CN117294441A - Identity authentication system and method based on business secret dynamic password - Google Patents


Info

Publication number
CN117294441A
Authority
CN
China
Prior art keywords
otp
authentication
module
seed key
dynamic password
Prior art date
Legal status
Pending
Application number
CN202311189868.6A
Other languages
Chinese (zh)
Inventor
姜雪怡
潘春妃
段芸菲
丁利
王靓
Current Assignee
Nanjing University of Science and Technology
Original Assignee
Nanjing University of Science and Technology
Priority date
Filing date
Publication date

Classifications

    • H04L9/3213: Cryptographic mechanisms for verifying the identity or authority of a user or for message authentication, involving a third party or trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L63/0442: Network security protocols for confidential data exchange over packet networks in which the sending and receiving entities apply asymmetric encryption
    • H04L63/0807: Network security protocols for authentication of entities using tickets, e.g. Kerberos
    • H04L63/0846: Network security protocols for authentication of entities using time-dependent passwords, e.g. periodically changing passwords
    • H04L63/168: Security features implemented above the transport layer
    • H04L9/3226: Cryptographic mechanisms for verifying the identity or authority of a user using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3247: Cryptographic mechanisms for verifying the identity or authority of a user involving digital signatures
    • H04L9/40: Network security protocols

Abstract

The invention discloses an identity authentication system and method based on a commercial-cryptography (SM) dynamic password. The system comprises an OTP generation module, an OTP authentication PAM module and a token management module. The OTP generation module applies to the token management module for an OTP seed key file and generates a dynamic password (OTP) from it; the token management module generates the OTP seed key file and distributes it to both the OTP generation module and the OTP authentication PAM module; and the OTP authentication PAM module generates its own dynamic password OTP from the seed key file issued by the token management module and compares it with the OTP produced by the OTP generation module, thereby completing identity authentication. The scheme improves the original time-based OTP algorithm by applying the commercial-cryptography SM2 and SM3 algorithms, adds an authorization time range, greatly improves the security and efficiency of the OTP, transmits the seed key over the TLCP protocol, and achieves secure, convenient and efficient password management without depending on an external hardware token or other transmission means.

Description

Identity authentication system and method based on a commercial-cryptography dynamic password
Technical Field
The invention belongs to the field of remote-login identity authentication, and in particular relates to an identity authentication system and method based on a commercial-cryptography (SM) dynamic password.
Background
The SSH protocol (Secure Shell) is a remote-login security protocol used for services such as secure access and file transfer. It runs over TCP and uses asymmetric encryption to achieve end-to-end data encryption and identity authentication, so that the security of the communication process can be ensured. SSH uses public-key cryptography and protects every stage of the communication through identity authentication and session encryption, effectively protecting the user's data security and privacy.
SSH login identity authentication plays an important role in a server security system. The SSH authentication technologies in common use today are static password authentication, dynamic password (Google OTP) authentication and public-key authentication. Static password authentication is the most widely applicable, but because the password is static and reused it is easy to steal, guess or crack, and hard to manage. Dynamic password authentication and public-key authentication are comparatively secure. When only public-key authentication is used, the public key can remain unchanged for a long time, which eases overall management, but public-key authentication cannot limit the time range in which a user is allowed to access the system and must be supplemented by other techniques. Dynamic password authentication today mostly uses Google OTP technology and products, which is inconsistent with the current goal of autonomous and controllable information security; in particular, the SHA-1 core algorithm used by Google OTP has been shown to be insecure. An OTP authentication scheme based on a domestic commercial-cryptography algorithm is therefore needed, together with a mechanism that limits the valid time range of user identity authentication in a multi-user environment.
Disclosure of Invention
In view of the above problems, an object of the present invention is to provide an identity authentication system and method based on a commercial-cryptography dynamic password.
The specific technical scheme for realizing the purpose of the invention is as follows:
an identity authentication system based on a commercial-cryptography dynamic password comprises an OTP generation module, an OTP authentication PAM module and a token management module;
the OTP generation module is used for applying to the token management module for an OTP seed key file and generating a dynamic password OTP based on the OTP seed key file;
the token management module is used for generating the OTP seed key file and distributing it to the OTP generation module and the OTP authentication PAM module respectively;
the OTP authentication PAM module generates a dynamic password OTP based on the OTP seed key file issued by the token management module and compares it with the dynamic password OTP of the OTP generation module, thereby completing identity authentication.
Further, the OTP seed key file generated by the token management module comprises a seed key, an authorization time element and a digital signature;
the seed key is generated by a secure random number generation algorithm, and the authorization time element comprises the authorization start time and authorization end time given in the application request of the OTP generation module.
Further, the OTP generation module generates the dynamic password OTP based on the commercial-cryptography SM3 algorithm:
OTP = Truncate(HMAC-SM3(K, T/X))
where the Truncate function extracts the dynamic password from the message digest string; HMAC-SM3 denotes the SM3-based HMAC algorithm; K is the shared OTP seed key, which is also the HMAC key; T is the number of seconds from 1970-01-01 00:00:00 UTC to the current moment; X is the time step; and T/X is the 4-byte integer obtained by integer division (rounding down).
Further, the dynamic password OTP is also bound to a set authorization start time and authorization end time.
Further, the OTP authentication PAM module comprises a seed key verification unit, an authorized access time range validity judging unit and an OTP authentication unit;
the seed key verification unit is used for judging whether the digital signature in the seed key file held by the OTP authentication PAM module is trustworthy;
the authorized access time range validity judging unit is used for judging whether the current time lies between the set authorization start time and the set authorization end time;
the OTP authentication unit generates a dynamic password OTP based on the OTP seed key file generated by the token management module, and judges whether it is consistent with the dynamic password OTP generated by the OTP generation module;
if all three units pass their checks, authentication is considered to have passed; if any one of the three units fails, authentication is considered to have failed.
Further, the token management module transmits the generated OTP seed key file to the OTP authentication PAM module through a mutually authenticated encrypted channel based on the national-cryptography TLCP protocol.
