Background technology
At present, the authentication method most service organizations provide is a static password for the client. When the user accepts the electronic automated transaction service the organization provides, identity is verified between the organization and the user with this static password, and the transaction or delivery of goods is completed. This verification method is very dangerous, however, because the static password is easily discovered by others, and there are many easy ways to discover it: interception of data by computer technology, theft by insiders, collusion between insiders and outsiders and similar means are used to obtain the user's static password and then fraudulently claim the customer's deposit; incidents of this kind are often reported in the media. This brings great risk to people who use electronic means for social and economic activities, has an adverse influence on the development of the rising electronic automated transaction business (e-commerce, e-payment and so on), and hinders these industries from developing further.
Digital certificate encryption technology can encrypt and decrypt, digitally sign and verify the information transmitted over a network, guaranteeing the confidentiality and integrity of the information in transit, the authenticity of the identities of the transacting entities and the non-repudiation of signed messages, and thereby the security of network applications. Digital certificates strengthen the security of the communication process to a great extent, but a storage medium (a USB storage card or other medium) is needed to preserve and use them. In a "USB-flash-disk-based certificate system", the basic idea of the device authentication system is to store the certificate information in a USB flash disk so that the certificate travels with its owner; but this equipment increases the cost of the whole authentication system, and if the certificate is lost the consequences are as serious as described above. Moreover, the certificates popular in the industry carry high usage fees and are inconvenient to install: every user must install software on the computer, which is hard to imagine going well for ordinary users whose computer skills are not high.
Dynamic password mechanisms have now appeared. A dynamic password (Dynamic Password) is also called a one-time password (One-time Password). A dynamic password changes, and its change derives from changes in the operational factors that produce it. The generation of a dynamic password generally uses two operational factors (Two Factor): the first is the user's private password, the identification code representing the user's identity, which does not change; the second is a changing factor. It is the continuous variation of the changing factor that produces the continuously changing dynamic password. Different changing factors give different dynamic password authentication technologies: time-synchronous (Time Synchronous) authentication, event-synchronous (Event Synchronous) authentication, and challenge/response asynchronous (Challenge/Response Asynchronous) authentication.
Time-synchronous authentication uses elapsed time as the changing factor, generally with 60 seconds as the unit of variation. "Synchronous" means that the passwords produced by the user's password card and by the authentication server must be synchronised in time. The time synchronisation method here is not a "time system" technique but a "sliding window" technique. The figure shows the time-synchronous authentication process when a client terminal accesses the system: the clock of the user-side terminal is synchronised with the clock of the server, and when the user enters the password, the dynamic password generated by the user terminal must match the dynamic password generated by the server, otherwise the server's password authentication fails. This system likewise requires costly user terminal equipment.
Chinese invention patent 03106069.2 discloses a dynamic data password input method and device. Its method is: the data jump units offered to the operator for input selection are automatically in a state of dynamic change, so that the meaning represented by a data jump unit is determined by what the operator confirms at different moments; until the operator has input the whole password, the system reads in and stores all the data the operator inputs and performs a uniqueness judgment on the stored data; when the stored data is unique, that unique data is the password the operator input. This method, however, does not really operate dynamically on the password itself; it only performs a jump treatment on the input interface, and its security is not high.
Chinese invention patent 00109820.9 discloses a method and a corresponding electronic device for confirming payment with a dynamic password: a dynamic password authentication device generates a randomly produced day code and sends it, directly or through a retransmission centre, to the user and to the merchant or bank; the user inputs to the merchant or bank a dynamic password composed of this day code together with the "heart code" the merchant or bank gave the user in advance, for the merchant or bank to check. This method needs a third party to participate, and the user's password of the day must be notified by mail, mobile phone short message or similar means; the encryption work is done entirely by the service side while the user simply receives the password, which creates further possibilities of leakage and is inconvenient to use: in each transaction the user must obtain the password from the dynamic password authentication device through relaying, so the user obtains the password passively.
Summary of the invention
The present invention is proposed to address the problems above, and its object is to provide an identity authentication method and system based on dynamic passwords: the server side changes the password dynamically and prompts the user about the change, and the user inputs the corresponding password, so that the user's password changes dynamically and the security of user accounts and of the system is raised.
A dynamic password method: the user side has at least one index and at least one cipher symbol, and a correspondence between the index and the cipher symbol is established; the operating side generates a dynamic password and, according to the correspondence between index and cipher symbol, provides the user side with the index corresponding to the current dynamic password; the user side thereby obtains the dynamic password corresponding to the index.
Before the operating side provides the user side with the index corresponding to the dynamic password, a step of synchronising the correspondence between index and cipher symbol between the user side and the operating side is also included; in this step the operating side offers the user a rule, set by the user, that changes the index symbols corresponding to the current dynamic password.
The correspondence between the index and the cipher symbol is formulated by the user and notified to the operating side.
The correspondence between the index and the cipher symbol is formulated by the operating side.
The correspondence is that at least one index corresponds to one cipher symbol.
The index is a combination of one or more of digits, letters, punctuation marks and symbols.
The cipher symbol is a combination of one or more of digits, letters, punctuation marks and symbols.
The index, the cipher symbols and their correspondence are stored in an encrypted card or a mobile communication terminal on the user side.
The encrypted card is a paper, plastic or metal product.
The mobile communication terminal stores and processes the index and the cipher symbols by way of a multimedia message or a dynamic password module.
The dynamic password method using a mobile communication terminal comprises:
Step 1. The user inputs the user sequence number on the application system.
Step 2. The application system communicates with the dynamic password device in the background.
Step 3. According to the correspondence between index and cipher symbol, the dynamic password device dynamically generates a cipher symbol string and the corresponding index string, and sends the index string to the application system.
Step 4. The index string is shown on the interface of the application system, and the user is prompted to input the corresponding cipher symbol string.
Step 5. According to the index string displayed on the application system interface, the user starts the dynamic password module on the mobile phone or other mobile terminal.
Step 6. The dynamic password module stores the correspondence between index and cipher symbol; from the index string the user inputs, it finds the corresponding cipher symbol string and shows it on the screen of the mobile terminal.
Step 7. The user inputs on the application system interface the cipher symbol string shown by the mobile terminal.
Step 8. After obtaining the cipher symbol string, the application system transmits it to the dynamic password device, which verifies whether it is consistent with the generated dynamic password symbol string.
If the user inputs a wrong dynamic password, this login is recorded and the number of wrong inputs is accumulated; once it reaches a certain number, the user is refused further password input.
A dynamic password system comprises:
a dynamic password device, used to generate, manage and maintain dynamic passwords;
a background application system, connected with the dynamic password device, which completes the confirmation of the user's identity;
a user input terminal, connected with the dynamic password device, used to display and input user information and passwords;
a user-side dynamic password unit, which has at least one index and at least one cipher symbol corresponding to an index; the dynamic password device provides the at least one index corresponding to the current dynamic password, which is displayed on the user input terminal; the user inputs at that terminal the cipher symbols corresponding to the displayed indices; if the cipher symbols input are correct, the user's identity is confirmed and the user is allowed to enter the system and perform the related operations.
The user-side dynamic password unit comprises a password card or a mobile communication terminal.
The password card is a paper, plastic or metal product.
The mobile communication terminal comprises: a mobile phone, PDA, computer or calculator.
The beneficial effect of the present invention is that the randomly generated key sequence makes each login password of the user unpredictable, so that even network monitoring, brute force or related guessing cannot crack it; the strength of the password is very high; because of the variability of the password, the routine work of users changing their passwords is saved while the purpose of frequent password changes is achieved; even if the medium storing the password string (such as the password card) is lost, the security of the user's password can still be guaranteed by other safeguards; the special-purpose password calculating device of the user side in existing dynamic password systems is dispensed with, reducing cost; and the system has the advantages of higher security, low investment cost, wide applicability and relatively easy integration with applications.
Embodiment
Below, the present invention is described in detail with reference to the accompanying drawings.
Figure 1 is a schematic diagram of the user-side dynamic password card of the present invention. To reduce the cost of the card, paper or plastic can be used as the carrier of the user account, the indices and the cipher symbols; a protective layer is coated over the indices and cipher symbols to prevent them from being learned by methods such as strong-light illumination. The indices and cipher symbols may be any signs, including letters, digits, punctuation marks and other characters. In this example the index is a single digit and the cipher symbols are a mix of upper-case letters, lower-case letters and digits; each group of index symbols corresponds to one cipher symbol, for example the first index symbol "1" corresponds to the cipher symbol "e" and the second index symbol "2" corresponds to the cipher symbol "u".
Figure 2 is a schematic diagram of another user-side dynamic password card of the present invention. In the figure each group of index symbols consists of 2 symbols, one denoting the row and one the column, forming a matrix; each row and each column corresponds to different cipher symbols; for example the first index symbol group "11" corresponds to the cipher symbol "a", another group "12" corresponds to the cipher symbol "b", and the index "45" represents the cipher symbol "t".
Figure 5 is a schematic diagram of the dynamic password card of the present invention realised on a mobile terminal. The user's indices and cipher symbols are set up by the user, sent to the server side over the network, and at the same time set on the user's mobile terminal. When the system requires identity confirmation and the user must input a password, it prompts the user with an index string; the user inputs the index string into the dynamic password module of the mobile terminal, and the module concatenates the dynamic password from the cipher symbols set in advance according to the index string input. The steps are:
Step 1. The user inputs the user sequence number on the password input terminal (the application system).
Step 2. The application system communicates with the dynamic password device in the background.
Step 3. According to the index and password correspondence table the user sent to it in advance, the dynamic password device dynamically generates a cipher symbol string and the corresponding index string, and sends the index string to the application system.
Step 4. The index string is shown on the interface of the application system, and the user is prompted to input the corresponding cipher symbol string.
Step 5. According to the index string displayed on the application system interface, the user starts the dynamic password module on the mobile phone or other mobile terminal.
Step 6. This dynamic password module is stored in the memory of the mobile phone or other mobile terminal and holds the index and password correspondence list the user set; from the index string the user inputs, it finds the corresponding cipher symbol string and shows it on the screen of the mobile terminal.
Step 7. The user inputs on the application system interface the cipher symbol string shown by the mobile terminal.
Step 8. After obtaining the cipher symbol string, the application system transmits it to the dynamic password device, which verifies whether it is consistent with the generated dynamic password symbol string.
As another embodiment, the mobile terminal or mobile phone described above can also receive from the dynamic password device a mapping table between index strings and cipher symbol strings in picture or table form; this picture or table can be sent by multimedia short message, the mapping table being as shown in Figure 1, and the user inputs each password according to this mapping table.
Figure 3 is a schematic diagram of an online banking system using the present invention. Online banking has the following features: a large number of users, especially popular-edition users; high security requirements, since popular-edition users who have neither the funds nor the need to buy a certificate still want more protection for their online bank accounts; and high performance requirements, since online banking serves 7 x 24 hours and the transaction processing capacity required in peak periods, within the response time users expect, is very high.
In view of these features of online banking, adopting the embedded dynamic password system raises the user's security level, reduces the bank's business risk and preserves the original performance of the online banking system at the lowest cost.
First, after receiving the user-side dynamic password card, the user needs to activate it online or by telephone; only then does the bank's dynamic password device begin computing. During this process the user can also set an index sequence and corresponding cipher symbol sequence of their own, and all this user information is stored in the dynamic password device. The device generates dynamic passwords according to the stored information of each user side (either the index sequence and cipher symbol sequence the user specified, or the index sequence and cipher symbol sequence carried by the password card). When the user initiates a connection or transaction request to personal online banking, corporate online banking, the bank interconnection service and so on, the online banking core transaction platform starts the dynamic password device, obtains the dynamic password of the current moment and stores it in a cache. The generated dynamic password symbols are all symbols from the cipher symbols of the user-side password card. Using the information left when the user synchronised the indices and cipher symbols of the card with the device at activation, the device converts the generated dynamic password into the corresponding indices and prompts the user to input the cipher symbols corresponding to those indices. For example, if the dynamic password the device generates for the card of Fig. 1 is eu8u, the user should be prompted to input the cipher symbols corresponding to the 1st, 2nd, 4th and 5th indices on this card, and the user, consulting the card, inputs "eu8u". On receiving the user's input, the device compares it with the dynamic password in the cache; if the two are identical the user's identity is proven and the online bank performs the transaction; if they differ, the device generates a dynamic password again and asks the user to make a second input. If the user's password input attempts exceed a certain number, such as 3, the time of the user's last attempt is recorded and service is denied for a period, so as to prevent input attempts by someone other than the owner of the dynamic password card.
When prompting the user for the cipher symbols, the operating side can present the index to the user in the form of a distorted image, as mentioned above, to strengthen confidentiality and prevent network interception.
For popular-edition users, the login link:
At each login, the corresponding password string is input at the dynamic password position according to the system prompt; the formalities are not increased much;
The customer service link:
Some password management functions are provided in the corresponding customer service page of the online bank, such as password offset setting and password cancellation rule management;
Online banking core transaction platform:
The corresponding control steps for the dynamic password card are added, such as dynamic password checking, dynamic password offset setting and dynamic password cancellation rule setting.
Personal online banking system:
Customer service functions are added, such as password offset setting and password cancellation rule management;
In the login process, the original password comparison part is replaced with the control step of dynamic password checking;
Internal management system:
In the user registration flow for non-certificate users, a step of issuing the dynamic password card is added;
Functional modules such as loss reporting and rule maintenance for the dynamic password card are added.
Further, to strengthen the confidentiality of the dynamic password, a migration technique can also be adopted. In the migration technique the user selects an offset when synchronising the dynamic password card with the dynamic password device; when the client sends a password check request, the indices prompted by the system must be recombined according to the offset the client predefined, and the cipher symbols corresponding to this recombined index sequence are the login password the client should input (wrapping around cyclically if the end of the card is exceeded). For example: the password string of client A is as shown in Figure 1; a uniform offset of 1 to the right is set; the system prompts the index sequence 20, 1, 3, 4; someone who does not know the direction or size of the offset would directly input rej8, but the true index sequence for this login should be 1 (20+1, wrapped around), 2 (1+1), 4 (3+1), 5 (4+1). Hence the password with which this client logs in this time should be eu8u. A uniform offset of 1 to the left can likewise be set; the system prompts the index sequence 2, 3, 5, 6; someone who does not know the direction or size of the offset would directly input uju6, but the true index sequence for this login should be 1 (2-1), 2 (3-1), 4 (5-1), 5 (6-1). Hence the password with which this client logs in this time should again be eu8u.
Setting different offsets: when the client sends a password check request, the indices prompted by the system must be recombined position by position according to the offsets the client predefined, and the recombined index sequence gives the login password the client should input (wrapping around cyclically if the end is exceeded). For example: the cipher symbol matrix of client A is as shown in Figure 2; uniform row-wise cyclic offsets of 1, 2, 3, 4 to the right are set; the generated password is abty, so the dynamic password device prompts the user with the index sequence 15 (row 1, column 5), 15 (row 1, column 5), 42 (row 4, column 2), 51 (row 5, column 1); someone who does not know the direction or size of the offsets would directly input eequ, but the true sequence for this login should be 11 (row 1 unchanged, column 5 moved cyclically 1 to the right), 12 (row 1 unchanged, column 5 moved cyclically 2 to the right), 45 (row 4 unchanged, column 2 moved cyclically 3 to the right), 55 (row 5 unchanged, column 1 moved cyclically 4 to the right). Hence the password with which this client logs in this time should be abty. Moving to the left works in the same way.
When column-wise cyclic offsets of 1, 2, 3, 4 upward are set: the generated password is abty, so the dynamic password device prompts the user with the index sequence 21 (row 2, column 1), 32 (row 3, column 2), 25 (row 2, column 5), 45 (row 4, column 5); someone who does not know the direction or size of the offsets would directly input fljt, but the true sequence for this login should be 11 (row 2 moved cyclically 1 up, column 1 unchanged), 12 (row 3 moved cyclically 2 up, column 2 unchanged), 45 (row 2 moved cyclically 3 up, column 5 unchanged), 55 (row 4 moved cyclically 4 up, column 5 unchanged). Hence the password with which this client logs in this time should be abty. Cyclic movement downward works in the same way.
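The following Python script is an illustration added here, not code from the patent. It implements the challenge/response flow of steps 1 to 8 (server picks cipher symbols, converts them to indices, the card holder resolves the indices, the device compares against its cache and locks after 3 failures as in the online banking example) together with the migration rule above, generalised to any per-position offset on either the linear Figure 1 card or the Figure 2 matrix card. The card contents are constructed from only the cells the text quotes, and the device class name is hypothetical.

```python
import secrets
from dataclasses import dataclass

# Constructed partial reproductions of the two cards whose values the text quotes.
# Figure 1 style: a single index (here 1..20) maps to one cipher symbol; only the
# cells the text mentions are filled in, a real card would populate all of them.
LINEAR_CARD = {1: "e", 2: "u", 3: "j", 4: "8", 5: "u", 6: "6", 20: "r"}
LINEAR_SIZE = 20

# Figure 2 style: index "rc" is (row, column) in a 5x5 matrix; again only the
# cells the text mentions are filled in.
MATRIX_CARD = {(1, 1): "a", (1, 2): "b", (1, 5): "e", (2, 1): "f", (2, 5): "j",
               (3, 2): "l", (4, 2): "q", (4, 5): "t", (5, 1): "u", (5, 5): "y"}
MATRIX_SIZE = 5


def wrap(value, size):
    """Cyclic wrap of a 1-based index into 1..size ("if exceeding then circulate")."""
    return (value - 1) % size + 1


def linear_prompt(true_indices, shift, size=LINEAR_SIZE):
    """Server side: convert the true card indices of the generated password into the
    indices to display, so that true = displayed + shift (shift > 0 means "right")."""
    return [wrap(i - shift, size) for i in true_indices]


def linear_resolve(displayed, shift, card=LINEAR_CARD, size=LINEAR_SIZE):
    """Card-holder side: apply the secret shift, then read the symbols off the card.
    shift = 0 is what an observer who does not know the offset would type."""
    return "".join(card[wrap(i + shift, size)] for i in displayed)


def matrix_prompt(true_cells, offsets, size=MATRIX_SIZE):
    """Per-position offsets (drow, dcol) with right = +dcol and up = -drow;
    true cell = displayed cell + offset, both coordinates wrapping cyclically."""
    return [(wrap(r - dr, size), wrap(c - dc, size))
            for (r, c), (dr, dc) in zip(true_cells, offsets)]


def matrix_resolve(displayed, offsets, card=MATRIX_CARD, size=MATRIX_SIZE):
    """Card-holder side for the matrix card; offsets of (0, 0) give the naive input."""
    return "".join(card[(wrap(r + dr, size), wrap(c + dc, size))]
                   for (r, c), (dr, dc) in zip(displayed, offsets))


@dataclass
class DynamicPasswordDevice:
    """Bank-side device (hypothetical name): generates a password from the user's
    card cells, caches it, and refuses further input after max_failures wrong tries."""
    card: dict
    max_failures: int = 3
    cached: str = ""
    failures: int = 0
    locked: bool = False

    def challenge(self, length=4):
        """Pick card cells at random; the password uses only symbols on the card.
        Returns the true cells, which the caller turns into displayed indices."""
        cells = [secrets.choice(list(self.card)) for _ in range(length)]
        self.cached = "".join(self.card[c] for c in cells)
        return cells

    def verify(self, submitted):
        """Compare the input with the cached password in constant time; the cached
        password is discarded either way, so the next attempt gets a fresh one."""
        if self.locked or not self.cached:
            return False
        ok = secrets.compare_digest(submitted.encode(), self.cached.encode())
        self.cached = ""
        if ok:
            self.failures = 0
        else:
            self.failures += 1
            self.locked = self.failures >= self.max_failures
        return ok
```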
As shown in Figure 4, for the many application systems facing internal employees, the present invention is used as an independent dynamic password system to transform the authentication of all internal application systems; this relatively low-cost scheme can solve the problem of internal single sign-on authentication. When used inside an enterprise, the dynamic password device can produce different dynamic passwords in an event-driven manner; the indices on the user-side dynamic password card can be letters or any other signs, since they serve only as indices, and the values of the cipher symbols are likewise unrestricted: the more kinds of cipher symbol (letters, punctuation and other symbols) used on the same password card, the safer. The user input terminal can be a computer connected to the network, or another platform the transaction service provider offers, such as an ATM.
The beneficial effect of the present invention is that the user-side password calculating device of existing dynamic password systems is dispensed with, reducing cost while guaranteeing adequate security; the password system has strong algorithmic diversity and better meets the demands of applications.
The above embodiments are only used to illustrate the present invention, not to limit it.