CN112087438A - Otp algorithm-based anti-replay attack authentication method - Google Patents
Otp algorithm-based anti-replay attack authentication method Download PDFInfo
- Publication number
- CN112087438A CN112087438A CN202010886236.5A CN202010886236A CN112087438A CN 112087438 A CN112087438 A CN 112087438A CN 202010886236 A CN202010886236 A CN 202010886236A CN 112087438 A CN112087438 A CN 112087438A
- Authority
- CN
- China
- Prior art keywords
- authentication
- user
- challenge
- algorithm
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
- H04L9/3249—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses an otp algorithm-based replay attack prevention authentication method, which comprises the following specific processes: each system user holds corresponding challenge/response equipment, namely a dynamic password card, when the user needs to access the system, the authentication system firstly prompts the user to input a user account user and a static password PIN, the system downloads a challenge digit string randomly generated by a central system after the authentication is passed, the effective time of the random number is 1min, and once the authentication is unsuccessful or is re-authenticated or overtime, the invention can effectively resist most network attacks aiming at the static password authentication, the safety of the invention is obviously improved, and particularly, the invention can effectively resist attack forms such as network eavesdropping, interception/replay, password leakage, social engineering and the like.
Description
Technical Field
The invention relates to the technical field of network security, in particular to an otp algorithm-based anti-replay attack authentication method. (information technology and software development are mainly applied to protecting the identity authentication security of software account login and transaction).
Background
The dynamic password authentication technology can effectively resist most of network attacks aiming at static password authentication, the safety of the dynamic password authentication technology is obviously improved, and particularly, attack forms such as network eavesdropping, interception/replay, password leakage, social engineering and the like can be effectively resisted. However, there are many dynamic password authentication systems that still have security holes when subjected to attacks such as spoofing of hosts, password guessing, denial of service, and the like. This needs to be considered more carefully and comprehensively when designing a dynamic password authentication scheme to effectively resist various types of network attacks.
Aiming at the weakness of the static password, the invention improves the dynamic password authentication system based on the challenge/response mode on the basis of seriously analyzing and researching the existing dynamic password authentication scheme.
Disclosure of Invention
The present invention aims to provide an otp algorithm-based authentication method for preventing replay attack, so as to solve the problems in the background art.
In order to achieve the purpose, the invention provides the following technical scheme:
an otp algorithm-based anti-replay attack authentication method comprises the following specific processes: each system user holds a corresponding challenge/response device, namely a dynamic password card, when the user needs to access the system, the authentication system firstly prompts the user to input a user account number user and a static password PIN, the system downloads a challenge digit string challenge randomly generated by a central system after the authentication is passed, the validity time of the random number is 1min, once the authentication is unsuccessful or the authentication is re-authenticated or overtime is exceeded, the challenge number is invalid, the system re-generates a challenge number during the next authentication, meanwhile, the authentication server and the dynamic password card generate another digit string Ntime, at the moment, the user inputs the challenge digit challenge to the challenge/response dynamic password card, the dynamic password card calculates a corresponding response digit string Plogin by using the Ntime and the challenge digit string challenge as variables through an RSA encryption algorithm, and the user uploads the digit string Plogin as the response number to the authentication center, the authentication center calculates the same response number Pcurent by using the same RSA algorithm encryption algorithm for the Ntime and the challenge digit string, only if the response number Pcurent is not displayed, waits for the response number Plogin uploaded by the user, compares the Pcurent with the Plogin, allows the user to access the system if the response number Pcurent and the Plogin are the same, and otherwise, refuses the login request of the user.
As a further technical scheme of the invention: the dynamic password card is internally provided with a seed key generation algorithm and an encrypted RSA algorithm.
As a further technical scheme of the invention: the key interval between two authentications is 1-2 minutes.
As a further technical scheme of the invention: the authentication server, the backup authentication server and the management workstation are all realized by Visual C + + language, and the user authentication end is realized by C language.
