CN111800276B - Service processing method and device - Google Patents

Service processing method and device Download PDF

Info

Publication number
CN111800276B
CN111800276B CN202010764543.6A CN202010764543A CN111800276B CN 111800276 B CN111800276 B CN 111800276B CN 202010764543 A CN202010764543 A CN 202010764543A CN 111800276 B CN111800276 B CN 111800276B
Authority
CN
China
Prior art keywords
information
password
dynamic password
terminal
token
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010764543.6A
Other languages
Chinese (zh)
Other versions
CN111800276A (en
Inventor
邱鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Advanced New Technologies Co Ltd
Original Assignee
Advanced New Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Advanced New Technologies Co Ltd filed Critical Advanced New Technologies Co Ltd
Priority to CN202010764543.6A priority Critical patent/CN111800276B/en
Publication of CN111800276A publication Critical patent/CN111800276A/en
Application granted granted Critical
Publication of CN111800276B publication Critical patent/CN111800276B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Abstract

The embodiment of the application discloses a password generation method, a password verification method, a payment method and a payment device. The password generation method comprises the following steps: the terminal takes a pre-stored token and a current time value as input values of a first preset algorithm, and calculates to obtain a dynamic password; the terminal also prestores a device ID corresponding to the token, and the token and the device ID are generated by the server and are sent to the terminal; the terminal at least takes the first information containing the dynamic password as an input value of a second preset algorithm, and second information is obtained through calculation; and the terminal generates an authentication password containing the dynamic password, the second information and the equipment ID. Compared with the prior art, the risk that the authentication password generated by the embodiment of the application is broken by brute force of others is effectively reduced.

Description

Service processing method and device
The present application is a divisional application of patent application having application No. 201610371868.1, application date "2016, 05, and 30", application name "password generation method, password verification method, payment method, and payment apparatus".
Technical Field
The present application relates to the field of information authentication, and in particular, to a password generation method, a password verification method, a payment method, and a payment device.
Background
At present, in many scenarios, authentication of a user identity needs to be performed through a dynamic-time Password (OTP). The application scene comprises offline code scanning payment and the like.
Taking the offline code scanning payment scenario as an example, generally, a server of a payment application may generate a unique token and a device ID corresponding to the token for each client in advance, and send the generated token and device ID to each client, and the client may store the token and device ID in a secure storage area. The server needs to store the corresponding relationship between the token and the device ID in advance. When a user needs to perform code scanning payment through the client of the payment application, the client can calculate a dynamic password by adopting a certain preset algorithm (such as an event synchronous HOTP algorithm) according to a pre-stored token and a current time value, and the dynamic password (such as M bits) and the equipment ID (such as N bits) form an identity password (such as M + N bits). And then, the merchant can scan the identity password through the code scanning device, and upload the scanned identity password to the server of the payment application for verification. The server side can obtain the equipment ID according to the identity password, inquire to obtain a token corresponding to the equipment ID, calculate to obtain a trusted dynamic password list by using the current time of the system and the token as input values of the preset algorithm, and verify the dynamic password by using the trusted dynamic password list; if the dynamic password passes the verification, the identity authentication of the current user is passed, and the payment transaction can be executed.
The prior art identity passwords described above are at risk of being "brute force broken". By "brute force" is meant: because the identity password generated by the client is a plaintext, after an equipment ID (such as N bits) in the identity password is acquired, the dynamic password (such as M bits) can be generated according to a certain mode (such as random and exhaustive), and the identity of the user is authenticated by continuously utilizing an identity authentication password (such as M + N bits) formed by the generated dynamic password and the equipment ID until the identity authentication of the user is successful. For example, at a certain time, the dynamic password calculated by the client according to the token and the current time value is: "123456", the "brute force" process described above is: and (3) generating dynamic passwords from '000000' to '999999' one by others, and breaking the identity authentication password at the current moment until the correct dynamic password '123456' is collided. In the prior art, assuming that each bit of the M-bit dynamic password is 0 to 9, the probability of successful brute force cracking of the user identity is about: 1/10 M
Therefore, the identity authentication password in the prior art has a certain risk of being broken by brute force of others.
Disclosure of Invention
The embodiment of the application aims to provide a password generation method, a password verification method, a payment method and a device, so as to solve the problem that an identity authentication password in the prior art is at risk of being broken by brute force of others.
In order to solve the above technical problem, a password generation method, a password verification method, a payment method, and an apparatus provided in the embodiments of the present application are implemented as follows:
a password generation method, comprising:
the terminal takes a pre-stored token and a current time value as input values of a first preset algorithm, and calculates to obtain a dynamic password; the terminal also prestores a device ID corresponding to the token, and the token and the device ID are generated by the server and are sent to the terminal;
the terminal at least takes the first information containing the dynamic password as an input value of a second preset algorithm, and second information is obtained through calculation;
and the terminal generates an authentication password containing the dynamic password, the second information and the equipment ID.
A password verification method, comprising:
the server receives an authentication password which is generated by the terminal and contains the dynamic password, the second information and the equipment ID; the dynamic password is obtained by the terminal by calculating a pre-stored token and a current time value as input values of a first preset algorithm, the second information is obtained by the terminal by calculating at least first information including the dynamic password as input values of a second preset algorithm, and the equipment ID is pre-stored in the terminal;
the server side inquires a token corresponding to the equipment ID;
the server side verifies the dynamic password by using the token and the first preset algorithm;
the server side verifies the second information at least by using the first information and the second preset algorithm;
and if the dynamic password passes the verification and the second information passes the verification, judging that the authentication password passes the verification.
A payment method, comprising:
the server receives an authentication password which is generated by the terminal and contains the dynamic password, the second information and the equipment ID; the dynamic password is obtained by the terminal by calculating a pre-stored token and a current time value as input values of a first preset algorithm, the second information is obtained by the terminal by calculating at least first information including the dynamic password as input values of a second preset algorithm, and the equipment ID is pre-stored in the terminal;
the server side inquires a token corresponding to the equipment ID;
the server side verifies the dynamic password by using the token and the first preset algorithm;
the server side verifies the second information at least by using the first information and the second preset algorithm;
and if the dynamic password passes the verification and the second information passes the verification, executing the payment transaction corresponding to the authentication password.
A password generation apparatus comprising:
the first calculation unit is used for calculating to obtain a dynamic password by taking a token stored in the terminal in advance and a current time value as input values of a first preset algorithm; the terminal also prestores a device ID corresponding to the token, and the token and the device ID are generated by the server and sent to the terminal;
the second calculation unit is used for calculating at least first information containing the dynamic password as an input value of a second preset algorithm to obtain second information;
and a password generation unit configured to generate an authentication password including the dynamic password, the second information, and the device ID.
A password authentication device, comprising:
a receiving unit configured to receive an authentication password including a dynamic password, second information, and a device ID generated by a terminal; the dynamic password is obtained by the terminal by calculating a pre-stored token and a current time value as input values of a first preset algorithm, the second information is obtained by the terminal by calculating at least first information including the dynamic password as input values of a second preset algorithm, and the equipment ID is pre-stored in the terminal;
a query unit configured to query a token corresponding to the device ID;
the verification unit is used for verifying the dynamic password by using the token and the first preset algorithm and verifying the second information by using at least the first information and the second preset algorithm;
and the judging unit is used for judging that the authentication password passes verification when the dynamic password passes verification and the second information passes verification.
A payment device, comprising:
a receiving unit configured to receive an authentication password including the dynamic password, the second information, and the device ID generated by the terminal; the dynamic password is obtained by the terminal by calculating a pre-stored token and a current time value as input values of a first preset algorithm, the second information is obtained by the terminal by calculating at least first information including the dynamic password as input values of a second preset algorithm, and the equipment ID is pre-stored in the terminal;
an inquiry unit configured to inquire about a token corresponding to the device ID;
the verification unit is used for verifying the dynamic password by using the token and the first preset algorithm and verifying the second information by using at least the first information and the second preset algorithm;
and the payment unit is used for executing a payment transaction corresponding to the authentication password when the dynamic password passes the verification and the second information passes the verification.
The embodiment of the application adopts at least one technical scheme which can achieve the following beneficial effects: after the dynamic password is obtained by calculation according to the token and the current time value, at least the first information including the dynamic password is used as an input value of a second preset algorithm to obtain second information by calculation, and finally the authentication password including the dynamic password, the second information and the equipment ID is generated,the second information is also included. In the process of verifying the authentication password, the dynamic password and the second information need to be verified, and after the dynamic password and the second information are both verified, the current authentication password is judged to be verified. Compared with the prior art, the risk that the authentication password generated by the embodiment of the application is broken by brute force of others is effectively reduced. For example, assuming that the dynamic password is a number of M bits from 0 to 9 and the second information is a number of K bits from 0 to 9, the probability that the authentication password generated by the embodiment of the present application is brute force of others is about: 1/10 M+K
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without any creative effort.
FIG. 1 is a flow chart of the generation and verification of an authentication password according to an embodiment of the present application;
FIG. 2 illustrates a generation process of an authentication password in an exemplary embodiment of the present application;
FIG. 3 is a schematic diagram of an authentication password provided in an embodiment of the present application;
fig. 4 is a flowchart of a password generation method using a terminal as a main body according to an embodiment of the present application;
fig. 5 is a flowchart of a password authentication method with a server as a main body according to an embodiment of the present application;
fig. 6 is a schematic block diagram of a password generation apparatus and a password verification apparatus according to an embodiment of the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The method and the device aim to reduce the risk of identity authentication attack by others in a brute force cracking mode by generating the authentication password with higher security level. In a brute force cracking mode, an attacker can collide with a correct authentication password by exhaling all possible authentication passwords and performing one-by-one verification by utilizing the exhaustible authentication passwords. Generally, since the authentication password verification interface of the server is exposed in an untrusted channel of the public network, the attack using the brute force attack method is low in cost, and once the attack is successfully cracked, property loss of a user may be caused.
Fig. 1 is a flowchart of generating and verifying an authentication password according to an embodiment of the present disclosure. In an exemplary identity authentication (or called identity recognition) scenario, the system may include a terminal, a server, and a code scanning device, where the terminal may be a wireless terminal (such as a smart phone), an application client for identity authentication may be installed on the wireless terminal, the server may be a server for identity authentication, and the code scanning device may be various types of two-dimensional codes or barcode scanning devices. Then, the technical solution of the embodiment of the present application may be implemented through the following processes:
s101: and the terminal writes the token sent by the server and the device ID corresponding to the token into a storage area of the terminal.
Generally, after the terminal installs the application client for identity authentication and starts up the application client for the first time, the server may generate a unique token and a device ID corresponding to the token, where the token may be used as a seed (input value of an algorithm) for generating a dynamic password (OTP code), and the device ID is used to uniquely identify the terminal. Generally, only the terminal and the server store the token, and other devices are difficult to acquire the token. After sending the token and the device ID to each terminal, the server needs to store the mapping relationship between the token and the device ID. It should be noted that the secure storage area may be a certain storage unit in the terminal, and it is required to ensure that the content stored in the storage unit is difficult to be stolen by other devices except the client for performing identity identification. Generally, a user may log in an account on a terminal, and after logging in the account, the server may generate a device ID corresponding to the current account and the token. That is, the token and the device ID correspond to the account registered in the terminal.
S102: and the terminal takes the pre-stored token and the current time value as input values of a first preset algorithm, and calculates to obtain the dynamic password.
The current time value may be a numerical value corresponding to the current time acquired by the terminal. The first preset algorithm includes an input value and an output value calculated according to the input value, where the input value may be a current time value and a token, and the output value is a Dynamic Password (Dynamic Password). In this embodiment of the application, to improve security, the first preset algorithm may be an irreversible algorithm formed at will, and the irreversible algorithm may be a time synchronization algorithm (TOTP), an event synchronization algorithm (HOTP), an challenge response algorithm (OCRA), or the like. Because the current time value is used as the input value of the first preset algorithm in the process of calculating the dynamic password, the dynamic password has certain timeliness (namely, the dynamic password can be valid only within a period of time). Therefore, the method can prevent an attacker from cracking the user identity authentication process through Replay Attacks (Replay Attacks).
S103: and the terminal at least takes the first information comprising the dynamic password as an input value of a second preset algorithm to obtain second information by calculation.
In this embodiment, the second preset algorithm may be any one of algorithms set manually, the first information is used as an input value of the second preset algorithm, and an output value obtained by calculation is the second information. Since the first information at least comprises a dynamic password, and the dynamic password is related to the current time value (i.e. calculated according to the current time value), the first information comprising the dynamic password changes continuously as time goes on.
In this embodiment, the second predetermined algorithm may be an irreversible algorithm, for example, a "signature algorithm" that takes the token and the first information as input values and calculates an output value as the second information (signature). The "signature algorithm" described above includes, but is not limited to: an HMAC (Hash-based Message Authentication Code) -MD5 algorithm, or an HMAC-SHA algorithm. In the "signature algorithm", the second information (signature) is generally calculated by using a secret key (the token) and a plaintext (the first information) as input values. Then, the step S103 includes: and the terminal takes the token and the first information containing the dynamic password as input values of a second preset algorithm to obtain second information by calculation.
It should be noted that the input value of the second preset algorithm may be only the first information, or the first information and the token, or may include other input values besides the first information and the token, and the application does not limit the input value of the second preset algorithm.
In an embodiment of the present application, the first information may be any one of:
1) A dynamic password; such as: 123456.
2) A combination of a dynamic password and a current time value; such as: 123456 (dynamic password) 20160503110232 (current time value).
3) A combination of a device ID and a dynamic password; such as: 5060341211 (device ID) 20160503110232 (current time value).
4) A combination of a device ID, a dynamic password, and a current time value. Such as: 5060341211 (device ID) 123456 (dynamic password) 20160503110232 (current time value).
S104: the terminal generates an authentication password including the dynamic password, the second information, and the device ID.
The general terminal may display the generated authentication password on a display screen in one or more of a two-dimensional code form, a barcode form and a digital form. In the process of generating the authentication password, the dynamic password may be encrypted using a corresponding encryption algorithm.
Referring to fig. 2, in an embodiment of the present application, the second information (signature) may be generated by a "signature algorithm". Then in this embodiment, the current time value and the token may be used as input values of the HOTP algorithm (i.e., the first predetermined algorithm) to calculate a dynamic password (e.g., N digits), and then the device ID (e.g., M digits) and the dynamic password may be combined to obtain a one-time identity password (e.g., N + M digits). Then, the token and the one-time identity password (i.e. the first information) are used as input values of a second preset algorithm (such as HMAC-SHA algorithm) to calculate second information (such as K-bit digits). Finally, the one-time identity password (such as N + M digits) and the second information (such as K digits) are combined to obtain an authentication password (N + M + K digits) for realizing identity authentication.
Referring to FIG. 3, an exemplary authenticated password is illustrated. The authentication password may generally include a two-dimensional code display area and a barcode display area, and an authentication password represented in digital form. The authentication password, which is represented in digital form, may include the device ID10, the dynamic password 20, and the second information 30, among others. It should be noted that the order and combination of the second information, the dynamic password, and the device ID in the finally generated authentication password are not limited. In fig. 3, the dynamic password may be automatically updated every certain period of time (e.g., one minute), that is, the effective period of each generated authentication password including the dynamic password, the second information, and the device ID is one minute.
S105: the code scanning device scans the authentication password displayed on the terminal and sends the authentication password to the server to request identity authentication. In the embodiment of the application, the scanning device may send the service request information corresponding to the current service according to the difference of specific services, and the service request information carries the authentication password. The code scanning device can be a two-dimensional code scanning device or a bar code scanning device which is formed arbitrarily, and the code scanning device is communicated with the server through a network.
S106: and the server acquires the equipment ID in the authentication password according to the authentication password and inquires a token corresponding to the equipment ID.
As described above, after the server sends the unique token and the device ID corresponding to the token to the terminal, the server stores the mapping relationship between the token and the device ID. The server side can extract the device ID according to the field where the device ID is located in the authentication password, and inquire the token mapped with the device ID. In this way, although the authentication password is a plaintext, due to the adoption of an irreversible algorithm, the token cannot be obtained by the outside in a reverse cracking manner, so that the token can be used as a secret key and is only stored in the client and the server.
S107: and the server side verifies the dynamic password and verifies the second information.
In the embodiment of the application, the server side can calculate to obtain a trusted dynamic password list by using the queried token and the current time value and adopting the irreversible algorithm (such as HOTP algorithm), wherein the trusted dynamic password list comprises a plurality of trusted dynamic passwords. Then, each trusted dynamic password in the trusted dynamic password list can be compared with the dynamic password, if a certain trusted dynamic password is found to be consistent with the dynamic password, the current dynamic password is legal, and the verification is passed. In general, the dynamic password may be valid for a period of time (e.g., valid for 30 seconds after the point in time when the dynamic password is generated) and may only be used once. It is worth mentioning that the process of verifying a dynamic password is well known to those skilled in the art and will not be described in detail herein.
In the embodiment of the application, the server side can verify the second information by using the first information and a second preset algorithm. Specifically, the server calculates a check value by using the first information as an input value of a second preset algorithm, compares the check value with the second information, and if the check value is consistent with the second information, the server indicates that the check of the second information is passed, otherwise, the check of the second information is not passed.
In an embodiment of the application, if the second predetermined algorithm is a signature algorithm (e.g., HMAC-SHA algorithm), the input values of the signature algorithm are a token and a one-time identity password (e.g., N + M digits), and the obtained second information (signature) is K digits. Then, the server may calculate a check value by using the one-time identity password (i.e., the first information) and the token as input values of the signature algorithm, and compare the check value with the second information (the signature), if the check value is consistent with the second information (the signature), the check is passed, otherwise, the check is not passed.
S108: and the server sends the identity authentication result to the scanning device.
It can be seen that, when the second information passes the verification and the dynamic password passes the verification, it indicates that the identity authentication of the current user passes, and the server may send a message that the identity authentication passes to the scanning device; otherwise, sending a message that the identity authentication fails to pass to the scanning device. Of course, the server may also feed the identity authentication result back to the terminal. According to different services, when the second information passes the verification and the dynamic password passes the verification, a transaction (such as a transaction for deducting a designated account number) corresponding to the current authentication password can be executed.
According to the technical scheme provided by the embodiment of the application, after the dynamic password is obtained through calculation according to the token and the current time value, at least the first information comprising the dynamic password is used as the input value of the second preset algorithm, the second information is obtained through calculation, and the authentication password comprising the dynamic password, the second information and the equipment ID is finally generated. In the process of verifying the authentication password, the dynamic password and the second information need to be verified, and after the dynamic password and the second information are both verified, the current authentication password is judged to be verified. Compared with the prior art, the application is implementedThe risk that the generated authentication password is brute force cracked by others is effectively reduced. For example, assuming that the dynamic password is a number of 0 to 9 of M bits and the second information is a number of 0 to 9 of K bits, the probability that the authentication password generated by the embodiment of the present application is broken by others with brute force is about: 1/10 M+K
In addition, in the above-described embodiment, a signature algorithm may be used, and second information (signature) may be calculated using the token and the first information including the dynamic password as input values of the signature algorithm, and added to the authentication password that is finally generated. Compared with the prior art, the signature algorithm can reduce the possibility that an attacker collides with the obtained authentication password in a brute force cracking mode. That is to say, if an attacker needs to break the authentication of the user identity, the attacker needs to obtain the second information by collision while obtaining the dynamic password by collision in a brute force breaking manner, so that compared with the prior art, the difficulty in breaking is obviously increased, and the security of the user identity authentication process is further improved.
Fig. 4 is a flowchart of a password generation method according to an embodiment of the present application, where an execution subject of the password generation method may be the terminal, and the password generation method may include the following steps:
s201: taking a pre-stored token and a current time value as input values of a first preset algorithm, and calculating to obtain a dynamic password; the terminal also stores a device ID corresponding to the token in advance, and the token and the device ID are generated by the server and sent to the terminal.
The step S201 may refer to the content of the step S102, and is not described herein again.
S202: and at least taking the first information containing the dynamic password as an input value of a second preset algorithm, and calculating to obtain second information.
The step S202 can refer to the content of the step S103, and will not be described herein again.
In an embodiment of the application, the token and the first information including the dynamic password may be used as input values of a second preset algorithm, and second information is obtained through calculation.
S203: and generating an authentication password comprising the dynamic password, the second information and the equipment ID.
The step S203 can refer to the content of the step S104, which is not described herein again.
By the password generation method executed by the terminal, the authentication password comprising the dynamic password, the second information and the equipment ID can be obtained, and compared with the prior art, the risk that the authentication password generated by the embodiment of the application is broken by brute force of others is effectively reduced.
Fig. 5 is a flowchart of a password authentication method according to an embodiment of the present application, where an execution subject of the password authentication method may be the server, and the password authentication method may include the following steps:
s301: receiving an authentication password which is generated by the terminal and contains the dynamic password, the second information and the equipment ID; the dynamic password is obtained by the terminal by calculating a pre-stored token and a current time value as input values of a first preset algorithm, the second information is obtained by the terminal by calculating at least first information including the dynamic password as input values of a second preset algorithm, and the device ID is pre-stored in the terminal.
S302: and inquiring a token corresponding to the equipment ID according to the equipment ID in the authentication password.
The step S302 can refer to the content of the step S106, and is not described herein again.
S303: and verifying the dynamic password by using the token and the first preset algorithm.
S304: and checking the second information by at least utilizing the first information and the second preset algorithm.
S305: and if the dynamic password passes the verification and the second information passes the verification, judging that the authentication password passes the verification.
By the password verification method executed by the server, the authentication password generated by the terminal and containing the dynamic password, the second information and the equipment ID can be verified, and compared with the prior art, the risk that the authentication password verified by the embodiment of the application is brute force cracked by others is effectively reduced.
Next, a payment method implemented using the above password generation method and password authentication method will be described. The payment method can be a line code scanning payment scene, and comprises the following steps:
step a: the server receives a payment request carrying an authentication password generated by the terminal; the authentication password comprises a dynamic password, second information and an equipment ID, the dynamic password is obtained by the terminal by taking a pre-stored token and a current time value as input values of a first preset algorithm, the second information is obtained by the terminal by taking at least first information comprising the dynamic password as input values of a second preset algorithm, and the equipment ID is pre-stored in the terminal. The payment request can also carry payment amount information, payee account information and payer account information.
Step b: and the server inquires a token corresponding to the equipment ID according to the equipment ID in the authentication password.
Step c: and the server side verifies the dynamic password by using the token and the current time value.
Step d: and the server side verifies the second information by using the first information, the token and the second preset algorithm.
Step f: and if the dynamic password passes the verification and the second information passes the verification, executing the payment transaction corresponding to the authentication password. The execution of the payment transaction is generally a process of transferring a certain amount (the amount information of the payment carried by the payment request) from a payer account (e.g. a certain buyer) to a payee account (e.g. a merchant account).
Therefore, compared with the prior art, in the scene of on-line code scanning payment, the risk that the authentication password verified by the embodiment of the application is broken by brute force of others is effectively reduced, and the possibility that the property of the user is stolen and brushed is greatly reduced.
It should be noted that the application scenarios of the password generation method and the password verification method provided in the embodiments of the present application are not limited to the above-mentioned offline code scanning payment scenario, and may also be other scenarios that require identity authentication (for example, opening a door by verifying the identity of a user is implemented).
It should be noted that all execution subjects of the steps of the methods provided in the above embodiments may be the same apparatus, or different apparatuses may be used as execution subjects of the methods. For example, the execution subject of steps S201 and S1202 may be device 1, and the execution subject of step S203 may be device 2; for another example, the execution subject of step S201 may be device 1, and the execution subjects of step S202 and step S203 may be device 2; and so on.
Fig. 6 is a schematic block diagram of a password generation apparatus and a password verification apparatus according to an embodiment of the present disclosure. In the embodiment of the present application, taking a payment scenario as an example, the payment scenario includes a terminal 100, a server 200, a code scanning device 300, and a network 400, where the server 200 and the terminal 100 may communicate with each other through the network 400, and the server 200 and the code scanning device 300 may communicate with each other through the network 400. The terminal 100 includes hardware such as a display screen 102, a processing unit, a bus, an input/output device, and the server 200 also includes hardware such as a processor 202, a memory 204, a non-volatile memory 206, a bus, an input/output device, and the like. In addition to the above hardware, the terminal 100 and the server 200 also include corresponding software. The password generating device 110 may be in the terminal 100 (for example, in a memory or a hard disk) in the form of software, or hardware, or a combination of software and hardware, and the password verifying device 210 may be in the terminal 200 (for example, in a memory or a hard disk) in the form of software, or hardware, or a combination of software and hardware. The functions that can be realized by each unit in the password generation device are similar to the functions that can be realized by each step in the password generation method, so the details of the password generation device can refer to the contents of the embodiment of the password generation method, and are not described herein again. Similarly, the details of the password authentication apparatus may refer to the contents of the embodiment of the password authentication method.
As shown in fig. 6, in an embodiment of the present application, a password generating apparatus 110 includes:
a first calculating unit 111, configured to use a token pre-stored in the terminal and a current time value as input values of a first preset algorithm, and calculate to obtain a dynamic password; the terminal also prestores a device ID corresponding to the token, and the token and the device ID are generated by the server and are sent to the terminal.
And a second calculating unit 113, configured to calculate, using at least the first information including the dynamic password as an input value of a second preset algorithm, to obtain second information.
A password generating unit 115 configured to generate an authentication password including the dynamic password, the second information, and the device ID.
In an alternative embodiment of the present application, the second calculating unit 113 is configured to:
and calculating to obtain second information by taking the token and the first information containing the dynamic password as input values of a second preset algorithm.
In an optional embodiment of the present application, the first information includes any one of:
a dynamic password;
a combination of a dynamic password and a current time value;
a combination of a device ID and a dynamic password;
a combination of a device ID, a dynamic password, and a current time value.
In an optional embodiment of the present application, the first preset algorithm is an irreversible algorithm, and/or the second preset algorithm is an irreversible algorithm.
As shown in fig. 6, in an embodiment of the present application, a password verification apparatus 210 includes:
a receiving unit 211 configured to receive an authentication password generated by the terminal and including the dynamic password, the second information, and the device ID; the dynamic password is obtained by the terminal by calculating a pre-stored token and a current time value as input values of a first preset algorithm, the second information is obtained by the terminal by calculating at least first information including the dynamic password as input values of a second preset algorithm, and the equipment ID is pre-stored in the terminal;
an inquiring unit 213 configured to inquire about a token corresponding to the device ID;
a verification unit 215, configured to verify the dynamic password by using the token and the first preset algorithm, and to verify the second information by using at least the first information and the second preset algorithm;
a determining unit 217, configured to determine that the authentication password is verified when the dynamic password passes verification and the second information passes verification.
In an optional embodiment of the present application, the verifying unit 215 is configured to:
verifying the second information by using the first information, the token and the second preset algorithm; the second information is obtained by the terminal by calculating the token and the first information as input values of a second preset algorithm.
In an optional embodiment of the present application, the first information includes any one of:
a dynamic password;
a combination of a dynamic password and a current time value;
a combination of a device ID and a dynamic password;
a combination of a device ID, a dynamic password, and a current time value.
In a payment scenario, a payment apparatus provided in an embodiment of the present application includes:
a receiving unit configured to receive an authentication password including a dynamic password, second information, and a device ID generated by a terminal; the dynamic password is obtained by the terminal by calculating a pre-stored token and a current time value as input values of a first preset algorithm, the second information is obtained by the terminal by calculating at least first information including the dynamic password as input values of a second preset algorithm, and the equipment ID is pre-stored in the terminal;
an inquiry unit configured to inquire about a token corresponding to the device ID;
the verification unit is used for verifying the dynamic password by using the token and the first preset algorithm and verifying the second information by using at least the first information and the second preset algorithm;
and the payment unit is used for executing a payment transaction corresponding to the authentication password when the dynamic password passes the verification and the second information passes the verification.
Compared with the prior art, the risk that the authentication password verified by the embodiment of the application is broken by brute force of others is effectively reduced, and the possibility that the property of the user is stolen and brushed is greatly reduced.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more pieces of software and/or hardware in the practice of the present application.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element described by the phrase "comprising a. -" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
All the embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A method for processing a service, comprising:
the method comprises the steps that a service end receives service request information sent by a code scanning device, the service request information is service request information which is sent to the service end through an authentication password displayed on a scanning terminal by the code scanning device and corresponds to a current service, the service request information carries the authentication password, the authentication password comprises a dynamic password, second information and an equipment ID, the dynamic password is obtained by the terminal by taking a pre-stored token and a current time value as input values of a first preset algorithm, the second information is obtained by the terminal by taking at least first information comprising the dynamic password as input values of a second preset algorithm, and the equipment ID is pre-stored in the terminal;
the server side inquires a token corresponding to the equipment ID according to the equipment ID in the authentication password;
the server side verifies the dynamic password by using the token and the current time value;
the server side verifies the second information at least by using the first information and the second preset algorithm;
and if the dynamic password passes the verification and the second information passes the verification, executing the transaction corresponding to the authentication password based on the current service.
2. The method of claim 1, wherein the server side checks the second information by using at least the first information and the second preset algorithm, and comprises:
and the server checks the second information by using the first information, the token and the second preset algorithm, wherein the second information is obtained by calculating the token and the first information as input values of the second preset algorithm by the terminal.
3. The method of claim 1, further comprising:
and the server sends the verification result of the authentication password to the code scanning device and/or the terminal based on the verification result of the second information and the verification result of the dynamic password.
4. The method according to any one of claims 1 to 3, wherein the first information comprises any one of:
a dynamic password;
a combination of a dynamic password and a current time value;
a combination of a device ID and a dynamic password;
a combination of a device ID, a dynamic password, and a current time value.
5. Method according to any one of claims 1 to 3, characterized in that said first preset algorithm is an irreversible algorithm and/or said second preset algorithm is an irreversible algorithm.
6. The method of any one of claims 1 to 3, wherein the authentication password is displayed on the terminal in one or more of a two-dimensional code form, a barcode form, and a numeric form.
7. A traffic processing apparatus, comprising:
the system comprises a receiving unit and a processing unit, wherein the receiving unit is used for receiving service request information sent by a code scanning device, the service request information is service request information which is sent to a server side by scanning an authentication password displayed on a terminal and corresponds to a current service, the service request information carries the authentication password, the authentication password comprises a dynamic password, second information and an equipment ID, the dynamic password is obtained by calculating a pre-stored token and a current time value as input values of a first preset algorithm by the terminal, the second information is obtained by calculating at least first information comprising the dynamic password as input values of a second preset algorithm by the terminal, and the equipment ID is pre-stored in the terminal;
the query unit is used for querying a token corresponding to the equipment ID according to the equipment ID in the authentication password;
the verification unit is used for verifying the dynamic password by using the token and the current time value and verifying the second information by using the first information and the second preset algorithm;
and the transaction processing unit is used for executing the transaction corresponding to the authentication password based on the current service when the dynamic password passes the verification and the second information passes the verification.
8. The apparatus of claim 7, wherein the verification unit is configured to:
and checking the second information by using the first information, the token and the second preset algorithm, wherein the second information is obtained by calculating the token and the first information as input values of the second preset algorithm by the terminal.
9. The apparatus according to claim 7 or 8, wherein the first information comprises any one of:
a dynamic password;
a combination of a dynamic password and a current time value;
a combination of a device ID and a dynamic password;
a combination of a device ID, a dynamic password, and a current time value.
10. Device according to claim 7 or 8, characterized in that said first predetermined algorithm is an irreversible algorithm and/or said second predetermined algorithm is an irreversible algorithm.
CN202010764543.6A 2016-05-30 2016-05-30 Service processing method and device Active CN111800276B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010764543.6A CN111800276B (en) 2016-05-30 2016-05-30 Service processing method and device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610371868.1A CN107453871B (en) 2016-05-30 2016-05-30 Password generation method, password verification method, payment method and payment device
CN202010764543.6A CN111800276B (en) 2016-05-30 2016-05-30 Service processing method and device

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201610371868.1A Division CN107453871B (en) 2016-05-30 2016-05-30 Password generation method, password verification method, payment method and payment device

Publications (2)

Publication Number Publication Date
CN111800276A CN111800276A (en) 2020-10-20
CN111800276B true CN111800276B (en) 2022-12-23

Family

ID=60484905

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201610371868.1A Active CN107453871B (en) 2016-05-30 2016-05-30 Password generation method, password verification method, payment method and payment device
CN202010764543.6A Active CN111800276B (en) 2016-05-30 2016-05-30 Service processing method and device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201610371868.1A Active CN107453871B (en) 2016-05-30 2016-05-30 Password generation method, password verification method, payment method and payment device

Country Status (1)

Country Link
CN (2) CN107453871B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109389386B (en) * 2018-09-13 2020-09-29 阿里巴巴集团控股有限公司 Code scanning control method, device and system
CN109586922A (en) * 2018-12-20 2019-04-05 武汉璞华大数据技术有限公司 Dynamic password offline authentication method and device
CN113037682A (en) * 2019-12-09 2021-06-25 西安诺瓦星云科技股份有限公司 Encrypted communication method, encrypted communication device, and encrypted communication system
CN113570377A (en) * 2020-03-04 2021-10-29 支付宝(杭州)信息技术有限公司 Verification method, device and equipment
CN113285948A (en) * 2021-05-21 2021-08-20 中国电信股份有限公司 Reverse dynamic password authentication method, device, medium and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102043804A (en) * 2009-10-22 2011-05-04 上海杉达学院 Safety login method of database system
CN105243542A (en) * 2015-11-13 2016-01-13 广西米付网络技术有限公司 System and method of dynamic electronic certificate authentication
CN105516104A (en) * 2015-12-01 2016-04-20 神州融安科技(北京)有限公司 Identity verification method and system of dynamic password based on TEE (Trusted execution environment)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1142653C (en) * 2000-04-28 2004-03-17 杨宏伟 Dynamic password authentication system and method
US8024576B2 (en) * 2008-03-31 2011-09-20 International Business Machines Corporation Method and system for authenticating users with a one time password using an image reader
CN101662465B (en) * 2009-08-26 2013-03-27 深圳市腾讯计算机系统有限公司 Method and device for verifying dynamic password
CN104426659B (en) * 2013-09-02 2018-05-18 中国移动通信集团公司 Dynamic password formation method, authentication method and system, relevant device
CN104023030A (en) * 2014-06-20 2014-09-03 上海动联信息技术股份有限公司 Method for synchronizing token passwords

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102043804A (en) * 2009-10-22 2011-05-04 上海杉达学院 Safety login method of database system
CN105243542A (en) * 2015-11-13 2016-01-13 广西米付网络技术有限公司 System and method of dynamic electronic certificate authentication
CN105516104A (en) * 2015-12-01 2016-04-20 神州融安科技(北京)有限公司 Identity verification method and system of dynamic password based on TEE (Trusted execution environment)

Also Published As

Publication number Publication date
CN107453871B (en) 2020-07-03
CN111800276A (en) 2020-10-20
CN107453871A (en) 2017-12-08

Similar Documents

Publication Publication Date Title
US20210258162A1 (en) Methods for secure cryptogram generation
US9838205B2 (en) Network authentication method for secure electronic transactions
CN109359691B (en) Identity verification method and system based on block chain
US9231925B1 (en) Network authentication method for secure electronic transactions
US20190281028A1 (en) System and method for decentralized authentication using a distributed transaction-based state machine
CN100459488C (en) Portable one-time dynamic password generator and security authentication system using the same
CN111800276B (en) Service processing method and device
CN110401615B (en) Identity authentication method, device, equipment, system and readable storage medium
CN103067402B (en) The generation method and system of digital certificate
US10147092B2 (en) System and method for signing and authenticating secure transactions through a communications network
US9027103B2 (en) Method and system for securely accessing to protected resource
CN108243176B (en) Data transmission method and device
CN110690956B (en) Bidirectional authentication method and system, server and terminal
CN107733636B (en) Authentication method and authentication system
EP1886204B1 (en) Transaction method and verification method
CN102916970B (en) Network-based PIN cache method
CN109831311B (en) Server verification method, system, user terminal and readable storage medium
WO2020018182A1 (en) Public-private key pair protected password manager
CN112989426B (en) Authorization authentication method and device, and resource access token acquisition method
CN110677382A (en) Data security processing method, device, computer system and storage medium
US20160071081A1 (en) Offline pin authentication method and system for ic card
CN113886771A (en) Software authorization authentication method
CN111130798A (en) Request authentication method and related equipment
KR101253683B1 (en) Digital Signing System and Method Using Chained Hash
CN109981677B (en) Credit granting management method and device

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40039742

Country of ref document: HK

GR01 Patent grant
GR01 Patent grant