The invention also provides an identity authentication method based on a commercial-cryptography dynamic password, which comprises the following steps:
step 1, when an authentication requirement arises, the token management module generates an OTP seed key for it and digitally signs the OTP seed key together with the set authorization time range to form an OTP seed key file;
step 2, the OTP seed key file generated by the token management module is transmitted to the OTP generation module and to the OTP authentication PAM module deployed on the device to be authenticated;
step 3, the OTP generation module generates a dynamic password OTP based on the commercial-cryptography SM3 algorithm using the seed key in the OTP seed key file;
step 4, the OTP authentication PAM module verifies the authenticity and validity of the OTP seed key file using the SM2 algorithm; if verification passes, it generates a dynamic password OTP and compares it with the OTP generated by the OTP generation module, thereby completing identity authentication.
Compared with the prior art, the invention has the following beneficial effects:
(1) The scheme improves the original time-based OTP algorithm and adopts the commercial-cryptography SM2 and SM3 algorithms, so that the security and efficiency of the OTP are greatly improved;
(2) The scheme introduces a TLCP encrypted channel for secure and reliable transmission of the seed key file, further improving the security and efficiency of password management; secure, convenient and efficient password management is achieved without depending on an external hardware token or other transmission means;
(3) The scheme adopts an SM3-based OTP generation algorithm and an electronic signature to protect the integrity and authenticity of the OTP seed key file, combines the OTP generation module, the OTP authentication PAM module and the token management module, and introduces a TLCP encrypted and authenticated channel to protect the release of the seed key file from the token management module, realizing a reliable identity authentication mechanism and improving the convenience and security of password resource management.
The invention is further described in connection with the following detailed description.
Drawings
FIG. 1 is a schematic diagram of the architecture of an authentication system based on a commercial-cryptography dynamic password in an embodiment of the present invention.
Fig. 2 is a schematic diagram of a seed key file format in an embodiment of the present invention.
Fig. 3 is a schematic diagram of a verification process of an OTP authentication PAM module in an embodiment of the invention.
FIG. 4 is a flow chart of the steps of the identity authentication method based on a commercial-cryptography dynamic password of the present invention.
Detailed Description
Examples
Referring to fig. 1, an identity authentication system based on a commercial-cryptography dynamic password comprises an OTP generation module, an OTP authentication PAM module and a token management module;
the OTP generation module is used for applying to the token management module for an OTP seed key file and generating a dynamic password OTP based on the OTP seed key file;
the token management module is used for generating the OTP seed key file and distributing it to the OTP generation module and the OTP authentication PAM module respectively;
the OTP authentication PAM module generates a dynamic password OTP based on the OTP seed key file issued by the token management module and compares it with the dynamic password OTP of the OTP generation module, thereby completing identity authentication.
Referring to fig. 2, the seed key file generated by the token management module includes a seed key, an authorization time element and a digital signature;
In a specific implementation, the core functions of the token management module are: applying for, authorizing and distributing account numbers and OTP seed keys for bound devices; centrally managing password resources and computing resources; uniformly managing device resources, accounts and tokens; completing user registration, device-use authorization applications, multi-level authorization audit, device allocation and scheduling, and the distribution, activation and destruction of account tokens; and counting and tracing the usage of computing devices in real time.
A seed key file is generated in the token management module; it contains the seed key used to generate the OTP, an authorization time range and signature information. The seed key and the authorization time range together form the seed key element. The seed key is a 10-byte stream produced by a secure random number generation algorithm and encoded with Base32 into a 16-character visible string; the start time and end time of the authorization time range are both converted to hexadecimal visible-character form. The invention uses the commercial-cryptography SM2 and SM3 algorithms to produce a digital signature, which protects the integrity and authenticity of the seed key element.
More specifically, the token management module can create a QR code carrying the user identifier, device address, seed key and authorization time range; the OTP generation module imports this information by scanning the QR code, and the mini program displays and updates the OTP only while the current time is within the authorization time range;
In addition, the issuing process transfers the seed key file from the token management module to the corresponding OTP authentication PAM module, that is, to the device the user applied to use, by constructing a mutually authenticated encrypted channel based on the national-cryptography TLCP protocol. The process in detail:
1) The token management module extracts the application information for the computing device submitted by the user, such as its IP address, the user name and the OTP seed key file;
2) A TLCP client is started and performs mutual identity authentication with the TLCP server at the IP address of the computing device to construct a TLCP encrypted channel;
3) The client sends the user name and the OTP seed key file to the TLCP server;
4) The TLCP server writes the OTP seed key file into the home directory of the user identified by the received user name, with the file name gmotop, and sets the file attributes so that the file is readable only by that user.
The OTP generation module generates the dynamic password OTP based on the commercial-cryptography SM3 algorithm:
OTP = Truncate(HMAC-SM3(K, T/X))
where the Truncate function extracts the dynamic password from the message digest string; HMAC-SM3 denotes the SM3-based HMAC algorithm; K is the shared OTP seed key, which is also the HMAC key; T is the number of seconds from 1970-01-01 00:00:00 UTC to the current moment; X is the time step, i.e. the interval at which a new dynamic password is generated, 30 seconds by default; and T/X is the 4-byte integer obtained by integer division (rounding down).
The dynamic password OTP is also bound to a set authorization start time and authorization end time.
In a specific implementation, the OTP generation module generates a multi-digit dynamic password from the seed key, the password is renewed at a fixed interval, and identity authentication is completed in cooperation with the OTP authentication PAM module.
To solve the problem of limiting a user's legal access time range, the scheme of the invention appends the user's authorization time range after the seed key data. The authorization time range is set by the user when submitting the application, is divided into a start time and an end time, takes UTC time as the timing origin, and is accurate to the second.
Specifically, the invention appends the authorization time range after the seed key is generated, so that the range can be stored and processed precisely and compared easily with the current time. In other words, the validity of the user's login time is ensured by introducing a time range verification mechanism: during verification the system compares the current time with the authorization time range to determine whether the password is within its validity period. The dynamic password is considered valid if the current time is within the range, and invalid otherwise. This time-range-based authentication mechanism provides greater security and flexibility. It effectively controls the legal time of user access, which is equivalent to setting a validity period for the OTP, prevents use at unauthorized times, and solves the problem of controlling the user's authorization time range.
In this embodiment, the OTP generation module may take the form of a WeChat mini program, whose features and functions include:
(1) Renewing the password every thirty seconds, which reduces the likelihood of unauthorized access to restricted resources;
(2) Obtaining the seed key of the dynamic password either by manual input or by scanning a QR code, which improves convenience for the user;
(3) No longer renewing or displaying the dynamic password outside the authorization time range.
The OTP authentication PAM module comprises a seed key verification unit, an authorized access time range validity judging unit and an OTP authentication unit;
referring to fig. 3, the seed key verification unit is configured to determine whether the digital signature in the seed key file held by the OTP authentication PAM module is authentic;
the authorized access time range validity judging unit is used for judging whether the current time lies between the set authorization start time and the set authorization end time;
the OTP authentication unit generates a dynamic password OTP based on the seed key file generated by the token management module, and judges whether it is consistent with the dynamic password OTP generated by the OTP generation module;
if all three units pass their checks, authentication is considered to have passed; if any one of the three units fails, authentication is considered to have failed.
The token management module transmits the generated seed key file to the OTP authentication PAM module through a mutually authenticated encrypted channel based on the national-cryptography TLCP protocol.
In addition, signing takes place in the token management module, which signs the seed key file with a digital signature algorithm. Signature verification with the commercial-cryptography SM3 and SM2 algorithms ensures the integrity and reliability of the seed key file during transmission and storage, so that tampering with and forgery of the seed key file data can be prevented and the security of the system improved.
Next, an SM2 public/private key pair is generated for signing and verification. The private key is used to generate signatures and is deployed in the token management module; the public key is used to verify the signature on the seed key file and is deployed in the PAM module. In practice, the private key signs the seed key element data in the seed key file: the SM3 hash value of the element data is signed with the SM2 private key to produce a digital signature, which is appended to the seed key file. When the user, having logged in through public-key authentication, begins OTP verification, the PAM module uses the SM3 and SM2 algorithms to verify the integrity and authenticity of the seed key element data.
In this embodiment, in combination with fig. 2, the OTP authentication PAM module is installed in the SSH server. Remote login to the computing device uses the SSH protocol: the SSH client initiates an authentication request to the SSH server and the server authenticates the client. The two-factor authentication scheme designed in this method requires the SSH server to authenticate both the client's user public key and its dynamic password; the module supporting dynamic password OTP authentication is implemented as a PAM module so that it can integrate with SSH. The user public key is distributed according to the group the user belongs to and is preset under each user directory by the system administrator; an ordinary user public key is kept for one year, whereas the OTP seed key differs for each application.
The SSH two-factor authentication mechanism is as follows:
1) Before the SSH connection is made, a user public/private key pair for public-key authentication and an OTP seed key file must be generated, and the user public key and the OTP seed key file are stored in the user's directory on the SSH server;
2) After the SSH client establishes an SSH encrypted channel with the server, it sends a user login request; the server looks up the user public key from the user name and other information in the login request, encrypts a random number with the public key and sends it to the client;
3) The client decrypts the returned data with the user private key and sends the decrypted data to the server;
4) The server verifies whether the data decrypted by the client is correct; if so, public-key authentication passes, otherwise the login fails with an error;
5) The client sends the OTP to the server;
6) The server loads the user's OTP seed key file, verifies the integrity and authenticity of the seed key element data, judges the legality of the user's login time, and verifies the correctness of the OTP; the user's identity authentication is completed only after the OTP check passes.
The Linux pluggable authentication module (PAM) framework is modular and pluggable, and keeps the authentication mechanism independent of the application program.
The invention also provides an identity authentication method based on a commercial-cryptography dynamic password, which comprises the following steps:
step 1, when an authentication requirement arises, the token management module generates an OTP seed key for it and digitally signs the OTP seed key together with the set authorization time range to form an OTP seed key file;
step 2, the OTP seed key file generated by the token management module is transmitted to the OTP generation module and to the OTP authentication PAM module deployed on the device to be authenticated;
the OTP seed key file generated by the token management module is transmitted to the OTP authentication PAM module over a mutually authenticated encrypted channel based on the national-cryptography TLCP protocol.
Step 3, the OTP generation module generates a dynamic password OTP based on the commercial-cryptography SM3 algorithm using the seed key in the OTP seed key file:
OTP = Truncate(HMAC-SM3(K, T/X))
where the Truncate function extracts the dynamic password from the message digest string; HMAC-SM3 denotes the SM3-based HMAC algorithm; K is the shared OTP seed key, which is also the HMAC key; T is the number of seconds from 1970-01-01 00:00:00 UTC to the current moment; X is the time step; and T/X is the 4-byte integer obtained by integer division (rounding down).
Step 4, the OTP authentication PAM module verifies the authenticity and validity of the OTP seed key file using the SM2 algorithm; if verification passes, it generates a dynamic password OTP and compares it with the OTP generated by the OTP generation module, thereby completing identity authentication. Specifically:
referring to fig. 3, it is first determined whether the current access time is within the set valid time range;
if the current access time is within the set effective time range, judging whether the digital signature in the seed key file in the OTP authentication PAM module is credible or not;
if the digital signature in the OTP seed key file is credible, judging whether the dynamic password OTP generated by the OTP authentication PAM module is consistent with the dynamic password OTP generated by the OTP generation module, and if not, judging that the identity authentication fails;
if the dynamic password OTP is consistent, the identity authentication is considered to be successful, otherwise, the identity authentication is considered to be failed.
The foregoing embodiments illustrate and describe the basic principles and principal features of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, that the above embodiments and descriptions merely illustrate the principles of the present invention, and that various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims.

Claims (10)

1. An identity authentication system based on a commercial cryptography dynamic password, characterized by comprising an OTP generation module, an OTP authentication PAM module and a token management module;
the OTP generation module is used for applying to the token management module for an OTP seed key file and for generating a dynamic password OTP based on the OTP seed key file;
the token management module is used for generating an OTP seed key file and distributing the OTP seed key file to the OTP generation module and the OTP authentication PAM module respectively;
the OTP authentication PAM module generates a dynamic password OTP based on the OTP seed key file issued by the token management module and compares the dynamic password OTP with the dynamic password OTP of the OTP generation module, thereby completing identity authentication.
2. The authentication system of claim 1, wherein the OTP seed key file generated by the token management module comprises a seed key, an authorization time element, and a digital signature;
the seed key is generated by a secure random number generation algorithm, and the authorization time element comprises authorization starting time and authorization ending time in an application request of the OTP generation module.
3. The identity authentication system based on a commercial cryptography dynamic password according to claim 2, wherein the OTP generation module is configured to generate the dynamic password OTP based on the commercial cryptography SM3 algorithm:
OTP=Truncate(HMAC-SM3(K,T/X))
wherein the Truncate function truncates the message digest string; HMAC-SM3 denotes the SM3-based HMAC algorithm; K denotes the shared OTP seed key, which is also the key of the HMAC algorithm; T denotes the number of seconds from 00:00:00 UTC on 1 January 1970 to the current moment, and X denotes the time step; T/X denotes the 4-byte integer obtained by rounding the quotient to an integer.
4. The identity authentication system based on a commercial cryptography dynamic password according to claim 3, wherein the dynamic password OTP further comprises the set authorization start time and authorization end time.
5. The identity authentication system based on a commercial cryptography dynamic password according to claim 2, wherein the OTP authentication PAM module comprises a seed key verification unit, an authorized access time range validity judging unit, and an OTP authentication unit;
the seed key verification unit is used for judging whether the digital signature in the seed key file in the OTP authentication PAM module is credible or not;
the authorization access time range validity judging unit is used for judging whether the current time period is within the set authorization starting time and the set authorization ending time;
the OTP authentication unit generates a dynamic password OTP based on the OTP seed key file generated by the token management module, and judges whether the dynamic password OTP is consistent with the dynamic password OTP generated by the OTP generation module;
if all three units give a positive judgement, the authentication is considered passed; if any one of the three units gives a negative judgement, the authentication is considered failed.
6. The identity authentication system according to claim 5, wherein the token management module transmits the generated OTP seed key file to the OTP authentication PAM module over a mutually authenticated encrypted channel based on the national cryptographic standard (GM) TLCP protocol.
7. The identity authentication method based on a commercial cryptography dynamic password according to any one of claims 1 to 6, comprising the steps of:
step 1, when an authentication requirement is generated, the token management module generates an OTP seed key based on the authentication requirement, and digitally signs the OTP seed key based on a set authorization time range to form an OTP seed key file;
step 2, the OTP seed key file generated by the token management module is respectively transmitted to an OTP generation module and an OTP authentication PAM module arranged on equipment to be authenticated;
step 3, the OTP generating module generates a dynamic password OTP based on the commercial cryptography SM3 algorithm, using the seed key in the OTP seed key file;
step 4, the OTP authentication PAM module verifies the authenticity and validity of the OTP seed key file using the SM2 algorithm, generates a dynamic password OTP if verification passes, and compares it with the dynamic password OTP generated by the OTP generating module so as to complete identity authentication.
8. The identity authentication method based on a commercial cryptography dynamic password according to claim 7, wherein the OTP seed key file generated by the token management module in step 2 is transmitted to the OTP authentication PAM module over a mutually authenticated encrypted channel based on the national cryptographic standard (GM) TLCP protocol.
9. The identity authentication method based on a commercial cryptography dynamic password according to claim 7, wherein the OTP generation module in step 3 generates the dynamic password OTP specifically as:
OTP=Truncate(HMAC-SM3(K,T/X))
wherein the Truncate function truncates the message digest string; HMAC-SM3 denotes the SM3-based HMAC algorithm; K denotes the shared OTP seed key, which is also the key of the HMAC algorithm; T denotes the number of seconds from 00:00:00 UTC on 1 January 1970 to the current moment, and X denotes the time step; T/X denotes the 4-byte integer obtained by rounding the quotient to an integer.
10. The identity authentication method based on a commercial cryptography dynamic password according to claim 7, wherein the specific process by which the OTP authentication PAM module in step 4 compares its dynamic password OTP with the dynamic password OTP generated by the OTP generation module is:
firstly, judging whether the current access time is within a set effective time range;
if the current access time is within the set effective time range, judging whether the digital signature in the seed key file in the OTP authentication PAM module is credible or not;
if the digital signature in the OTP seed key file is credible, judging whether the dynamic password OTP generated by the OTP authentication PAM module is consistent with the dynamic password OTP generated by the OTP generation module, and if not, judging that the identity authentication fails;
if the dynamic password OTP is consistent, the identity authentication is considered to be successful, otherwise, the identity authentication is considered to be failed.
CN202311189868.6A 2023-09-15 2023-09-15 Identity authentication system and method based on business secret dynamic password Pending CN117294441A (en)

Publications (1)

Publication Number Publication Date
CN117294441A true CN117294441A (en) 2023-12-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination