CN113630238A - User request permission method and device based on password confusion - Google Patents

User request permission method and device based on password confusion

Info

Publication number: CN113630238A
Authority: CN (China)
Prior art keywords: salt, password, character string, hash value, value
Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
Application number: CN202110927400.7A
Other languages: Chinese (zh)
Other versions: CN113630238B (en)
Inventors: 廖俊宇, 孔永锋, 林芝峰, 姚泽雄
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC (the listed assignees may be inaccurate)
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC
Application filed by: Industrial and Commercial Bank of China Ltd ICBC
Priority to: CN202110927400.7A
Publication of CN113630238A
Application granted
Publication of CN113630238B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a user request permission method and device based on password confusion, which can be used in the technical field of finance.

Description

User request permission method and device based on password confusion
Technical Field
The invention relates to the technical field of internet finance, in particular to a user request permission method and device based on password confusion.
Background
In web-based user login authentication systems, cryptography and network security techniques are used when a user registers or logs in to an account: sensitive information such as the user password is obfuscated and hashed during network transmission and back-end processing and is stored persistently in a database, so that the password passes system authentication while being protected as far as possible from leakage, cracking and tampering. In practical applications, however, various vulnerabilities occur to a greater or lesser degree, for example hashing the password without adding a salt, using a hash function for which a collision has been found, or transmitting a plaintext password to the back end for processing. These create risks of different degrees and reduce the security of the user account.
Disclosure of Invention
In the prior art, sensitive information such as the user password is obfuscated and hashed during network transmission and back-end processing and is stored persistently in a database when a user registers or logs in to an account, so that the password passes system authentication while being protected as far as possible from leakage, cracking and tampering. In practical applications, however, various vulnerabilities occur to a greater or lesser degree, for example hashing the password without adding a salt, using a hash function for which a collision has been found, or transmitting a plaintext password to the back end for processing. These create risks of different degrees and lead to the problem of reduced user account security.
To solve these technical problems, the invention provides the following technical solution:
An embodiment of the first aspect of the invention provides a user request permission method based on password confusion, which comprises the following steps:
acquiring a password and a user request input by a user, and retrieving from a database a first salt value and preset hash value data corresponding to the user; the preset hash value data is obtained by splicing the first salt value with a set password and then applying a hash function; the salt value is a random value of finite length;
processing the first salt value and the password in the same way the preset hash value data was generated, to generate hash value data;
and comparing the hash value data with the preset hash value data and, if they match, permitting the user request.
In a preferred embodiment, generating the preset hash value data includes:
the system generates a first salt value, a second salt value corresponding to the first salt value, and a number of iterations;
splicing the set password and the first salt value to generate a first combined character string;
hashing the first combined character string to obtain a corresponding hash value;
splicing the second salt value and the first combined character string to generate a second combined character string;
and generating the preset hash value data from the second combined character string and the number of iterations.
In a preferred embodiment, generating the preset hash value data from the second combined character string and the number of iterations includes:
performing an iterative operation, the iterative operation comprising: hashing the second combined character string to obtain a corresponding hash value; combining the hash value and the second threshold value to generate an updated second combined character string;
and repeating the iterative operation until the number of iterative operations performed reaches the number of iterations.
In a preferred embodiment, processing the first salt value and the password in the same way the preset hash value data was generated, to generate hash value data, includes:
the system generates a first salt value, a second salt value corresponding to the first salt value, and a number of iterations;
splicing the password and the first salt value to generate a combined character string;
hashing the combined character string to obtain a corresponding hash value;
splicing the second salt value and the combined character string to generate another combined character string;
and generating the corresponding hash value data from the other combined character string and the number of iterations.
In a preferred embodiment, the method further comprises:
after a user registers an account, randomly generating first salt data in one-to-one correspondence with the user.
In a preferred embodiment, the method further comprises:
after a user registers an account, randomly generating first salt data, second salt data and a number of iterations in one-to-one correspondence with the user.
An embodiment of the second aspect of the invention provides a user request permission device based on password confusion, which comprises:
an acquisition module, configured to acquire a password and a user request input by a user and to retrieve from a database a first salt value and preset hash value data corresponding to the user; the preset hash value data is obtained by splicing the first salt value with a set password and then applying a hash function; the salt value is a random value of finite length;
a hash value data generation module, configured to process the first salt value and the password in the same way the preset hash value data was generated, to generate hash value data;
and a comparison module, configured to compare the hash value data with the preset hash value data and, if they match, to permit the user request.
In a preferred embodiment, generating the preset hash value data includes:
the system generates a first salt value, a second salt value corresponding to the first salt value, and a number of iterations;
splicing the set password and the first salt value to generate a first combined character string;
hashing the first combined character string to obtain a corresponding hash value;
splicing the second salt value and the first combined character string to generate a second combined character string;
and generating the preset hash value data from the second combined character string and the number of iterations.
In a preferred embodiment, generating the preset hash value data from the second combined character string and the number of iterations includes:
performing an iterative operation, the iterative operation comprising: hashing the second combined character string to obtain a corresponding hash value; combining the hash value and the second threshold value to generate an updated second combined character string;
and repeating the iterative operation until the number of iterative operations performed reaches the number of iterations.
In a preferred embodiment, the hash value data generation module includes:
a first splicing unit, which splices the password and the first salt value to generate a combined character string;
a first hash processing unit, which hashes the combined character string to obtain a corresponding hash value;
a generating unit, which generates a first salt value, a second salt value corresponding to the first salt value, and a number of iterations;
a second splicing unit, which splices the second salt value and the combined character string to generate another combined character string;
and an iteration unit, which generates the corresponding hash value data from the other combined character string and the number of iterations.
In a preferred embodiment, the device further comprises:
a random generation unit, which randomly generates first salt data in one-to-one correspondence with the user after the user registers an account.
In a preferred embodiment, the device further comprises:
a random generation unit, which randomly generates first salt data, second salt data and a number of iterations in one-to-one correspondence with the user after the user registers an account.
In a third aspect, the present invention provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor implements the user request permission method based on password obfuscation when executing the program.
In a fourth aspect, the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the user request permission method based on password confusion.
According to the above technical solution, the invention provides a user request permission method and device based on password confusion. First, a password and a user request input by a user are acquired, and a first salt value and preset hash value data corresponding to the user are retrieved from a database; the preset hash value data is obtained by splicing the first salt value with a set password and then applying a hash function; the salt value is a random value of finite length. Then the first salt value and the password are processed in the same way the preset hash value data was generated, to generate hash value data. Finally, the hash value data is compared with the preset hash value data and, if they match, the user request is permitted. By performing salted obfuscation with a hash function through a reasonable salting procedure, the method resists impersonation, eavesdropping and replay attacks, prevents dictionary attacks after a database leak, never exposes the plaintext password at any stage, and makes brute-force enumeration and reverse cracking of the plaintext password infeasible in terms of computational cost. This ensures the security of a user logging in to an account through a web page to the greatest extent, improves the speed of processing transaction data, increases data throughput and reduces the user's waiting time.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in describing the embodiments or the prior art are briefly introduced below. The drawings described below show some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the process of successfully establishing an SSL/TLS connection between a browser and a server in an embodiment of the present invention.
Fig. 2 is a schematic diagram of a dictionary attack in an embodiment of the present invention.
Fig. 3 is a schematic diagram of the principle by which password salting resists dictionary/rainbow table attacks in an embodiment of the present invention.
Fig. 4 is a schematic diagram of the front-end and back-end password obfuscation and authentication process when a user logs in to a website in an embodiment of the present invention.
Fig. 5 is a flowchart of a user request permission method based on password obfuscation in an embodiment of the present invention.
Fig. 6 is a schematic structural diagram of a user request permission device based on password obfuscation in an embodiment of the present invention.
Fig. 7 is a schematic structural diagram of an electronic device in an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, but not all, embodiments of the present invention. All other embodiments that a person skilled in the art can derive from the embodiments given here without creative effort fall within the protection scope of the present invention.
It should be noted that the user request permission method and device based on password confusion disclosed by the invention can be used in the financial field and in any other field; the application field of the method and device is not limited.
In the prior art, a web-based user login authentication system uses cryptography and network security techniques when a user registers or logs in to an account: sensitive information such as the user password is obfuscated and hashed during network transmission and back-end processing and is stored persistently in a database, so that the password passes system authentication while being protected as far as possible from leakage, cracking and tampering. In practical applications, however, various vulnerabilities occur to a greater or lesser degree, for example hashing the password without adding a salt, using a hash function for which a collision has been found, or transmitting a plaintext password to the back end for processing. These create risks of different degrees and reduce the security of the user account.
To address the vulnerabilities and problems of existing technical solutions and to improve the account security of users who log in through a web page, the invention provides a scheme for secure obfuscation and authentication of user passwords for web-based login. By making reasonable use of HTTPS, an asymmetric encryption algorithm, a hash function, salted obfuscation, verification-code login checks and similar techniques, the scheme resists impersonation, eavesdropping and replay attacks, prevents dictionary attacks after a database leak, never exposes the plaintext password at any stage, and makes brute-force enumeration and reverse cracking of the plaintext password infeasible in terms of computational cost, ensuring the security of the user logging in to the account through the web page to the greatest extent.
One or more embodiments of the present invention provide a method and a device for user request permission based on password confusion, specifically including: acquiring a password and a user request input by a user, and retrieving from a database a first salt value and preset hash value data corresponding to the user; the preset hash value data is obtained by splicing the first salt value with a set password and then applying a hash function; the salt value is a random value of finite length; processing the first salt value and the password in the same way the preset hash value data was generated, to generate hash value data; and comparing the hash value data with the preset hash value data and, if they match, permitting the user request. By performing salted obfuscation with a hash function through a reasonable salting procedure, the method resists impersonation, eavesdropping and replay attacks, prevents dictionary attacks after a database leak, never exposes the plaintext password at any stage, and makes brute-force enumeration and reverse cracking of the plaintext password infeasible in terms of computational cost. This ensures the security of a user logging in to an account through a web page to the greatest extent, improves the speed of processing transaction data, increases data throughput and reduces the user's waiting time.
It is understood that the user request permission device based on password confusion may be a server or a mobile terminal, and may include, for example, a smart phone, a tablet electronic device, a portable computer, a desktop computer, a Personal Digital Assistant (PDA), a smart wearable device, and the like. Smart wearable devices may include smart glasses, smart watches, smart bracelets and the like.
The user request permission device based on password confusion comprises a communication module and can establish a communication connection with a user terminal to exchange data with it.
The user request permission device based on password confusion and the user terminal may communicate using any suitable network protocol, including those that have not been developed at the filing date of the present application. The network protocol may include, for example, a TCP/IP protocol, a UDP/IP protocol, an HTTP protocol, an HTTPS protocol, or the like. The network protocol may also include, for example, an RPC protocol (Remote Procedure Call Protocol), a REST protocol (Representational State Transfer Protocol), and the like, used on top of the above protocols.
The invention provides a user request permission method and device based on password confusion in which salted obfuscation is performed with a hash function through a reasonable salting procedure, so that the method resists impersonation, eavesdropping and replay attacks, prevents dictionary attacks after a database leak, never exposes the plaintext password at any stage, and makes brute-force enumeration and reverse cracking of the plaintext password infeasible in terms of computational cost. This ensures the security of a user logging in to an account through a web page to the greatest extent, improves the speed of processing transaction data, increases data throughput and shortens the user's waiting time.
Specific embodiments and application examples are described below.
In the prior art, sensitive information such as the user password is obfuscated and hashed during network transmission and back-end processing and is stored persistently in a database when a user registers or logs in to an account, so that the password passes system authentication while being protected as far as possible from leakage, cracking and tampering. In practical applications, however, various vulnerabilities occur to a greater or lesser degree, for example hashing the password without adding a salt, using a hash function for which a collision has been found, or transmitting the plaintext password to the back end for processing; these create risks of different degrees and reduce the security of the user account. To solve this problem, the present invention provides an embodiment of a user request permission method based on password confusion. Referring to Fig. 5, the method specifically includes the following:
Step S101: acquire a password and a user request input by a user, and retrieve from a database a first salt value and preset hash value data corresponding to the user; the preset hash value data is obtained by splicing the first salt value with a set password and then applying a hash function; the salt value is a random value of finite length.
In the invention, requirement analysis is an essential part of software development, and the requirement scheme is mainly used to define the scenarios, processes and so on of the services. Analyzing and understanding the requirement document is crucial for developers: ambiguity in the requirements can lead to code having to be modified or even rewritten, and the need for a graphical flow of the requirement document becomes more urgent as the complexity of the business logic increases.
Step S102: process the first salt value and the password in the same way the preset hash value data was generated, to generate hash value data.
Step S103: compare the hash value data with the preset hash value data and, if they match, permit the user request.
According to the above technical solution, the user request permission method based on password confusion provided by the invention performs salted obfuscation with a hash function through a reasonable salting procedure, so that it resists impersonation, eavesdropping and replay attacks, prevents dictionary attacks after a database leak, never exposes the plaintext password at any stage, and makes brute-force enumeration and reverse cracking of the plaintext password infeasible, ensuring the security of a user logging in to an account through a web page to the greatest extent.
To give the operation flow of the step of generating the preset hash value data, in one or more embodiments of the present invention that step includes:
S201: the system generates a first salt value, a second salt value corresponding to the first salt value, and a number of iterations.
S202: hash the first combined character string to obtain a corresponding hash value.
S203: splice the set password and the first salt value to generate a first combined character string.
S204: splice the second salt value and the first combined character string to generate a second combined character string.
S205: generate the preset hash value data from the second combined character string and the number of iterations.
In the above embodiment, the step of generating the preset hash value data from the second combined character string and the number of iterations includes:
performing an iterative operation, the iterative operation comprising: hashing the second combined character string to obtain a corresponding hash value; combining the hash value and the second threshold value to generate an updated second combined character string;
and repeating the iterative operation until the number of iterative operations performed reaches the number of iterations.
Correspondingly, processing the first salt value and the password in the same way the preset hash value data was generated, to generate hash value data, includes:
the system generates a first salt value, a second salt value corresponding to the first salt value, and a number of iterations;
splicing the password and the first salt value to generate a combined character string;
hashing the combined character string to obtain a corresponding hash value;
splicing the second salt value and the combined character string to generate another combined character string;
and generating the corresponding hash value data from the other combined character string and the number of iterations.
In the above embodiment, the method further includes:
after a user registers an account, randomly generating first salt data in one-to-one correspondence with the user.
Embodiments of the present invention that use the second salt data further include:
after a user registers an account, randomly generating first salt data, second salt data and a number of iterations in one-to-one correspondence with the user.
The scheme is described below with reference to specific examples.
In a specific case of the invention, the scheme establishes an HTTPS connection so that the user's sensitive information is transmitted over a secure channel during registration or login. The front end applies salted obfuscation hashing to the plaintext password, and the back end applies multiple rounds of salted obfuscation and hashing to the transmitted hash value. The specific scheme is described in detail with reference to the drawings.
For security reasons, the asymmetric encryption algorithm used in the scheme is RSA with a key length of 2048 bits or more, and the symmetric encryption algorithm is AES with a key length of 256 bits or more. The hash function must not be one for which a collision has been found, such as MD4/5 or SHA-1/2; SHA-256/512 should be selected.
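The registration and login flow described above, written out as an added example in Python (it is not code from the patent). It assumes SHA-256, 16-byte salts, an iteration count drawn from 1000 to 2000, that the second salt is spliced onto the hash sent by the front end as the specific case describes, and that the "second threshold value" in the iterative operation is the second salt value; all function names are hypothetical, and the constant-time comparison is an addition the text does not mention.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16        # assumed; the text only says "random value of finite length"
MIN_ITERATIONS = 1000  # assumed bounds for the per-user random iteration count
MAX_ITERATIONS = 2000


def sha256_hex(text):
    """Hex SHA-256 digest of a character string."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def front_end_hash(password, salt1):
    """Browser side: splice the password and the first salt, then hash once."""
    return sha256_hex(password + salt1)


def back_end_hash(received_hash, salt2, iterations):
    """Server side: splice the second salt onto the received hash, then hash
    and re-salt until the stored iteration count is reached."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    combined = salt2 + received_hash      # second combined character string
    digest = ""
    for _ in range(iterations):
        digest = sha256_hex(combined)
        combined = salt2 + digest         # updated second combined character string
    return digest


def register(db, user, password):
    """Generate per-user salts and iteration count; store only derived data."""
    salt1 = secrets.token_hex(SALT_BYTES)
    salt2 = secrets.token_hex(SALT_BYTES)
    spread = MAX_ITERATIONS - MIN_ITERATIONS + 1
    iterations = MIN_ITERATIONS + secrets.randbelow(spread)
    stored = back_end_hash(front_end_hash(password, salt1), salt2, iterations)
    db[user] = {"salt1": salt1, "salt2": salt2,
                "iterations": iterations, "hash": stored}


def verify(db, user, received_hash):
    """Recompute the hash from the stored salt and count, then compare it
    with the preset value in constant time."""
    record = db.get(user)
    if record is None:
        return False
    candidate = back_end_hash(received_hash, record["salt2"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def login(db, user, password):
    """Simulate both sides: the browser hashes with the first salt and the
    server verifies the value it receives; the server never sees the password."""
    record = db.get(user)
    if record is None:
        return False
    return verify(db, user, front_end_hash(password, record["salt1"]))


if __name__ == "__main__":
    accounts = {}                                   # constructed sample accounts
    register(accounts, "alice", "correct horse")
    register(accounts, "bob", "correct horse")
    print("correct password accepted:", login(accounts, "alice", "correct horse"))
    print("wrong password accepted:  ", login(accounts, "alice", "wrong"))
    print("same password, different stored hashes:",
          accounts["alice"]["hash"] != accounts["bob"]["hash"])
```

The value the browser sends is what the server checks, so it is the credential on the wire; the scheme depends on the HTTPS channel described here to keep it confidential.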
Fig. 1 shows a process for successfully establishing an SSL/TLS connection. The process uses related techniques of cryptography and network security including symmetric/asymmetric encryption algorithms, hash functions, digital signatures, etc. HTTPS is actually an addition of a layer of SSL (secure socket layer) or TLS (transport layer security) between TCP and HTTP for encrypting and decrypting transport data.
First, the server needs to generate an RSA public/private key pair S.pub and S.pri with a key length of 2048 bits. The public key S.pub, the domain name and other information are submitted to a third-party certificate authority (CA). After verifying the information, the CA uses a hash function to generate a signature for S.pub, encrypts the signature information with its own private key C.pri to generate a certificate, and sends the certificate back to the organization to which the server belongs, which deploys it on the server. When a user accesses a web page, the SSL/TLS handshake begins once the TCP connection has been established. The first step is client_hello: the browser generates a random number R_c and sends it to the server together with the SSL/TLS versions and cipher suites that the browser supports. Next comes server_hello: the server generates a random number R_s and selects, from the SSL/TLS versions and cipher suites offered in client_hello, the one to be used for the connection. For example, selecting "TLS_RSA_WITH_AES_256_CBC_SHA256" means:
The TLS protocol is used, with the asymmetric encryption algorithm RSA for key exchange
Encryption and decryption of transmission information by using AES symmetric encryption algorithm with 256-bit key length
Verifying data integrity using SHA256 hash function
R_s, the TLS version, and the selected cipher suite are then sent to the browser. Certificate verification follows: the server sends the certificate obtained earlier to the browser, and the browser decrypts the signature information with the public key C.pub from its built-in CA root certificate, computes the signature of the attached server public key S.pub with the same hash function as the certificate, and compares whether the two are consistent. It also verifies the certificate chain, the issuing organization, the validity period, and whether the target domain name matches the domain name in the certificate, in order to establish that the certificate is legitimate. This step is very important. The user needs to obtain the browser from an official source and must not use a modified version; otherwise there is no guarantee that the root certificates built into the browser have not been tampered with, and a man-in-the-middle could use a forged certificate to eavesdrop on, tamper with and replay the transmitted information, compromising the user's information security. After the certificate has been verified as legitimate, the key exchange step is performed. The browser generates a new random number Pre-master using the random numbers R_c and R_s, and generates the symmetric key for symmetric encryption using a specific calculation method: enc_key = Func(R_c, R_s, Pre-master). The browser then encrypts the Pre-master with the public key S.pub provided by the server, processes the handshake messages with the agreed hash function, symmetrically encrypts the result with the symmetric key enc_key obtained above, and sends it to the server.
After receiving this, the server decrypts the Pre-master with its private key S.pri, computes the same symmetric key enc_key by the same method, and uses it to decrypt the browser's handshake information and verify that the key is correct. It then computes the hash of the handshake messages with the same hash function and compares whether the two are consistent. If they are, the handshake is complete, and the browser and the server both use the same symmetric key to encrypt and decrypt the information they send and receive, achieving an exchange that resists eavesdropping, tampering and replay attacks.
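The text leaves Func unspecified. The following added example (not part of the patent) shows the derivation that TLS 1.2 (RFC 5246) defines for a suite such as TLS_RSA_WITH_AES_256_CBC_SHA256: a PRF built on HMAC-SHA256 that both sides run on the same three inputs. The function names and the sample random values are assumptions made for illustration.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, r_c: bytes, r_s: bytes) -> bytes:
    """48-byte master secret; the seed is client random followed by server random."""
    return prf(pre_master, b"master secret", r_c + r_s, 48)


def key_block(master: bytes, r_c: bytes, r_s: bytes) -> dict:
    """Expand the master secret into the four 32-byte keys an AES-256-CBC/SHA-256 suite needs.

    Note the seed order is reversed here: server random first, then client random.
    """
    block = prf(master, b"key expansion", r_s + r_c, 4 * 32)
    names = ("client_mac", "server_mac", "client_enc", "server_enc")
    return {name: block[i * 32:(i + 1) * 32] for i, name in enumerate(names)}


def handshake_keys(pre_master: bytes, r_c: bytes, r_s: bytes) -> dict:
    """What the text calls enc_key = Func(R_c, R_s, Pre-master), as TLS 1.2 computes it."""
    return key_block(master_secret(pre_master, r_c, r_s), r_c, r_s)


if __name__ == "__main__":
    # Constructed sample values: 32-byte randoms and a 48-byte pre-master secret.
    r_c, r_s = bytes(range(32)), bytes(range(32, 64))
    pre_master = b"\x03\x03" + bytes(46)
    browser = handshake_keys(pre_master, r_c, r_s)
    server = handshake_keys(pre_master, r_c, r_s)
    print("both sides agree:", browser == server)
```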
After the HTTPS connection has been successfully established, the user can securely transmit sensitive information over an insecure network without worrying about third parties on the network eavesdropping on or tampering with the information, or using replay attacks to perform other sensitive operations. However, this only secures the information in transit; the user password still needs a series of processing steps to improve the security of the user's account. If the user password is stored in the back-end database in plaintext, then once the database is breached and its data leaked, the security of the user's account on the website is threatened, and accounts on other websites that use the same account name and password are effectively compromised as well. For this reason, a solution emerged in which the password plaintext is processed with a one-way hash function and the resulting hash value is stored in the database. If an attacker breaches the website database, the password plaintext cannot be recovered directly by inverting the hash value, but the attacker can still recover it through a dictionary attack. A schematic diagram of the dictionary attack is shown in fig. 2. The principle is that an attacker collects as many commonly used passwords as possible, such as common word combinations, simple letters, digits, or concatenations of the two, processes them with publicly known hash functions, including MD4/5, SHA-1/2/128 and the like, and stores the resulting hash values in a table to obtain a dictionary of common passwords. Dictionary attacks save a great deal of time compared with brute-force exhaustion and can break most simple passwords that are processed only with a hash function. In addition, there is the rainbow table, an improvement based on the dictionary attack and sets of hash chains, which has lower time complexity when cracking.
To resist this type of attack, a solution emerged in which the password is "salted" before being hashed, and the user password obfuscation and authentication scheme described here is based on it.
The salted password authentication scheme works as follows. When a user registers, the website server generates a random value with a length of 8-16 characters or longer and uses it as a salt, which is concatenated with the password plaintext. The concatenated value is processed with a one-way hash function, and the resulting hash value P_H is stored in the database, together with the salt, as the credential for password authentication. Each time the user logs in to the website, the salt corresponding to the user is fetched from the database, the same concatenation and hash function are applied, and the resulting hash value is compared with the hash value P_H stored in the database. If they are consistent, the user password is correct and the login succeeds. When the password is changed, a new salt is generated and processed in the same way, and the new salt and password hash value are written to the database.
Database storage example:
| Account/user name | Password | Salt |
| --- | --- | --- |
| XXX | P_H | salt |
| xxx@XX.com | I61c11b3642a079e9a117f9efcd4d4692a9a262a8 | U1pm93br |

P_H = Hash(Password + salt)
Fig. 3 is a schematic diagram of how salting the password resists dictionary attacks and rainbow table attacks. Assume that the number of common password combinations is n; the number of dictionary or rainbow table records obtained by processing them with the hash function alone is then also n. If the website has m users, the salt-then-hash password obfuscation scheme is applied to user passwords, and every user's salt is different, then a dictionary/rainbow table that an attacker previously built from the hash function alone is completely invalidated. After breaching the database and obtaining all data in the user table, the attacker faces m different salts and must build a new dictionary/rainbow table with n × m records, that is, one table of n records for each user, none of which can be reused. This greatly increases the time and storage cost the attacker needs to crack user passwords.
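The n × m argument can be checked against a credential table. The added example below (not part of the patent) shows that one precomputed table covers every record of an unsalted table but none of a per-user-salted one, and audits a table for shared salts, since the number of distinct salts is what sets the dictionary size. The user names, passwords and all salts except the "U1pm93br" sample from the table above are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: a tiny "common password" list (n = 4) and m = 3 users.
COMMON_PASSWORDS = ["123456", "password", "qwerty123", "letmein"]
USERS = [("alice", "123456"), ("bob", "password"), ("carol", "letmein")]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_records(users, salts):
    """Stored rows in the page's layout: P_H = Hash(Password + salt)."""
    return [{"user": u, "salt": s, "hash": sha256_hex(pw + s)}
            for (u, pw), s in zip(users, salts)]


def precompute(candidates, salt=""):
    """One dictionary table (hash -> candidate); it is valid for exactly one salt."""
    return {sha256_hex(p + salt): p for p in candidates}


def exposed_by_table(table, records):
    """Users whose stored hash appears in a given precomputed table."""
    return sorted(r["user"] for r in records if r["hash"] in table)


def salt_audit(records, n_candidates):
    """Report salt reuse and the total dictionary size an offline attack would need."""
    by_salt = defaultdict(list)
    for r in records:
        by_salt[r["salt"]].append(r["user"])
    shared = {s: sorted(u) for s, u in by_salt.items() if len(u) > 1}
    return {
        "distinct_salts": len(by_salt),
        "shared_salts": shared,  # any entry here means one table serves several users
        "dictionary_entries_needed": n_candidates * len(by_salt),
    }


UNSALTED = make_records(USERS, ["", "", ""])
SALTED = make_records(USERS, ["U1pm93br", "k2Qz81xa", "Zt07mmPe"])

if __name__ == "__main__":
    table = precompute(COMMON_PASSWORDS)
    print("unsalted, one shared table:", exposed_by_table(table, UNSALTED))
    print("salted, same table:        ", exposed_by_table(table, SALTED))
    print(salt_audit(UNSALTED, len(COMMON_PASSWORDS)))
    print(salt_audit(SALTED, len(COMMON_PASSWORDS)))
```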
Similarly, the password obfuscation and authentication logic can follow the approach described above, in which the password is concatenated with a salt and a hash value is calculated with a hash function. On the premise that information is transmitted securely, when a user registers an account on the website, a random salt_f with a length of 16 characters is generated and sent to the front end. Certain validation rules are set, such as forbidding passwords with a length of less than 8 bits, or consisting purely of digits or purely of English letters. After the front-end form passes validation, the salt_f sent by the server back end is concatenated with the password plaintext P that meets the requirements, and the hash value Ph_f of the concatenation result is calculated with a hash function. The hash value Ph_f and the salt_f used at the front end are sent to the server together with the related information; the front-end salt_f is stored in the database, and the hash value Ph_f undergoes back-end password obfuscation processing. Because the user's plaintext password is never transmitted directly to the back end for processing, the risk of the real password leaking through malicious logging of user passwords is reduced. For the back end, the hash value Ph_f produced by the front end can be regarded as the user's password.
Database storage example:
[Figure: database storage example table]
Ph_f = Hash(P + salt_f)
When the back end performs password obfuscation, it generates a random value salt_b with a length of 256 bits or more as the salt for back-end password concatenation and obfuscation, and introduces the concept of an iteration count. When designing the password obfuscation and authentication scheme, an iteration coefficient r for the hash computation must be set; r is the exponent of a power with base 2, and the final number of iterations is n = 2^r. The value range of r is 3-16, and the default value is 10. The iteration count n means that the password must go through n rounds of salting followed by hashing, and the final hash value Ph_b is stored in the database as the password authentication credential. The steps of iterative salted hashing are as follows:
P_1 = Hash(Ph_f + salt_b)
P_2 = Hash(P_1 + salt_b)
P_3 = Hash(P_2 + salt_b)
......
Ph_b = Hash(P_{n-1} + salt_b)
where n = 2^r
The front-end and back-end password obfuscation and authentication process when a user logs in to the website is shown in fig. 4. Each time a user logs in, the front-end salt_f corresponding to the user is fetched from the database, and the hash value Ph_f obtained with the same concatenation and hash function is sent to the back end over the HTTPS connection. The back end fetches the back-end salt_b and the iteration coefficient r from the database, performs the salted hash 2^r times, and compares the resulting hash value with the hash value Ph_b stored in the database. If they are consistent, the user password is correct and the login succeeds. When the password is changed, new salt is generated and processed by the same logic, and the new salt and the password hash value are written to the database.
The purpose of performing multiple rounds of salted hash calculation is to increase as far as possible the time and hardware resources spent on a single login authentication. Compared with a single hash computation, when the iteration coefficient is 10, that is, when 1024 iterations are required, the time spent on hashing increases by three orders of magnitude, yet a user login still takes only hundreds of milliseconds and the user experience is not affected. For attackers using brute-force exhaustion and rainbow tables, however, the time cost and economic cost (hardware resources, power) of attacking, on a large scale, systems that use this password obfuscation and authentication scheme are prohibitive. The scheme is therefore suitable as the user password obfuscation and authentication method for institutions with high requirements for user account security, such as banks and security companies.
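The registration and login flow described above, end to end, as an added example that is not part of the patent. It assumes SHA-256 as Hash, hex strings for salts and digests, and an in-memory dictionary in place of the database; the `Backend` class and every function name are hypothetical.

```python
import hashlib
import hmac
import secrets

R_MIN, R_MAX, R_DEFAULT = 3, 16, 10  # range and default of r stated in the text
HEX_DIGITS = set("0123456789abcdef")


def password_allowed(password: str) -> bool:
    """Front-end form rule from the text: no short, all-digit or all-letter passwords."""
    all_letters = password.isascii() and password.isalpha()
    return len(password) >= 8 and not password.isdigit() and not all_letters


def front_hash(password: str, salt_f: str) -> str:
    """Front end: Ph_f = Hash(P + salt_f), here SHA-256 in lowercase hex."""
    return hashlib.sha256((password + salt_f).encode("utf-8")).hexdigest()


def is_sha256_hex(value: str) -> bool:
    """True only for a 64-character lowercase hex digest."""
    return len(value) == 64 and set(value) <= HEX_DIGITS


def back_hash(ph_f: str, salt_b: str, r: int) -> str:
    """Back end: P_1 = Hash(Ph_f + salt_b), P_i = Hash(P_(i-1) + salt_b), n = 2^r rounds."""
    if not R_MIN <= r <= R_MAX:
        raise ValueError("iteration coefficient r must be in 3..16")
    value = ph_f
    for _ in range(2 ** r):
        value = hashlib.sha256((value + salt_b).encode("ascii")).hexdigest()
    return value


class Backend:
    """In-memory stand-in for the server and its user table (hypothetical)."""

    def __init__(self):
        self.pending = {}  # username -> salt_f issued for a registration in progress
        self.users = {}    # username -> stored record

    def begin_registration(self, username: str) -> str:
        salt_f = secrets.token_hex(8)  # 16 random characters, sent to the front end
        self.pending[username] = salt_f
        return salt_f

    def finish_registration(self, username: str, ph_f: str, r: int = R_DEFAULT) -> None:
        # Refuse anything that is not a digest, so a raw password never gets stored or logged.
        if not is_sha256_hex(ph_f):
            raise ValueError("expected a front-end hash, not a raw password")
        salt_b = secrets.token_hex(32)  # 256-bit back-end salt
        ph_b = back_hash(ph_f, salt_b, r)
        # A password change repeats both calls, so fresh salts replace the old ones.
        self.users[username] = {"salt_f": self.pending.pop(username),
                                "salt_b": salt_b, "r": r, "ph_b": ph_b}

    def front_salt(self, username: str):
        record = self.users.get(username)
        return record["salt_f"] if record else None

    def verify(self, username: str, ph_f: str) -> bool:
        record = self.users.get(username)
        if record is None or not is_sha256_hex(ph_f):
            return False
        candidate = back_hash(ph_f, record["salt_b"], record["r"])
        return hmac.compare_digest(candidate, record["ph_b"])  # constant-time comparison


if __name__ == "__main__":
    server = Backend()
    password = "Tr1cky-passphrase"  # constructed sample password
    assert password_allowed(password)
    server.finish_registration("alice", front_hash(password, server.begin_registration("alice")))
    print("login ok:", server.verify("alice", front_hash(password, server.front_salt("alice"))))
```

This follows the text's Hash(P_i + salt_b) chain literally; it is not PBKDF2, which the Python standard library provides separately as `hashlib.pbkdf2_hmac`.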
By combining cryptographic and computer-network techniques such as symmetric/asymmetric encryption algorithms, one-way hash functions and HTTPS, the invention implements a scheme for securely obfuscating and authenticating the user password when logging in through a web page.
1. Anti-eavesdropping, anti-tampering, anti-replay: the scheme uses HTTPS as the network protocol for the connection, in which SSL/TLS ensures that the user's sensitive information is transmitted over a secure channel and prevents it from leaking in an insecure network environment.
2. The password plaintext cannot be obtained at any point in the process: the system first obfuscates the password plaintext at the front end by salted hashing and transmits the calculated hash value to the back end for subsequent authentication, which prevents the security risk of the password being maliciously recorded in logs.
3. Cracking the password plaintext is not feasible in terms of cost: the back end performs many rounds of salted hashing on the password hash value, which, without noticeably increasing the time of a single user login, greatly increases the computational cost of brute-force exhaustion and rainbow table attacks, so that such attacks are not worthwhile when return is weighed against cost.
In the prior art, when a user registers and logs in to an account, sensitive information such as the user password is obfuscated and hashed during network transmission and back-end processing and is then persisted in a database, so that, as far as possible, the user password passes system authentication without being leaked, cracked or tampered with. In practical applications, however, various weaknesses tend to appear, for example hashing the password without a salt, using a hash function with known collisions, or transmitting the plaintext password to the back end for processing, all of which create risk to varying degrees and reduce the security of the user account. To address this, in one or more embodiments the present invention provides a device for the user request permission method based on password confusion, as shown in fig. 6, including:
The acquisition module 11 acquires a password and a user request input by a user, and calls a first salt value and preset hash value data corresponding to the user from a database; the preset hash value data is obtained by splicing the first salt value and a set password and then performing hash function processing; the salt value is a random value of finite length;
a hash value data generation module 12, which processes the first salt value and the password in the same generation manner as the hash value data to generate hash value data;
and the comparison module 13 is used for comparing the hash value data with the preset hash value data, and if the comparison is consistent, the user request is permitted.
According to the above technical scheme, the device performs salted obfuscation by combining a hash function with a reasonable salting method, so that it is resistant to impersonation, eavesdropping and replay attacks, resistant to dictionary attacks after a database leak, never exposes the password plaintext at any point in the process, cannot be brute-forced, and makes reversing the password plaintext infeasible in terms of computational cost, thereby ensuring to the greatest extent the security of a user logging in to an account through a web page.
In a preferred embodiment, the generating of the preset hash value data includes:
splicing the set password and the first salt value to generate a first combined character string;
carrying out hash processing on the first combined character string to obtain a corresponding hash value;
the system generates a first salt value, a second salt value corresponding to the first salt value and iteration times;
splicing a second salt value and the first combined character string to generate a second combined character string;
and generating the preset hash value data according to the second combined character string and the iteration times.
In a preferred embodiment, the generating the preset hash value data according to the second combined character string and the number of iterations includes:
performing an iterative operation, the iterative operation comprising: carrying out hash processing on the second combined character string to obtain a corresponding hash value; combining the hash value and the second threshold value to generate an updated second combined character string;
and repeating the iteration operation until the number of the currently executed iteration operation reaches the iteration number.
In a preferred embodiment, the hash value data generation module includes:
a generating unit, which generates a first salt value, a second salt value corresponding to the first salt value, and the number of iterations;
The first splicing unit splices the password and the first salt value to generate a combined character string;
the first hash processing unit is used for carrying out hash processing on the combined character string to obtain a corresponding hash value;
the second splicing unit splices the second salt value and the combined character string to generate another combined character string;
and the iteration unit generates corresponding hash value data according to the other combined character string and the iteration times.
In a preferred embodiment, further comprising:
and the random generation unit randomly generates first salt data corresponding to the users one by one after the users register accounts.
In a preferred embodiment, further comprising:
and the random generation unit randomly generates first salt data, second salt data and iteration times which are in one-to-one correspondence with the user after the user registers an account.
In terms of hardware: in the prior art, when a user registers and logs in to an account, sensitive information such as the user password is obfuscated and hashed during network transmission and back-end processing and is then persisted in a database, so that, as far as possible, the user password passes system authentication without being leaked, cracked or tampered with. In practical applications, however, various weaknesses tend to appear, for example hashing the password without a salt, using a hash function with known collisions, or transmitting the plaintext password to the back end for processing, all of which create risk to varying degrees and reduce the security of the user account. To address this, the present invention provides an embodiment of an electronic device for implementing all or part of the user request permission method based on password confusion, where the electronic device specifically includes the following:
Fig. 7 is a schematic block diagram of an apparatus configuration of an electronic device 9600 according to an embodiment of the present invention. As shown in fig. 7, the electronic device 9600 can include a central processor 9100 and a memory 9140; the memory 9140 is coupled to the central processor 9100. Notably, this fig. 7 is exemplary; other types of structures may also be used in addition to or in place of the structure to implement telecommunications or other functions.
In one embodiment, the password obfuscation based user request licensing method functionality may be integrated into the central processor. Wherein the central processor may be configured to control:
Step S101: acquiring a password and a user request input by a user, and retrieving a first salt value and preset hash value data corresponding to the user from a database; the preset hash value data is obtained by splicing the first salt value and a set password and then performing hash function processing; the salt value is a random value of finite length.
Step S102: processing the first salt value and the password in the same generation manner as the hash value data to generate hash value data.
Step S103: comparing the hash value data with the preset hash value data, and if they are consistent, permitting the user request.
According to the above technical scheme, the electronic device provided by the invention performs salted obfuscation by combining a hash function with a reasonable salting method, so that it is resistant to impersonation, eavesdropping and replay attacks, resistant to dictionary attacks after a database leak, never exposes the password plaintext at any point in the process, cannot be brute-forced, and makes reversing the password plaintext infeasible in terms of computational cost, thereby ensuring to the greatest extent the security of a user logging in to an account through a web page.
In another embodiment, the server may be configured separately from the central processor 9100, for example, the server may be a chip connected to the central processor 9100, and the function of the user request permission method based on password confusion is implemented by the control of the central processor.
As shown in fig. 7, the electronic device 9600 may further include: a communication module 9110, an input unit 9120, an audio processor 9130, a display 9160, and a power supply 9170. It is noted that the electronic device 9600 also does not necessarily include all of the components shown in fig. 7; further, the electronic device 9600 may further include components not shown in fig. 7, which may be referred to in the art.
As shown in fig. 7, a central processor 9100, sometimes referred to as a controller or operational control, can include a microprocessor or other processor device and/or logic device, which central processor 9100 receives input and controls the operation of the various components of the electronic device 9600.
The memory 9140 can be, for example, one or more of a buffer, a flash memory, a hard drive, a removable media, a volatile memory, a non-volatile memory, or other suitable device. The information relating to the failure may be stored, and a program for executing the information may be stored. And the central processing unit 9100 can execute the program stored in the memory 9140 to realize information storage or processing, or the like.
The input unit 9120 provides input to the central processor 9100. The input unit 9120 is, for example, a key or a touch input device. Power supply 9170 is used to provide power to electronic device 9600. The display 9160 is used for displaying display objects such as images and characters. The display may be, for example, an LCD display, but is not limited thereto.
The memory 9140 can be a solid state memory, e.g., Read Only Memory (ROM), Random Access Memory (RAM), a SIM card, or the like. There may also be a memory that holds information even when power is off, can be selectively erased, and is provided with more data, an example of which is sometimes called an EPROM or the like. The memory 9140 could also be some other type of device. Memory 9140 includes a buffer memory 9141 (sometimes referred to as a buffer). The memory 9140 may include an application/function storage portion 9142, the application/function storage portion 9142 being used for storing application programs and function programs or for executing a flow of operations of the electronic device 9600 by the central processor 9100.
The memory 9140 can also include a data store 9143, the data store 9143 being used to store data, such as contacts, digital data, pictures, sounds, and/or any other data used by an electronic device. The driver storage portion 9144 of the memory 9140 may include various drivers for the electronic device for communication functions and/or for performing other functions of the electronic device (e.g., messaging applications, contact book applications, etc.).
The communication module 9110 is a transmitter/receiver 9110 that transmits and receives signals via an antenna 9111. The communication module (transmitter/receiver) 9110 is coupled to the central processor 9100 to provide input signals and receive output signals, which may be the same as in the case of a conventional mobile communication terminal.
Based on different communication technologies, a plurality of communication modules 9110, such as a cellular network module, a bluetooth module, and/or a wireless local area network module, may be provided in the same electronic device. The communication module (transmitter/receiver) 9110 is also coupled to a speaker 9131 and a microphone 9132 via an audio processor 9130 to provide audio output via the speaker 9131 and receive audio input from the microphone 9132, thereby implementing ordinary telecommunications functions. The audio processor 9130 may include any suitable buffers, decoders, amplifiers and so forth. In addition, the audio processor 9130 is also coupled to the central processor 9100, thereby enabling recording locally through the microphone 9132 and enabling locally stored sounds to be played through the speaker 9131.
An embodiment of the present invention further provides a computer-readable storage medium capable of implementing all the steps in the user request permission method based on password obfuscation in the above embodiment, where the computer-readable storage medium stores thereon a computer program, and when the computer program is executed by a processor, the computer program implements all the steps of the user request permission method based on password obfuscation, where the execution subject of the computer program is a server or a client, for example, the processor implements the following steps when executing the computer program:
Step S101: acquiring a password and a user request input by a user, and retrieving a first salt value and preset hash value data corresponding to the user from a database; the preset hash value data is obtained by splicing the first salt value and a set password and then performing hash function processing; the salt value is a random value of finite length.
In the invention, the requirement analysis is an essential link in software development, and the requirement scheme is mainly used for defining scenes, processes and the like of services. The analysis and understanding of the requirement document are crucial for developers, the ambiguity of the requirement can face the problem of code modification and even rewriting, and the requirement for the graphical flow of the requirement document is more urgent as the complexity of business logic increases.
Step S102: processing the first salt value and the password in the same generation manner as the hash value data to generate hash value data.
Step S103: comparing the hash value data with the preset hash value data, and if they are consistent, permitting the user request.
According to the above technical scheme, the computer storage medium provided by the invention performs salted obfuscation by combining a hash function with a reasonable salting method, so that it is resistant to impersonation, eavesdropping and replay attacks, resistant to dictionary attacks after a database leak, never exposes the password plaintext at any point in the process, cannot be brute-forced, and makes reversing the password plaintext infeasible in terms of computational cost, thereby ensuring to the greatest extent the security of a user logging in to an account through a web page.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The principle and the implementation mode of the invention are explained by applying specific embodiments in the invention, and the description of the embodiments is only used for helping to understand the method and the core idea of the invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (14)

1. A method for requesting permission from a user based on password obfuscation, comprising:
acquiring a password and a user request input by a user, and calling a first salt value and preset hash value data corresponding to the user from a database; the preset hash value data is obtained by splicing the first salt value and a set password and then performing hash function processing; the salt value is a random value of finite length;
Processing the first salt value and the password according to the same generation mode as the hash value data to generate hash value data;
and comparing the hash value data with the preset hash value data, and if the comparison is consistent, allowing the user request.
2. The password confusion-based user request permission method as claimed in claim 1, wherein the generating of the preset hash value data comprises:
the system generates a first salt value, a second salt value corresponding to the first salt value and iteration times;
splicing the set password and the first salt value to generate a first combined character string;
carrying out hash processing on the first combined character string to obtain a corresponding hash value;
splicing a second salt value and the first combined character string to generate a second combined character string;
and generating the preset hash value data according to the second combined character string and the iteration times.
3. The password confusion-based user request permission method as claimed in claim 2, wherein the generating the preset hash value data according to the second combined character string and the number of iterations comprises:
performing an iterative operation, the iterative operation comprising: carrying out hash processing on the second combined character string to obtain a corresponding hash value; combining the hash value and the second threshold value to generate an updated second combined character string;
and repeating the iteration operation until the number of the currently executed iteration operation reaches the iteration number.
4. The method of claim 2, wherein the processing the first salt and the password in the same manner as the hash value data to generate a hash value data comprises:
the system generates a first salt value, a second salt value corresponding to the first salt value and iteration times;
splicing the password and the first salt value to generate a combined character string;
carrying out hash processing on the combined character string to obtain a corresponding hash value;
splicing the second salt value and the combined character string to generate another combined character string;
and generating corresponding hash value data according to the other combined character string and the iteration times.
5. The password confusion-based user request permission method of claim 4, further comprising:
after a user registers an account, first salt data corresponding to the user in a one-to-one mode are randomly generated.
6. The password confusion-based user request permission method of claim 2, further comprising:
after a user registers an account, first salt data, second salt data and iteration times which correspond to the user in a one-to-one mode are randomly generated.
7. A password confusion-based user request permission apparatus, comprising:
the acquisition module is used for acquiring a password and a user request input by a user and calling a first salt value and preset hash value data corresponding to the user from a database; the preset hash value data is obtained by splicing the first salt value and a set password and then performing hash function processing; the salt value is a random value of finite length;
the hash value data generation module is used for processing the first salt value and the password according to the same generation mode as the hash value data to generate hash value data;
and the comparison module is used for comparing the hash value data with the preset hash value data, and if the comparison is consistent, the user request is permitted.
8. The password confusion-based user request permission apparatus as claimed in claim 7, wherein the generating of the preset hash value data comprises:
the system generates a first salt value, a second salt value corresponding to the first salt value and iteration times;
splicing the set password and the first salt value to generate a first combined character string;
carrying out hash processing on the first combined character string to obtain a corresponding hash value;
splicing a second salt value and the first combined character string to generate a second combined character string;
and generating the preset hash value data according to the second combined character string and the iteration times.
9. The password confusion-based user request permission apparatus as claimed in claim 8, wherein the generating the preset hash value data according to the second combined character string and the number of iterations comprises:
performing an iterative operation, the iterative operation comprising: carrying out hash processing on the second combined character string to obtain a corresponding hash value; combining the hash value and the second threshold value to generate an updated second combined character string;
and repeating the iteration operation until the number of the currently executed iteration operation reaches the iteration number.
10. The password confusion-based user request permission apparatus as claimed in claim 8, wherein the hash value data generation module comprises:
the generating unit generates a first salt value, a second salt value corresponding to the first salt value and iteration times;
the first splicing unit splices the password and the first salt value to generate a combined character string;
the first hash processing unit is used for carrying out hash processing on the combined character string to obtain a corresponding hash value;
the second splicing unit splices the second salt value and the combined character string to generate another combined character string;
and the iteration unit generates corresponding hash value data according to the other combined character string and the iteration times.
11. The password confusion-based user request permission apparatus as recited in claim 10, further comprising:
and the random generation unit randomly generates first salt data corresponding to the users one by one after the users register accounts.
12. The password confusion-based user request permission apparatus of claim 8, further comprising:
and the random generation unit randomly generates first salt data, second salt data and iteration times which are in one-to-one correspondence with the user after the user registers an account.
13. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1 to 6 when executing the program.
14. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 1 to 6.
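The registration and verification flow of claims 1 to 3 and 6, as an added Python example that is not code from the patent. Assumptions: SHA-256 as the hash function, UTF-8 encoding, the concatenation order, the salt length and iteration range, the "second threshold value" of claim 3 read as the second salt value, and the final hash taken as the stored value; the function and field names are hypothetical.

```python
import hashlib
import hmac
import secrets


def derive(password: str, salt1: bytes, salt2: bytes, iterations: int) -> bytes:
    """Claims 2-3 as read here; SHA-256 and byte order are assumptions."""
    if iterations < 1:
        raise ValueError("iteration count must be at least 1")
    first = password.encode("utf-8") + salt1   # first combined string
    # Claim 2 also hashes `first`; the translated text does not say where
    # that value is used, so it is not fed forward in this example.
    combined = salt2 + first                   # second combined string
    digest = b""
    for _ in range(iterations):                # claim 3 iteration
        digest = hashlib.sha256(combined).digest()
        combined = digest + salt2              # updated second combined string
    return digest


def register(password: str) -> dict:
    """Claim 6: per-user random salts and iteration count (ranges assumed)."""
    salt1 = secrets.token_bytes(16)
    salt2 = secrets.token_bytes(16)
    iterations = 100_000 + secrets.randbelow(50_000)
    return {
        "salt1": salt1,
        "salt2": salt2,
        "iterations": iterations,
        "hash": derive(password, salt1, salt2, iterations),
    }


def permit(record: dict, password: str) -> bool:
    """Claim 1: recompute with the stored parameters, then compare."""
    candidate = derive(password, record["salt1"], record["salt2"],
                       record["iterations"])
    # Constant-time comparison does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])
```

`hashlib.pbkdf2_hmac` and `hashlib.scrypt` are standard-library key-derivation functions that take the same kinds of input (password, salt, work factor) and are the usual choice where a custom construction is not required.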
CN202110927400.7A 2021-08-10 2021-08-10 User request permission method and device based on password confusion Active CN113630238B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110927400.7A CN113630238B (en) 2021-08-10 2021-08-10 User request permission method and device based on password confusion

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110927400.7A CN113630238B (en) 2021-08-10 2021-08-10 User request permission method and device based on password confusion

Publications (2)

Publication Number Publication Date
CN113630238A true CN113630238A (en) 2021-11-09
CN113630238B CN113630238B (en) 2024-02-23

Family

ID=78385171

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110927400.7A Active CN113630238B (en) 2021-08-10 2021-08-10 User request permission method and device based on password confusion

Country Status (1)

Country Link
CN (1) CN113630238B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115086008A (en) * 2022-06-13 2022-09-20 北京信长城科技发展有限公司 Method and device for realizing password security protection, storage medium and electronic equipment
CN115459958A (en) * 2022-08-16 2022-12-09 华中科技大学 Password management method, system and medium capable of resisting database collision attack
CN116092623A (en) * 2023-04-12 2023-05-09 四川执象网络有限公司 Health data management method based on basic medical quality control
CN115459958B (en) * 2022-08-16 2024-07-02 华中科技大学 Password management method capable of resisting against attack of collision library System and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656476A (en) * 2017-01-18 2017-05-10 腾讯科技(深圳)有限公司 Password protecting method and device
CN107070948A (en) * 2017-05-23 2017-08-18 广东工业大学 Signature and verification method based on hybrid encryption algorithm in cloud storage
CN110232044A (en) * 2019-06-17 2019-09-13 山东浪潮通软信息科技有限公司 A kind of realization system and method for big data aggregates dispatch service
CN110943841A (en) * 2018-09-24 2020-03-31 恩智浦有限公司 Password authentication using white-box encryption

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656476A (en) * 2017-01-18 2017-05-10 腾讯科技(深圳)有限公司 Password protecting method and device
CN107070948A (en) * 2017-05-23 2017-08-18 广东工业大学 Signature and verification method based on hybrid encryption algorithm in cloud storage
CN110943841A (en) * 2018-09-24 2020-03-31 恩智浦有限公司 Password authentication using white-box encryption
CN110232044A (en) * 2019-06-17 2019-09-13 山东浪潮通软信息科技有限公司 A kind of realization system and method for big data aggregates dispatch service

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115086008A (en) * 2022-06-13 2022-09-20 北京信长城科技发展有限公司 Method and device for realizing password security protection, storage medium and electronic equipment
CN115086008B (en) * 2022-06-13 2024-02-09 北京信长城科技发展有限公司 Method and device for realizing password security protection, storage medium and electronic equipment
CN115459958A (en) * 2022-08-16 2022-12-09 华中科技大学 Password management method, system and medium capable of resisting database collision attack
CN115459958B (en) * 2022-08-16 2024-07-02 华中科技大学 Password management method capable of resisting against attack of collision library System and medium
CN116092623A (en) * 2023-04-12 2023-05-09 四川执象网络有限公司 Health data management method based on basic medical quality control
CN116092623B (en) * 2023-04-12 2023-07-28 四川执象网络有限公司 Health data management method based on basic medical quality control

Also Published As

Publication number Publication date
CN113630238B (en) 2024-02-23

Similar Documents

Publication Publication Date Title
US8745394B1 (en) Methods and systems for secure electronic communication
Cheng Security attack safe mobile and cloud-based one-time password tokens using rubbing encryption algorithm
WO2018025991A1 (en) Communication system, communication client, communication server, communication method, and program
CN111245802B (en) Data transmission security control method, server and terminal
US8904195B1 (en) Methods and systems for secure communications between client applications and secure elements in mobile devices
Alhothaily et al. A secure and practical authentication scheme using personal devices
CN110188551B (en) Policy encryption transmission method and system
CN101420302A (en) Safe identification method and device
CN111130799B (en) Method and system for HTTPS protocol transmission based on TEE
WO2018030289A1 (en) Ssl communication system, client, server, ssl communication method, and computer program
CN113630238B (en) User request permission method and device based on password confusion
Narendrakumar et al. Token security for internet of things
Goel et al. LEOBAT: Lightweight encryption and OTP based authentication technique for securing IoT networks
Schwab et al. Entity authentication in a mobile-cloud environment
Yevseiev et al. The development of the method of multifactor authentication based on hybrid cryptocode constructions on defective codes
Raddum et al. Security analysis of mobile phones used as OTP generators
Dhanalakshmi et al. Password Manager with Multi-Factor Authentication
CN116707778A (en) Data hybrid encryption transmission method and device and electronic equipment
Elganzoury et al. A new secure one-time password algorithm for mobile applications
Varshney et al. A new secure authentication scheme for web login using BLE smart devices
Rastogi et al. Secured identity management system for preserving data privacy and transmission in cloud computing
CN114553557A (en) Key calling method, key calling device, computer equipment and storage medium
Aciobanitei et al. Using cryptography in the cloud for lightweight authentication protocols based on QR codes
Thakur et al. A Comprehensive Review of Wireless Security Protocols and Encryption Applications
Nguyen et al. Secure end-to-end mobile payment system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant