CN112688972A - Method and system for protecting account security - Google Patents

Method and system for protecting account security Download PDF

Info

Publication number
CN112688972A
CN112688972A CN202110293417.1A CN202110293417A CN112688972A CN 112688972 A CN112688972 A CN 112688972A CN 202110293417 A CN202110293417 A CN 202110293417A CN 112688972 A CN112688972 A CN 112688972A
Authority
CN
China
Prior art keywords
login
user
account
ciphertext
risk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110293417.1A
Other languages
Chinese (zh)
Other versions
CN112688972B (en
Inventor
肖寒
金宏洲
刘海平
李程
徐吉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Tiangu Information Technology Co ltd
Original Assignee
Hangzhou Tiangu Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Tiangu Information Technology Co ltd filed Critical Hangzhou Tiangu Information Technology Co ltd
Priority to CN202110293417.1A priority Critical patent/CN112688972B/en
Publication of CN112688972A publication Critical patent/CN112688972A/en
Application granted granted Critical
Publication of CN112688972B publication Critical patent/CN112688972B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a system for protecting the safety of an account number, wherein the method comprises the following steps: receiving login information comprising a login account and a login ciphertext, wherein the login ciphertext is a login password encrypted based on a key; sending the login ciphertext to an external authentication server, and receiving identification information returned by the authentication server, wherein the identification information is used for identifying the login password; generating corresponding login analysis data based on the login information and the identification information; performing leakage analysis based on the login analysis data to obtain a risk identifier and/or a risk ciphertext; and acquiring a corresponding user account as a risk account based on the risk identifier and the risk ciphertext. According to the invention, through the design of the login ciphertext and the identification information, the login password cannot be transmitted in a plaintext manner, so that the leakage risk is reduced, and the user account with the password leakage risk and the ciphertext leakage risk can be monitored to protect the safety of the account.

Description

Method and system for protecting account security
Technical Field
The invention relates to the technical field of information, in particular to a method and a system for protecting account security.
Background
It is well known that cryptography is a relatively weak authentication mechanism. Most platforms today store passwords in the clear.
An attacker can acquire the database by dragging the database to acquire a plaintext password through SQL injection or by executing a command to acquire the authority of the vulnerability acquisition server, and can also use the acquired plaintext password to bump other platforms, so that after the password of the user is leaked, the user has leakage risks in accounts of a plurality of platforms, and the attack of the password leaked by other platforms to bump the database is often difficult to sense, so that great potential safety hazards exist.
The personal contract and the enterprise contract of the user exist on the electronic contract platform, and the electronic contract platform also contains sensitive data of the individual and the enterprise, even business confidentiality, so the account system security of the electronic contract platform is very important, and once an attacker obtains the account information of the user or obtains the login mode of the user by using a collision library, the user, the enterprise and an electronic contract service provider are greatly lost.
Disclosure of Invention
Aiming at the defects in the prior art, the invention provides a method and a system for protecting the security of an account, which can avoid the leakage of a plaintext password and can monitor whether the risk of the leakage of the password exists or not based on login information.
In order to solve the technical problem, the invention is solved by the following technical scheme:
the invention provides a method for protecting account security, which comprises the following steps:
receiving login information, wherein the login information comprises a login account and a login ciphertext, and the login ciphertext is a login password encrypted based on a key; according to the invention, through the design of the login ciphertext, an attacker can be effectively prevented from intercepting the login password for obtaining the plaintext, and after the same login password is encrypted by different keys, the generated login ciphertexts are different, so that after the attacker drags the library, the attacker cannot judge which passwords used by the user are consistent through the login ciphertext, and cannot explode the passwords, so that the difficulty of password cracking is greatly improved;
and sending the login ciphertext to an external authentication server, and receiving identification information returned by the authentication server, wherein the identification information is used for identifying the login password, namely the identification information corresponding to the same login password is the same, so that the subsequent analysis on the leakage condition of the plaintext password is facilitated.
Note that "external" in this specification is used only to distinguish the corresponding device from a main body for implementing the method disclosed in the present invention, and does not limit the location of the corresponding device, and the external authentication server may be located in an external network or an internal network as described above.
Generating corresponding login analysis data based on the login information and the identification information;
performing leakage analysis based on the login analysis data, wherein identification information with leakage risks is used as risk identification, and login ciphertext with leakage risks is used as risk ciphertext;
the leakage analysis rule can be set by a person skilled in the art according to actual needs to identify the risk identifier and the risk ciphertext.
And acquiring a corresponding user account as a risk account based on the risk identifier and the risk ciphertext.
As an implementation manner, the identification information is a login password signature or a login password digest;
the existing signature method is as follows:
performing hash calculation on the data needing to be signed, for example, performing hash calculation on the signed data by using the SHA-256 algorithm which is disclosed nowadays to obtain summary information of the signed data;
signing the abstract information to obtain a corresponding signature;
if a random number is added during signing, the digest information corresponding to the same data is the same but the signatures are different, for example, the presently disclosed ECC algorithm may be adopted, or the presently disclosed RSA algorithm and the random number may be added;
if no random number is added during signing, the digest information corresponding to the same data is the same, and the signature is also the same, for example, the presently disclosed RSA algorithm can be used without adding a random number.
The identification information is used for identifying the login password, that is, the identification information corresponding to the same login password is also the same, so that a person skilled in the art can select a signature algorithm according to actual needs and determine the identification information according to the selected signature algorithm.
The specific steps of acquiring the corresponding user account as the risk account based on the risk identifier and the risk ciphertext are as follows:
acquiring a preset user information table and a signature information table, wherein the user information table comprises a user account and a user ciphertext, the user ciphertext is a user password encrypted based on a secret key, the signature information table comprises the user account and a password signature, and the password signature is a digital signature of the user password;
matching the risk ciphertext with each user ciphertext in a preset user information table, extracting a user account corresponding to the matched user ciphertext, and acquiring a risk account with a leakage risk in the ciphertext;
matching the risk ciphertext with each user ciphertext in a preset user information table, extracting a user account corresponding to the matched user ciphertext, and acquiring a risk account with a leakage risk in the ciphertext;
when the identification information is a login password signature, matching the risk identification with each password signature in the signature information table, extracting a user account corresponding to the matched password signature, and acquiring a risk account with a risk of password leakage;
that is, in the case where the same signature information can be obtained by signing the same password, the login password signature may be directly matched with the password signature of each user to obtain an account using the login password as the user password.
When the identification information is a login password abstract, a temporary abstract information table is obtained from an external authentication server, the temporary abstract information table comprises a user account and a password abstract, and the password abstract is abstract information of a user password; and matching the risk identification with each password abstract in the temporary abstract information table, extracting a user account corresponding to the matched password abstract, and acquiring the risk account with the leakage risk of the password.
Namely, the same password is signed, and the obtained signature information is different;
and destroying the temporary summary information table after matching and acquiring the corresponding risk account number.
As an implementable embodiment:
the user information table comprises a plurality of user information sub-tables divided according to enterprise information, and the user information sub-tables are isolated from each other;
the login analysis data further comprises a login state, a first affiliated enterprise, at least one ciphertext affiliated account and at least one second affiliated enterprise, wherein the login state comprises login success or login failure, the first affiliated enterprise is enterprise information corresponding to the login account, the ciphertext affiliated account is a user account with the user ciphertext as the login ciphertext, and the second affiliated enterprise is an enterprise with the account with the ciphertext in one-to-one correspondence.
As an implementable manner, after generating corresponding login analysis data, performing library dragging analysis based on the login analysis data, and taking an enterprise with library dragging risk as an inauguration enterprise, the specific steps are as follows:
in the current library dragging analysis period, when the number of successful login states in login analysis data corresponding to a certain first affiliated enterprise exceeds a preset first number threshold, judging that the first affiliated enterprise is an inauguration enterprise;
and when the number of the risk ciphertexts corresponding to a certain second affiliated enterprise exceeds a preset second number threshold value in the current database dragging analysis period, judging that the second affiliated enterprise is the risk enterprise.
As an implementable manner, before receiving the login information, the method further comprises a login request response step, and the specific steps are as follows:
receiving a login request containing a login account, retrieving a user account corresponding to the login account, and obtaining a retrieval result;
when the matched user account is retrieved, obtaining and returning a user public key corresponding to the matched user account, wherein the user public key is used for encrypting a login password to generate a corresponding login ciphertext;
and when the matched user account is not retrieved, enabling an external authentication server to generate a temporary public key, and returning the temporary public key, wherein the temporary public key is used for encrypting the login password to generate a corresponding login ciphertext.
Aiming at the wrong login information of the login account, the account number existing in the system is prevented from being exploded by an attacker through the design of the temporary public key or the absence of the front-end display account number, and corresponding identification information can be obtained, so that the subsequent analysis of whether an individual user outputs a mistake or the attacker is in a database collision state is facilitated.
As an implementable manner, the method further comprises an account registration step, and the specific steps are as follows:
receiving a registration request, establishing a corresponding user account, and generating a key generation request based on the user account;
sending the key generation request to an external authentication server, and receiving a user public key generated by the authentication server, wherein the user public key corresponds to the user account;
returning a user public key, receiving a user cipher text generated after a user password is encrypted by the user public key, and associating the user cipher text with the user account;
and sending the user ciphertext to the authentication server, receiving a password signature returned by the authentication server, and associating the password signature with the user account.
The invention also provides a system for protecting the security of the account, which comprises a risk detection subsystem, wherein the risk detection subsystem comprises:
the login module is used for receiving login information, wherein the login information comprises a login account and a login ciphertext, and the login ciphertext is a login password encrypted based on a key;
the signature acquisition module is used for sending the login ciphertext to an external authentication server and receiving identification information returned by the authentication server, wherein the identification information is used for identifying the login password;
the data generation module is used for generating corresponding login analysis data based on the login information and the identification information;
the leakage analysis module is used for carrying out leakage analysis based on the login analysis data, taking the identification information with the leakage risk as a risk identification, and taking the login ciphertext with the leakage risk as a risk ciphertext;
and the account checking module is used for acquiring a corresponding user account as a risk account based on the risk identifier and the risk ciphertext.
As an implementation manner, the login module comprises a first login unit and a second login unit;
the first login unit is configured to:
receiving a login request containing a login account, retrieving a user account corresponding to the login account, and obtaining a retrieval result;
when the matched user account is retrieved, acquiring a user public key corresponding to the matched user account and returning;
when the matched user account is not retrieved, enabling an external authentication server to generate a temporary public key and returning the temporary public key;
the second login unit is used for receiving login information, the login information comprises a login account and a login ciphertext, and the login ciphertext is a login password encrypted based on a user public key or a temporary public key.
As an implementable embodiment, further comprising a registration subsystem, the registration subsystem comprising:
the account construction module is used for receiving a registration request, establishing a corresponding user account and generating a key generation request based on the user account;
the key request module is used for sending the key generation request to an external authentication server and receiving a user public key generated by the authentication server, wherein the user public key corresponds to the user account;
the ciphertext acquisition module is used for returning the user public key, receiving a user ciphertext generated by encrypting the user password by the user public key, and associating the user ciphertext with the user account;
and the signature acquisition module is used for sending the user ciphertext to the authentication server, receiving the password signature returned by the authentication server, and associating the password signature with the user account.
The invention also provides a system for protecting the safety of the account number, which comprises a platform server, an authentication server, an analysis engine and a plurality of clients, wherein the authentication server is connected with the platform server through signals;
the platform server includes:
the system comprises a login module, a password generation module and a password generation module, wherein the login module is used for receiving login information sent by a client, the login information comprises a login account and a login ciphertext, and the login ciphertext is a login password encrypted based on a key;
the signature acquisition module is used for sending the login ciphertext to the authentication server and receiving identification information returned by the authentication server, wherein the identification information is used for identifying the login password;
the data generation module is used for generating corresponding login analysis data based on the login information and the identification information;
the leakage analysis module is used for carrying out leakage analysis on the login analysis data through the analysis engine, taking the identification information with the leakage risk as a risk identification, and taking the login ciphertext with the leakage risk as a risk ciphertext;
and the account checking module is used for acquiring a corresponding user account as a risk account based on the risk identifier and the risk ciphertext.
Due to the adoption of the technical scheme, the invention has the remarkable technical effects that:
1. according to the invention, through the design of the login ciphertext and the identification information, the login password cannot be transmitted in a plaintext manner in the whole login process, so that the risk of the login password leakage is effectively reduced; and in the subsequent leakage analysis process, the leakage of the related ciphertext or the leakage of the plaintext password of the user can be conveniently identified, the corresponding user is timely alarmed, and the account safety is effectively protected.
2. According to the invention, through the design of the temporary public key, when the login account input by the user is wrong and has no corresponding public key, the corresponding login information can be generated through the temporary public key, so that an attacker is prevented from exploding the account existing in the system by failing to acquire the public key or not existing in the front-end display account, and a corresponding login ciphertext can be obtained, so that whether a person explodes based on the login password or not can be analyzed through corresponding identification information.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart illustrating a method for securing an account according to the present invention;
fig. 2 is a schematic diagram of signal transmission in the account login process in embodiment 1;
FIG. 3 is a schematic diagram showing signal transmission in the risk analysis process in example 1;
fig. 4 is a schematic flowchart of account registration in embodiment 3;
FIG. 5 is a schematic illustration of signaling during account registration;
FIG. 6 is a schematic block diagram showing the connection of the risk detection sub-system according to embodiment 4;
FIG. 7 is a schematic block diagram showing connection of modules of the registration subsystem in embodiment 5;
fig. 8 is a schematic diagram of module connections of a system for protecting account security according to the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples, which are illustrative of the present invention and are not to be construed as being limited thereto.
Embodiment 1, a method for protecting account security, where the method is leak detection performed by a platform server 1 based on received login information, as shown in fig. 1, includes the following steps:
s110, receiving login information, wherein the login information comprises a login account and a login ciphertext, the login ciphertext is a login password encrypted based on a key, and due to the fact that the keys adopted by the users are different, when different users adopt the same login password, the corresponding login ciphertexts are different.
In this embodiment, the external client 3 encrypts the login password input by the user based on the corresponding key, and then sends the generated login ciphertext to the platform server 1.
S120, sending the login ciphertext to an external authentication server 2, and receiving identification information returned by the authentication server 2, wherein the identification information is used for identifying the login password;
in this embodiment, the identification information is a login password signature, and the external authentication server 2 decrypts the login ciphertext after receiving the login ciphertext, performs signature addition on the login password obtained by decryption, and sends the generated identification information to the platform server 1.
The identification information is used for identifying the login password, that is, the identification information corresponding to the same login password is also the same.
S130, generating corresponding login analysis data based on the login information and the identification information;
in this embodiment, login analysis data corresponding to each piece of login information is generated;
s140, performing leakage analysis based on the login analysis data, wherein identification information with leakage risks is used as a risk identification, and login ciphertext with leakage risks is used as risk ciphertext;
and S150, acquiring a corresponding user account as a risk account based on the risk identification and the risk ciphertext.
After the risk account is obtained, alarming can be performed based on the external client 3 and the platform server 1 according to a preset alarming rule.
According to the embodiment, through the design of the login ciphertext and the identification information, the login password cannot be transmitted in a plaintext mode in the whole login process, and the risk of the login password leakage is effectively reduced;
because the login ciphertext is encrypted by the key, when different users adopt the same login password, the corresponding login ciphertexts are different, and an attacker cannot judge which passwords used by the users are consistent through the ciphertext, so that the password blasting cannot be performed, and the difficulty of password cracking can be greatly improved;
the identification information is a digital signature of the login password of the authentication server 2, and when the login password is the same, the corresponding identification information is the same; according to the embodiment, through the design of the identification information and the login ciphertext, when leakage analysis is performed, leakage risks of different types are effectively detected according to the conditions of the login ciphertext and the identification information, an alarm is given to a corresponding user in time, and the safety of an account is effectively protected.
Those skilled in the art can set leakage analysis rules according to actual needs, so that the platform server 1 analyzes each login analysis data based on the leakage analysis rules to identify and obtain corresponding risk identifiers and risk ciphertexts, for example:
in the current leakage analysis period, judging the login ciphertext of which the occurrence frequency exceeds a preset ciphertext frequency threshold value as a risk ciphertext;
in the current leakage analysis period, judging the identification information of which the occurrence frequency exceeds a preset signature frequency threshold value as a risk identification;
note that data-assisted analysis such as login IP and login state can be added to the login analysis data according to actual needs to improve the accuracy of risk determination.
A person skilled in the art can set a current leakage analysis period, a ciphertext time threshold, and a signature time threshold according to actual needs, where the current leakage analysis period in this embodiment is: the current time is within 1 hour of the cutoff time.
Further analysis can be carried out based on the risk ciphertext and the risk identifier:
when the number of the risk ciphertexts exceeds a preset cipher text number threshold value, judging that the platform server 1 is dragged, wherein an attacker uses the user cipher texts obtained by dragging the library to bump the library, otherwise, judging that the cipher texts of individual users are leaked;
when the number of the risk identifications exceeds a preset signature number threshold value, judging that the third-party platform is dragged to the library, and an attacker utilizes a plaintext password leaked by the third-party platform to bump the library, otherwise, judging that the password of an individual user is leaked;
further, before the step S110 acquires the login information, a step of responding to the login request is further included, and the specific steps are as follows:
receiving a login request containing a login account, retrieving a user account corresponding to the login account, and obtaining a retrieval result;
when the matched user account is retrieved, obtaining and returning a user public key corresponding to the matched user account, wherein the user public key is used for encrypting a login password to generate a corresponding login ciphertext;
the user public key is generated by the external authentication server 2 in the early registration process, and the corresponding user private key is stored in the authentication server 2.
And when the matched user account is not retrieved, enabling the external authentication server 2 to generate a temporary public key, and returning the temporary public key, wherein the temporary public key is used for encrypting the login password to generate a corresponding login ciphertext.
And storing the corresponding temporary private key into the authentication server 2, and destroying the temporary public key and the temporary private key after the authentication server 2 decrypts the corresponding login ciphertext by using the temporary private key to obtain a login password.
When the login account input by the user is wrong, the embodiment returns the temporary public key to obtain corresponding login information, so that an attacker is prevented from blasting the account existing in the system by failing to obtain the public key or preventing the front-end display account from not existing;
in addition, in this embodiment, through the design of the temporary public key, a corresponding login ciphertext can be obtained, and whether someone explodes based on the login password is analyzed through corresponding identification information.
And when the matched user account is not retrieved, directly judging that the login state is login failure after the corresponding login information is received.
Further, the step S150 of extracting the user account using the risk identifier or the risk ciphertext includes the specific steps of:
s151, acquiring a preset user information table and a signature information table, wherein the user information table comprises a user account and a user ciphertext, the user ciphertext is a user password encrypted based on a secret key, the signature information table comprises the user account and a password signature, and the password signature is a digital signature of the user password;
the user cipher text is the user cipher code encrypted by the client 3 based on the received user public key in the registration process.
The password signature is obtained by the authentication server 2 decrypting the user ciphertext by using the corresponding user private key and signing in the registration process.
After obtaining the login information, the platform server 1 extracts the corresponding user ciphertext from the user information table through the login account, matches the user ciphertext with the login ciphertext, allows login if the matching is successful, and if not, refuses to login, and if the login status is failed.
Therefore, in the embodiment, through the design of the user cipher text and the password signature, the platform server 1 does not adopt the user password and the login password in the plaintext in the login verification and the leakage analysis processes, and the platform server 1 does not store the user password and the login password in the plaintext, so that the risk of password leakage is effectively reduced.
S152, matching the risk ciphertext with each user ciphertext in a preset user information table, extracting a user account corresponding to the matched user ciphertext, and acquiring a risk account with a ciphertext leakage risk;
s153, matching the risk identification with each password signature in the signature information table, extracting the user account corresponding to the matched password signature, and acquiring the risk account with the risk of leakage of the password.
In the embodiment, whether the account using the risk ciphertext or the risk identifier exists is checked, so that the risk of password leakage is monitored, and a warning is given to a relevant user in time.
Further:
the user information table comprises a plurality of user information sub-tables divided according to enterprise information, and the user information sub-tables are isolated from each other;
in this embodiment, the enterprise information may be other, which means that the user is an individual user or the user exists independently, and such users may be classified into the same user information sub-table as other classes.
The login analysis data further comprises a login state, a first affiliated enterprise, at least one ciphertext affiliated account and at least one second affiliated enterprise, wherein the login state comprises login success or login failure, the first affiliated enterprise is enterprise information corresponding to the login account, the ciphertext affiliated account is a user account with the user ciphertext as the login ciphertext, and the second affiliated enterprise is an enterprise with the account with the ciphertext in one-to-one correspondence.
When an attacker takes the ciphertext of some account numbers, the ciphertext cannot be decrypted, and blasting other account numbers by using the ciphertext may exist to see whether the account numbers can be directly logged in through the ciphertext;
the embodiment is particularly applied to an electronic contract platform and relates to a plurality of enterprises, user information sub-tables corresponding to the enterprises in the embodiment are mutually isolated, on one hand, leaked data can be reduced when the database dragging occurs, and on the other hand, the enterprises with leakage risks can be obtained according to behavior analysis of an attacker colliding the database after the database dragging.
The database dragging analysis is performed based on the login analysis data, and the enterprise with the database dragging risk is used as an inauguration enterprise, which in this embodiment may be another enterprise, and indicates that the enterprise information is the database dragging risk in the user information sub-table where another user account (individual user) is located.
The library analysis method is as follows:
s161, in the current library dragging analysis period, when the number of successful login states in login analysis data corresponding to a certain first affiliated enterprise exceeds a preset first number threshold, determining that the first affiliated enterprise is an inauguration enterprise;
in a certain time, a large number of users belonging to the same enterprise log in successfully, which indicates that an attacker has dragged the library to obtain the user ciphertext of the enterprise and successfully hit the library by using the user ciphertext, and at this time, an alarm is given to an administrator of the platform server 1 and an administrator of the corresponding enterprise.
And S162, when the number of the risk ciphertexts corresponding to a certain second affiliated enterprise exceeds a preset second number threshold value in the current library dragging analysis period, judging that the second affiliated enterprise is the risk enterprise.
In a certain period of time, a plurality of login ciphertexts log in different account numbers in batches, the login ciphertexts are of the same enterprise, the fact that an attacker drags the database to obtain the user ciphertexts of the enterprise is shown, the user ciphertexts are used for colliding the database, and at the moment, an alarm is given to an administrator of the platform server 1 and an administrator of the corresponding enterprise. Note: and a login IP can be added in login analysis data according to actual needs to perform auxiliary analysis so as to improve the accuracy of library dragging detection.
Those skilled in the art can set the method of library dragging analysis by themselves according to actual needs, and also can set the current library dragging analysis period, the first quantity threshold and the second quantity threshold by themselves according to actual needs, where the current library dragging analysis period is greater than or equal to the current leakage analysis period, and the current leakage analysis period in this embodiment is: the current time is within 2 hours of the cutoff time.
To sum up, this embodiment can in time perceive the password and reveal and the behavior that the attacker dragged the storehouse through the design to logging in ciphertext and login signature, can reduce the risk that user's signing account number is maliciously used in the electronic signature field, can also protect the safety of the account number that uses the same password.
With reference to fig. 2 and 3, a detailed description will be given of a specific process for protecting account security based on login information:
the login process is shown in fig. 2, and specifically includes the following steps:
firstly, an external client 3 sends a login request to a platform server 1, wherein the login request comprises a login account;
secondly, the platform server 1 requests a public key to an external authentication server 2 based on the login account;
when a user account corresponding to the login account exists in the user information table, the platform server 1 requests a user public key corresponding to the user account to an external authentication server 2, otherwise, a temporary public key is requested;
thirdly, the external authentication server 2 sends a corresponding user public key or temporary public key to the platform server 1 according to the request;
the user public key and the temporary public key are generated by the external authentication server 2 based on the existing public RSA algorithm (without adding a random number).
Fourthly, the platform server 1 returns the user public key or the temporary public key to the corresponding client 3;
the external client 3 encrypts the login password input by the user based on the received public key (the user public key or the temporary public key) to obtain a login ciphertext;
sixthly, the external client 3 generates login information based on the login account and the login ciphertext and sends the login information to the platform server 1;
seventhly, the platform server 1 performs login authentication to generate a login result:
when a user account corresponding to the login account exists, the platform server 1 matches the login ciphertext with the user ciphertext of the user account, and if the matching is successful, the login is allowed, otherwise, the login is refused;
when the user account corresponding to the login account does not exist, the platform server 1 refuses login;
and the platform server 1 returns the login result to the external client 3.
The risk analysis process is as shown in fig. 3, where an analysis engine 4 in fig. 3 is a preset analysis engine 4, and is configured to analyze login analysis data according to a preconfigured analysis rule, a database is used to store a user information table and a signature information table, the analysis engine 4 and the database are in a platform server 1 or other third-party servers, and in this embodiment, the analysis engine 4 and the database are both in the platform server 1, and are used as separate modules to reflect a data interaction process;
the method specifically comprises the following steps:
firstly, the platform server 1 extracts the information: the affiliated information comprises a first affiliated enterprise, at least one ciphertext affiliated account and a second affiliated enterprise corresponding to the ciphertext affiliated account;
the platform server 1 extracts enterprise information corresponding to the login account based on a user information table to obtain a first affiliated enterprise; and extracting a user account with the user ciphertext consistent with the login ciphertext from the user information table to serve as an account to which the ciphertext belongs, wherein enterprise information corresponding to the user account serves as a second affiliated enterprise.
Secondly, the platform server 1 acquires the login state of the current login;
thirdly, the platform server 1 acquires corresponding identification information from an external authentication server 2;
the platform server 1 transmits a login account and a login ciphertext to the external authentication server 2.
The external authentication server 2 calls a corresponding private key (a user private key or a temporary private key) based on the login account, decrypts the login ciphertext by using the private key to obtain a corresponding login password, signs the login password and obtains corresponding identification information;
in this embodiment, the cipher is encrypted/decrypted and signed based on the RSA algorithm (without adding a random number).
The external authentication server 2 destroys the temporary key pair (temporary public key and temporary private key) after completing decryption of the corresponding login ciphertext based on the temporary private key.
Note that the authentication server 2 does not save the decrypted login password.
Fourthly, the platform server 1 sends corresponding login analysis data to a preset analysis engine 4;
the platform server 1 generates metadata which comprises login information, belonging information, login state and identification information, and the metadata is used as login analysis data;
the analysis engine 4 is located in the third-party server obtained from the platform server 1, and a person skilled in the art can configure the rule of the analysis engine 4 for risk analysis according to actual needs, which is not specifically limited in this embodiment.
Fifthly, the analysis engine 4 pushes the risk warning information to the platform server 1;
the risk warning information comprises a risk type and a corresponding risk identifier, a risk ciphertext and/or a risk enterprise;
risk types such as personal ciphertext leakage, personal password leakage, ciphertext dragged library, and the like.
Sixthly, the platform server 1 acquires a risk account number based on the risk warning information;
extracting user information sub-tables of enterprise information which are risk enterprises, and taking all accounts in the sub-tables as risk accounts;
extracting an account with the user ciphertext as the risk ciphertext from the user information table to serve as a risk account;
extracting an account with a password signature as a risk identifier from the signature information table to serve as a risk account;
seventhly, the platform server 1 pushes alarm information according to preset alarm rules;
for example:
summarizing and generating platform alarm information based on the risk alarm information and the risk account number, and pushing the platform alarm information to a corresponding platform administrator;
generating enterprise alarm information based on the inauguration enterprise, and pushing the enterprise alarm information to a corresponding enterprise principal;
generating account alarm information based on the risk identification or the risk account, and pushing the account alarm information to the corresponding risk account.
Embodiment 2, the method for obtaining a corresponding risk account based on a risk identifier in embodiment 1 is as follows, where the identification information in embodiment 1 has a login password signature and is changed into a login password digest, and the rest are the same as those in embodiment 1:
acquiring a temporary summary information table from an external authentication server, wherein the temporary summary information table comprises a user account and a password summary, and the password summary is summary information of a user password; and matching the risk identification with each password abstract in the temporary abstract information table, extracting a user account corresponding to the matched password abstract, and acquiring the risk account with the leakage risk of the password.
In this embodiment, the existing public ECC algorithm (elliptic curve encryption algorithm) is used to replace the RSA algorithm (without adding random numbers) in embodiment 1 for encryption, decryption, and signature verification.
In this embodiment, the user signatures corresponding to the same user password are different, so that an attacker cannot find a user account with the same password for blasting based on the user signature, and compared with embodiment 1, the security is higher.
Referring to fig. 3, in the process of risk analysis in embodiment 1, a risk account obtaining step with a risk of password disclosure is added between step c and step c, and at this time:
sixthly, the platform server 1 acquires a risk account number (particularly a risk account with a ciphertext leakage risk) based on the risk alarm information;
extracting user information sub-tables of enterprise information which are risk enterprises, and taking all accounts in the sub-tables as risk accounts;
extracting an account with the user ciphertext as the risk ciphertext from the user information table to serve as a risk account;
A. the platform server 1 acquires a temporary summary information table from an external authentication server 2, and acquires a risk account number (in particular to a risk account with a password leakage risk) based on the temporary summary information table;
and matching the login risk summary serving as the risk identification with each password summary in the temporary summary information table, extracting a user account corresponding to the matched password summary, and acquiring the risk account with the risk of leakage of the password.
The acquisition mode of the temporary summary information table comprises the following two modes:
the platform server 1 sends a signature information table to an external authentication server 2, the authentication server 2 checks each password signature in the signature information table to obtain a password abstract corresponding to the password signature, and a temporary abstract information table containing a user account and the password abstract is generated and returned to the platform server 1;
the platform server 1 sends a digest retrieval request to the external authentication server 2, and the authentication server 2 returns a formed temporary digest information table to the platform server 1 after adding conditions (one-time) to a pre-constructed digest information table (containing a user account and a password digest) based on the digest retrieval request.
And seventhly, the platform server 1 pushes alarm information according to preset alarm rules based on the risk account numbers obtained in the step A and the step B.
Embodiment 3 adds an account registration step to embodiment 1 or embodiment 2, where the method is an account registration method performed by the platform server 1 based on a received registration request, and as shown in fig. 4, the method specifically includes the following steps:
s210, receiving a registration request, establishing a corresponding user account, and generating a key generation request based on the user account;
s220, sending the key generation request to an external authentication server 2, and receiving a user public key generated by the authentication server 2, wherein the user public key corresponds to the user account;
in this embodiment, the external authentication server 2 generates and stores the user private key and the user public key belonging to the user account, and returns the corresponding user public key to the platform server 1.
S230, returning a user public key, receiving a user cipher text generated after the user public key encrypts a user password, associating the user cipher text with the user account, and adding the user cipher text into a user information table for storage;
in this embodiment, the external client 3 encrypts the user password according to the received user public key, and then sends the generated user ciphertext to the platform server 1.
S240, sending the user ciphertext to the authentication server 2, receiving the password signature returned by the authentication server 2, associating the password signature with the user account, and adding the password signature to a summary information table for storage.
That is, the authentication server 2 decrypts the user ciphertext using the saved user private key, and signs the user password obtained by decryption to generate a corresponding password signature.
In the embodiment, the user ciphertext is obtained by encrypting based on the user public key, and the user ciphertext is almost impossible to have the same condition, so that an attacker cannot explode through the user ciphertext, the attacker not only needs to know the encryption mode but also needs to obtain the user private key, otherwise, the user ciphertext cannot be cracked, the difficulty of cracking the password by the attacker is improved, and the account safety is effectively ensured.
The platform server 1 only stores the user password encrypted by the user public key and the signature of the authentication server 2 on the user password, so that the platform server 1 does not contain the user password in the clear text, and the risk of leakage of the user password is effectively reduced.
In this embodiment, the platform server 1 is separated from the authentication server 2, and the authentication server 2 is located in an intranet, an attacker often only needs to drag the platform server 1 to obtain the data information in the authentication server 2, and after the platform is dragged to the library, the attacker not only needs to obtain the encryption algorithm, but also needs to obtain a key pair (a user public key and a user private key) corresponding to each user or a key pair of the external authentication server 2 to decrypt a user ciphertext or check a password signature, so as to obtain a plaintext user password, thereby greatly improving the difficulty in password cracking.
In this embodiment, the authentication server 2 associates the generated digest information with the user account in the process of signing the decrypted user password, and adds the generated digest information to the digest information table stored in the authentication server 2.
Further, the registration request includes information of a user to be registered, the information of the user to be registered includes a user name (unique) to be registered, and the registration authentication step is further included before the corresponding user account is established, and the specific steps are as follows:
extracting a user information table, wherein the user information table comprises user accounts and user names corresponding to the accounts;
and searching whether the user name to be registered exists in the user information table, if not, establishing a corresponding user account, and updating the user information table by taking the user information to be registered as user information, namely adding the user account and the user information in the user information table.
Further, the information of the user to be registered also includes enterprise information, and the enterprise information may be other information, for example, the user is an individual user;
the user information table comprises a plurality of user information sub-tables divided according to enterprise information, and the user information sub-tables are isolated from each other.
Referring to fig. 5, a detailed description is given of a specific flow of account registration:
firstly, an external client 3 sends a registration request to a platform server 1, wherein the registration request comprises information of a user to be registered;
secondly, the platform server 1 establishes a corresponding user account and then requests a public key to an external authentication server 2;
when a user account conflicting with the information of the user to be registered does not exist in the user information table (for example, the user name conflicts), the platform server 1 requests a user public key corresponding to the user account to the external authentication server 2;
thirdly, the external authentication server 2 sends a corresponding user public key to the platform server 1 according to the request;
the external authentication server 2 generates and stores a key pair belonging to the user account based on an existing public ECC algorithm (elliptic curve encryption algorithm);
and sending the public key of the key pair as the user public key to the platform server 1.
Fourthly, the platform server 1 returns the user public key to the corresponding client 3;
the external client 3 encrypts the account password input by the user based on the received user public key to obtain a user ciphertext;
sixthly, the external client 3 generates registration information based on the user ciphertext and the user information to be registered, and sends the registration information to the platform server 1;
seventhly, the platform server 1 sends the user account and the user ciphertext to an external authentication server 2;
the external authentication server 2 sends the user account and the corresponding password signature to the platform server 1;
the external authentication server 2 calls a corresponding user private key based on the user account, decrypts the user ciphertext by using the user private key, and obtains a corresponding account password;
the authentication server 2 generates and stores a key pair belonging to the authentication server 2 by using an ECC algorithm in advance to obtain a platform public key and a platform private key;
and performing hash calculation on the account password by using the existing public SHA-256 algorithm to obtain a password abstract, associating the password abstract with the user account, adding the password abstract into an abstract information table, and signing the password abstract by using the platform private key to obtain a corresponding password signature.
The external authentication server 2 does not store the account password.
Ninthly, the platform server 1 saves the user ciphertext and the password signature;
the platform server 1 stores the user cipher text, the user account and the user information to be registered in a user information table, and stores the password signature and the user account in a signature information table.
The data bank feeds back the storage state to the platform server 1;
⑪, the platform server 1 feeds back the registration result to the external client 3.
Embodiment 4, a system for protecting security of an account includes a risk detection subsystem, as shown in fig. 6, which includes:
the login module 110 is configured to receive login information, where the login information includes a login account and a login ciphertext, and the login ciphertext is a login password encrypted based on a key;
a signature obtaining module 120, configured to send the login ciphertext to an external authentication server 2, and receive identification information returned by the authentication server 2, where the identification information is used to identify the login password;
a data generating module 130, configured to generate corresponding login analysis data based on the login information and the identification information;
a leakage analysis module 140, configured to perform leakage analysis based on the login analysis data, where identification information with a leakage risk is used as a risk identification, and a login ciphertext with a leakage risk is used as a risk ciphertext;
and the account checking module 150 is configured to obtain a corresponding user account as a risk account based on the risk identifier and the risk ciphertext.
Further, the login module comprises a first login unit and a second login unit;
the first login unit is configured to:
receiving a login request containing a login account, retrieving a user account corresponding to the login account, and obtaining a retrieval result;
when the matched user account is retrieved, acquiring a user public key corresponding to the matched user account and returning;
when the matched user account is not retrieved, enabling the external authentication server 2 to generate a temporary public key and returning the temporary public key;
the second login unit is used for receiving login information, the login information comprises a login account and a login ciphertext, and the login ciphertext is a login password encrypted based on a user public key or a temporary public key.
Further, the account checking module comprises an information acquisition unit, a first extraction unit and a second extraction unit;
the information acquisition unit is used for acquiring a preset user information table and a signature information table, wherein the user information table comprises a user account and a user ciphertext, the user ciphertext is a user password encrypted based on a secret key, the signature information table comprises the user account and a password signature, and the password signature is a digital signature of the user password;
the first extraction unit is used for matching the risk ciphertext with each user ciphertext in a preset user information table, extracting a user account corresponding to the matched user ciphertext and acquiring the risk account with the ciphertext having leakage risk;
the second extraction unit is configured to:
when the identification information is a login password signature, matching the risk identification with each password signature in the signature information table, extracting a user account corresponding to the matched password signature, and acquiring a risk account with a risk of password leakage;
when the identification information is a login password abstract, a temporary abstract information table is obtained from an external authentication server, the temporary abstract information table comprises a user account and a password abstract, and the password abstract is abstract information of a user password; and matching the risk identification with each password abstract in the temporary abstract information table, extracting a user account corresponding to the matched password abstract, and acquiring the risk account with the leakage risk of the password.
And further, the system also comprises a database dragging analysis module which is used for carrying out database dragging analysis based on the login analysis data and taking the enterprise with the database dragging risk as an inauguration enterprise.
In the embodiment of the apparatus corresponding to embodiments 1 and 2, since the embodiment is basically similar to embodiments 1 and 2, the description is relatively simple, and the relevant points can be referred to the partial description of embodiments 1 and 2.
Embodiment 5, a system for protecting account security, add a registration subsystem on the basis of embodiment 4, as shown in fig. 7, the registration subsystem includes:
the account construction module 210 receives a registration request, establishes a corresponding user account, and generates a key generation request based on the user account;
a key request module 220, configured to send the key generation request to an external authentication server 2, and receive a user public key generated by the authentication server 2, where the user public key corresponds to the user account;
a ciphertext obtaining module 230, configured to return a user public key, receive a user ciphertext generated by encrypting a user password with the user public key, and associate the user ciphertext with the user account;
a signature obtaining module 240, configured to send the user ciphertext to the authentication server 2, receive a cryptographic signature returned by the authentication server 2, and associate the cryptographic signature with the user account.
Since this embodiment is basically similar to embodiment 3, the description is relatively simple, and for the relevant points, refer to the partial description of embodiment 3.
Embodiment 6, a system for protecting account security, as shown in fig. 8, includes a platform server 1, an authentication server 2 connected to the platform server 1 through signals, an analysis engine 4, a database, and a plurality of clients 3;
the platform server 1 includes:
the login module 110 is configured to receive login information sent by the client 3, where the login information includes a login account and a login ciphertext, and the login ciphertext is a login password encrypted based on a key;
a signature obtaining module 120, configured to send the login ciphertext to the authentication server 2, and receive identification information returned by the authentication server 2, where the identification information is used to identify the login password;
a data generating module 130, configured to generate corresponding login analysis data based on the login information and the identification information;
a leakage analysis module 140, configured to perform leakage analysis on the login analysis data through the analysis engine 4, where identification information with a leakage risk is used as a risk identification, and a login ciphertext with a leakage risk is used as a risk ciphertext;
and the account checking module 150 is configured to obtain a corresponding user account as a risk account based on the risk identifier and the risk ciphertext.
Further, the platform server 1 further includes:
an account construction module 210, configured to receive a registration request sent by the client 3, establish a corresponding user account, and generate a key generation request based on the user account;
a key request module 220, configured to send the key generation request to the authentication server 2, and receive a user public key generated by the authentication server 2, where the user public key corresponds to the user account;
a ciphertext obtaining module 230, configured to return a user public key to a corresponding client 3, receive registration information sent by the client 3, where the registration information includes a user account and a user ciphertext generated by encrypting a user password with the user public key, and associate the user ciphertext with the user account;
a signature obtaining module 240, configured to send the user ciphertext to the authentication server 2, receive a cryptographic signature returned by the authentication server 2, and associate the cryptographic signature with the user account.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that:
while preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
All equivalent or simple changes of the structure, the characteristics and the principle of the invention which are described in the patent conception of the invention are included in the protection scope of the patent of the invention. Various modifications, additions and substitutions for the specific embodiments described may be made by those skilled in the art without departing from the scope of the invention as defined in the accompanying claims.

Claims (10)

1. A method for protecting the security of an account number is characterized by comprising the following steps:
receiving login information, wherein the login information comprises a login account and a login ciphertext, and the login ciphertext is a login password encrypted based on a key;
sending the login ciphertext to an external authentication server, and receiving identification information returned by the authentication server, wherein the identification information is used for identifying the login password;
generating corresponding login analysis data based on the login information and the identification information;
performing leakage analysis based on the login analysis data, wherein identification information with leakage risks is used as risk identification, and login ciphertext with leakage risks is used as risk ciphertext;
and acquiring a corresponding user account as a risk account based on the risk identifier and the risk ciphertext.
2. The method for protecting account security according to claim 1, wherein the identification information is a login password signature or a login password digest, and the specific steps of obtaining the corresponding user account as the risky account based on the risky identification and the risk ciphertext include:
acquiring a preset user information table and a signature information table, wherein the user information table comprises a user account and a user ciphertext, the user ciphertext is a user password encrypted based on a secret key, the signature information table comprises the user account and a password signature, and the password signature is a digital signature of the user password;
matching the risk ciphertext with each user ciphertext in a preset user information table, extracting a user account corresponding to the matched user ciphertext, and acquiring a risk account with a leakage risk in the ciphertext;
when the identification information is a login password signature, matching the risk identification with each password signature in the signature information table, extracting a user account corresponding to the matched password signature, and acquiring a risk account with a risk of password leakage;
when the identification information is a login password abstract, a temporary abstract information table is obtained from an external authentication server, the temporary abstract information table comprises a user account and a password abstract, and the password abstract is abstract information of a user password; and matching the risk identification with each password abstract in the temporary abstract information table, extracting a user account corresponding to the matched password abstract, and acquiring the risk account with the leakage risk of the password.
3. The method for protecting account security according to claim 2, wherein:
the user information table comprises a plurality of user information sub-tables divided according to enterprise information, and the user information sub-tables are isolated from each other;
the login analysis data further comprises a login state, a first affiliated enterprise, at least one ciphertext affiliated account and at least one second affiliated enterprise, wherein the login state comprises login success or login failure, the first affiliated enterprise is enterprise information corresponding to the login account, the ciphertext affiliated account is a user account with the user ciphertext as the login ciphertext, and the second affiliated enterprise is an enterprise with the account with the ciphertext in one-to-one correspondence.
4. The method for protecting account security according to claim 3, wherein after the corresponding login analysis data is generated, library dragging analysis is performed based on the login analysis data, and an enterprise with library dragging risk is taken as an inauguration enterprise, and the method specifically comprises the following steps:
in the current library dragging analysis period, when the number of successful login states in login analysis data corresponding to a certain first affiliated enterprise exceeds a preset first number threshold, judging that the first affiliated enterprise is an inauguration enterprise;
and when the number of the risk ciphertexts corresponding to a certain second affiliated enterprise exceeds a preset second number threshold value in the current database dragging analysis period, judging that the second affiliated enterprise is the risk enterprise.
5. The method for protecting account security according to any one of claims 1 to 4, further comprising a login request response step before receiving the login information, the specific steps being:
receiving a login request containing a login account, retrieving a user account corresponding to the login account, and obtaining a retrieval result;
when the matched user account is retrieved, obtaining and returning a user public key corresponding to the matched user account, wherein the user public key is used for encrypting a login password to generate a corresponding login ciphertext;
and when the matched user account is not retrieved, enabling an external authentication server to generate a temporary public key, and returning the temporary public key, wherein the temporary public key is used for encrypting the login password to generate a corresponding login ciphertext.
6. The method for protecting account security according to any one of claims 1 to 4, further comprising an account registration step, specifically comprising:
receiving a registration request, establishing a corresponding user account, and generating a key generation request based on the user account;
sending the key generation request to an external authentication server, and receiving a user public key generated by the authentication server, wherein the user public key corresponds to the user account;
returning a user public key, receiving a user cipher text generated after a user password is encrypted by the user public key, and associating the user cipher text with the user account;
and sending the user ciphertext to the authentication server, receiving a password signature returned by the authentication server, and associating the password signature with the user account.
7. A system for securing an account, comprising a risk detection subsystem, the risk detection subsystem comprising:
the login module is used for receiving login information, wherein the login information comprises a login account and a login ciphertext, and the login ciphertext is a login password encrypted based on a key;
the signature acquisition module is used for sending the login ciphertext to an external authentication server and receiving identification information returned by the authentication server, wherein the identification information is used for identifying the login password;
the data generation module is used for generating corresponding login analysis data based on the login information and the identification information;
the leakage analysis module is used for carrying out leakage analysis based on the login analysis data, taking the identification information with the leakage risk as a risk identification, and taking the login ciphertext with the leakage risk as a risk ciphertext;
and the account checking module is used for acquiring a corresponding user account as a risk account based on the risk identifier and the risk ciphertext.
8. The system for protecting account security according to claim 7, wherein the login module comprises a first login unit and a second login unit;
the first login unit is configured to:
receiving a login request containing a login account, retrieving a user account corresponding to the login account, and obtaining a retrieval result;
when the matched user account is retrieved, acquiring a user public key corresponding to the matched user account and returning;
when the matched user account is not retrieved, enabling an external authentication server to generate a temporary public key and returning the temporary public key;
the second login unit is used for receiving login information, the login information comprises a login account and a login ciphertext, and the login ciphertext is a login password encrypted based on a user public key or a temporary public key.
9. The system for protecting account security according to claim 7 or 8, further comprising a registration subsystem, wherein the registration subsystem comprises:
the account construction module is used for receiving a registration request, establishing a corresponding user account and generating a key generation request based on the user account;
the key request module is used for sending the key generation request to an external authentication server and receiving a user public key generated by the authentication server, wherein the user public key corresponds to the user account;
the ciphertext acquisition module is used for returning the user public key, receiving a user ciphertext generated by encrypting the user password by the user public key, and associating the user ciphertext with the user account;
and the signature acquisition module is used for sending the user ciphertext to the authentication server, receiving the password signature returned by the authentication server, and associating the password signature with the user account.
10. The system for protecting the security of the account number is characterized by comprising a platform server, an authentication server, an analysis engine and a plurality of clients, wherein the authentication server, the analysis engine and the clients are connected with the platform server through signals, and the platform server comprises:
the system comprises a login module, a password generation module and a password generation module, wherein the login module is used for receiving login information sent by a client, the login information comprises a login account and a login ciphertext, and the login ciphertext is a login password encrypted based on a key;
the signature acquisition module is used for sending the login ciphertext to the authentication server and receiving identification information returned by the authentication server, wherein the identification information is used for identifying the login password;
the data generation module is used for generating corresponding login analysis data based on the login information and the identification information;
the leakage analysis module is used for carrying out leakage analysis on the login analysis data through the analysis engine, taking the identification information with the leakage risk as a risk identification, and taking the login ciphertext with the leakage risk as a risk ciphertext;
and the account checking module is used for acquiring a corresponding user account as a risk account based on the risk identifier and the risk ciphertext.
CN202110293417.1A 2021-03-19 2021-03-19 Method and system for protecting account security Active CN112688972B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110293417.1A CN112688972B (en) 2021-03-19 2021-03-19 Method and system for protecting account security

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110293417.1A CN112688972B (en) 2021-03-19 2021-03-19 Method and system for protecting account security

Publications (2)

Publication Number Publication Date
CN112688972A true CN112688972A (en) 2021-04-20
CN112688972B CN112688972B (en) 2021-06-18

Family

ID=75455704

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110293417.1A Active CN112688972B (en) 2021-03-19 2021-03-19 Method and system for protecting account security

Country Status (1)

Country Link
CN (1) CN112688972B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114172713A (en) * 2021-12-02 2022-03-11 北京金山云网络技术有限公司 Login method, login device, electronic equipment and storage medium
CN114640530A (en) * 2022-03-24 2022-06-17 深信服科技股份有限公司 Data leakage detection method and device, electronic equipment and readable storage medium
CN115021894A (en) * 2021-11-19 2022-09-06 荣耀终端有限公司 Data protection method and system and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110164289A1 (en) * 2005-07-19 2011-07-07 Song Eun-Ah Printing system and printer with electronic signature capability and method thereof
CN104933352A (en) * 2015-06-10 2015-09-23 北京北信源软件股份有限公司 Weak password detection method and device
CN107395344A (en) * 2017-07-18 2017-11-24 北京深思数盾科技股份有限公司 User profile guard method and device
CN107566413A (en) * 2017-10-24 2018-01-09 东信和平科技股份有限公司 A kind of intelligent card security authentication method and system based on data SMS technology
CN111083165A (en) * 2019-12-31 2020-04-28 支付宝(杭州)信息技术有限公司 Login interception method and system based on combined anti-collision library platform

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110164289A1 (en) * 2005-07-19 2011-07-07 Song Eun-Ah Printing system and printer with electronic signature capability and method thereof
CN104933352A (en) * 2015-06-10 2015-09-23 北京北信源软件股份有限公司 Weak password detection method and device
CN107395344A (en) * 2017-07-18 2017-11-24 北京深思数盾科技股份有限公司 User profile guard method and device
CN107566413A (en) * 2017-10-24 2018-01-09 东信和平科技股份有限公司 A kind of intelligent card security authentication method and system based on data SMS technology
CN111083165A (en) * 2019-12-31 2020-04-28 支付宝(杭州)信息技术有限公司 Login interception method and system based on combined anti-collision library platform

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115021894A (en) * 2021-11-19 2022-09-06 荣耀终端有限公司 Data protection method and system and electronic equipment
CN115021894B (en) * 2021-11-19 2023-05-09 荣耀终端有限公司 Data protection method, system and electronic equipment
CN114172713A (en) * 2021-12-02 2022-03-11 北京金山云网络技术有限公司 Login method, login device, electronic equipment and storage medium
CN114640530A (en) * 2022-03-24 2022-06-17 深信服科技股份有限公司 Data leakage detection method and device, electronic equipment and readable storage medium
CN114640530B (en) * 2022-03-24 2023-12-29 深信服科技股份有限公司 Data leakage detection method and device, electronic equipment and readable storage medium

Also Published As

Publication number Publication date
CN112688972B (en) 2021-06-18

Similar Documents

Publication Publication Date Title
US11778059B1 (en) Systems and methods for recognizing a device
CN110493197B (en) Login processing method and related equipment
CN112688972B (en) Method and system for protecting account security
CN110799941B (en) Anti-theft and tamper-proof data protection
US9544280B2 (en) Utilization of a protected module to prevent offline dictionary attacks
Bojinov et al. Kamouflage: Loss-resistant password management
US9634999B1 (en) Mobile device key management
US7093291B2 (en) Method and system for detecting and preventing an intrusion in multiple platform computing environments
KR100702499B1 (en) System and method for guaranteeing software integrity
US9288199B1 (en) Network access control with compliance policy check
EP3552131B1 (en) Password security
CA2842741C (en) Password audit system
KR102137122B1 (en) Security check method, device, terminal and server
CN104573549A (en) Credible method and system for protecting confidentiality of database
CN112329042A (en) Big data secure storage system and method
US10402573B1 (en) Breach resistant data storage system and method
CN112422527A (en) Safety protection system, method and device of transformer substation electric power monitoring system
CN115225350B (en) Government cloud encryption login verification method based on national secret certificate and storage medium
CN114745115A (en) Information transmission method and device, computer equipment and storage medium
CN114244620A (en) Board card network access verification method and device and board card control center
CN108289102B (en) Micro-service interface safe calling device
CN117499159B (en) Block chain-based data transaction method and device and electronic equipment
CN112395585B (en) Database service login method, device, equipment and readable storage medium
TW201917621A (en) Detection method and system for preventing password file leakage building an index database to store the correct account/password pairing code
EP3433992B1 (en) Cloud storage of data

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant