CN114385987A - Dynamic multi-factor identity authentication and certification method and storage medium - Google Patents
Publication number: CN114385987A (application CN202111523548.0A)
Authority: CN (China)
Prior art keywords: authentication, password, user, algorithm, registration
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/31: User authentication (section G Physics; G06 Computing, calculating or counting; G06F Electric digital data processing; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
- G06F21/46: Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords (under G06F21/45 Structures or tools for the administration of authentication)
- G06F21/602: Providing cryptographic facilities or services (under G06F21/60 Protecting data)
Abstract
The invention relates to the technical field of identity authentication and provides a dynamic multi-factor identity authentication and certification method and a storage medium. After an authentication request sent by a user is obtained, the user's verification qualification is checked as a preliminary security screen; a target encryption algorithm is then determined according to a preset matching strategy and the user's authentication request is encrypted at the client to obtain a user password ciphertext, improving data security in transit; a target decryption algorithm is then determined according to the same preset matching strategy and the received user password ciphertext is decrypted at the server; finally, the authentication password is compared with the pre-stored registration password to decide whether identity authentication passes. Because several encryption rules are combined, cracking is difficult when the rule in use cannot be determined, and multi-level verification that combines factors such as the request IP, user account and password greatly improves the security and reliability of the system.
Description
Technical Field
The invention relates to the technical field of identity authentication, in particular to a dynamic multi-factor identity authentication and certification method and a storage medium.
Background
With the development of information technology, identity authentication has become the basis of information security; in particular, authentication between a client and a cloud server has become an important research direction in cloud computing. Ensuring that the operator acting under a digital identity is its legitimate owner, that is, that the operator's physical identity corresponds to the digital identity, is the problem identity authentication solves, and as the first gateway protecting network assets it plays a very important role.
At present, in the stage of rapid Internet development, various security problems have become issues that enterprises urgently need to solve. Security authentication is the first threshold of information security, but the security authentication currently on the market uses only one encryption rule, which is easily cracked by criminals, so that confidential data is leaked or, in serious cases, tampered with, causing heavy economic losses to enterprises.
Disclosure of Invention
The invention provides a dynamic multi-factor identity authentication and certification method and a storage medium, which solve the technical problem that confidential data is easily leaked or modified because existing security certification uses a single encryption rule and is therefore easy to crack.
In order to solve the technical problems, the invention provides a dynamic multi-factor identity authentication and certification method, which comprises the following steps:
S1, acquiring an authentication request sent by a user, judging whether the authentication request meets the verification qualification, and if so, entering the next step;
S2, identifying the obtained authentication request according to a preset matching strategy, and determining a target encryption algorithm to encrypt the authentication request to obtain a user password ciphertext;
S3, identifying the user password ciphertext, determining a target decryption algorithm according to the preset matching strategy, and decrypting the user password ciphertext to obtain an authentication password;
and S4, comparing the authentication password with the pre-stored registration password; if they are consistent, judging that the authentication is passed and the certification succeeds, and if they are inconsistent, judging that the authentication is not passed and the certification fails.
According to this basic scheme, a security authentication threshold is deployed at the client's access entrance. After an authentication request sent by a user is obtained, the user's verification qualification is checked, it is determined whether the user's application is normal and the user identity legitimate, and preliminary security monitoring is performed. A target encryption algorithm is then determined according to a preset matching strategy and the user's authentication request is encrypted at the client to obtain a user password ciphertext, improving data security in transit; a target decryption algorithm is then determined according to the same preset matching strategy and the received user password ciphertext is decrypted at the server; finally, the authentication password is compared with the pre-stored registration password to decide whether identity authentication passes. The preset matching strategy lets several encryption rules be combined, so that cracking is difficult when the rule in use cannot be determined, and multi-stage verification combining factors such as the request IP, user account and password greatly improves the security and reliability of the system.
In a further embodiment, the preset matching policy specifically includes: taking any one or more digits of the registered account as a flag bit and setting a plurality of preset threshold intervals, each corresponding to a different preset algorithm; after an authentication request sent by a user is obtained, the corresponding registered account and its flag bit data are determined, the flag bit data are matched against the preset threshold intervals, and if the matching succeeds, the preset algorithm corresponding to the matched interval is taken as the target encryption algorithm and/or target decryption algorithm for that registered account.
In existing schemes all users use the same encryption algorithm during identity authentication, which is easily cracked by criminals. Here, one or more digits of the user's registered account are preselected as a flag bit, several different preset algorithms are assigned to different preset threshold intervals, and the encryption algorithm for that user's authentication is determined by matching the flag bit against the intervals. This realises combined encryption under several encryption rules, raises the cracking difficulty and effectively improves security.
In a further embodiment, the present invention further comprises:
S01, acquiring a registration account and a registration password when the user registers;
S02, storing the registered account and the registered password in a database in a one-to-one correspondence;
wherein the registration password is stored in the database in the form of an MD5 value.
In a further embodiment, the step S1 specifically includes: acquiring and identifying an authentication request sent by a user, determining a corresponding request IP, matching the request IP with a preset white list, judging that the request IP meets the verification qualification if the request IP is successfully matched with the preset white list, and entering the next step, otherwise, judging that the authentication fails.
According to the scheme, the white list filtering rule is set, network requests of unauthorized and illegal identities are rejected, part of illegal applications can be removed quickly, unnecessary request analysis is reduced on the premise of realizing safety certification, and further the operating efficiency of the client is improved.
In further embodiments, the step S2 includes:
S21, the client identifies the acquired authentication request and determines the corresponding registered account and input password;
S22, determining a target encryption algorithm according to the preset matching strategy and the registered account;
and S23, encrypting the input password according to the target encryption algorithm to obtain a user password ciphertext, combining the user password ciphertext with the registered account, and uploading them to the server side.
In further embodiments, the step S3 includes:
S31, the server receives the user password ciphertext and the registered account;
S32, determining a target decryption algorithm according to the preset matching strategy and the registered account;
S33, decrypting the user password ciphertext according to the target decryption algorithm to obtain a decrypted plaintext;
and S34, hashing the decrypted plaintext with the MD5 algorithm to obtain the authentication password.
According to the scheme, before the authentication request is uploaded to the server side by the client side, the target encryption algorithm corresponding to each user is dynamically determined according to the preset matching strategy and the registered account, and targeted encryption is carried out, so that the risk of password leakage in the data transmission process can be reduced; and correspondingly, the target decryption algorithm corresponding to each user is dynamically determined at the server according to the preset matching strategy and the registered account, and the target decryption algorithm and the registered account correspond to each other, so that the safety of communication and information transmission of the system is guaranteed, and the safety performance of the system can be further improved.
In further embodiments, the predetermined algorithm includes an even bit padding algorithm, an RSA algorithm, an MD5 algorithm.
In a further embodiment, the step S4 specifically includes: acquiring a corresponding registration password from a database according to the registration account, comparing the authentication password with a prestored registration password, if the authentication password is consistent with the prestored registration password, judging that the authentication is passed and the authentication is successful, and if the authentication password is not consistent with the prestored registration password, judging that the authentication is not passed and the authentication is failed;
the database is a data storage area in the server.
The present invention also provides a storage medium having stored thereon a computer program for implementing a method of dynamic multi-factor identity authentication and certification as described above. The storage medium may be a magnetic disk, an optical disk, a Read Only Memory (ROM), a Random Access Memory (RAM), or the like.
Drawings
Fig. 1 is a flowchart of the dynamic multi-factor identity authentication and certification method according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention are described in detail below with reference to the accompanying drawings. The drawings are provided solely for illustration and are not to be construed as limiting the invention, since many variations are possible without departing from its spirit and scope.
Example 1
As shown in fig. 1, the method for dynamic multi-factor identity authentication and certification according to the embodiment of the present invention includes steps S01, S02, S1 to S4:
S01, acquiring a registration account and a registration password when the user registers;
S02, storing the registered account and the registered password in a database in a one-to-one correspondence;
wherein the registration password is stored in the database in the form of an MD5 value.
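Step S02 stores the registration password as a bare MD5 value. The following is an added example (not code from the patent) that models that storage rule in Python and places beside it the form a practitioner would use instead: a per-user random salt with an iterated, slow hash (PBKDF2-HMAC-SHA256 from the standard library). An unsalted MD5 digest is deterministic, so two users with the same password get the same stored record, and MD5 is fast enough that such records can be recovered offline by lookup tables or brute force. The account numbers and passwords are constructed sample data; the record format and all function names are my own assumptions.

```python
"""Registration storage (steps S01/S02): bare MD5 as described, beside a salted iterated hash.

Added example, not the patent's code. Account and password values are constructed.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended floor for PBKDF2-HMAC-SHA256


def md5_record(password: str) -> str:
    """Storage rule from S02: the registration password kept as its MD5 hex value.
    Unsalted and fast: identical passwords give identical records, and the digest
    can be attacked offline with a lookup table or GPU brute force."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened alternative: per-user random salt plus an iterated, slow hash.
    Record format (assumed here, not from the patent): algo$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def register_both(database: dict, account: str, password: str) -> None:
    """Store one row per account, keeping both forms so the contrast is visible."""
    database[account] = {"md5": md5_record(password), "pbkdf2": pbkdf2_record(password)}


if __name__ == "__main__":
    db: dict = {}
    # Constructed sample users; both chose the same password.
    register_both(db, "13800000003", "123456")
    register_both(db, "13800000008", "123456")
    print("MD5 records identical:   ", db["13800000003"]["md5"] == db["13800000008"]["md5"])        # True
    print("PBKDF2 records identical:", db["13800000003"]["pbkdf2"] == db["13800000008"]["pbkdf2"])  # False
    print("PBKDF2 verify:", pbkdf2_verify("123456", db["13800000003"]["pbkdf2"]))
```

The salted record can still be verified because the salt and iteration count travel with the hash; what changes is that each guess must be recomputed per user, and leaked records no longer reveal which users share a password.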
S1, obtaining the authentication request sent by the user, judging whether the authentication request meets the verification qualification, if yes, entering the next step, specifically: and acquiring and identifying an authentication request sent by a user, determining a corresponding request IP, matching the request IP with a preset white list, judging that the request IP meets the verification qualification if the request IP is successfully matched with the preset white list, and entering the next step, otherwise, judging that the authentication fails.
The embodiment sets the white list filtering rule, rejects network requests of unauthorized and illegal identities, can quickly remove part of illegal applications, reduces unnecessary request analysis on the premise of realizing security authentication, and further improves the operating efficiency of the client.
S2, identifying the obtained authentication request according to a preset matching strategy, and determining a target encryption algorithm to encrypt the authentication request to obtain a user password ciphertext, wherein the method comprises the following steps of S21-S23:
S21, the client identifies the acquired authentication request and determines the corresponding registered account and input password;
S22, determining a target encryption algorithm according to the preset matching strategy and the registered account;
in this embodiment, the preset matching policy specifically includes: taking any one or more digits of the registered account as a flag bit and setting a plurality of preset threshold intervals, each corresponding to a different preset algorithm; after an authentication request sent by a user is obtained, the corresponding registered account and its flag bit data are determined, the flag bit data are matched against the preset threshold intervals, and if the matching succeeds, the preset algorithm corresponding to the matched interval is taken as the target encryption algorithm and/or target decryption algorithm for that registered account.
The preset algorithm includes, but is not limited to, an even bit padding algorithm, an RSA algorithm, and an MD5 algorithm.
Even-bit filling algorithm: the user password is processed by inserting random filler characters at the even positions, so that the password characters occupy the odd positions. For example, the input password 123456 becomes 1s2d3a4d5f6 after processing.
RSA algorithm: RSA is a public-key cryptosystem that uses different keys for encryption and decryption, where deriving the decryption key from the known encryption key is computationally infeasible. Two key files are generated, a public key and a private key: encryption is performed with the public key and decryption with the private key.
MD5 algorithm: the MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit (16-byte) hash value, used here to protect the integrity of the transmitted message.
For example: the preset matching strategy groups users by the last digit of the user account (that digit is the flag bit); the interval 0-3 is the preset threshold interval of the even-bit filling algorithm, the interval 4-6 that of the RSA algorithm, and the interval 7-9 that of the MD5 algorithm.
When the user's registered account is 151XXXXXXX13, the flag bit is 3 and the corresponding preset algorithm is the even-bit filling algorithm.
In existing schemes all users use the same encryption algorithm during identity authentication, which is easily cracked by criminals. In this embodiment, one or more digits of the user's registered account are preselected as a flag bit, several different preset algorithms are assigned to different preset threshold intervals, and the encryption algorithm for that user's authentication is determined by matching the flag bit against the intervals. This realises combined encryption under several encryption rules, raises the cracking difficulty and effectively improves security.
And S23, encrypting the input password according to the target encryption algorithm to obtain a user password ciphertext, integrating the user password ciphertext with the registered account, and uploading the user password ciphertext to the server.
S3, identifying the user password ciphertext, determining a target decryption algorithm according to a preset matching strategy, and decrypting the user password ciphertext to obtain an authentication password, wherein the method comprises the following steps of S31-S34:
S31, the server receives the user password ciphertext and the registered account;
S32, determining a target decryption algorithm according to the preset matching strategy and the registered account;
S33, decrypting the user password ciphertext according to the target decryption algorithm to obtain a decrypted plaintext;
the user password ciphertext is decrypted according to the decryption rule of the target decryption algorithm:
1. RSA algorithm: decrypt with the corresponding private key file to obtain the decrypted plaintext;
2. Even-bit filling algorithm: traverse the ciphertext and keep only the characters at the odd positions to obtain the decrypted plaintext;
3. MD5 algorithm: MD5 is a one-way digest and cannot be decrypted. Since the registration password in the database is stored as an MD5 value, when the target algorithm is MD5 no decryption is performed: this step and the re-hashing in step S34 are skipped, and the received user password ciphertext is used directly as the authentication password.
And S34, hashing the decrypted plaintext with the MD5 algorithm to obtain the authentication password.
According to the embodiment, before the authentication request is uploaded to the server side by the client side, the target encryption algorithm corresponding to each user is dynamically determined according to the preset matching strategy and the registered account, and targeted encryption is performed, so that the risk of password leakage in the data transmission process can be reduced; and correspondingly, the target decryption algorithm corresponding to each user is dynamically determined at the server according to the preset matching strategy and the registered account, and the target decryption algorithm and the registered account correspond to each other, so that the safety of communication and information transmission of the system is guaranteed, and the safety performance of the system can be further improved.
S4, comparing the authentication password with the pre-stored registration password; if they are consistent, judging that the authentication is passed and the certification succeeds, and if they are inconsistent, judging that the authentication is not passed and the certification fails. Specifically: the corresponding registration password is fetched from the database according to the registered account and compared with the authentication password; if they are consistent, the authentication is passed and the certification succeeds, otherwise the authentication is not passed and the certification fails;
the database is a data storage area in the server.
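The following is an added worked model of steps S1 to S4 under the example matching strategy above (last digit of the account as the flag bit: 0-3 even-bit filling, 4-6 RSA, 7-9 MD5); it is example code, not code from the patent. The RSA key is a tiny textbook key (p=61, q=53) applied byte by byte for illustration only; the filler alphabet, account numbers, passwords and IP white list are constructed, and all function names are my own. Three properties of the design are visible in the code and worth noting when evaluating it: the flag bit is part of the account sent in the clear, so the choice of algorithm is not a secret an attacker has to recover; the even-bit filling step is a reversible encoding rather than encryption, so a captured ciphertext on that branch reveals the password directly; and on the MD5 branch the transmitted digest is compared as-is against the stored value, so the digest itself is the credential and a captured copy can be replayed. Transport protection such as TLS is therefore still needed on every branch.

```python
"""Worked model of steps S1-S4 with the example matching strategy (last digit of the
account selects the algorithm: 0-3 even-bit filling, 4-6 RSA, 7-9 MD5).

Added example, not the patent's code. Toy RSA key and all sample data are constructed.
"""
import hashlib
import hmac
import ipaddress
import secrets
import string

# Preset matching strategy: flag bit = last digit of the registered account.
PRESET_INTERVALS = (
    (range(0, 4), "even_padding"),  # threshold interval 0-3 -> even-bit filling algorithm
    (range(4, 7), "rsa"),           # threshold interval 4-6 -> RSA
    (range(7, 10), "md5"),          # threshold interval 7-9 -> MD5
)


def select_algorithm(account: str) -> str:
    """Match the flag bit against the preset threshold intervals (S22 / S32)."""
    flag = int(account[-1])
    for interval, name in PRESET_INTERVALS:
        if flag in interval:
            return name
    raise ValueError("flag bit outside every preset threshold interval")


def even_pad(password: str) -> str:
    """Even-bit filling: a random filler after every character except the last, so the
    password occupies the odd positions, e.g. 123456 -> 1s2d3a4d5f6 (filler is assumed)."""
    out = []
    for i, ch in enumerate(password):
        out.append(ch)
        if i < len(password) - 1:
            out.append(secrets.choice(string.ascii_lowercase))
    return "".join(out)


def even_unpad(padded: str) -> str:
    return padded[::2]  # keep the odd positions (index 0, 2, 4, ...)


# Textbook RSA on one byte at a time with a toy key: p=61, q=53, n=3233, e=17, d=2753.
# No padding and far too small for real use; a deployment would use RSA-OAEP from a library.
RSA_PUBLIC = (3233, 17)
RSA_PRIVATE = (3233, 2753)


def rsa_encrypt(password: str) -> list:
    n, e = RSA_PUBLIC
    return [pow(b, e, n) for b in password.encode()]


def rsa_decrypt(blocks: list) -> str:
    n, d = RSA_PRIVATE
    return bytes(pow(c, d, n) for c in blocks).decode()


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


DATABASE = {}  # S02: registration password stored as an MD5 value, keyed by account
WHITELIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]  # constructed


def register(account: str, password: str) -> None:
    DATABASE[account] = md5_hex(password)


def ip_qualifies(request_ip: str) -> bool:
    """S1: the request IP must match the preset white list."""
    ip = ipaddress.ip_address(request_ip)
    return any(ip in net for net in WHITELIST)


def client_encrypt(account: str, input_password: str) -> dict:
    """S21-S23: select the target algorithm from the account and encrypt the input password."""
    alg = select_algorithm(account)
    if alg == "even_padding":
        ciphertext = even_pad(input_password)
    elif alg == "rsa":
        ciphertext = rsa_encrypt(input_password)
    else:  # md5 branch: the client sends the digest itself
        ciphertext = md5_hex(input_password)
    return {"account": account, "ciphertext": ciphertext}


def server_authenticate(request_ip: str, message: dict) -> bool:
    """S1, S31-S34 and S4 on the server side."""
    if not ip_qualifies(request_ip):
        return False
    account, ciphertext = message["account"], message["ciphertext"]
    if account not in DATABASE:
        return False
    alg = select_algorithm(account)  # S32: same matching strategy as the client
    if alg == "even_padding":
        auth_password = md5_hex(even_unpad(ciphertext))  # S33 then S34
    elif alg == "rsa":
        auth_password = md5_hex(rsa_decrypt(ciphertext))  # S33 then S34
    else:
        auth_password = ciphertext  # MD5 is one-way: S33/S34 skipped, digest compared as-is
    return hmac.compare_digest(auth_password, DATABASE[account])  # S4, constant-time compare


if __name__ == "__main__":
    for account, password in (("13800000003", "123456"), ("13800000005", "p@ss-w0rd"), ("13800000008", "hunter2")):
        register(account, password)
        ok = server_authenticate("10.1.2.3", client_encrypt(account, password))
        wrong = server_authenticate("10.1.2.3", client_encrypt(account, password + "x"))
        blocked = server_authenticate("8.8.8.8", client_encrypt(account, password))
        print(account, select_algorithm(account), "correct:", ok, "wrong password:", wrong, "off-whitelist IP:", blocked)
```

Running the block exercises all three branches: each account authenticates with its own password, fails with a wrong one, and is rejected before any decryption when the request IP is outside the white list. Note that the server never needs the even-bit filler characters, which is why `even_pad` can choose them at random.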
The embodiment deploys a security authentication threshold at the client's access entrance. After an authentication request sent by a user is obtained, the user's verification qualification is checked, it is determined whether the user's application is normal and the user identity legitimate, and preliminary security monitoring is performed. A target encryption algorithm is then determined according to a preset matching strategy and the user's authentication request is encrypted at the client to obtain a user password ciphertext, improving data security in transit; a target decryption algorithm is then determined according to the same preset matching strategy and the received user password ciphertext is decrypted at the server; finally, the authentication password is compared with the pre-stored registration password to decide whether identity authentication passes. The preset matching strategy lets several encryption rules be combined, so that cracking is difficult when the rule in use cannot be determined, and multi-stage verification combining factors such as the request IP, user account and password greatly improves the security and reliability of the system.
Example 2
An embodiment of the present invention further provides a storage medium, on which a computer program is stored, where the computer program is used to implement the method for dynamic multi-factor identity authentication and authorization in embodiment 1. The storage medium may be a magnetic disk, an optical disk, a Read Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above embodiments are preferred embodiments of the present invention, but the present invention is not limited to the above embodiments, and any other changes, modifications, substitutions, combinations, and simplifications which do not depart from the spirit and principle of the present invention should be construed as equivalents thereof, and all such changes, modifications, substitutions, combinations, and simplifications are intended to be included in the scope of the present invention.
Claims (9)
1. A dynamic multi-factor identity authentication and certification method is characterized by comprising the following steps:
S1, acquiring an authentication request sent by a user, judging whether the authentication request meets the verification qualification, and if so, entering the next step;
S2, identifying the obtained authentication request according to a preset matching strategy, and determining a target encryption algorithm to encrypt the authentication request to obtain a user password ciphertext;
S3, identifying the user password ciphertext, determining a target decryption algorithm according to the preset matching strategy, and decrypting the user password ciphertext to obtain an authentication password;
and S4, comparing the authentication password with the pre-stored registration password, if the authentication password is consistent with the pre-stored registration password, judging that the authentication is passed and the authentication is successful, and if the authentication password is inconsistent with the pre-stored registration password, judging that the authentication is not passed and the authentication is failed.
2. The method of claim 1, wherein the predetermined matching policy is specifically: setting a plurality of preset threshold intervals corresponding to different preset algorithms according to any one or more digits of the registered account as a zone bit; after an authentication request sent by a user is obtained, a corresponding registration account and flag bit data are determined, the flag bit data are matched with the preset threshold interval, and if the matching is successful, a preset algorithm corresponding to the preset threshold interval is determined as a target encryption algorithm and/or a target decryption algorithm of the registration account.
3. The method of dynamic multi-factor identity authentication and certification according to claim 1, further comprising:
S01, acquiring a registration account and a registration password when the user registers;
S02, storing the registered account and the registered password in a database in a one-to-one correspondence;
wherein the registration password is stored in the database in the form of an MD5 value.
4. The method for dynamic multi-factor identity authentication and certification according to claim 1, wherein the step S1 specifically comprises: acquiring and identifying an authentication request sent by a user, determining a corresponding request IP, matching the request IP with a preset white list, judging that the request IP meets the verification qualification if the request IP is successfully matched with the preset white list, and entering the next step, otherwise, judging that the authentication fails.
5. The method for dynamic multi-factor identity authentication and certification according to claim 1, wherein the step S2 includes:
S21, the client identifies the acquired authentication request and determines the corresponding registered account and input password;
S22, determining a target encryption algorithm according to the preset matching strategy and the registered account;
and S23, encrypting the input password according to the target encryption algorithm to obtain a user password ciphertext, integrating the user password ciphertext with the registered account, and uploading the user password ciphertext to a server side.
6. The method for dynamic multi-factor identity authentication and certification according to claim 5, wherein the step S3 includes:
S31, the server receives the user password ciphertext and the registered account;
S32, determining a target decryption algorithm according to the preset matching strategy and the registered account;
S33, decrypting the user password ciphertext according to the target decryption algorithm to obtain a decrypted plaintext;
and S34, encrypting the decrypted plaintext by using the MD5 algorithm to obtain an authentication password.
7. The method of dynamic multi-factor identity authentication and certification according to claim 2, wherein: the preset algorithm comprises an even number bit filling algorithm, an RSA algorithm and an MD5 algorithm.
8. The method for dynamic multi-factor identity authentication and certification according to claim 3, wherein the step S4 specifically comprises: acquiring a corresponding registration password from a database according to the registration account, comparing the authentication password with a prestored registration password, if the authentication password is consistent with the prestored registration password, judging that the authentication is passed and the authentication is successful, and if the authentication password is not consistent with the prestored registration password, judging that the authentication is not passed and the authentication is failed;
the database is a data storage area in the server.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program for implementing a method of dynamic multi-factor identity authentication and certification according to any one of claims 1-8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111523548.0A | 2021-12-14 | 2021-12-14 | Dynamic multi-factor identity authentication and certification method and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114385987A | 2022-04-22 |
Family ID: 81195588
Family Applications (1)
Application Number | Status | Priority Date | Filing Date |
---|---|---|---|
CN202111523548.0A | Pending | 2021-12-14 | 2021-12-14 |
Country Status: CN
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |