the user selects to register a new account, the registration interface is displayed, and according to the requirement of the registration interface, the user inputs registration information, including the account and the password that the user needs to register, in the corresponding input box. The specific implementation method of this step is the same as that in the prior art, and is not described herein again.
Step 200: the client generates a registration request message, and sends the registration request message to a login node, wherein the registration request message comprises an account and a password which are required to be registered by a user.
Specifically, after the user fills in the registration information at the client, the user clicks registration, the client generates a registration request message including an account number and a password of the user, and the registration request message is sent to the login node through connection between the client and the login node. In order to ensure information security, the connection should be a secure connection, and typically, https connections are generally used in the prior art to realize secure transmission of data.
Step 300: and after receiving the registration request message, the login node splits the password into K parts, wherein K is the number of the authentication nodes.
The specific splitting manner of the password can have different designs, and according to a specific embodiment of the invention, the binary representation of the password can be split into K parts. Specifically, assuming that the password is 6 characters, one byte for each character, the password has 6 bytes, for a total of 48 bits. When K is 3, the password is split into 3 parts, each part including 2 bytes, i.e., 16 bits; when K is 4, the cipher is split into 4 parts, each part comprising 12 bits.
According to another embodiment of the invention, the binary value of the password may be split into a sum of K numbers. For example, when the binary value of the password is PW and K is 3, the PW can be randomly split into PW and P1+P2+P3Thus P is1、P2And P3Three parts after password splitting are formed.
In short, different password splitting modes can be adopted according to specific design strategies, and the present invention is not limited in particular.
Step 400: setting K parts obtained after password splitting as P1,P2,……,PKThe login node calculates the hash value of each part, i.e. calculates Hi=Hash(Pi),1≤i≤K。
The Hash is a Hash algorithm, which may adopt any one of the Hash algorithms in the art, such as MD5, SHA-1, etc., and the present invention is not limited thereto.
Step 500: the login node calculates K distributed authentication parameters Ai,1≤i≤K。
Specifically, the login node first needs to generate a random number Salt, which should have a sufficient number of bits, and preferably, the Salt is a 128-bit random number. Based on the management policy, each account may correspond to a different random number Salt, or all accounts may correspond to a fixed random number Salt.
Then, the login node calculates K distributed authentication parameters A according to the following methodi
A1=Hash(H1||Salt);
Aj=Hash(Hj||Aj-1),2≤j≤K。
Where the | symbol represents the concatenation of two binary numbers.
It can be seen from the above calculation that the distributed authentication parameters are interdependent, the latter calculation depends on the former calculation, and it is practically meaningless to obtain one or a few distributed authentication parameters separately, thus improving the security of the password.
Step 600: the login node respectively sends each distributed authentication parameter and the corresponding account number to each authentication node, and each authentication node only stores one distributed authentication parameter of the account number.
Specifically, let K authentication nodes be R1,R2,……,RKThen the logging node A1And the account number is sent to an authentication node R1Authenticating node R1A is to be1Storing the account number correspondingly; at the same time, the logging node will A2And the account number is sent to an authentication node R2Authenticating node R2A is to be2Storing the account number correspondingly; and so on. In summary, the logging node will AiAnd the account number is sent to an authentication node RiAuthenticating node RiA is to beiAnd storing corresponding to the account number.
By this point the registration process is ended, each authentication node stores a distributed authentication parameter, and the login node stores the random number Salt.
After the user registers, the user can log in by using an account and a password, the system performs distributed identity authentication on the account and the password through K authentication nodes, and the login process comprises the following specific steps:
step 700: the user uses the client to connect the login node for login, and inputs the account and the password according to the requirements of the login interface.
Specifically, step 700 is the same as a common login step in the prior art, that is, the client connects to a login node, and after the user selects login, the login interface is displayed, and according to the requirement of the login interface, the user inputs login information in a corresponding input box, where the login information includes an account and a password that the user has registered in advance. The specific implementation method of this step is the same as that in the prior art, and is not described herein again.
Step 800: the client splits the password input by the user into K parts and calculates the hash value of each part.
The specific splitting method of the client for the password is consistent with the splitting method of the login node for the password in the step 300; the calculation method of the hash value for each part is identical to the calculation method in step 400. Thus, the client can obtain K H s identical to the result of step 400iThe value is obtained.
Step 900: the client generates a login request message and sends the login request message to a login node, wherein the login request message comprises the hash value H of each part of an account and a password input by a useri,1≤i≤K。
Specifically, after the user fills in the login information at the client, the user clicks on login, the client performs the calculation in step 800, and then generates a login request message, and sends the login request message to the login node through the connection between the client and the login node. In order to ensure information security, the connection should be a secure connection, and typically, https connections are generally used in the prior art to realize secure transmission of data.
Step 1000: after the login node receives the login request message, the account and the H are combinediTo an authentication node RiWhile sending Salt to the authentication node R1Requiring authentication of the node R1Distributed identity authentication is initiated.
In particular, the authentication node R hereiSame as set in step 600, i.e. authentication node RiStoring a distributed authentication parameter Ai. Thus, the logging node will<Account number, H1,Salt>To an authentication node R1Will be<Account number, H2>To an authentication node R2Will be<Account number, H3>To an authentication node R3And so on. When authenticating node R1And starting distributed identity authentication after receiving the requirement of logging in the node.
Step 1100: and the K authentication nodes perform distributed identity authentication.
In particular, the authentication node R1Computing Hash (H)1| Salt), and whether the calculation result is equal to the locally stored A or not is judged1Equal, if not equal, notifying the login node of authentication failure, otherwise, calculating the result (namely A)1) To an authentication node R2
For any one authentication node Rj(2. ltoreq. j. ltoreq.K-1), which, on receipt, has received the last node Rj-1Is calculated (i.e. A)j-1) After that, Hash (H) is calculatedj||Aj-1) And judging whether the calculation result is compared with the locally stored AjEqual, if not equal, notifying the login node of authentication failure, otherwise, calculating the result (namely A)j) To an authentication node Rj+1
For the last authentication node RKUpon reception of the last node RK-1Is calculated (i.e. A)K-1) After that, Hash (H) is calculatedK||AK-1) And judging whether the calculation result is compared with the locally stored AKAnd if not, notifying the login node that the authentication is failed, otherwise, notifying the login node that the authentication is successful.
Through the steps, the specific process of identity authentication is completed by K authentication nodes in sequence, authentication fails when any authentication node fails, and a hacker needs to control a login node and the K authentication nodes simultaneously if the hacker needs to control an authentication system, which is obviously difficult. On the other hand, the password information is actually stored in the K authentication nodes through the K distributed authentication parameters, and even if part of the authentication parameters are leaked, the key cannot be recovered. Therefore, the security of the whole identity authentication system is greatly improved.
The above description is only a preferred embodiment of the present invention, and all equivalent changes or modifications of the structure, characteristics and principles described in the present invention are included in the scope of the present invention.

Claims (8)

1. A distributed identity authentication method is characterized by comprising a registration process and a login process, wherein the registration process comprises the following steps:
step 100: a user uses a client to connect a login node for registration, and inputs an account and a password according to the requirements of a registration interface;
step 200: a client generates a registration request message, and sends the registration request message to a login node, wherein the registration request message comprises an account and a password which are required to be registered by a user;
step 300: after receiving the registration request message, the login node splits the password into K parts, wherein K is the number of authentication nodes;
step 400: setting K parts obtained after password splitting as P1,P2,……,PKThe login node calculates the hash value of each part, i.e. calculates Hi=Hash(Pi),1≤i≤K;
Step 500: the login node generates a random number Salt and calculates K distributed authentication parameters AiWherein:
A1=Hash(H1||Salt);
Aj=Hash(Hj||Aj-1),2≤j≤K
step 600: the login node sends a distributed authentication parameter AiAnd the corresponding account number is sent to the authentication node RiEach authentication node only stores one distributed authentication parameter of the account;
the login process comprises the following steps:
step 700: a user uses a client to connect a login node for login, and inputs an account and a password according to the requirements of a login interface;
step 800: the client splits the password input by the user into K parts and calculates the hash value of each part, and the splitting and calculating methods are the same as the steps 300 and 400;
step 900: the client generates a login request message and sends the login request message to a login node, wherein the login request message comprises the hash value H of each part of an account and a password input by a useri
Step 1000: the login node receives the login requestAfter the information is solved, the account number and the H are combinediTo an authentication node RiWhile sending Salt to the authentication node R1Requiring authentication of the node R1Starting distributed identity authentication;
step 1100: k authentication nodes carry out distributed identity authentication, and the distributed identity authentication comprises the following steps:
authentication node R1Computing Hash (H)1| Salt), and whether the calculation result is equal to the locally stored A or not is judged1If not, the login node is informed of authentication failure, otherwise, the calculation result is sent to the authentication node R2
For any one authentication node Rj(2. ltoreq. j. ltoreq.K-1), which, on receipt, has received the last node Rj-1After the calculation result of (2), Hash (H) is calculatedj||Aj-1) And judging whether the calculation result is compared with the locally stored AjIf not, the login node is informed of authentication failure, otherwise, the calculation result is sent to the authentication node Rj+1
For the last authentication node RKUpon reception of the last node RK-1After the calculation result of (2), Hash (H) is calculatedK||AK-1) And judging whether the calculation result is compared with the locally stored AKAnd if not, notifying the login node that the authentication is failed, otherwise, notifying the login node that the authentication is successful.
2. The method according to claim 1, wherein splitting the password into K parts is specifically: the binary representation of the password is split into K parts.
3. The method according to claim 1, wherein splitting the password into K parts is specifically: the binary value of the password is split into the sum of K numbers.
4. The method according to any of claims 1-3, wherein the Hash algorithm is MD5 or SHA-1.
5. A method according to any of claims 1-4, characterized in that each account number has a different random number Salt.
6. The method according to any of claims 1-4, characterized in that all account numbers correspond to a fixed random number Salt.
7. The method of claim 1, wherein the connection between the client and the login node is an https connection.
8. The method according to claim 1, wherein the random number Salt is a 128-bit random number.
CN202010096154.0A 2020-02-17 2020-02-17 Distributed identity authentication method Withdrawn CN111324885A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010096154.0A CN111324885A (en) 2020-02-17 2020-02-17 Distributed identity authentication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010096154.0A CN111324885A (en) 2020-02-17 2020-02-17 Distributed identity authentication method

Publications (1)

Publication Number Publication Date
CN111324885A true CN111324885A (en) 2020-06-23

Family

ID=71163489

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010096154.0A Withdrawn CN111324885A (en) 2020-02-17 2020-02-17 Distributed identity authentication method

Country Status (1)

Country Link
CN (1) CN111324885A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112948780A (en) * 2021-01-05 2021-06-11 浪潮云信息技术股份公司 Distributed database authentication method and system
CN113221082A (en) * 2021-05-26 2021-08-06 东营安顺电气有限公司 Data encryption method, system and computer
CN116827520A (en) * 2023-08-30 2023-09-29 环球数科集团有限公司 Distributed identity authentication system based on WEB3 technology

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112948780A (en) * 2021-01-05 2021-06-11 浪潮云信息技术股份公司 Distributed database authentication method and system
CN113221082A (en) * 2021-05-26 2021-08-06 东营安顺电气有限公司 Data encryption method, system and computer
CN116827520A (en) * 2023-08-30 2023-09-29 环球数科集团有限公司 Distributed identity authentication system based on WEB3 technology
CN116827520B (en) * 2023-08-30 2023-10-27 环球数科集团有限公司 Distributed identity authentication system based on WEB3 technology

Similar Documents

Publication Publication Date Title
CN108064440B (en) FIDO authentication method, device and system based on block chain
EP3319292B1 (en) Methods, client and server for checking security based on biometric features
US8196186B2 (en) Security architecture for peer-to-peer storage system
EP1577736B1 (en) Efficient and secure authentication of computing systems
US8209744B2 (en) Mobile device assisted secure computer network communication
US8955076B1 (en) Controlling access to a protected resource using multiple user devices
CN112425118B (en) Public key-private key pair account login and key manager
CN112425114A (en) Password manager protected by public-private key pair
US10375084B2 (en) Methods and apparatuses for improved network communication using a message integrity secure token
CN111324885A (en) Distributed identity authentication method
CN106789032B (en) Single password three-party authentication method for secret sharing between server and mobile equipment
CN111327629B (en) Identity verification method, client and server
CN105827395A (en) Network user authentication method
CN112989426B (en) Authorization authentication method and device, and resource access token acquisition method
US20180255053A1 (en) Partial one-time password
US11223489B1 (en) Advanced security control implementation of proxied cryptographic keys
CN111130798A (en) Request authentication method and related equipment
CN108140079A (en) Device authentication system
WO2022042198A1 (en) Identity authentication method and apparatus, computer device, and storage medium
EP3076584B1 (en) Hashed data retrieval method
US20220237595A1 (en) Cryptocurrency key management
CN117336092A (en) Client login method and device, electronic equipment and storage medium
CN111628985A (en) Security access control method, security access control device, computer equipment and storage medium
US11502840B2 (en) Password management system and method
EP3757920A1 (en) Cryptocurrency key management

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20200623

WW01 Invention patent application withdrawn after publication