As a further technical scheme of the invention: an authentication service interface function (API) provides a software interface between the client server and the dynamic authentication server, and the client server obtains the authentication service provided by the dynamic authentication server through a call thereto.
As a further technical scheme of the invention: after receiving the calling request, the authentication service interface function can automatically decide to send the request to the dynamic authentication server or the backup authentication server, and then returns the authentication result to the client server.
As a further technical scheme of the invention: ntime is not displayed, but is only temporarily stored in the authentication server and the dynamic password card, the value Ntime is generated only in relation to time, and Ntime generated at different times is different.
Compared with the prior art, the invention has the beneficial effects that: the invention can effectively resist most of network attacks aiming at static password authentication, obviously improves the safety, and particularly can effectively resist attack forms such as network eavesdropping, interception/replay, password leakage, social engineering and the like.
Drawings
FIG. 1 is an overall flow chart of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, a method for preventing replay attack based on otp algorithm includes the following steps: each system user holds a corresponding challenge/response device, namely a dynamic password card, when the user needs to access the system, the authentication system firstly prompts the user to input a user account number user and a static password PIN, the system downloads a challenge digit string challenge randomly generated by a central system after the authentication is passed, the validity time of the random number is 1min, once the authentication is unsuccessful or the authentication is re-authenticated or overtime is exceeded, the challenge number is invalid, the system re-generates a challenge number during the next authentication, meanwhile, the authentication server and the dynamic password card generate another digit string Ntime, at the moment, the user inputs the challenge digit challenge to the challenge/response dynamic password card, the dynamic password card calculates a corresponding response digit string Plogin by using the Ntime and the challenge digit string challenge as variables through an RSA encryption algorithm, and the user uploads the digit string Plogin as the response number to the authentication center, the authentication center calculates the same response number Pcurent by using the same RSA algorithm encryption algorithm for the Ntime and the challenge digit string, only if the response number Pcurent is not displayed, waits for the response number Plogin uploaded by the user, compares the Pcurent with the Plogin, allows the user to access the system if the response number Pcurent and the Plogin are the same, and otherwise, refuses the login request of the user.
Example 1: assuming that the user a performs an authentication operation, the following is an authentication step:
1) firstly, a user A initiates an authentication application, an ID and a PIN are input, a user name and the PIN are uploaded to an authentication server by a client, the authentication server judges that if the user is a legal user, the client generates a random number R1= C (user, PIN and Time), the public key of the server is used for calculating a numeric string Ntime = g (Time) by taking Time as a variable, meanwhile, a dynamic token also calculates Ntime = g (Time), and R1 and Ntime are temporarily stored;
2) the user inputs a random number R1 into the token, the token generates a response number Plogin = f (R1, Ntime) by taking R1 and Ntime as variables according to an internal RSA algorithm, the Plogin is uploaded to an authentication server, the server searches the temporary stored R1 and Ntime in a database after receiving the Plogin, and the Pcurent = f (R1, Ntime) is calculated according to the same RSA algorithm.
3) And the user server compares the calculated Pcurent with the Plogin uploaded by the user, and if the Pcurent = the Plogin, the result is returned to the client side, and the client side displays that the verification is passed.
4) After the authentication is successful, the random number R1 and the number string Ntime are destroyed.
Embodiment 2, on the basis of embodiment 1, the system authentication server, the backup authentication server, and the management workstation are all implemented in Visual C + + language, and the user authentication end is implemented in C language. An authentication service interface function (API) provides a software interface between the client server and the dynamic authentication server, and the client server obtains the authentication service provided by the dynamic authentication server through a call thereto. After receiving the calling request, the authentication service interface function can automatically decide to send the request to the dynamic authentication server or the backup authentication server, and then returns the authentication result to the client server. The using process and principle are as follows:
step 1, a user sends a request to an authentication server to request identity authentication, the user fills in a user name and a password for authentication, the authentication server inquires whether the user is a legal user from a user database, and if not, no further processing is performed; if the user is legal, a random number is generated in the authentication server and is used as a question to be sent to the user;
step 2, the user inputs the random number into a challenge/response dynamic password card, the password card uses an RSA algorithm to generate a byte string as a response, and the user uploads the response to an authentication server;
step 3, the authentication server compares the response string with the calculation result of the authentication server, and if the response string and the calculation result are the same, the authentication server passes one-time authentication; otherwise, authentication fails;
step 4 the authentication server informs the client of the success or failure of the authentication.
The subsequent authentication is initiated by the client at random, and no step is required for client authentication in the process. The key interval between two authentications cannot be too short, otherwise too much overhead is brought to the network, the client and the authentication server; and the time is not too long, otherwise, the user cannot be guaranteed not to steal the IP address by others, and the time is generally set to be 1-2 minutes.
Assuming that the user a performs an authentication operation, the following is an authentication step:
1. logging in software, prompting and inputting a user name and a password by a client:
inputting a user name: 33445566 (user)
Password: admin1234 (PIN)
The authentication server judges whether the user name and the password are correct, and if so, generates and displays a random number key 749125 (challenge number R);
meanwhile, the authentication server and the dynamic password card generate another string of the numeric string X, and the string of the numeric string X is not displayed. This value X is generated only in relation to time, with X being generated differently at different times.
3. The user inputs the random number '749125' (challenge number R) into a challenge/response dynamic password card, the dynamic password card calculates and displays a corresponding response number string '831542' (password Y) by using a built-in encryption RSA algorithm by taking the random number '749125' (challenge number R) and a plaintext X as variables, and the user inputs the generated '831542' (password Y) into a client;
4. at this time, the authentication server has already calculated the same answer number string "831542" (password Y') using the same algorithm, but it is not shown. And (3) waiting for the user to input 831542 (password Y) into the client, comparing Y 'with the response number Y uploaded by the user by the authentication server to obtain Y = Y', and then successfully authenticating.
5. And after the authentication is successful, the user successfully logs in the client.
The specific function is illustrated as:
Y=f ( X ,R );
X=g (Time);
R=C(user, PIN ,Time);
f () is an RSA algorithm which is developed by entrusting a domestic information security authority and the operation of the RSA algorithm is irreversible;
g () is a specific function, so that the generation of the numeric string X is time dependent only;
the user and the PIN are respectively a user name and a password;
r is a challenge number randomly generated in the server;
c () is a random number generation function.
The identity authentication of the challenge/response mechanism has extremely high security. Because the RSA algorithm is irreversible, the plaintext X cannot be deduced through the obtained ciphertext Y, and better indecipherability is achieved. Secondly, because the generation of X is time-dependent, although the algorithm is unique, the plaintext X generated at different times is different, and the replay attack is well resisted. Even if the time is the same, the generated plaintext X is the same, but the obtained Y value is still uncontrollable because the challenge number R is randomly generated, so the protection scheme can prevent illegal users from stealing passwords, illegal login and operation from various aspects, and correct response numbers can be calculated for legal login and operation only if the users hold the appointed challenge/response dynamic password card, thereby ensuring that the users are legal users holding the appointed dynamic password card.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Furthermore, it should be understood that although the present description refers to embodiments, not every embodiment may contain only a single embodiment, and such description is for clarity only, and those skilled in the art should integrate the description, and the embodiments may be combined as appropriate to form other embodiments understood by those skilled in the art.
Claims (7)
1. An otp algorithm-based anti-replay attack authentication method is characterized by comprising the following specific processes: each system user holds a corresponding challenge/response device, namely a dynamic password card, when the user needs to access the system, the authentication system firstly prompts the user to input a user account number user and a static password PIN, the system downloads a challenge digit string challenge randomly generated by a central system after the authentication is passed, the validity time of the random number is 1min, once the authentication is unsuccessful or the authentication is re-authenticated or overtime is exceeded, the challenge number is invalid, the system re-generates a challenge number during the next authentication, meanwhile, the authentication server and the dynamic password card generate another digit string Ntime, at the moment, the user inputs the challenge digit challenge to the challenge/response dynamic password card, the dynamic password card calculates a corresponding response digit string Plogin by using the Ntime and the challenge digit string challenge as variables through an RSA encryption algorithm, and the user uploads the digit string Plogin as the response number to the authentication center, the authentication center calculates the same response number Pcurent by using the same RSA algorithm encryption algorithm for the Ntime and the challenge digit string, only if the response number Pcurent is not displayed, waits for the response number Plogin uploaded by the user, compares the Pcurent with the Plogin, allows the user to access the system if the response number Pcurent and the Plogin are the same, and otherwise, refuses the login request of the user.
2. The otp algorithm-based authentication method for preventing replay attack according to claim 1, wherein the dynamic password card has a seed key generation algorithm and an encrypted RSA algorithm built therein.
3. An otp algorithm-based authentication method for preventing replay attack, according to claim 2, wherein the key interval between two authentications is 1-2 minutes.
4. The otp algorithm-based replay attack prevention authentication method according to claim 1, wherein the authentication server, the backup authentication server and the management workstation are all implemented in Visual C + + language, and the user authentication side is implemented in C language.
5. The otp algorithm-based authentication method for preventing replay attack according to claim 1, wherein an authentication service interface function (API) provides a software interface between the client server and the dynamic authentication server, and the client server obtains the authentication service provided by the dynamic authentication server through a call to the client server.
6. The otp algorithm-based authentication method for preventing replay attack, according to claim 1, wherein the authentication service interface function, after receiving the call request, automatically decides to send the request to the dynamic authentication server or the backup authentication server, and then returns the authentication result to the client server.
7. The otp algorithm-based method for authenticating protection against replay attacks, wherein Ntime is not displayed but temporarily stored in the authentication server and the dynamic password card, and the value Ntime is generated only in relation to time, and is different from time to time.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010886236.5A CN112087438A (en) | 2020-08-28 | 2020-08-28 | Otp algorithm-based anti-replay attack authentication method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010886236.5A CN112087438A (en) | 2020-08-28 | 2020-08-28 | Otp algorithm-based anti-replay attack authentication method |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112087438A true CN112087438A (en) | 2020-12-15 |
Family
ID=73728758
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010886236.5A Pending CN112087438A (en) | 2020-08-28 | 2020-08-28 | Otp algorithm-based anti-replay attack authentication method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112087438A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115766281A (en) * | 2022-12-09 | 2023-03-07 | 北京深盾科技股份有限公司 | Method, system, electronic device and storage medium for preventing replay attack |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1431591A (en) * | 2003-01-29 | 2003-07-23 | 西安海星现代科技股份有限公司 | Dynamic password identity authentication system applicable to network based on software token |
| CN101188495A (en) * | 2007-12-04 | 2008-05-28 | 魏恺言 | A secure system and method for realizing powerful password authentication mode |
| CN101645775A (en) * | 2008-08-05 | 2010-02-10 | 北京灵创科新科技有限公司 | Over-the-air download-based dynamic password identity authentication system |
| CN103840943A (en) * | 2014-03-11 | 2014-06-04 | 上海动联信息技术股份有限公司 | Method for achieving multi-service authentication based on challenge-response dynamic passwords |
| CN103902880A (en) * | 2014-03-31 | 2014-07-02 | 上海动联信息技术股份有限公司 | Windows system two-factor authentication method based on challenge responding type dynamic passwords |
| CN104539421A (en) * | 2014-08-22 | 2015-04-22 | 南京速帕信息科技有限公司 | Realizing method for mobile token based on dynamic algorithm seed |
| CN106506529A (en) * | 2016-12-06 | 2017-03-15 | 上海众人网络安全技术有限公司 | A kind of mutual authentication method and system |
| CN108347335A (en) * | 2018-04-26 | 2018-07-31 | 广州江南科友科技股份有限公司 | Login validation method based on SM3 algorithms and random challenge code and system |
-
2020
- 2020-08-28 CN CN202010886236.5A patent/CN112087438A/en active Pending
Patent Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1431591A (en) * | 2003-01-29 | 2003-07-23 | 西安海星现代科技股份有限公司 | Dynamic password identity authentication system applicable to network based on software token |
| CN101188495A (en) * | 2007-12-04 | 2008-05-28 | 魏恺言 | A secure system and method for realizing powerful password authentication mode |
| CN101645775A (en) * | 2008-08-05 | 2010-02-10 | 北京灵创科新科技有限公司 | Over-the-air download-based dynamic password identity authentication system |
| CN103840943A (en) * | 2014-03-11 | 2014-06-04 | 上海动联信息技术股份有限公司 | Method for achieving multi-service authentication based on challenge-response dynamic passwords |
| CN103902880A (en) * | 2014-03-31 | 2014-07-02 | 上海动联信息技术股份有限公司 | Windows system two-factor authentication method based on challenge responding type dynamic passwords |
| CN104539421A (en) * | 2014-08-22 | 2015-04-22 | 南京速帕信息科技有限公司 | Realizing method for mobile token based on dynamic algorithm seed |
| CN106506529A (en) * | 2016-12-06 | 2017-03-15 | 上海众人网络安全技术有限公司 | A kind of mutual authentication method and system |
| CN108347335A (en) * | 2018-04-26 | 2018-07-31 | 广州江南科友科技股份有限公司 | Login validation method based on SM3 algorithms and random challenge code and system |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115766281A (en) * | 2022-12-09 | 2023-03-07 | 北京深盾科技股份有限公司 | Method, system, electronic device and storage medium for preventing replay attack |
| CN115766281B (en) * | 2022-12-09 | 2023-07-18 | 北京深盾科技股份有限公司 | Replay attack prevention method, system, electronic device and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN105516195B (en) | A kind of security certification system and its authentication method based on application platform login | |
| CN108418691A (en) | Dynamic network identity identifying method based on SGX | |
| US20100217975A1 (en) | Method and system for secure online transactions with message-level validation | |
| US20070192829A1 (en) | Authenticated communication using a shared unpredictable secret | |
| US6892308B1 (en) | Internet protocol telephony security architecture | |
| US20100058064A1 (en) | Login authentication using a trusted device | |
| CN1937498A (en) | Dynamic cipher authentication method, system and device | |
| WO1999024895A1 (en) | Tamper resistant method and apparatus | |
| CN109963282A (en) | Secret protection access control method in the wireless sensor network that IP is supported | |
| KR100656355B1 (en) | Method for user authentication and service authentication using splitted user authentication key and apparatus thereof | |
| CN112989426B (en) | Authorization authentication method and device, and resource access token acquisition method | |
| CN111224784B (en) | Role separation distributed authentication and authorization method based on hardware trusted root | |
| CN111800378A (en) | Login authentication method, device, system and storage medium | |
| Alqubaisi et al. | Should we rush to implement password-less single factor FIDO2 based authentication? | |
| CN110035035B (en) | Secondary authentication method and system for single sign-on | |
| EP2070248B1 (en) | System and method for facilitating secure online transactions | |
| CN112087438A (en) | Otp algorithm-based anti-replay attack authentication method | |
| Form | Content | |
| CN105681364B (en) | A kind of IPv6 mobile terminal attack resistance method based on enhancing binding | |
| CA2421628A1 (en) | Internet protocol telephony security architecture | |
| CN115396149A (en) | Efficient authentication key exchange method based on privacy protection | |
| Putro et al. | Implementation of the park schema on user authentication services using password-based web codeigniter library to overcome man in the middle attack | |
| US10979226B1 (en) | Soft-token authentication system with token blocking after entering the wrong PIN | |
| Jo et al. | A secure user authentication protocol based on one-time-password for home network | |
| CN108289102B (en) | Micro-service interface safe calling device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20201215 |
|
| RJ01 | Rejection of invention patent application after publication |