CN1937498A - Dynamic cipher authentication method, system and device - Google Patents
Dynamic cipher authentication method, system and device Download PDFInfo
- Publication number
- CN1937498A CN1937498A CN 200610113609 CN200610113609A CN1937498A CN 1937498 A CN1937498 A CN 1937498A CN 200610113609 CN200610113609 CN 200610113609 CN 200610113609 A CN200610113609 A CN 200610113609A CN 1937498 A CN1937498 A CN 1937498A
- Authority
- CN
- China
- Prior art keywords
- dynamic password
- user
- time
- authentication
- challenge code
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
This method includes the relation between the user's account number and the tag info about storing dynamic code generator (DCG) and the preset algorithm (PA) of DCG. The user end (UE) sends the authentication request to the authentication server (AS). The latter returns a generating challenge code (CC). According to CC, DCG generates 1st dynamic code (DC) by means of PA. UE sends to AS the authentication info including user account number and the 1st DC. The AS confirms the tag info of the related DCG via the user account number, and then obtains PA of DCG. The 2nd DC is obtained from PA and calculating the CC. The authentication will be passed if the 1st DC is equal to the 2nd. This can prevents effectively code leakage from network attack, e.g. interception, peep, social engineering, etc.
Description
Technical field
The present invention relates to field of identity authentication, particularly relate to a kind of dynamic cipher authentication method, system and device.
Background technology
In actual life; we individual's identity is mainly confirmed by various certificates; such as identity card, residence booklet etc., the various system resources of computer (as: file, database and application system etc.) also need the protection of authentication mechanism, thereby guarantee that these resources are used by legal users.
Present all kinds of computational resource is mainly protected by the cipher authentication mode, generally uses static password authentication and dynamic cipher verification dual mode.
What the static password authentication mode adopted is the authentication mode of " user name+password ".When the user logined, application server carried out authentication by static password, confirmed whether be legal authorized user.The shortcoming of this authentication is: because user's account number is the plaintext of fixing, password is static, and the user can not change password in for a long time, cause this password to be easy to be stolen; Modes such as the attack pattern commonly used to this authentication mode has network data flow eavesdropping, authentication information intercepting/playback, dictionary attack, exhaustive trial, spies upon, Social Engineering; Because there are more security breaches in this authentication mode, the security intensity that client identity authentication is confirmed can not satisfy the requirement of modern types of applications system.
At the shortcoming of static password authentication, dynamic cipher verification can improve the security intensity of authentication.Dynamic password also claims a password OTP (One-time Password), and it dynamically derives from the operational factor that produces password and changes in time.Disclose a kind of system and method for dynamic cipher verification as Chinese patent 200410084210.X patent application document, its Verification System mainly contains formations such as time dynamic password generator, certificate server and client, when logining, the client inputs the random dynamic puzzle that user name, static password and time dynamic password generator produce, after the application server checking, whether decision allows the user to login, and this method has solved the problem that static password is attacked easily.But also there is certain problem in dynamic cipher authentication method: in unsafe environment, the user is in input OTP, OTP just may be stolen, if the stealer has also stoped the serviced device authentication of OTP, the stealer just can obtain an effective OTP so, thereby can enter user's account number at short notice.For example: the assailant can be provided with the logon server of a personation, the guiding user logins, gain user's user name, static password and the dynamic password of this moment by cheating, if the assailant can stop the serviced device authentication of OTP, then at dynamic password in the effective time, the assailant just can login the user account of real service device.
In a word, all there are some defectives in existing cipher authentication method, is difficult to effectively prevent man-in-the-middle attack.
Summary of the invention
Technical problem to be solved by this invention provides a kind of method of safer dynamic cipher verification, to solve the problem that prior art can not effectively stop impersonation attack.
In order to address the above problem, the invention discloses a kind of dynamic cipher authentication method, comprise the following steps: to store the identification information of time dynamic password generator and the corresponding relation of user account number, and preset algorithm in this time dynamic password generator; User terminal sends authentication request to certificate server; Described certificate server returns the challenge code of generation; Described time dynamic password generator is according to described challenge code, and employing is preset algorithm and generated first dynamic password; Described user terminal sends authentication information to certificate server, and described authentication information comprises the user account number and first dynamic password; Described certificate server is determined the identification information of corresponding dynamic password generator according to user account number, obtains the algorithm that presets of this time dynamic password generator, according to described challenge code and preset algorithm computation and obtain second dynamic password; Compare first dynamic password and second dynamic password, if consistent, then authentication is passed through.
Preferably, described presetting also comprises time parameter in the algorithm, and described time parameter is produced by time dynamic password generator hardware or the certificate server clock obtains.
Preferably, described certificate server adopts the time window certification policy to the checking of dynamic password, allow the dynamic password in this time window to pass through authentication, described time window was dynamically adjusted according to the time interval of user's login and the clock cumulative errors of time dynamic password generator.
Preferably, described authentication information also comprises static password, and described certificate server is verified described static password, if the verification passes, then proceeds the checking of dynamic password, otherwise, authentication failed.
Preferably, described method also comprises: when the corresponding relation of the identification information of setting up described time dynamic password generator and user account number, the setting check phase, the described affirmation phase is used to point out the user whether to confirm the corresponding relation of having set up.Preferably, described corresponding relation for one to one, many-one or one-to-many.
The present invention also provides a kind of dynamic cipher authentication system, comprises,
User terminal is used for sending authentication request to certificate server, receives the challenge code that returns; And the authentication information that comprises the user account number and first dynamic password to the certificate server transmission;
Time dynamic password generator is used for according to described challenge code, and employing is preset algorithm and generated first dynamic password;
Certificate server comprises with lower member: interface unit is used to receive authentication request, the authentication information that user terminal sends, and returns corresponding information; The challenge code generation unit is used to generate challenge code; First database is used to store the identification information of time dynamic password generator and the corresponding relation of user account number, and this time dynamic password generator preset algorithm; The dynamic password verification server, link to each other with first database, be used for determining the identification information of corresponding dynamic password generator, obtain the algorithm that presets of this time dynamic password generator, according to described challenge code and preset algorithm computation and obtain second dynamic password according to user account number; And compare first dynamic password and second dynamic password, if consistent, then authentication is passed through.
Preferably, described presetting also comprises time parameter in the algorithm, and described time parameter is produced by time dynamic password generator hardware or the certificate server clock obtains.
Preferably, described dynamic password verification server adopts the time window certification policy to the checking of dynamic password, allow the dynamic password in this time window to pass through authentication, described time window was dynamically adjusted according to the time interval of user's login and the clock cumulative errors of time dynamic password generator.
Preferably, when the authentication information of described user terminal transmission also comprised static password, described certificate server also comprises: second database was used for user's account number storing and corresponding static password; The static password authentication server links to each other with the dynamic password verification server with second database, is used to the static password of verifying that the user imports.
Preferably, described certificate server also comprises: the binding acknowledgement unit, be used for when the corresponding relation of the identification information of setting up described time dynamic password generator and user account number, the setting check phase, the described affirmation phase is used to point out the user whether to confirm the corresponding relation of having set up.
The also claimed a kind of dynamic password generating apparatus of the present invention comprises: input unit, be used to receive challenge code, and described challenge code is generated according to user authentication request by certificate server; Operation processing unit is used for according to described challenge code and present clock data, adopts and presets the algorithm computation dynamic password; Clock unit is used to provide the present clock data; Output unit is used to export described dynamic password.
The also claimed another kind of dynamic password generating apparatus of the present invention comprises: input unit, be used to receive challenge code, and described challenge code is generated according to user authentication request by certificate server; Operation processing unit is used for presetting the algorithm computation dynamic password according to described challenge code employing; Output unit is used to export described dynamic password.
Compared with prior art, the present invention can effectively prevent man-in-the-middle attack.In the methods of the invention, when logining at every turn, the user generates and sends a new challenge code at random by application server, password generator generates the dynamic password of this login according to this challenge code, challenge code and dynamic password are only effective in this login, when the assailant has stolen dynamic password and has logined, server can generate another challenge code, the dynamic password login that the assailant can not be used steal, thus effectively prevented network intercepting, spied upon, the attack of type such as Social Engineering caused password to reveal.
Description of drawings
Fig. 1 is the flow chart of method of the present invention;
Fig. 2 is a method embodiment running environment block diagram of the present invention;
Fig. 3 is the time dynamic password generator binding procedure block diagram of method embodiment of the present invention;
Fig. 4 is the verification process block diagram of method embodiment of the present invention;
Fig. 5 is that the time dynamic password generator of method embodiment of the present invention is separated and tied up the process block diagram;
Fig. 6 is a system block diagram of the present invention;
Fig. 7 is dynamic password generating apparatus embodiment 1 block diagram of the present invention;
Fig. 8 is dynamic password generating apparatus embodiment 2 block diagrams of the present invention.
Embodiment
For above-mentioned purpose of the present invention, feature and advantage can be become apparent more, the present invention is further detailed explanation below in conjunction with the drawings and specific embodiments.
With reference to Fig. 1, be the flow chart of method of the present invention.The equipment that this method relates to has: with the user terminal that certificate server is connected by network, off-line is time dynamic password generator etc. movably.
Concrete steps comprise:
Step 101 at the identification information of server end storage time dynamic password generator and the corresponding relation of user account number, and presets algorithm in this time dynamic password generator.
For each time dynamic password generator, its inside comprises unique identification information, in order to distinguish different time dynamic password generators, the general sequence number that dispatches from the factory that can not rewrite that solidifies by hardware that adopts of this unique identification information, also adopt rewritable mode to deposit identification information, for example, can write number by the publisher of time dynamic password generator as identification information.In the time will using time dynamic password generator to carry out authentication, must bind user account and time dynamic password generator earlier, binding can be undertaken by the user, when binding, the user at first obtains time dynamic password generator, and the user is connected to service end by user terminal, the identification information of input personal information and time dynamic password generator, application is bound, and after binding was finished, server end was recorded in the corresponding relation of the identification information of time dynamic password generator and user account in the database.
Server end is also preserved the algorithm of each time dynamic password generator in advance, in order to calculating dynamic password, and and the dynamic password of the user's input usefulness of comparing.
Preferably, can only be tied to a time dynamic password generator on the user account, also can be tied to a plurality of time dynamic password generators on the user account, also can be tied to a time dynamic password generator on a plurality of user accounts.
When a plurality of time dynamic password generators are tied on the user account number, can use separately time dynamic password generator and same user account number to carry out authentication by many people, but they can not use simultaneously, fail safe and convenience problem when this mode has made things convenient for many people to use same user account number.
When a dynamic password is tied on a plurality of user account numbers, a plurality of user account numbers can not be in the same application system, be that the user can use same time dynamic password generator to be tied on the account number of the different application system that same service provider provides, for example, can use on the user account number of the application systems such as website, mailbox, recreation or forum that same time dynamic password generator is bound same service provider to be provided.
Preferably, can set an affirmation phase when time dynamic password generator and user account binding,, be used to point out the user whether to confirm the corresponding relation of having set up as being set at 6 days.After having only the user to confirm binding in the affirmation phase, this binding just can come into force.Under the situation that user's static password leaks, other malicious user may use time dynamic password generator to carry out the binding of user account, if bind successfully, malicious user just can be by authentication, and set the affirmation after date, the information indicating that normal user will point out time dynamic password generator to bind, need the user to confirm when logining if not the binding of oneself carrying out, can take to change the binding that modes such as static password, cancellation binding are avoided malicious user.Can also be for the binding of the user applies of new registration, not needing the setting check phase, binding comes into force.
Preferably, the dynamic password algorithm that preset time dynamic password generator inside can adopt discrete function algorithms such as Hash, can also comprise time parameter in the parameter of described dynamic password algorithm, and described time parameter can be produced by the hardware of time dynamic password generator.For example, time parameter can be produced by built-in clock unit, and clock unit and standard time keep synchronously.When importing different challenge codes, the dynamic password of generation also is different, when same challenge code was imported and imported on different time dynamic password generators in the different time, all can generate different dynamic passwords.Certainly also can adopt other algorithm to produce dynamic password here.
Step 102, user terminal sends authentication request to certificate server.
When the user need authenticate the identity of oneself, the user can operate user terminal certificate server connected directly or indirectly, concurrent class origin authentication request.Application can comprise the information of user terminal, can also comprise user account information.
Step 103, described certificate server are returned the challenge code that generates at random.
After certificate server receives the authentication request that the user sends, generate challenge code at random, and preserve the challenge code that generates at certificate server.Challenge code can adopt the mode of pseudo random number or true random number to generate, thereby guarantees that the challenge code that generates can not repeat.Certainly, also can adopt other algorithms well known to those skilled in the art to obtain the challenge code that can not repeat within the specific limits, the present invention not merely is limited at random and generates.
Certificate server sends to user terminal as the return information to authentication request with the challenge code that generates; After user terminal receives challenge code, show.
Step 105, described time dynamic password generator receives the challenge code of user's input, and employing is preset algorithm and is generated first dynamic password.
The user opens time dynamic password generator, and the challenge code that shows on the described user terminal is imported dynamic secret code generator, and time dynamic password generator generates first dynamic password according to the challenge code of input according to presetting algorithm, is presented on the display.
Step 106, the user sends authentication information to certificate server by described user terminal, and described authentication information comprises first dynamic password that user account number and time dynamic password generator generate; Described certificate server is determined the identification information of corresponding dynamic password generator according to user account number, obtains the algorithm that presets of this time dynamic password generator, according to described challenge code and preset algorithm computation and obtain second dynamic password.
Preferably, when the authentication server computes dynamic password, described time parameter obtains from the certificate server clock, and server clock and standard time clock keep synchronously.
Step 107 is compared first dynamic password and second dynamic password, if both unanimities, then authentication is passed through.
Preferably, for avoiding since the authentication that the time error of time dynamic password generator and certificate server causes do not pass through, when dynamic password verification, by certificate server, calculate the dynamic password in the current time front and back certain hour window, for example, when set allowing login preceding 1 minute and back 2 minutes dynamic password can be logined, when the dynamic password of user input is in time window, think that authentification of user passes through, and, the time error of certificate server record time dynamic password generator and certificate server, adjustment participates in the parameter of the time of cryptographic calculations when authenticating as next time; Under the situation of avoiding the long-time not login of user, the time error of accumulative total is bigger, the scope that has exceeded the adjusting of time window, cause that the user can not be by the problem of authentication, login time is not long more as the user, and then the scope of setting-up time window is wide more, for example, when the user did not login in one week, can on time window, add 1 minute in front and back, when logining, two weeks can on time window, not add 2 minutes in front and back.
Preferably, above-mentioned steps also comprises, the user also comprises predefined static password by user terminal in the authentication information that certificate server sends, user terminal sends to certificate server to static password and user profile, through and the static password comparison set of the user that preserves after, determining whether user's static password is verified passes through, if the verification passes, then proceed the checking of dynamic password, if checking is not passed through.Also can adopt the mode of dynamic password and static password simultaneous verification, when both checkings all by the time think that user account authentication passes through, when having Xiang Wei to pass through, authentication failed.
Preferably, when user account is bound a plurality of time dynamic password generator, certificate server calculates a plurality of second dynamic passwords according to the sequence number of a plurality of time dynamic password generators of challenge code, user binding, compare with first dynamic password of user's input then, meet if having, then think the checking pass through, in this case, do not need the user to import the sequence number of the time dynamic password generator of this login use, convenient for users, and can satisfy the demand that many people use same user account.
Time dynamic password generator described in Fig. 1 is an off-line equipment, so challenge code needs the user to import by hand, and the generation of virus, password or algorithm taking and carring away in the time of can avoiding line so further guarantees the safety of time dynamic password generator.Certainly, with time dynamic password generator be designed to can with user terminal or Server Transport data, also be that those skilled in the art can realize fully, the present invention does not need this to be limited.
Verification process with user's logging in game server is that example is further introduced method of the present invention below.The details that show this specific embodiment that Fig. 2-Fig. 5 is complete.
With reference to Fig. 2, it is method embodiment running environment block diagram of the present invention, comprise, the game server 201 that is connected by network, recreation certificate server 202 (being the static password certificate server), game database server 203, token certificate server 204 (being the dynamic cipher verification server), token database server 205 and user terminal 206, and off-line time dynamic password generator 207 movably.
In the present embodiment, a user account number can be bound a plurality of time dynamic password generators, and convenient different user uses same user account number logging in game with time dynamic password generator separately.
With reference to Fig. 3, be the time dynamic password generator binding procedure block diagram of embodiments of the invention, specifically comprise the following steps:
Step 204,201 pairs of user accounts of game server and static password authenticate, if the static password authentication is passed through execution in step 306 for by execution in step 305 if authenticate.The static password verification process is finished by recreation certificate server 202, recreation certificate server 202 is compared to the static password of user's input according to the user's who preserves in the game database server 203 static password, confirms whether the authentication of user's static password is passed through.
Binding back game server can be provided with a checking phase, is generally about 6 days, and in the meantime, the user does not separate to tie up and thinks that promptly the user confirms binding.Account number still can be used during the application binding, and system can point out and apply for binding account number when login.Can also be set an affirmation phase at the checking after date, carry out last affirmation by the user, have only through after user's affirmation, binding just comes into force.Can according to circumstances set the time of the two in actual the use, as the checking phase being made as 0 day, the affirmation phase was made as 6 days, after the user applies binding, can confirm binding at once, thereby make user account number obtain the protection of dynamic password at once like this.
With reference to Fig. 4, be the verification process block diagram of method embodiment of the present invention, specifically comprise the following steps:
Step 406 judges whether user account has bound time dynamic password generator, if not binding, execution in step 407, if bind, execution in step 410.
Step 407 judges whether the user has imported dynamic password, if not input, execution in step 408, if imported dynamic password, execution in step 409.
Step 413 judges whether time dynamic password generator is reported the loss, as reporting the loss, and execution in step 414, as do not report the loss execution in step 416.
Step 414 judges whether allow the user to login after time dynamic password generator is reported the loss, if allow, execution in step 408 is not if allow login, execution in step 415.
Step 415 notifies user's time dynamic password generator to report the loss, forbids that the user logins.
With reference to Fig. 5, be that the time dynamic password generator of method embodiment of the present invention is separated and tied up the process block diagram, specifically comprise the following steps.
Step 501, the user sends the binding application of removing time dynamic password generator at user terminal 206.
Step 502, game server 201 receive to separate ties up application, generates challenge code at random, and sends challenge code to user terminal 206.
Step 503, user terminal 206 receives challenge code, and show, the user is input to time dynamic password generator 207 to challenge code, time dynamic password generator 207 obtains dynamic password by the algorithm that presets, the user imports number of the account, static password, dynamic password on user terminal, submit to game server 201.
Step 504,201 pairs of user accounts of game server and static password verify that if the static password checking is not passed through, execution in step 505 is if execution in step 506 is passed through in authentication.
Step 505, informing user terminal 206, the static password mistake is separated and is tied up failure.
Step 506 judges whether user account has bound time dynamic password generator, if not binding, execution in step 507, if bind, execution in step 508.
Step 507, informing user terminal 206, this user account are not bound time dynamic password generator, separate and tie up failure
Step 508 is submitted to token certificate server 204 with sequence number, random number and the dynamic password of time dynamic password generator.
Step 509, token certificate server 204 goes out authentication password (i.e. second dynamic password) according to the sequence number of time dynamic password generator and the algorithm computation that presets of challenge code and this sequence number correspondence, compare with the dynamic password of user's input, and return authentication result, if authentication is passed through, execution in step 511 is not if execution in step 510 is passed through in authentication.
Step 510, informing user terminal 206, the dynamic password mistake is separated and is tied up failure.
Step 511 is removed the binding relationship between user account and time dynamic password generator, is recorded in the database, and issues the prompt for successful information of tying up of separating.
Certificate server has adopted distributedly in the foregoing description, finishes the authentication of static password and the authentication that the dynamic cipher verification server is finished dynamic password by the static password certificate server respectively, and the result is returned to the application system server.The dynamic cipher verification server is verified the dynamic password in the certain hour window, because difference can appear in the time of server and the time of time dynamic password generator, so at the strategy of server end employing window authentication, and this window can dynamically be adjusted according to the interval and the clock cumulative errors of login time.
If can report the loss to system's application with losing time dynamic password generator, when application was reported the loss, user account number can select to enter a kind of of two states, if forbid logging in game after selecting to report the loss, then all can't enter recreation before releasing is reported the loss; Lost efficacy if select to report the loss the back time dynamic password generator, then account number loses the time dynamic password generator protection, need not get final product logging in game by dynamic password.
If find time dynamic password generator after user applies is reported the loss, can remove to system's application and report the loss, after reporting the loss, releasing reverts to binding state automatically.
The user can also apply for that time dynamic password generator is inactive, and after stopping using, account number loses the dynamic password protection, and time dynamic password generator also can't reuse.
If it is old that the user wants to replace with new time dynamic password generator, can apply for changing time dynamic password generator.The time dynamic password generator that more renews must use the time dynamic password generator of another not enabled, after changing to the authentication of original password generator all transfer to new above.
Preferably, in order to prevent dynamic password and account's confusion, same at one time account can only login use by a user.
With reference to Fig. 6, be system block diagram of the present invention, specifically comprise,
User terminal 601 is used for sending authentication request to certificate server, receives the challenge code that returns; And the authentication information that comprises the user account number and first dynamic password to the certificate server transmission;
Time dynamic password generator 602 is used to receive the challenge code that the user imports, and employing is preset algorithm and generated first dynamic password;
Certificate server 603 comprises with lower member:
Interface unit 6031 is used to receive authentication request, the authentication information that user terminal 601 sends, and returns corresponding information;
Challenge code generation unit 6031 is used to generate challenge code at random;
First database 6032 is used to store the identification information of time dynamic password generator 602 and the corresponding relation of user account number, and time dynamic password generator 602 preset algorithm;
Dynamic password verification server 6033, link to each other with interface unit 6013 with first database 6032, be used for determining the identification information of corresponding dynamic password generator 602 according to user account number, thereby obtain the algorithm that presets of this time dynamic password generator 602, according to described challenge code and preset algorithm computation and obtain second dynamic password; And compare first dynamic password and second dynamic password, if consistent, then authentication is passed through.
User terminal 601 is connected with certificate server 603 by network, time dynamic password generator 602 off-line operations.Certainly, as previously mentioned, it also is feasible adopting time dynamic password generator 602 connection modes.So in Fig. 6, adopted dotted line to identify.
User terminal 601 sends authentication request to certificate server 603, the interface unit 6031 of certificate server 603 receives authentication request, the challenge code that challenge code generation unit 6031 generates at random, and send to described user terminal 601 by interface unit 6031, the user is input to described challenge code on the time dynamic password generator 602, generate first dynamic password according to the algorithm that presets, the user sends to certificate server 603 with the user authentication information and first dynamic password by user terminal 601, the interface unit 6031 of certificate server 603 sends to dynamic password verification server 6033 to the authentication information and first dynamic password, dynamic password verification server 6033 is determined the identification information of corresponding dynamic password generator 602 according to the user account number in the user authentication information, obtain the algorithm that presets of this time dynamic password generator 602, according to described challenge code and preset algorithm computation and obtain second dynamic password; And compare first dynamic password and second dynamic password, if consistent, then authentication is passed through.
Preferably, described presetting also comprises time parameter in the algorithm, and described time parameter is produced by time dynamic password generator 502 hardware or certificate server 503 clocks obtain.
Preferably, for avoiding since the authentication that the time error of time dynamic password generator 602 and certificate server 603 causes do not pass through, when dynamic password verification, by second dynamic password in 602 calculating current time of the time dynamic password generator front and back certain hour window, for example, set to allow preceding 1 minute of login and back 2 minutes dynamic password can be logined, when the dynamic password of user input is in time window, think that authentification of user passes through, and, the time error of certificate server 603 record time dynamic password generators 602, adjustment participates in the parameter of the time of cryptographic calculations when authenticating as next time; Under the situation of avoiding the long-time not login of user, the time error of accumulative total is bigger, the scope that has exceeded the adjusting of time window, cause that the user can not be by the problem of authentication, login time is not long more as the user, and then the scope of setting-up time window is wide more, for example, when the user did not login in one week, can on time window, add 1 minute in front and back, when logining, two weeks can on time window, not add 2 minutes in front and back.
Preferably, described certificate server also comprises:
Second database 6034 is used for user's account number storing and corresponding static password;
Static password authentication server 6035 links to each other with the dynamic password verification server with second database, is used to the static password of verifying that the user imports.
Preferably, also comprise binding acknowledgement unit 6037, be used for when the corresponding relation of the identification information of setting up described time dynamic password generator 602 and user account number the setting check phase, the described affirmation phase is used to point out the user whether to confirm the corresponding relation of having set up.
With reference to Fig. 7, be dynamic password generating apparatus embodiment 1 block diagram of the present invention, specifically comprise:
Input unit 701 is used to receive challenge code, and described challenge code is generated according to user authentication request and at random by certificate server, what described challenge code can be for user's input;
Operation processing unit 702 is used for presetting the algorithm computation dynamic password according to described challenge code and present clock The data;
Clock unit 703 is used to provide the present clock data;
Output unit 704 is used to export described dynamic password, and described output can be direct demonstration.
After the user opens the dynamic password generating apparatus, the challenge code that server end returns is imported dynamic secret code generator by input unit 701, operation processing unit 702, is presented on the output unit 704 according to presetting the algorithm computation dynamic password according to the challenge code of input and the current time parameter that provides of clock unit 703.
Preferably, input unit 701 can be a keyboard, and output unit 704 can be a nixie display.
With reference to Fig. 8, be dynamic password generating apparatus embodiment 2 block diagrams of the present invention, specifically comprise:
Input unit 801 is used to receive challenge code, and described challenge code is generated according to user authentication request and at random by certificate server, what described challenge code can be for user's input;
Operation processing unit 802 is used for according to described challenge code, adopts and presets the algorithm computation dynamic password;
Output unit 803 is used to export described dynamic password, and described output can be direct demonstration.
The difference of present embodiment and Fig. 7 is, does not adopt the current time as calculating parameter when calculating dynamic password, and dynamic password of Sheng Chenging and current time have nothing to do like this.Can prevent when the user does not operate in verification process for a long time, the problem of user rs authentication failure, user-friendly.
Dynamic cipher authentication system and method based on challenge code of the present invention can be used for recreation, finance, security, commerce, government, science, enterprise computer system login and corporate virtual private networks.
More than to a kind of dynamic cipher authentication method provided by the present invention, system and device, be described in detail, used specific case herein principle of the present invention and execution mode are set forth, the explanation of above embodiment just is used for helping to understand method of the present invention and core concept thereof; Simultaneously, for one of ordinary skill in the art, according to thought of the present invention, the part that all can change in specific embodiments and applications, in sum, this description should not be construed as limitation of the present invention.
Claims (13)
1, a kind of dynamic cipher authentication method is characterized in that, comprises the following steps:
The storage identification information of time dynamic password generator and the corresponding relation of user account number, and preset algorithm in this time dynamic password generator;
User terminal sends authentication request to certificate server;
Described certificate server returns the challenge code of generation;
Described time dynamic password generator is according to described challenge code, and employing is preset algorithm and generated first dynamic password;
Described user terminal sends authentication information to certificate server, and described authentication information comprises the user account number and first dynamic password; Described certificate server is determined the identification information of corresponding dynamic password generator according to user account number, obtains the algorithm that presets of this time dynamic password generator, according to described challenge code and preset algorithm computation and obtain second dynamic password;
Compare first dynamic password and second dynamic password, if consistent, then authentication is passed through.
2, method according to claim 1 is characterized in that, described presetting also comprises time parameter in the algorithm, and described time parameter is produced by time dynamic password generator hardware or the certificate server clock obtains.
3, method according to claim 2, it is characterized in that, described certificate server adopts the time window certification policy to the checking of dynamic password, allow the dynamic password in this time window to pass through authentication, described time window was dynamically adjusted according to the time interval of user's login and the clock cumulative errors of time dynamic password generator.
4, method according to claim 1 is characterized in that, described authentication information also comprises static password, and described certificate server is verified described static password, if the verification passes, then proceeds the checking of dynamic password, otherwise, authentication failed.
5, method according to claim 1 is characterized in that, also comprises:
When the corresponding relation of the identification information of setting up described time dynamic password generator and user account number, the setting check phase, the described affirmation phase is used to point out the user whether to confirm the corresponding relation of having set up.
6, method according to claim 1 is characterized in that, described corresponding relation for one to one, many-one or one-to-many.
7, a kind of dynamic cipher authentication system is characterized in that, comprising:
User terminal is used for sending authentication request to certificate server, receives the challenge code that returns; And the authentication information that comprises the user account number and first dynamic password to the certificate server transmission;
Time dynamic password generator is used for according to described challenge code, and employing is preset algorithm and generated first dynamic password;
Certificate server comprises with lower member:
Interface unit is used to receive authentication request, the authentication information that user terminal sends, and returns corresponding information;
The challenge code generation unit is used to generate challenge code;
First database is used to store the identification information of time dynamic password generator and the corresponding relation of user account number, and this time dynamic password generator preset algorithm;
The dynamic password verification server, link to each other with first database, be used for determining the identification information of corresponding dynamic password generator, obtain the algorithm that presets of this time dynamic password generator, according to described challenge code and preset algorithm computation and obtain second dynamic password according to user account number; And compare first dynamic password and second dynamic password, if consistent, then authentication is passed through.
8, system according to claim 7 is characterized in that, described presetting also comprises time parameter in the algorithm, and described time parameter is produced by time dynamic password generator hardware or the certificate server clock obtains.
9, system according to claim 7, it is characterized in that, described dynamic password verification server adopts the time window certification policy to the checking of dynamic password, allow the dynamic password in this time window to pass through authentication, described time window was dynamically adjusted according to the time interval of user's login and the clock cumulative errors of time dynamic password generator.
10, system according to claim 7 is characterized in that, when the authentication information of described user terminal transmission also comprised static password, described certificate server also comprised:
Second database is used for user's account number storing and corresponding static password;
The static password authentication server links to each other with the dynamic password verification server with second database, is used to the static password of verifying that the user imports.
11, system according to claim 7 is characterized in that, described certificate server also comprises:
The binding acknowledgement unit is used for when the corresponding relation of the identification information of setting up described time dynamic password generator and user account number, and the setting check phase, the described affirmation phase is used to point out the user whether to confirm the corresponding relation of having set up.
12, a kind of dynamic password generating apparatus is characterized in that, comprising:
Input unit is used to receive challenge code, and described challenge code is generated according to user authentication request by certificate server;
Operation processing unit is used for according to described challenge code and present clock data, adopts and presets the algorithm computation dynamic password;
Clock unit is used to provide the present clock data;
Output unit is used to export described dynamic password.
13, a kind of dynamic password generating apparatus is characterized in that, comprising:
Input unit is used to receive challenge code, and described challenge code is generated according to user authentication request by certificate server;
Operation processing unit is used for presetting the algorithm computation dynamic password according to described challenge code employing;
Output unit is used to export described dynamic password.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200610113609 CN1937498A (en) | 2006-10-09 | 2006-10-09 | Dynamic cipher authentication method, system and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200610113609 CN1937498A (en) | 2006-10-09 | 2006-10-09 | Dynamic cipher authentication method, system and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN1937498A true CN1937498A (en) | 2007-03-28 |
Family
ID=37954787
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200610113609 Pending CN1937498A (en) | 2006-10-09 | 2006-10-09 | Dynamic cipher authentication method, system and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1937498A (en) |
Cited By (39)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101651675A (en) * | 2009-08-27 | 2010-02-17 | 北京飞天诚信科技有限公司 | Method and system for enhancing security of network transactions |
| CN102055728A (en) * | 2009-11-02 | 2011-05-11 | 中华电信股份有限公司 | System login method for avoiding account number from being falsely used |
| CN101051908B (en) * | 2007-05-21 | 2011-05-18 | 北京飞天诚信科技有限公司 | Dynamic cipher certifying system and method |
| CN102075547A (en) * | 2011-02-18 | 2011-05-25 | 北京天地融科技有限公司 | Dynamic password generating method and device and authentication method and system |
| CN102307181A (en) * | 2011-04-27 | 2012-01-04 | 上海动联信息技术有限公司 | Method for preventing phishing attack for dynamic password |
| CN102468958A (en) * | 2010-11-03 | 2012-05-23 | 虎昂科技股份有限公司 | Hardware lock device authentication method and related hardware lock device |
| CN102480474A (en) * | 2010-11-30 | 2012-05-30 | 金蝶软件(中国)有限公司 | Method, device and enterprise system for verifying user logging status |
| CN102594561A (en) * | 2012-02-10 | 2012-07-18 | 济南二机床集团有限公司 | Password changing type encryption method of numerical control system access rights |
| CN102609646A (en) * | 2012-01-20 | 2012-07-25 | 华为终端有限公司 | Information protection method, information protection device and terminal equipment |
| CN102622539A (en) * | 2011-01-31 | 2012-08-01 | F2威尔股份有限公司 | Verification method for electronic commerce |
| CN101162996B (en) * | 2007-11-16 | 2012-11-14 | 李巩令 | Multiple dynamic cipher device authorization identifying system and identifying method thereof |
| CN103152732A (en) * | 2013-03-15 | 2013-06-12 | 汪德嘉 | Cloud password system and operation method thereof |
| CN103368918A (en) * | 2012-04-01 | 2013-10-23 | 西门子公司 | Method, device and system for dynamic password authentication |
| WO2013182151A1 (en) * | 2012-11-14 | 2013-12-12 | 中兴通讯股份有限公司 | Authentication method and system based on web service application |
| CN103475658A (en) * | 2011-04-06 | 2013-12-25 | 天地融科技股份有限公司 | Dynamic password generating method and device and authentication method and system |
| CN103580856A (en) * | 2013-11-19 | 2014-02-12 | 上海众人网络安全技术有限公司 | Method for synchronizing token device according to sizes of certification windows |
| CN103685164A (en) * | 2012-09-05 | 2014-03-26 | 国际商业机器公司 | Method for dynamically providing algorithm password for cross-examination authentication as well as computer device |
| CN103731272A (en) * | 2014-01-06 | 2014-04-16 | 飞天诚信科技股份有限公司 | Identity authentication method, system and equipment |
| CN104022873A (en) * | 2013-02-28 | 2014-09-03 | 北京网河时代科技有限公司 | Offline dynamic identifying code generating method |
| WO2014201830A1 (en) * | 2013-06-20 | 2014-12-24 | Tencent Technology (Shenzhen) Company Limited | Method and device for detecting software-tampering |
| US8935762B2 (en) | 2007-06-26 | 2015-01-13 | G3-Vision Limited | Authentication system and method |
| CN104348791A (en) * | 2013-07-30 | 2015-02-11 | 北京神州泰岳软件股份有限公司 | Single sign on method and system |
| CN104753679A (en) * | 2015-03-05 | 2015-07-01 | 北京畅游天下网络技术有限公司 | User authentication method and system as well as intelligent wearing equipment |
| CN105376221A (en) * | 2015-10-30 | 2016-03-02 | 福建天晴数码有限公司 | Game message encryption mechanism based on dynamic password, and game system |
| CN103795724B (en) * | 2014-02-07 | 2017-01-25 | 陈珂 | Method for protecting account security based on asynchronous dynamic password technology |
| WO2017016415A1 (en) * | 2015-07-30 | 2017-02-02 | 华为技术有限公司 | Access authentication method, server and authentication system of wireless local area network |
| CN106506143A (en) * | 2016-09-27 | 2017-03-15 | 天地融科技股份有限公司 | A kind of dynamic cipher generating method and device |
| CN106789850A (en) * | 2015-11-24 | 2017-05-31 | 中国移动通信集团公司 | Information processing method, the method for login service device, device, server and terminal |
| CN107040524A (en) * | 2017-03-21 | 2017-08-11 | 北京信安世纪科技有限公司 | A kind of program file verification method and program file verify device |
| CN107222460A (en) * | 2017-05-03 | 2017-09-29 | 飞天诚信科技股份有限公司 | A kind of shared method and device of server data memory space |
| CN107895436A (en) * | 2017-11-08 | 2018-04-10 | 东莞市康茂电子有限公司 | One kind is shared with screen device management system and its control method |
| CN108198278A (en) * | 2017-12-01 | 2018-06-22 | 王群 | A kind of control mode of chest lock administration system |
| CN109617791A (en) * | 2019-01-14 | 2019-04-12 | 山东超越数控电子股份有限公司 | A kind of E-mail address identity identifying method and system |
| CN109997141A (en) * | 2016-10-24 | 2019-07-09 | 乐威指南公司 | The system and method to media asset access are controlled for using two-factor authentication |
| CN110572388A (en) * | 2019-09-05 | 2019-12-13 | 北京宝兰德软件股份有限公司 | method for connecting unified authentication server and unified authentication adapter |
| CN110611598A (en) * | 2019-10-15 | 2019-12-24 | 浙江齐治科技股份有限公司 | Method, device and system for realizing challenge code |
| CN110704823A (en) * | 2019-09-10 | 2020-01-17 | 平安科技(深圳)有限公司 | Data request method, device, storage medium and electronic equipment |
| CN111711628A (en) * | 2020-06-16 | 2020-09-25 | 北京字节跳动网络技术有限公司 | Network communication identity authentication method, device, system, equipment and storage medium |
| CN113268780A (en) * | 2021-06-08 | 2021-08-17 | 天津赢达信科技有限公司 | Identity authentication method and device, computer equipment and storage medium |
-
2006
- 2006-10-09 CN CN 200610113609 patent/CN1937498A/en active Pending
Cited By (53)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101051908B (en) * | 2007-05-21 | 2011-05-18 | 北京飞天诚信科技有限公司 | Dynamic cipher certifying system and method |
| US8935762B2 (en) | 2007-06-26 | 2015-01-13 | G3-Vision Limited | Authentication system and method |
| CN101162996B (en) * | 2007-11-16 | 2012-11-14 | 李巩令 | Multiple dynamic cipher device authorization identifying system and identifying method thereof |
| CN101651675A (en) * | 2009-08-27 | 2010-02-17 | 北京飞天诚信科技有限公司 | Method and system for enhancing security of network transactions |
| CN101651675B (en) * | 2009-08-27 | 2015-09-23 | 飞天诚信科技股份有限公司 | By the method and system that authentication code is verified client |
| CN102055728A (en) * | 2009-11-02 | 2011-05-11 | 中华电信股份有限公司 | System login method for avoiding account number from being falsely used |
| CN102055728B (en) * | 2009-11-02 | 2013-11-06 | 中华电信股份有限公司 | System login method for avoiding account number from being falsely used |
| CN102468958A (en) * | 2010-11-03 | 2012-05-23 | 虎昂科技股份有限公司 | Hardware lock device authentication method and related hardware lock device |
| CN102480474A (en) * | 2010-11-30 | 2012-05-30 | 金蝶软件(中国)有限公司 | Method, device and enterprise system for verifying user logging status |
| CN102622539A (en) * | 2011-01-31 | 2012-08-01 | F2威尔股份有限公司 | Verification method for electronic commerce |
| CN102075547A (en) * | 2011-02-18 | 2011-05-25 | 北京天地融科技有限公司 | Dynamic password generating method and device and authentication method and system |
| CN103475658A (en) * | 2011-04-06 | 2013-12-25 | 天地融科技股份有限公司 | Dynamic password generating method and device and authentication method and system |
| CN103475658B (en) * | 2011-04-06 | 2017-01-11 | 天地融科技股份有限公司 | Dynamic password generating method and device and authentication method and system |
| CN102307181A (en) * | 2011-04-27 | 2012-01-04 | 上海动联信息技术有限公司 | Method for preventing phishing attack for dynamic password |
| CN102609646A (en) * | 2012-01-20 | 2012-07-25 | 华为终端有限公司 | Information protection method, information protection device and terminal equipment |
| CN102594561A (en) * | 2012-02-10 | 2012-07-18 | 济南二机床集团有限公司 | Password changing type encryption method of numerical control system access rights |
| CN103368918A (en) * | 2012-04-01 | 2013-10-23 | 西门子公司 | Method, device and system for dynamic password authentication |
| CN103685164A (en) * | 2012-09-05 | 2014-03-26 | 国际商业机器公司 | Method for dynamically providing algorithm password for cross-examination authentication as well as computer device |
| WO2013182151A1 (en) * | 2012-11-14 | 2013-12-12 | 中兴通讯股份有限公司 | Authentication method and system based on web service application |
| CN104022873A (en) * | 2013-02-28 | 2014-09-03 | 北京网河时代科技有限公司 | Offline dynamic identifying code generating method |
| CN104022873B (en) * | 2013-02-28 | 2017-09-29 | 北京网河时代科技有限公司 | A kind of offline dynamic authentication code generating method |
| CN103152732A (en) * | 2013-03-15 | 2013-06-12 | 汪德嘉 | Cloud password system and operation method thereof |
| WO2014201830A1 (en) * | 2013-06-20 | 2014-12-24 | Tencent Technology (Shenzhen) Company Limited | Method and device for detecting software-tampering |
| US9607147B2 (en) | 2013-06-20 | 2017-03-28 | Tencent Technology (Shenzhen) Company Limited | Method and device for detecting software-tampering |
| CN104348791A (en) * | 2013-07-30 | 2015-02-11 | 北京神州泰岳软件股份有限公司 | Single sign on method and system |
| CN104348791B (en) * | 2013-07-30 | 2017-12-01 | 北京神州泰岳软件股份有限公司 | A kind of single-point logging method and system |
| CN103580856A (en) * | 2013-11-19 | 2014-02-12 | 上海众人网络安全技术有限公司 | Method for synchronizing token device according to sizes of certification windows |
| CN103731272A (en) * | 2014-01-06 | 2014-04-16 | 飞天诚信科技股份有限公司 | Identity authentication method, system and equipment |
| CN103795724B (en) * | 2014-02-07 | 2017-01-25 | 陈珂 | Method for protecting account security based on asynchronous dynamic password technology |
| CN104753679A (en) * | 2015-03-05 | 2015-07-01 | 北京畅游天下网络技术有限公司 | User authentication method and system as well as intelligent wearing equipment |
| CN104753679B (en) * | 2015-03-05 | 2019-01-29 | 北京畅游天下网络技术有限公司 | User authen method and system and intelligent wearable device |
| WO2017016415A1 (en) * | 2015-07-30 | 2017-02-02 | 华为技术有限公司 | Access authentication method, server and authentication system of wireless local area network |
| CN106713222A (en) * | 2015-07-30 | 2017-05-24 | 华为技术有限公司 | Access authentication method of wireless local area network, server and authentication system |
| CN106713222B (en) * | 2015-07-30 | 2020-10-09 | 华为技术有限公司 | Access authentication method, server and authentication system of wireless local area network |
| CN105376221B (en) * | 2015-10-30 | 2019-05-21 | 福建天晴数码有限公司 | Game message encryption mechanism and game system based on dynamic password |
| CN105376221A (en) * | 2015-10-30 | 2016-03-02 | 福建天晴数码有限公司 | Game message encryption mechanism based on dynamic password, and game system |
| CN106789850A (en) * | 2015-11-24 | 2017-05-31 | 中国移动通信集团公司 | Information processing method, the method for login service device, device, server and terminal |
| CN106506143A (en) * | 2016-09-27 | 2017-03-15 | 天地融科技股份有限公司 | A kind of dynamic cipher generating method and device |
| CN106506143B (en) * | 2016-09-27 | 2019-10-22 | 天地融科技股份有限公司 | A kind of dynamic cipher generating method and device |
| CN109997141B (en) * | 2016-10-24 | 2023-10-17 | 乐威指南公司 | System and method for controlling access to media assets using two-factor authentication |
| CN109997141A (en) * | 2016-10-24 | 2019-07-09 | 乐威指南公司 | The system and method to media asset access are controlled for using two-factor authentication |
| CN107040524A (en) * | 2017-03-21 | 2017-08-11 | 北京信安世纪科技有限公司 | A kind of program file verification method and program file verify device |
| CN107222460A (en) * | 2017-05-03 | 2017-09-29 | 飞天诚信科技股份有限公司 | A kind of shared method and device of server data memory space |
| CN107222460B (en) * | 2017-05-03 | 2019-10-08 | 飞天诚信科技股份有限公司 | A kind of method and device that server data memory space is shared |
| CN107895436A (en) * | 2017-11-08 | 2018-04-10 | 东莞市康茂电子有限公司 | One kind is shared with screen device management system and its control method |
| CN108198278A (en) * | 2017-12-01 | 2018-06-22 | 王群 | A kind of control mode of chest lock administration system |
| CN109617791A (en) * | 2019-01-14 | 2019-04-12 | 山东超越数控电子股份有限公司 | A kind of E-mail address identity identifying method and system |
| CN110572388A (en) * | 2019-09-05 | 2019-12-13 | 北京宝兰德软件股份有限公司 | method for connecting unified authentication server and unified authentication adapter |
| CN110704823A (en) * | 2019-09-10 | 2020-01-17 | 平安科技(深圳)有限公司 | Data request method, device, storage medium and electronic equipment |
| CN110611598A (en) * | 2019-10-15 | 2019-12-24 | 浙江齐治科技股份有限公司 | Method, device and system for realizing challenge code |
| CN110611598B (en) * | 2019-10-15 | 2022-03-18 | 浙江齐治科技股份有限公司 | Method, device and system for realizing challenge code |
| CN111711628A (en) * | 2020-06-16 | 2020-09-25 | 北京字节跳动网络技术有限公司 | Network communication identity authentication method, device, system, equipment and storage medium |
| CN113268780A (en) * | 2021-06-08 | 2021-08-17 | 天津赢达信科技有限公司 | Identity authentication method and device, computer equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN1937498A (en) | Dynamic cipher authentication method, system and device | |
| CN109309565B (en) | Security authentication method and device | |
| US8627424B1 (en) | Device bound OTP generation | |
| CN101166091B (en) | A dynamic password authentication method and service end system | |
| US8209744B2 (en) | Mobile device assisted secure computer network communication | |
| CN108834144B (en) | Method and system for managing association of operator number and account | |
| CN104767731B (en) | A kind of Restful move transactions system identity certification means of defence | |
| CN105024819B (en) | A kind of multiple-factor authentication method and system based on mobile terminal | |
| CA2591968C (en) | Authentication device and/or method | |
| AU2005318933B2 (en) | Authentication device and/or method | |
| TWI436627B (en) | Method and apparatus for authenticatiing online transactions using a browser | |
| US20150349960A1 (en) | Two factor authentication using a protected pin-like passcode | |
| US20070192829A1 (en) | Authenticated communication using a shared unpredictable secret | |
| CN106453361B (en) | A kind of security protection method and system of the network information | |
| CN102215221A (en) | Methods and systems for secure remote wake, boot, and login to a computer from a mobile device | |
| KR100951094B1 (en) | Maintaining privacy for transactions performable by a user device having a security module | |
| CN107920052B (en) | Encryption method and intelligent device | |
| CN101420302A (en) | Safe identification method and device | |
| US20090220075A1 (en) | Multifactor authentication system and methodology | |
| US20090119505A1 (en) | Transaction method and verification method | |
| CN111275419A (en) | Block chain wallet signature right confirming method, device and system | |
| CN111355591A (en) | Block chain account safety management method based on real-name authentication technology | |
| Alqubaisi et al. | Should we rush to implement password-less single factor FIDO2 based authentication? | |
| CN108769029A (en) | It is a kind of to application system authentication device, method and system | |
| Gouda et al. | SPP: An anti-phishing single password protocol |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C12 | Rejection of a patent application after its publication | ||
| RJ01 | Rejection of invention patent application after publication |
Open date: 20070328 |