CN111432408B - Wi-Fi flow analysis-based double-factor authentication method and electronic device - Google Patents


Info

Publication number
CN111432408B
CN111432408B (application CN202010110203.1A)
Authority
CN
China
Prior art keywords
login
challenge code
terminal
identifier
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010110203.1A
Other languages
Chinese (zh)
Other versions
CN111432408A (en)
Inventor
王伟
王明月
李文渊
鲁琳俪
王琼霄
林璟锵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2020-02-23
Filing date
2020-02-23
Publication date
2021-07-06
2020-02-23 Application filed by Institute of Information Engineering of CAS
2020-02-23 Priority to CN202010110203.1A
2020-07-17 Publication of CN111432408A
2021-07-06 Application granted
2021-07-06 Publication of CN111432408B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a two-factor authentication method based on wireless Wi-Fi traffic analysis, and an electronic device. The method comprises: receiving and verifying login request information from a login end; sending an identifier to a login end that passes verification, and sending a first challenge code carrying that identifier to the corresponding auxiliary end; receiving a second challenge code, which the login end obtains from the captured traffic by means of the identifier, together with the first challenge code as reported back by the corresponding auxiliary end; calculating a similarity value between the first and second challenge codes; and deciding, against a set threshold, whether the login end's authentication request passes. Because the server issues the challenge code to the auxiliary end over the wireless channel and the login end obtains it by capturing and parsing traffic with its wireless network card, the scheme is simple to implement and requires no interaction between the user and the auxiliary end. The added second-factor challenge code is never reused and is long enough that exhaustive guessing by an adversary is infeasible, giving high security.

Description

Wi-Fi flow analysis-based double-factor authentication method and electronic device
Technical Field
The invention relates to the field of information security, in particular to a two-factor authentication method based on wireless Wi-Fi traffic analysis, and an electronic device.
Background
In a modern society of ever-deepening digitalization, identity authentication is a crucial barrier for network security. Two-factor authentication, which combines something the user knows (e.g., a password) with something the user possesses (e.g., a registered token) to secure the user's account, has been widely used in applications such as online banking: the user enters a username/password at a login end to request login to a remote server and also proves possession of the token to the server. Traditional two-factor authentication requires some interaction or manual operation by the user in the second verification step (e.g., reading a token and typing it in), which places an additional burden on the user.
Chinese patent application CN101795196A discloses an authentication method and system for online banking login in which a mobile terminal reads the IMSI number of the user's SIM card and the bank server receives and verifies that IMSI number. Although this method is convenient for the user, who need not read a token and enter it manually, it depends entirely on the IMSI number, so loss of the mobile terminal carries the risk of huge property loss.
Therefore, it is of great significance to design a two-factor authentication method that is secure and adds no extra operations.
Disclosure of Invention
The invention solves the following problem: it overcomes the defects of the prior art and provides a two-factor authentication method and an electronic device based on wireless Wi-Fi traffic analysis, which can be used to protect the security of a user account.
A two-factor authentication method based on wireless Wi-Fi traffic analysis, applicable to a network consisting of a server, a plurality of login ends and a plurality of auxiliary ends in one-to-one correspondence with the login ends, wherein each login end knows the login information of the Wi-Fi network to which its corresponding auxiliary end is connected, comprises the following steps:
1) receiving and verifying login request information from a login end, sending an identifier to the login end that passes verification, and sending a first challenge code carrying the identifier to the corresponding auxiliary end;
2) receiving a second challenge code, obtained by the login end according to the identifier, and the first challenge code as reported by the corresponding auxiliary end, calculating a similarity value between the first challenge code and the second challenge code, and deciding, according to a set threshold, whether the login end's authentication request passes;
wherein the login end in step 1) switches to wireless promiscuous (monitor) mode after sending the login request information.
Further, the login information of the Wi-Fi network to which the corresponding auxiliary end is connected comprises a username and a password.
Further, the server verifies the correctness and/or validity of the login request information from the login end.
Further, the login request information includes a username and a password.
Further, the length of the identifier is less than the length of the first challenge code.
Further, the length of the first challenge code is not less than 112 bits.
Further, the first challenge code comprises a random number or a pseudo-random number.
Further, the login end obtains the second challenge code by:
(1) logging in to the Wi-Fi network to which the corresponding auxiliary end is connected;
(2) capturing the wireless data packet sent by the server to the corresponding auxiliary end;
(3) parsing the wireless data packet and resolving, according to the identifier, the second challenge code.
A storage medium having a computer program stored therein, wherein the computer program performs the above method.
An electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the above method.
Compared with the prior art, the invention has the following beneficial effects:
1) The server issues the challenge code to the auxiliary end over the wireless channel and the login end obtains it by capturing and parsing traffic with its wireless network card, so the scheme is simple to implement and the user has no interaction with the auxiliary end.
2) The invention adds a second-factor challenge code that is never reused and is long enough that exhaustive guessing by an adversary is infeasible, giving high security.
Drawings
FIG. 1 is a flow chart of a two-factor authentication based on Wi-Fi traffic analysis.
Detailed Description
In order that the objects, principles, aspects and advantages of the present invention will become more apparent, the present invention will be described in detail below with reference to specific embodiments thereof and with reference to the accompanying drawings.
The invention uses challenge codes and Wi-Fi traffic analysis to achieve two-factor authentication that is imperceptible to the user (no extra operation is required). Specifically, the server issues a challenge code carrying a certain identifier to the auxiliary end over the wireless Wi-Fi channel; the login end and the auxiliary end are in the same Wi-Fi environment (at the same physical location); and the login end performs Wi-Fi traffic analysis, using the identifier, to obtain the challenge code and sends it to the server.
The invention involves the following participants: a user, a login end, an auxiliary end and a server. The user is the owner of the account and of the auxiliary end, and initiates an authentication request to the server on the login end to complete the first verification step. The login end is the device requesting access to the user account; it is equipped with a wireless network card and automatically triggers the second authentication step once the first has completed. The auxiliary end is a device trusted and held by the user; it is registered with the server in advance, is connected to the network through wireless Wi-Fi, and can establish secure communication with the server to complete the second verification step. The server communicates securely with the login end and with the auxiliary end, and is responsible for checking the correctness/legality of both authentication steps.
The technical scheme adopted by the invention is a two-factor authentication method based on Wi-Fi traffic analysis, shown in FIG. 1, which proceeds as follows.
1) The user inputs account information at the login end to request login, and the login end switches its wireless network card into promiscuous (monitor) mode.
2) The server verifies the correctness/validity of the account information sent from the login end. If it passes, the server sends a challenge code r_d carrying an identifier t to the auxiliary end and at the same time informs the login end of the identifier t; otherwise, the login end is informed that login has failed.
3) The login end captures wireless data packets through its wireless network card and, using the identifier t, parses out the challenge code r_c.
4) The login end sends the parsed challenge code r_c to the server; the auxiliary end sends the challenge code r_d it received from the server back to the server.
5) The server compares the received challenge codes r_d and r_c and returns the result to both the login end and the auxiliary end: if they agree, authentication passes; otherwise, it fails.
In step 1), the user account information includes, but is not limited to, a username/password.
In step 2), the challenge code is never reused and should be long enough; a random or pseudo-random number of at least 112 bits is suggested, so that exhaustive guessing by an adversary is infeasible. The identifier should be much shorter than the challenge code (16 bits is suggested) so that the login end can capture and parse the packet that carries it.
In step 3), the login end knows the account/password of the Wi-Fi network to which the auxiliary end is connected, so it can decrypt the captured packets and obtain the challenge code in plaintext.
The present invention will be specifically described below with reference to an embodiment.
This embodiment illustrates the design of the invention by taking two-factor authentication based on a password and Wi-Fi traffic analysis as an example.
The concrete implementation steps are as follows:
1) The user inputs a username/password at the login end to request login, and the login end switches its wireless network card into promiscuous (monitor) mode so that it can simultaneously capture its own traffic and that of the auxiliary end.
2) The server verifies the correctness/validity of the account information sent from the login end. If it passes, the server sends a 112-bit random number r_d carrying a 16-bit identifier t to the auxiliary end and at the same time informs the login end of the identifier t; otherwise, the login end is informed that login has failed.
3) The login end captures wireless data packets through its wireless network card and, using the 16-bit identifier t, parses out the random number r_c.
4) The login end sends the parsed random number r_c to the server; the auxiliary end sends the random number r_d it received from the server back to the server.
5) The server compares the received random numbers r_d and r_c and returns the result to both the login end and the auxiliary end: if they agree, authentication passes; otherwise, it fails.
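The five-step flow above, in both its general form and this password-based embodiment, as an added self-contained Python example; it is not code from the patent or from its assignee. It runs the server, the login end and the auxiliary end in one process and replaces the radio with a constructed list of (destination MAC, payload) pairs standing in for what a monitor-mode capture yields after decryption. The framing MAGIC || t || r_d, the MAC address, the user table and the run_login driver are assumptions of the example, not anything the patent specifies. accepted_codes quantifies a point the claims leave open: the claims accept any similarity above a threshold while the embodiment requires an exact match, and every bit of tolerance multiplies the number of r_c values the server will accept.

```python
import hmac
import secrets
import struct
from math import comb

CHALLENGE_BYTES = 14   # 112 bits, the minimum length the patent suggests for the challenge code
IDENT_BITS = 16        # the 16-bit identifier t
MAGIC = b"2FA\x01"     # assumed framing marker so the login end can recognise the server's packet
THRESHOLD = 1.0        # required similarity; 1.0 = exact match, as in the embodiment
AUX_MAC = "aa:bb:cc:dd:ee:01"   # constructed MAC address of the auxiliary end


def frame_challenge(t, r_d):
    """Payload the server sends to the auxiliary end: MAGIC || t (big-endian 16-bit) || r_d."""
    return MAGIC + struct.pack(">H", t) + r_d


def parse_challenge(payload):
    """Return (t, r) if the payload has the challenge framing, else None."""
    if len(payload) != len(MAGIC) + 2 + CHALLENGE_BYTES or not payload.startswith(MAGIC):
        return None
    t = struct.unpack(">H", payload[len(MAGIC):len(MAGIC) + 2])[0]
    return t, payload[len(MAGIC) + 2:]


def similarity(a, b):
    """Fraction of bit positions on which a and b agree (1.0 means identical)."""
    if len(a) != len(b):
        return 0.0
    mismatched = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - mismatched / (8 * len(a))


def accepted_codes(max_mismatch, bits=8 * CHALLENGE_BYTES):
    """Number of distinct r_c values accepted for one r_d when up to max_mismatch bits
    may differ: 1 for an exact match, sum of C(bits, i) for i <= max_mismatch otherwise.
    This is how much a loose similarity threshold shrinks the adversary's guessing space."""
    return sum(comb(bits, i) for i in range(max_mismatch + 1))


class Server:
    def __init__(self, users):
        self.users = users     # username -> password (toy; a real server stores salted hashes)
        self.pending = {}      # t -> r_d for logins awaiting the second factor

    def login(self, username, password):
        """Step 2: check the first factor, then issue (t, payload for the auxiliary end) or None."""
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        r_d = secrets.token_bytes(CHALLENGE_BYTES)          # fresh per login, never reused
        t = secrets.randbelow(1 << IDENT_BITS)
        while t in self.pending:                             # do not collide with a login in flight
            t = secrets.randbelow(1 << IDENT_BITS)
        self.pending[t] = r_d
        return t, frame_challenge(t, r_d)

    def verify(self, t, r_c, r_d):
        """Step 5: compare what the login end sniffed (r_c) with what the auxiliary end echoed (r_d)."""
        issued = self.pending.pop(t, None)                   # single use: the same t a second time fails
        if issued is None or not hmac.compare_digest(issued, r_d):
            return False
        return similarity(issued, r_c) >= THRESHOLD


def sniff_challenge(captured, aux_mac, t):
    """Step 3: from a monitor-mode capture, pick the frame addressed to the auxiliary
    end whose identifier equals t and return its challenge code r_c (or None)."""
    for dst, payload in captured:
        if dst != aux_mac:
            continue
        parsed = parse_challenge(payload)
        if parsed is not None and parsed[0] == t:
            return parsed[1]
    return None


def run_login(server, username, password, tamper=False):
    """Drive one authentication attempt end to end and return the server's verdict."""
    issued = server.login(username, password)
    if issued is None:
        return False
    t, payload = issued
    # constructed capture: unrelated frames, another login's challenge, then the real one
    captured = [
        ("ff:ff:ff:ff:ff:ff", b"\x80\x00 beacon filler"),
        (AUX_MAC, b"GET / HTTP/1.1\r\n"),
        (AUX_MAC, frame_challenge((t + 1) & 0xFFFF, bytes(CHALLENGE_BYTES))),
        (AUX_MAC, payload),
    ]
    r_c = sniff_challenge(captured, AUX_MAC, t)
    if r_c is None:
        return False
    if tamper:                                               # simulate a corrupted or guessed r_c
        r_c = bytes([r_c[0] ^ 0x01]) + r_c[1:]
    # step 4: the auxiliary end reports the code it received; the login end reports r_c
    r_d = parse_challenge(payload)[1]
    return server.verify(t, r_c, r_d)


if __name__ == "__main__":
    srv = Server({"alice": "correct horse"})
    print("valid login:", run_login(srv, "alice", "correct horse"))
    print("tampered r_c:", run_login(srv, "alice", "correct horse", tamper=True))
    print("r_c values accepted with one bit of slack:", accepted_codes(1))
```

Two practical points the example makes explicit: the server pops the pending entry on the first verify call, so each challenge is single use and a second submission with the same identifier fails; and the identifier is drawn so that it does not collide with another login in flight, since with only 16 bits and many concurrent logins the login end could otherwise match another user's challenge. On a real WPA2-Personal network the login end also needs to have captured the auxiliary end's four-way handshake, not just the pre-shared key, to derive the pairwise key that decrypts that station's unicast frames; the example abstracts that layer away.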
In summary, the invention provides a two-factor authentication method based on Wi-Fi traffic analysis. The server issues the challenge code to the auxiliary end over the wireless channel, and the login end obtains it by capturing and parsing traffic with its wireless network card, so the scheme is simple to implement and requires no interaction between the user and the auxiliary end. The added second-factor challenge code is never reused and is long enough that exhaustive guessing by an adversary is infeasible, giving high security.
The above-mentioned embodiments are merely for better illustrating the objects, principles, technical solutions and advantages of the present invention. It should be understood that the above-mentioned embodiments are only exemplary of the present invention, and are not intended to limit the present invention, and any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A two-factor authentication method based on wireless Wi-Fi traffic analysis, applicable to a network consisting of a server, a plurality of login ends and a plurality of auxiliary ends in one-to-one correspondence with the login ends, wherein each login end knows the login information of the Wi-Fi network to which its corresponding auxiliary end is connected, the method comprising the following steps:
1) receiving and verifying login request information from a login end, sending an identifier to the login end that passes verification, and sending a first challenge code carrying the identifier to the corresponding auxiliary end;
2) receiving a second challenge code, obtained by the login end according to the identifier, and the first challenge code as reported by the corresponding auxiliary end, calculating a similarity value between the first challenge code and the second challenge code, and deciding, according to a set threshold, whether the login end's authentication request passes;
wherein the login end in step 1) switches to wireless promiscuous (monitor) mode after sending the login request information, and the login end obtains the second challenge code by:
a) logging in to the Wi-Fi network to which the corresponding auxiliary end is connected;
b) capturing the wireless data packet sent by the server to the corresponding auxiliary end;
c) parsing the wireless data packet and resolving, according to the identifier, the second challenge code.
2. The method of claim 1, wherein the login information of the Wi-Fi network to which the corresponding auxiliary end is connected includes a username and a password.
3. The method of claim 1, wherein the server verifies the correctness and/or validity of the login request information from the login end.
4. The method of claim 3, wherein the login request information comprises a username and a password.
5. The method of claim 1, wherein the length of the identifier is less than the length of the first challenge code.
6. The method of claim 5, wherein the length of the first challenge code is not less than 112 bits.
7. The method of claim 1, wherein the first challenge code comprises a random number or a pseudo-random number.
8. A storage medium having a computer program stored therein, wherein the computer program performs the method of any of claims 1-7.
9. An electronic device comprising a memory having a computer program stored therein and a processor arranged to execute the computer program to perform the method of any of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010110203.1A CN111432408B (en) 2020-02-23 2020-02-23 Wi-Fi flow analysis-based double-factor authentication method and electronic device


Publications (2)

Publication Number Publication Date
CN111432408A CN111432408A (en) 2020-07-17
CN111432408B true CN111432408B (en) 2021-07-06

Family

ID=71547041


Country Status (1)

Country Link
CN (1) CN111432408B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011161461A1 (en) * 2010-06-23 2011-12-29 Applied Neural Technologies Limited Identity verification
CN104506510A (en) * 2014-12-15 2015-04-08 Baidu Online Network Technology (Beijing) Co., Ltd. Method and device for equipment authentication and authentication service system
CN104683343A (en) * 2015-03-03 2015-06-03 Sun Yat-sen University Method for a terminal to rapidly log in to a WiFi hotspot
CN105072110A (en) * 2015-08-06 2015-11-18 Shandong University of Science and Technology Two-factor remote identity authentication method based on smart card
CN106921965A (en) * 2017-01-19 2017-07-04 Xiamen Shenghua Electronic Technology Co., Ltd. A method for implementing EAP authentication in a WLAN network


Also Published As

Publication number Publication date
CN111432408A (en) 2020-07-17

Similar Documents

Publication Publication Date Title
CN106656907B (en) Method, device, terminal equipment and system for authentication
CN104468115B (en) information system access authentication method and device
CN105516195B (en) A kind of security certification system and its authentication method based on application platform login
US9378352B2 (en) Barcode authentication for resource requests
US8661254B1 (en) Authentication of a client using a mobile device and an optical link
CN105827573B (en) System, method and the relevant apparatus of internet of things equipment strong authentication
CN102377756B (en) Service access method and system, authentication method and system, client and authentication server
US20200074070A1 (en) Risk based time-based one-time password (totp) authenticator
CN106921640A (en) Identity identifying method, authentication device and Verification System
CN107426235B (en) Authority authentication method, device and system based on equipment fingerprint
TW201545526A (en) Method, apparatus, and system for providing a security check
CN105897424A (en) Method for enhancing identity authentication
US20200351263A1 (en) Dynamic user id
CN103220673B (en) WLAN user authentication method, certificate server and subscriber equipment
US20170034164A1 (en) Multifactor authentication for mail server access
CN111800377B (en) Mobile terminal identity authentication system based on safe multi-party calculation
CN112383401B (en) User name generation method and system for providing identity authentication service
CN104734856B (en) A kind of command identifying method of anti-server information leakage
WO2018043951A1 (en) Pos device and system for performing payment authentication using biometric information, and control method therefor
CN114430324B (en) On-line rapid identity verification method based on hash chain
CN111641651A (en) Access verification method and device based on Hash chain
CN105577606B (en) A kind of method and apparatus for realizing authenticator registration
CN111432408B (en) Wi-Fi flow analysis-based double-factor authentication method and electronic device
CN116647345A (en) Method and device for generating permission token, storage medium and computer equipment
CN114389903B (en) Digital identity information encryption and authentication method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant