WO2011023039A1 - A method and apparatus for dynamic password verification - Google Patents
A method and apparatus for dynamic password verification (一种动态口令验证的方法及装置)
- Publication number
- WO2011023039A1 (PCT/CN2010/075009)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- dynamic password
- mobile device
- authentication server
- code
- diffie
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
- H04L9/0844—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0838—Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3006—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
- H04L9/3013—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
Definitions
- the present invention relates to the field of network communications, and in particular to a method and apparatus for dynamic password authentication. Background of the invention
- password authentication is the most commonly used network authentication technology.
- password authentication can be divided into static passwords and dynamic passwords.
- dynamic passwords have the characteristics of "one time, one secret, one validity period", so they are far more secure than static passwords.
- the carrier of a dynamic password can usually be divided into hardware implementations and software implementations.
- a dynamic password implemented in hardware has the advantages of high security and convenient use, but its disadvantage is high cost.
- software-implemented dynamic passwords are inferior to hardware implementations in security and ease of use, but cost less. Since personal mobile devices (mobile phones, PDAs, etc.) are convenient to use and relatively secure, most existing software-implemented dynamic passwords are based on personal mobile devices.
- a system implementing dynamic passwords on a personal mobile device is usually composed of token software and an authentication server.
- the most important issue in such a system is how to share the token seed securely between the token software and the authentication server.
- the token seed is the secret shared by the token software and the authentication server; it is what allows the two to generate the same dynamic password.
- in the prior art, the user may first install the token software on the mobile device and then separately obtain a file containing the token seed and import it into the token software; alternatively, each downloadable copy of the token software contains a unique token seed, so the user can install and use it directly after downloading; or the token seed is negotiated through a series of real-time message exchanges between the mobile device and the authentication server. It can be seen from these prior-art solutions that their security is not guaranteed.
- the embodiments of the invention provide a method and apparatus for verifying dynamic passwords which improve the security of identity authentication and are easy to use; the mobile device exchanges no messages with the authentication server, so no additional traffic cost is incurred, which reduces the user's burden and the cost of authentication.
- the embodiments of the invention provide a method for dynamic password verification, the method comprising: the mobile device generating an initial code by using the token software, and transmitting the generated initial code to the authentication server through input on a web page;
- after the initial code verification has passed, the mobile device calculating a current dynamic password according to the DH (Diffie-Hellman) algorithm, and transmitting the current dynamic password to the authentication server through input on a web page;
- the authentication server calculating its own dynamic password from the received initial code according to the same DH algorithm as the mobile device;
- the authentication server comparing the dynamic password it generated with the dynamic password generated by the mobile device, to verify whether the dynamic password generated by the mobile device is correct.
- the embodiments of the present invention further provide an apparatus for dynamic password verification, comprising: an initial code generating unit, configured in the mobile device, to generate an initial code using the token software, where the initial code is passed to the authentication server through input on a web page; a dynamic password generating unit, configured in the mobile device, to calculate the current dynamic password of the mobile device according to the DH (Diffie-Hellman) algorithm after the initial code verification has passed, where the current dynamic password is also passed to the authentication server through input on a web page;
- a dynamic password verification unit, configured in the authentication server, to calculate a dynamic password from the initial code received by the authentication server according to the same DH algorithm as the dynamic password generating unit, and to compare its own dynamic password with the entered dynamic password, to verify whether the dynamic password generated by the dynamic password generating unit is correct.
- in summary, the mobile device first generates the initial code using the token software and transmits it to the authentication server through input on a web page; after the initial code verification has passed, the mobile device calculates the current dynamic password according to the DH (Diffie-Hellman) algorithm and passes it to the authentication server through input on a web page; the authentication server calculates its own dynamic password from the received initial code according to the same DH algorithm as the mobile device; the authentication server then compares the dynamic password it generated with the dynamic password entered from the mobile device to verify whether the dynamic password generated by the mobile device is correct.
- in this way the security of identity authentication is improved and the system is easy to use; at the same time, no message interaction occurs between the mobile device and the authentication server, so no additional traffic cost is incurred, which reduces the user's burden and the cost of authentication.
- FIG. 1 is a schematic flowchart of a dynamic password verification method according to Embodiment 1 of the present invention;
- FIG. 2 is a schematic diagram of the signaling interaction for verifying a dynamic password between a mobile device and an authentication server according to Embodiment 1 of the present invention;
- FIG. 3, FIG. 4 and FIG. 5 are signaling interaction diagrams of the authentication server generating a challenge policy according to Embodiment 1 of the present invention;
- FIG. 6 is a schematic structural diagram of a dynamic password verification apparatus according to Embodiment 2 of the present invention.
- Embodiments of the present invention provide a method and apparatus for dynamic password verification that use the DH (Diffie-Hellman) key exchange algorithm.
- the DH algorithm allows two entities to share the same key securely, which realizes the verification of dynamic passwords, improves the security of identity authentication and is easy to use; at the same time, because no direct message exchange occurs between the mobile device and the authentication server, no additional traffic cost is incurred.
- FIG. 1 is a schematic flowchart of a dynamic password verification method according to Embodiment 1 of the present invention.
- the method includes:
- Step 11: generate an initial code and pass the initial code to the authentication server.
- the mobile device first uses the downloaded token software to generate the initial code, and then passes the generated initial code to the authentication server through input on a web page.
- the initial code generated by the mobile device using the token software may consist of a string of digits and letters, of digits only, or of letters only; specifically it is a DH public key generated on the mobile device, which may be obtained as follows: first the mobile device generates, through the token software, a DH private key known only to the mobile device, and then uses the DH private key to calculate the corresponding DH public key through the DH algorithm.
- the generated initial code may further include version number information; the version number refers to the version number hard-coded into the mobile device during initialization.
- the obtained initial code may also be represented in a different radix, for example a base-32 encoding of the initial code, which effectively reduces the number of characters of the initial code and makes it more convenient to enter on the web page.
- Step 12: after the initial code verification has passed, generate the current dynamic password according to the DH algorithm and deliver the dynamic password to the authentication server.
- after the initial code verification has passed, the mobile device may calculate the current dynamic password according to the DH (Diffie-Hellman) algorithm, and then pass the current dynamic password to the authentication server through input on a web page.
- the initial code verification may proceed as follows: first, the authentication server applies a preset algorithm to the received initial code to generate a confirmation code; then the mobile device obtains the confirmation code generated by the authentication server, calculates its own confirmation code from the initial code it generated using the same algorithm as the authentication server, and compares its own confirmation code with the confirmation code generated by the authentication server, to verify that the authentication server received the initial code the mobile device generated.
- the preset algorithm may be an algorithm policy pre-defined by the operator; for example, the first four digits of the initial code may be taken as the confirmation code, or the last two digits of the initial code may be the confirmation code.
- alternatively, the authentication server may generate a random number string, process the generated random number string together with the received initial code with a preset algorithm to obtain a check code, and then combine the check code with the generated random number string to form the confirmation code. This makes the initial code verification more accurate and secure.
- alternatively, the authentication server first generates a random DH private key and calculates the corresponding DH public key according to the DH algorithm; the DH public key and the received initial code are processed with a preset algorithm to obtain a check code, and the check code is combined with the calculated DH public key to form the confirmation code. This also makes the initial code verification more accurate and secure.
- the mobile device first obtains a token seed through an initialization process between the token software and the background server, saves the token seed, and then uses the saved token seed directly, together with the current time value, to generate a dynamic password in each subsequent dynamic password generation phase.
- the process by which the mobile device calculates the current dynamic password according to the DH algorithm may be: first, the mobile device calculates its DH key from its own DH private key (and the authentication server's DH public key) according to the DH algorithm, then derives the token seed from the DH key with a hash algorithm and saves the token seed; the mobile device then processes the token seed and the current time value with a preset algorithm to obtain the current dynamic password.
- the preset algorithm may likewise be an algorithm policy pre-defined by the operator; for example, the token seed and the current time value are first hashed, and then a specific portion of the hash value is taken to obtain the corresponding dynamic password.
- Step 13: the authentication server generates its own dynamic password from the received initial code.
- the authentication server may calculate its own dynamic password from the received initial code according to the same DH algorithm as the mobile device.
- the authentication server may obtain its own dynamic password as follows: it parses the received initial code to obtain the mobile device's DH public key; it then calculates the DH key from that public key (and its own DH private key), derives the token seed from the DH key with the same algorithm as the mobile device, and saves the token seed; in each future dynamic password generation the saved token seed is used to compute its own dynamic password with the same algorithm as the mobile device.
- Step 14: verify whether the dynamic password generated by the mobile device is correct.
- the authentication server compares the dynamic password it generated with the dynamic password generated by the mobile device to verify whether the dynamic password generated by the mobile device is correct.
- since the time displayed on the mobile device may deviate from the time of the authentication server, a permitted time deviation range may be configured: if the dynamic password generated by the authentication server matches the dynamic password generated by the mobile device within that range, the verification is judged correct, which makes the verification more robust.
- a challenge policy may also be added on the authentication server to further improve the security of dynamic password verification. Specifically: if the mobile device calculates, according to the DH algorithm, a current dynamic password represented as a string of digits, the authentication server generates a challenge policy prompting the user to enter specific digits of the current dynamic password; the user passes those digits of the current dynamic password to the authentication server through web page input according to the challenge policy; the authentication server then verifies, in combination with the challenge policy it generated, whether the dynamic password generated by the mobile device is correct.
- alternatively, the mobile device calculates a current dynamic password represented as several strings of digits; the authentication server generates a challenge policy prompting the user to enter the string with a given sequence number; the user passes the corresponding string of the current dynamic password to the authentication server through web page input; the authentication server then verifies, in combination with the challenge policy, whether the dynamic password generated by the mobile device is correct.
- alternatively, the mobile device calculates a current dynamic password represented as a matrix of digits; the authentication server generates a challenge policy prompting the user to enter the digit strings at given matrix coordinates; the user passes the digit strings at those coordinates to the authentication server through web page input; the authentication server then verifies, in combination with the challenge policy, whether the dynamic password generated by the mobile device is correct.
- in this way the security of identity authentication is improved, and because the interaction is by web page input it causes no additional traffic charges, which reduces the user's burden and the cost of authentication.
- FIG. 2 is a schematic diagram of the signaling interaction for verifying a dynamic password between a mobile device and an authentication server according to Embodiment 1; the interaction is as follows.
- in the initialization phase, the authentication server determines the Diffie-Hellman global public quantities to be used and randomly selects its own Diffie-Hellman private key, then calculates the corresponding Diffie-Hellman public key; the Diffie-Hellman global public quantities and the authentication server's Diffie-Hellman public key are then hard-coded into the mobile device (token software).
- a version number is hard-coded into the mobile device together with the authentication server's Diffie-Hellman public key.
- the mobile device generates an initial code.
- the mobile device generates an initial code represented as a string of digits and letters, composed as follows:
- Initial code = base-32 representation(version number + Diffie-Hellman public key of the mobile device)
- the version number refers to the version number hard-coded into the mobile device during the initialization process.
- the Diffie-Hellman public key of the mobile device is obtained as follows: first the Diffie-Hellman private key of the mobile device is generated, and then its corresponding Diffie-Hellman public key is calculated according to the DH algorithm.
- alternatively, the authentication server may not generate its private key and public key in advance, nor hard-code the authentication server's public key into the mobile device, and the hard-coded version number may also be omitted.
- in that case the initial code generated by the mobile device may be expressed as:
- Initial code = base-32 representation(Diffie-Hellman public key of the mobile device)
- the initial code generated by the mobile device is transmitted to the authentication server through input on a web page.
- it can be entered manually by the user, or a designated device can be specified to enter it according to policy.
- the authentication server may generate a confirmation code and echo it back to the mobile device.
- the confirmation code may be defined as follows:
- Confirmation code = preset algorithm processing(initial code)
- the preset algorithm may be an algorithm policy pre-defined by the operator.
- for example, the first four digits of the initial code may be taken as the confirmation code, or the last two digits of the initial code may be the confirmation code; the choice takes into account the convenience of entering the confirmation code.
- the confirmation code can generally be set to a 4-digit string.
- the confirmation code generation process may be improved correspondingly.
- the definition of the confirmation code may then be modified as follows:
- Confirmation code = authentication server random number string + check code, where Check code = preset algorithm processing(initial code + authentication server random number string)
- the authentication server random number string is a string of 6 or more digits, used to add randomness from the authentication server into the generation of the token seed; the function of the check code is to verify the correctness of the initial code entered by the user and of the authentication server random number string, and it is typically a string of 2 to 4 digits.
- alternatively, the random number string may be replaced by the authentication server's Diffie-Hellman public key: Confirmation code = authentication server Diffie-Hellman public key + check code, where Check code = preset algorithm processing(initial code + authentication server Diffie-Hellman public key)
- the authentication server's Diffie-Hellman public key is obtained as follows: the authentication server first generates a random Diffie-Hellman private key and then calculates the corresponding DH public key according to the Diffie-Hellman algorithm.
- in this variant the function of the check code is to verify the correctness of the initial code entered by the user and of the authentication server's Diffie-Hellman public key; it is generally a string of 2 to 4 digits.
- Verify the confirmation code and generate the dynamic password: the mobile device calculates its own confirmation code from the initial code it generated earlier, using the same algorithm as the authentication server, and compares it with the confirmation code generated by the authentication server; if they do not match, the verification fails, the user is told that the initial code was entered incorrectly, and the process exits. If the verification succeeds, the mobile device calculates the corresponding token seed according to the Diffie-Hellman algorithm and generates the current dynamic password.
- the dynamic password may be calculated as follows:
- Diffie-Hellman key = Diffie-Hellman algorithm(Diffie-Hellman private key of the mobile device + Diffie-Hellman public key of the pre-hard-coded authentication server), that is, the Diffie-Hellman key is the result of processing the mobile device's Diffie-Hellman private key and the pre-hard-coded authentication server Diffie-Hellman public key with the Diffie-Hellman algorithm.
- the mobile device's Diffie-Hellman private key and the pre-hard-coded authentication server Diffie-Hellman public key are the two inputs; the Diffie-Hellman algorithm is computed over them, and the result is the Diffie-Hellman key.
- Token seed = hash algorithm(Diffie-Hellman key), that is, the token seed is the result of processing the Diffie-Hellman key with a hash algorithm;
- the hash algorithm can be a standard hash algorithm such as MD5 or SHA256 (of these, SHA256 is the appropriate choice today; MD5 is no longer considered a secure hash).
- if in step 4 the authentication server generates a random number string, the mobile device first recovers the authentication server random number string from the confirmation code, and the token seed becomes:
- Token seed = hash algorithm(Diffie-Hellman key + authentication server random number string), that is, the token seed is the result of hashing the Diffie-Hellman key together with the authentication server random number string.
- if in step 4 the authentication server generates an authentication server DH public key, the mobile device first ensures, by verifying the check code, that it and the authentication server have exchanged the correct initial code and authentication server Diffie-Hellman public key; after the verification passes, the token seed generation algorithm changes to the following:
- Diffie-Hellman key = Diffie-Hellman algorithm(Diffie-Hellman private key of the mobile device + Diffie-Hellman public key of the authentication server), that is, the Diffie-Hellman key is the result of processing the mobile device's Diffie-Hellman private key and the authentication server's Diffie-Hellman public key (as carried in the confirmation code) with the Diffie-Hellman algorithm.
- Token seed = hash algorithm(Diffie-Hellman key).
- the current dynamic password of the mobile device can then be calculated; it is generally 6 to 8 decimal digits, specifically:
- Dynamic password = algorithm processing(token seed + current time value), that is, the dynamic password is the result of algorithmic processing of the token seed and the current time value.
- the token seed and the time value are processed by a preset algorithm to obtain a string of digits.
- the preset algorithm may likewise be an algorithm policy pre-defined by the operator; for example, the token seed and the current time value are first hashed, and then a specific portion of the hash result is taken to obtain the corresponding dynamic password.
- the authentication server verifies whether the dynamic password is correct.
- the authentication server parses the mobile device's Diffie-Hellman public key from the previously received initial code; it then calculates the Diffie-Hellman key, which is necessarily identical to the Diffie-Hellman key calculated by the mobile device in step 6.
- after obtaining the Diffie-Hellman key, the authentication server uses the same algorithm as the mobile device in step 6 to obtain the token seed and its own dynamic password; the obtained dynamic password is then compared with the dynamic password generated by the mobile device to verify whether the latter is correct.
- since the time displayed on the mobile device may deviate from the time of the authentication server, in a specific implementation a certain time deviation range may be set: if the dynamic password generated by the authentication server matches the one generated by the mobile device within that range, the verification is also regarded as correct; the time deviation range can be 1 to 2 minutes and can be set by the operator.
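The FIG. 2 exchange end to end, as an added example that is not part of the patent and not the applicant's code. It covers Step 11 to Step 14 above and the random-number-string variant of the confirmation code: the token software carries the DH group and the server's DH public key, the device's public key travels to the server as a base-32 "initial code", the server echoes a confirmation code made of a 6-digit random string plus a check code, both sides derive the token seed from the DH key, and the server accepts a time-based password within a deviation window. The DH group (RFC 3526 group 14), SHA-256 as the hash, HMAC-SHA256 with a 60-second period as the "preset algorithm", and all function names are this example's assumptions; the patent fixes none of them.

```python
"""DH-seeded dynamic-password enrolment and verification (added example,
modelled on the FIG. 2 flow; hash and truncation choices are this example's own)."""
import base64
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP): the "Diffie-Hellman global public quantities".
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8
VERSION = 1        # version number hard-coded into the token software
STEP = 60          # seconds per dynamic-password period (example choice)
WINDOW = 2         # accept +/- 2 periods, i.e. the 1-2 minute deviation range
CHECK_DIGITS = 4   # check-code length; the page allows 2 to 4 digits

def dh_keypair():
    """Random private exponent x and public value g^x mod p."""
    priv = secrets.randbits(256) | (1 << 255)
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    """The 'Diffie-Hellman key' as bytes; rejects 0, 1 and p-1 as peer values."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P).to_bytes(KEY_BYTES, "big")

def encode_initial_code(version, device_pub):
    """Initial code = base-32(version number + device DH public key), unpadded."""
    raw = bytes([version]) + device_pub.to_bytes(KEY_BYTES, "big")
    return base64.b32encode(raw).decode().rstrip("=")

def decode_initial_code(code):
    """Server side: restore padding, split the version byte from the public key."""
    raw = base64.b32decode(code + "=" * (-len(code) % 8))
    return raw[0], int.from_bytes(raw[1:], "big")

def check_code(initial_code, server_rand):
    """Check code = preset algorithm(initial code + server random string); here
    CHECK_DIGITS decimal digits taken from a SHA-256 (example choice)."""
    h = hashlib.sha256((initial_code + server_rand).encode()).digest()
    return str(int.from_bytes(h[:8], "big") % 10**CHECK_DIGITS).zfill(CHECK_DIGITS)

def make_confirmation_code(initial_code):
    """Server: confirmation code = 6-digit random string + check code."""
    server_rand = "".join(secrets.choice("0123456789") for _ in range(6))
    return server_rand + check_code(initial_code, server_rand)

def split_confirmation_code(initial_code, confirmation_code):
    """Device: recover the server random string. A mismatch means the initial
    code was mistyped; the check code does not authenticate either public key."""
    server_rand, got = confirmation_code[:-CHECK_DIGITS], confirmation_code[-CHECK_DIGITS:]
    if not hmac.compare_digest(got, check_code(initial_code, server_rand)):
        raise ValueError("initial code was entered incorrectly")
    return server_rand

def token_seed(dh_key, server_rand):
    """Token seed = SHA-256(Diffie-Hellman key + server random string)."""
    return hashlib.sha256(dh_key + server_rand.encode()).digest()

def dynamic_password(seed, now, digits=6):
    """Dynamic password from token seed + current time: HMAC-SHA256 over the
    period counter, truncated to decimal digits (example choice)."""
    counter = (int(now) // STEP).to_bytes(8, "big")
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    return str(int.from_bytes(mac[-4:], "big") % 10**digits).zfill(digits)

def verify_dynamic_password(seed, now, entered, digits=6):
    """Server: try every period in the window; return the matching period
    counter (so the caller can refuse a replay of it) or None."""
    base = int(now) // STEP
    for period in range(base - WINDOW, base + WINDOW + 1):
        if hmac.compare_digest(dynamic_password(seed, period * STEP, digits), entered):
            return period
    return None

def enrol_and_verify(now):
    """Whole exchange in one process; returns (initial code length, verified)."""
    server_priv, server_pub = dh_keypair()   # server pair; pub is hard-coded in the token
    dev_priv, dev_pub = dh_keypair()
    initial_code = encode_initial_code(VERSION, dev_pub)      # typed into the web page
    version, parsed_pub = decode_initial_code(initial_code)
    if version != VERSION:
        raise ValueError("unsupported token software version")
    confirmation = make_confirmation_code(initial_code)       # echoed back to the user
    server_rand = split_confirmation_code(initial_code, confirmation)
    dev_seed = token_seed(dh_shared(dev_priv, server_pub), server_rand)
    srv_seed = token_seed(dh_shared(server_priv, parsed_pub), server_rand)
    password = dynamic_password(dev_seed, now)
    return len(initial_code), verify_dynamic_password(srv_seed, now, password) is not None
```

Two things the run makes visible that the text does not. First, with a 2048-bit group the initial code is 412 base-32 characters, so a typed exchange of the kind described needs either an out-of-band input path (the page mentions a designated device) or a much smaller, and correspondingly weaker, DH group; ECDH would shorten it to about 50 characters but is not what the patent describes. Second, the check code only detects a mistyped initial code; it carries no secret, so it is not a cryptographic binding of the device key to the server key. Binding comes from the server public key being hard-coded into the token software (a substituted server key would give a mismatching seed), and on the server side from the enrolment being tied to the authenticated web session that entered the initial code. The `verify_dynamic_password` return value is the period counter so that a server can record it and refuse a second use of the same password inside the window.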
- the corresponding challenge policy may be added to the authentication server according to different dynamic password expression modes generated by the mobile device, thereby further improving the security of the dynamic password verification. for example:
- Figure 3 shows a signaling interaction diagram of the authentication server generating a challenge policy.
- Step 1 The mobile device generates a dynamic password. Usually 6 digits, such as: 528639.
- Step 2 The authentication server generates a challenge policy that prompts the user to enter certain of the digits displayed by the mobile device. For example, the mobile device currently displays 528639 and the authentication server issues the challenge "Please enter the 1st, 3rd, 5th and 6th digits"; the user then only has to enter the four digits "5839" correctly to pass verification.
- Step 3 The user enters the corresponding dynamic password according to the prompt of the authentication server.
- Step 4 The authentication server, applying the challenge policy it issued, verifies whether the user's dynamic password is correct according to the method described in Embodiment 1.
- Step 5 The verification result is displayed.
- FIG. 4 Another signalling interaction in which the authentication server generates a challenge policy is shown in FIG. 4:
- Step 1 Instead of a single 6-digit pure number, the mobile device generates a fixed number n of lines of dynamic passwords based on the token seed and the current time, such as:
- Step 2 The authentication server generates a challenge policy that prompts the user to enter the numeric string of the Xth line, for example "Please enter the dynamic password of line 2".
- Step 3 The user correctly enters the numeric string of the Xth line according to the prompt of the authentication server. For example, if the prompt in Step 2 was "Please enter the dynamic password of line 2", the user should enter "985570".
- Step 4 The authentication server, applying the challenge policy it issued, verifies whether the user's dynamic password is correct according to the method described in Embodiment 1.
- Step 5 The verification result is displayed.
- FIG. 5 Another signalling interaction in which the authentication server generates a challenge policy is shown in FIG. 5:
- Step 1 The mobile device generates a dynamic matrix password of fixed size n * m based on the token seed and the current time, for example a 4 * 4 dynamic matrix password:
- Step 2 The authentication server generates a challenge policy that prompts the user to enter the numeric strings at certain coordinates, for example "Please enter the numbers corresponding to A2, C3, D1".
- Step 3 The user correctly enters the numbers at those coordinates according to the prompt of the authentication server. For example, following the prompt in Step 2, the user should enter "90 89 01".
- Step 4 The authentication server, applying the challenge policy it issued, verifies whether the user's dynamic password is correct according to the method described in Embodiment 1.
- Step 5 The verification result is displayed.
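The three challenge policies of FIG. 3 to FIG. 5 (digit positions, one line of n, selected matrix cells) as an added example in Python; this is not code from the patent. The patent does not specify the token algorithm, so HMAC-SHA256 over a 30-second time counter with HOTP-style truncation, a per-line or per-cell label, the demo seed and time, the function names and the coordinate convention (column letter, row number) are all assumptions of this example.

```python
import hashlib
import hmac
import struct
from typing import Dict, List

# Constructed demo values, not taken from the patent: a token seed shared by
# the token software on the mobile device and the authentication server, and
# a fixed point in time so that the run is reproducible.
DEMO_SEED = b"constructed-demo-seed-0123456789"
DEMO_TIME = 1_700_000_000   # Unix seconds
TIME_STEP = 30              # seconds per dynamic-password period (assumption)


def derive_digits(seed: bytes, t: int, label: bytes, ndigits: int) -> str:
    """Derive ndigits decimal digits from the seed, the time counter and a label.

    HMAC-SHA256 over (counter || label) with HOTP-style dynamic truncation is an
    assumed stand-in for the patent's unspecified token algorithm; the label
    lets one seed yield independent digits for every line or matrix cell.
    """
    counter = struct.pack(">Q", t // TIME_STEP)
    mac = hmac.new(seed, counter + label, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** ndigits).zfill(ndigits)


# What the token software on the mobile device displays

def single_password(seed: bytes, t: int) -> str:
    """FIG. 3 layout: a single 6-digit dynamic password."""
    return derive_digits(seed, t, b"single", 6)


def line_passwords(seed: bytes, t: int, n_lines: int = 4) -> List[str]:
    """FIG. 4 layout: n lines, each a 6-digit dynamic password."""
    return [derive_digits(seed, t, b"line" + bytes([i]), 6) for i in range(n_lines)]


def matrix_password(seed: bytes, t: int, rows: int = 4, cols: int = 4) -> Dict[str, str]:
    """FIG. 5 layout: an n*m matrix of 2-digit cells keyed by coordinate.

    Coordinate convention is an assumption: column letter A.., row number 1..,
    so "C3" is column C, row 3.
    """
    cells: Dict[str, str] = {}
    for r in range(rows):
        for c in range(cols):
            key = f"{chr(ord('A') + c)}{r + 1}"
            cells[key] = derive_digits(seed, t, b"cell" + bytes([r, c]), 2)
    return cells


# Challenge policies: the server recomputes exactly the subset it asked for

def expected_for_positions(full: str, positions: List[int]) -> str:
    """'Please enter the 1st, 3rd, 5th and 6th digits' (1-based positions)."""
    return "".join(full[p - 1] for p in positions)


def expected_for_line(lines: List[str], line_no: int) -> str:
    """'Please enter the dynamic password of line X' (1-based line number)."""
    return lines[line_no - 1]


def expected_for_cells(cells: Dict[str, str], coords: List[str]) -> str:
    """'Please enter the numbers corresponding to A2, C3, D1'."""
    return " ".join(cells[c] for c in coords)


def server_verify(expected: str, entered: str) -> bool:
    """Constant-time comparison; spaces typed between matrix cells are ignored."""
    return hmac.compare_digest(expected.replace(" ", ""), entered.replace(" ", ""))


def run_all_policies(seed: bytes = DEMO_SEED, t: int = DEMO_TIME) -> Dict[str, bool]:
    """Simulate the three flows: the device renders its display, the user copies
    only the challenged part into the web page, the server recomputes that
    part from its own copy of the seed and compares."""
    # FIG. 3: a subset of digit positions from one 6-digit password
    user_entry = expected_for_positions(single_password(seed, t), [1, 3, 5, 6])
    server_side = expected_for_positions(single_password(seed, t), [1, 3, 5, 6])
    # FIG. 4: one line out of n
    user_line = expected_for_line(line_passwords(seed, t), 2)
    server_line = expected_for_line(line_passwords(seed, t), 2)
    # FIG. 5: selected cells of the matrix
    user_cells = expected_for_cells(matrix_password(seed, t), ["A2", "C3", "D1"])
    server_cells = expected_for_cells(matrix_password(seed, t), ["A2", "C3", "D1"])
    return {
        "positions": server_verify(server_side, user_entry),
        "line": server_verify(server_line, user_line),
        "cells": server_verify(server_cells, user_cells),
    }
```

The defensive point of the policies is visible in the code: the server never asks for the whole display, so whatever is observed on the web form (four of six digits, one line of four, three cells of sixteen) is only part of the value for the current time step, and the subset requested changes with each challenge. The comparison is done in constant time on the server's own recomputation, never by trusting anything the client sends about which subset it answered.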
- In this way the verification of the dynamic password can be realized, improving the security of identity authentication while remaining simple and easy to use; meanwhile, because the initial code, the confirmation code and the dynamic password are all input to the authentication server through the web page, and no direct message exchange takes place between the mobile device and the authentication server, no additional traffic charges are incurred, which reduces the user's burden and the cost of authentication.
- Embodiment 2 of the present invention provides a device for dynamic password verification; FIG. 6 is a schematic structural diagram of the device. The device includes an initial code generating unit, a dynamic password generating unit and a dynamic password verifying unit, where:
- the initial code generating unit is located in the mobile device and is configured to generate an initial code using the token software; the initial code is then transmitted to the authentication server through input on the web page.
- the manner in which the initial code is generated and input is as described in Embodiment 1 of the method above.
- the dynamic password generating unit is located in the mobile device and is configured to calculate, according to a DH (Diffie-Hellman) algorithm, the current dynamic password of the mobile device after the initial code verification has passed; the current dynamic password is likewise passed to the authentication server through input on the web page.
- DH: Diffie-Hellman key agreement algorithm.
- the dynamic password verification unit is located in the authentication server and is configured to calculate a dynamic password, from the initial code received by the authentication server, according to the same DH algorithm used by the dynamic password generating unit, and to compare its own dynamic password with the entered dynamic password in order to verify whether the dynamic password generated by the dynamic password generating unit is correct.
- the device described above may further include a confirmation code generating unit and a confirmation code verification unit, where:
- the confirmation code generating unit is configured to apply predetermined algorithmic processing to the initial code received by the authentication server in order to generate a confirmation code.
- the manner in which the confirmation code is generated is as described in Embodiment 1 of the method above.
- the confirmation code verification unit is located in the mobile device and is configured to obtain the confirmation code generated by the confirmation code generating unit, to calculate its own confirmation code from the initial code generated by the initial code generating unit using the same algorithm as the confirmation code generating unit, and to compare its own confirmation code with the confirmation code generated by the confirmation code generating unit in order to verify whether the initial code received by the authentication server is correct.
- the manner of verification is as described in Embodiment 1 of the method above.
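The units of Embodiment 2 walked through end to end (initial code, confirmation code, DH-derived dynamic password, server-side verification), as an added example in Python that is not the patent's code. Everything the patent leaves open is an assumption here: the toy DH group (a 61-bit prime, far too small for real use but short enough to type), that the server's DH public value is provisioned in the token software, that the confirmation code is a truncated SHA-256 of the typed initial code, that the dynamic password is an HMAC of the DH shared secret over a 30-second time counter, and the class and function names.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional

# Toy Diffie-Hellman group, constructed for illustration only (a 61-bit
# Mersenne prime); a real deployment needs a standard group such as the
# RFC 3526 / RFC 7919 MODP groups.  Small numbers keep the initial code
# short enough to type into a web page, which is the patent's input channel.
P = (1 << 61) - 1
G = 5
TIME_STEP = 30        # seconds per dynamic-password period (assumption)
OTP_DIGITS = 6        # length of the dynamic password (assumption)
CONFIRM_DIGITS = 4    # length of the confirmation code (assumption)


def truncate_digits(mac: bytes, ndigits: int) -> str:
    """HOTP-style dynamic truncation of a hash/MAC to ndigits decimal digits."""
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** ndigits).zfill(ndigits)


def confirmation_code(initial_code: str) -> str:
    """The server's 'predetermined algorithm' on the initial code; assumed here
    to be a truncated SHA-256 of the decimal string the user typed."""
    return truncate_digits(hashlib.sha256(initial_code.encode()).digest(), CONFIRM_DIGITS)


def shared_secret(peer_public: int, private: int) -> bytes:
    """DH shared secret g^(ab) mod p as fixed-width bytes."""
    return pow(peer_public, private, P).to_bytes(8, "big")


def dynamic_password(shared: bytes, t: int) -> str:
    """Dynamic password from the DH shared secret and the time counter."""
    counter = struct.pack(">Q", t // TIME_STEP)
    return truncate_digits(hmac.new(shared, counter, hashlib.sha256).digest(), OTP_DIGITS)


class MobileToken:
    """Token software: initial code generating unit, confirmation code
    verification unit and dynamic password generating unit."""

    def __init__(self, server_public: int, private: Optional[int] = None):
        self.server_public = server_public   # assumed provisioned with the token
        self.private = private if private is not None else secrets.randbelow(P - 3) + 2

    def initial_code(self) -> str:
        """g^a mod p as a decimal string; the user types this into the web page."""
        return str(pow(G, self.private, P))

    def check_confirmation(self, code_from_webpage: str) -> bool:
        """Verify that the server received the initial code intact."""
        return hmac.compare_digest(confirmation_code(self.initial_code()), code_from_webpage)

    def dynamic_password(self, t: int) -> str:
        return dynamic_password(shared_secret(self.server_public, self.private), t)


class AuthServer:
    """Authentication server: confirmation code generating unit and dynamic
    password verification unit."""

    def __init__(self, private: Optional[int] = None):
        self.private = private if private is not None else secrets.randbelow(P - 3) + 2
        self.pending: Dict[str, int] = {}   # user -> initial code received (assumption)

    def server_public(self) -> int:
        return pow(G, self.private, P)

    def receive_initial_code(self, user: str, code: str) -> str:
        """Accept the typed initial code and return the confirmation code."""
        if not code.isdigit() or not 1 < int(code) < P - 1:
            raise ValueError("rejecting malformed or degenerate public value")
        self.pending[user] = int(code)
        return confirmation_code(code)

    def verify(self, user: str, entered: str, t: int, drift_steps: int = 1) -> bool:
        """Recompute the dynamic password from the stored initial code and
        compare in constant time, tolerating +/- drift_steps of clock skew."""
        shared = shared_secret(self.pending[user], self.private)
        ok = False
        for d in range(-drift_steps, drift_steps + 1):
            ok |= hmac.compare_digest(dynamic_password(shared, t + d * TIME_STEP), entered)
        return ok


def run_flow(t: int, token_private: int, server_private: int) -> Dict[str, bool]:
    """Walk the whole exchange with fixed private values so it is reproducible."""
    server = AuthServer(server_private)
    token = MobileToken(server.server_public(), token_private)
    code = token.initial_code()                    # user types this on the web page
    confirm = server.receive_initial_code("alice", code)
    confirmed = token.check_confirmation(confirm)  # user reads it back into the token
    otp = token.dynamic_password(t)                # user types this on the web page
    return {
        "confirmed": confirmed,
        "accepted": server.verify("alice", otp, t),
        "accepted_next_step": server.verify("alice", otp, t + TIME_STEP),
        "garbage_rejected": not server.verify("alice", "abcdef", t),
    }
```

Two design points worth noting. A confirmation code that is only a hash of the initial code tells the token that the server received what was generated (it catches a mistyped digit) but does not prove the server holds its DH private key; that proof comes from the dynamic password check, since only a server holding b can derive the same shared secret. Rejecting initial codes of 0, 1 or p-1 before use avoids a degenerate shared secret that an attacker could predict, and the window of one time step on either side is the usual tolerance for clock drift between the mobile device and the server.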
- the units above are divided only according to functional logic and are not limited to this division, as long as the corresponding functions can be implemented; in addition, the specific name of each functional unit serves only to distinguish them from one another and is not intended to limit the scope of protection of the present invention.
- the storage medium may be a read-only memory, a magnetic disk, an optical disk or the like.
- the specific embodiments of the present invention can improve the security of identity authentication, and the device incurs no additional traffic charges, reducing the user's burden and the cost of authentication.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
BR112012004151-7A BR112012004151B1 (pt) | 2009-08-26 | 2010-07-06 | método e dispositivo para verificar senha dinâmica |
MX2012002367A MX2012002367A (es) | 2009-08-26 | 2010-07-06 | Metodo y dispositivo para verificar una contraseña dinamica. |
RU2012110323/08A RU2506637C2 (ru) | 2009-08-26 | 2010-07-06 | Способ и устройство верификации динамического пароля |
US13/399,052 US8850540B2 (en) | 2009-08-26 | 2012-02-17 | Method and device for verifying dynamic password |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200910091621.4 | 2009-08-26 | ||
CN2009100916214A CN101662465B (zh) | 2009-08-26 | 2009-08-26 | 一种动态口令验证的方法及装置 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/399,052 Continuation US8850540B2 (en) | 2009-08-26 | 2012-02-17 | Method and device for verifying dynamic password |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011023039A1 true WO2011023039A1 (zh) | 2011-03-03 |
Family
ID=41790252
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2010/075009 WO2011023039A1 (zh) | 2009-08-26 | 2010-07-06 | 一种动态口令验证的方法及装置 |
Country Status (7)
Country | Link |
---|---|
US (1) | US8850540B2 (zh) |
CN (1) | CN101662465B (zh) |
BR (1) | BR112012004151B1 (zh) |
HK (1) | HK1144504A1 (zh) |
MX (1) | MX2012002367A (zh) |
RU (1) | RU2506637C2 (zh) |
WO (1) | WO2011023039A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111711628A (zh) * | 2020-06-16 | 2020-09-25 | 北京字节跳动网络技术有限公司 | 网络通信身份认证方法、装置、系统、设备及存储介质 |
Families Citing this family (44)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101662465B (zh) | 2009-08-26 | 2013-03-27 | 深圳市腾讯计算机系统有限公司 | 一种动态口令验证的方法及装置 |
CN102185838B (zh) * | 2011-04-21 | 2014-06-25 | 杭州驭强科技有限公司 | 基于时间因子的主动式动态密码生成和认证系统及方法 |
US9071424B1 (en) * | 2013-03-29 | 2015-06-30 | Emc Corporation | Token-based key generation |
CN104134021B (zh) * | 2013-06-20 | 2016-03-02 | 腾讯科技(深圳)有限公司 | 软件的防篡改验证方法及装置 |
CN104468099A (zh) * | 2013-09-12 | 2015-03-25 | 全联斯泰克科技有限公司 | 基于cpk的动态口令生成和验证方法及装置 |
CN103618717B (zh) * | 2013-11-28 | 2017-12-05 | 北京奇虎科技有限公司 | 多账户客户信息的动态认证方法、装置和系统 |
WO2015126398A1 (en) * | 2014-02-20 | 2015-08-27 | Empire Technology Development, Llc | Device authentication in ad-hoc networks |
US9332008B2 (en) * | 2014-03-28 | 2016-05-03 | Netiq Corporation | Time-based one time password (TOTP) for network authentication |
KR101934321B1 (ko) | 2014-04-09 | 2019-01-02 | 엠파이어 테크놀로지 디벨롭먼트 엘엘씨 | 센서 데이터 이상 검출기 |
US9432339B1 (en) | 2014-09-29 | 2016-08-30 | Emc Corporation | Automated token renewal using OTP-based authentication codes |
CN105744049A (zh) * | 2014-12-09 | 2016-07-06 | 联芯科技有限公司 | 一种移动终端管理模式管理方法及系统 |
CN104579686B (zh) * | 2015-01-15 | 2018-10-30 | 上海动联信息技术股份有限公司 | 一种用于手机令牌的种子匹配方法 |
KR102033465B1 (ko) * | 2015-02-27 | 2019-10-17 | 텔레호낙티에볼라게트 엘엠 에릭슨(피유비엘) | 통신 디바이스와 네트워크 디바이스 사이의 통신에서의 보안 설비 |
US10050942B2 (en) * | 2015-03-17 | 2018-08-14 | Ca, Inc. | System and method of mobile authentication |
US10360558B2 (en) | 2015-03-17 | 2019-07-23 | Ca, Inc. | Simplified two factor authentication for mobile payments |
US10387884B2 (en) | 2015-03-18 | 2019-08-20 | Ca, Inc. | System for preventing mobile payment |
US10089631B2 (en) | 2015-03-18 | 2018-10-02 | Ca, Inc. | System and method of neutralizing mobile payment |
US9842205B2 (en) | 2015-03-30 | 2017-12-12 | At&T Intellectual Property I, L.P. | Time-varying passwords for user authentication |
US9742761B2 (en) * | 2015-11-10 | 2017-08-22 | International Business Machines Corporation | Dynamic authentication for a computing system |
US9800580B2 (en) * | 2015-11-16 | 2017-10-24 | Mastercard International Incorporated | Systems and methods for authenticating an online user using a secure authorization server |
WO2017096603A1 (zh) * | 2015-12-10 | 2017-06-15 | 深圳市大疆创新科技有限公司 | 数据连接、传送、接收、交互的方法及系统,及存储器、飞行器 |
US9626506B1 (en) | 2015-12-17 | 2017-04-18 | International Business Machines Corporation | Dynamic password generation |
US10216943B2 (en) | 2015-12-17 | 2019-02-26 | International Business Machines Corporation | Dynamic security questions in electronic account management |
US9876783B2 (en) * | 2015-12-22 | 2018-01-23 | International Business Machines Corporation | Distributed password verification |
WO2017202136A1 (zh) * | 2016-05-24 | 2017-11-30 | 飞天诚信科技股份有限公司 | 一种认证动态口令的方法和设备 |
CN107453871B (zh) * | 2016-05-30 | 2020-07-03 | 阿里巴巴集团控股有限公司 | 口令生成方法、口令验证方法、支付方法及装置 |
CN106559212B (zh) * | 2016-11-08 | 2018-04-06 | 北京海泰方圆科技股份有限公司 | 数据处理方法和装置 |
WO2018108062A1 (zh) * | 2016-12-15 | 2018-06-21 | 腾讯科技(深圳)有限公司 | 身份验证方法、装置及存储介质 |
CN106603574B (zh) * | 2017-01-23 | 2018-05-08 | 北京海泰方圆科技股份有限公司 | 动态口令生成和认证方法及装置 |
US10972273B2 (en) * | 2017-06-14 | 2021-04-06 | Ebay Inc. | Securing authorization tokens using client instance specific secrets |
US10789179B1 (en) * | 2017-10-06 | 2020-09-29 | EMC IP Holding Company LLC | Decentralized access management in information processing system utilizing persistent memory |
CN108040090A (zh) * | 2017-11-27 | 2018-05-15 | 上海上实龙创智慧能源科技股份有限公司 | 一种多Web的系统整合方法 |
US11122033B2 (en) * | 2017-12-19 | 2021-09-14 | International Business Machines Corporation | Multi factor authentication |
US11012435B2 (en) | 2017-12-19 | 2021-05-18 | International Business Machines Corporation | Multi factor authentication |
CN109146470B (zh) * | 2018-08-24 | 2023-02-28 | 北京小米移动软件有限公司 | 生成付款码的方法及装置 |
CN111723362B (zh) * | 2019-03-22 | 2023-09-08 | 倪晓 | 一种权限密码生成方法、系统、装置及终端设备 |
CN110400405B (zh) * | 2019-07-29 | 2021-10-26 | 北京小米移动软件有限公司 | 一种控制门禁的方法、装置及介质 |
WO2021032304A1 (en) * | 2019-08-22 | 2021-02-25 | Huawei Technologies Co., Ltd. | Gateway devices and methods for performing a site-to-site communication |
US11240661B2 (en) * | 2019-09-03 | 2022-02-01 | Cisco Technology, Inc. | Secure simultaneous authentication of equals anti-clogging mechanism |
US20210125194A1 (en) * | 2019-10-23 | 2021-04-29 | Allclear Id, Inc. | Method and system for completing cross-channel transactions |
CN112000853B (zh) * | 2020-07-31 | 2024-05-24 | 天翼电子商务有限公司 | 设备唯一标识的生成/反馈方法、介质及客户端、服务端 |
CN112333154A (zh) * | 2020-10-16 | 2021-02-05 | 四川九八村信息科技有限公司 | 一种基于动态密码进行权限控制方法及其血浆采集机 |
US11569999B1 (en) | 2021-07-09 | 2023-01-31 | Micro Focus Llc | Dynamic tokenization table exchange |
CN116827560B (zh) * | 2023-08-31 | 2023-11-17 | 北京云驰未来科技有限公司 | 一种基于异步口令的动态密码认证方法及系统 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070136581A1 (en) * | 2005-02-15 | 2007-06-14 | Sig-Tec | Secure authentication facility |
CN101051908A (zh) * | 2007-05-21 | 2007-10-10 | 北京飞天诚信科技有限公司 | 动态密码认证系统及方法 |
CN101500011A (zh) * | 2009-03-13 | 2009-08-05 | 北京华大智宝电子系统有限公司 | 实现动态口令安全保护的方法及系统 |
CN101662465A (zh) * | 2009-08-26 | 2010-03-03 | 深圳市腾讯计算机系统有限公司 | 一种动态口令验证的方法及装置 |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5319735A (en) * | 1991-12-17 | 1994-06-07 | Bolt Beranek And Newman Inc. | Embedded signalling |
US5394508A (en) * | 1992-01-17 | 1995-02-28 | Massachusetts Institute Of Technology | Method and apparatus for encoding decoding and compression of audio-type data |
BR9709534A (pt) * | 1996-06-05 | 2000-05-09 | Siemens Ag | Processo para o gerenciamento de códigos cifrados entre uma primeira unidade de computador e uma segunda unidade de computador |
US7120797B2 (en) * | 2002-04-24 | 2006-10-10 | Microsoft Corporation | Methods for authenticating potential members invited to join a group |
US20030204732A1 (en) * | 2002-04-30 | 2003-10-30 | Yves Audebert | System and method for storage and retrieval of a cryptographic secret from a plurality of network enabled clients |
US7600118B2 (en) | 2002-09-27 | 2009-10-06 | Intel Corporation | Method and apparatus for augmenting authentication in a cryptographic system |
US8924728B2 (en) * | 2004-11-30 | 2014-12-30 | Intel Corporation | Apparatus and method for establishing a secure session with a device without exposing privacy-sensitive information |
US20060149676A1 (en) * | 2004-12-30 | 2006-07-06 | Sprunk Eric J | Method and apparatus for providing a secure move of a decrpytion content key |
NO20050152D0 (no) * | 2005-01-11 | 2005-01-11 | Dnb Nor Bank Asa | Fremgangsmate ved frembringelse av sikkerhetskode og programmbar anordning for denne |
US9143323B2 (en) * | 2005-04-04 | 2015-09-22 | Blackberry Limited | Securing a link between two devices |
US9137012B2 (en) * | 2006-02-03 | 2015-09-15 | Emc Corporation | Wireless authentication methods and apparatus |
EP1997270B1 (en) * | 2006-03-09 | 2014-12-03 | Vasco Data Security International GmbH | Method and system for authenticating a user |
JP4960446B2 (ja) | 2006-06-19 | 2012-06-27 | インターデイジタル テクノロジー コーポレーション | 初期の信号メッセージにおいて初期のユーザ識別情報のセキュリティを保護する方法および装置 |
CN101459513B (zh) * | 2007-12-10 | 2011-09-21 | 联想(北京)有限公司 | 一种计算机和用于认证的安全信息的发送方法 |
CN101304315B (zh) * | 2008-06-30 | 2010-11-03 | 北京飞天诚信科技有限公司 | 基于口令卡提高身份认证安全性的方法 |
2009
- 2009-08-26 CN CN2009100916214A patent/CN101662465B/zh active Active
2010
- 2010-07-06 RU RU2012110323/08A patent/RU2506637C2/ru active
- 2010-07-06 MX MX2012002367A patent/MX2012002367A/es active IP Right Grant
- 2010-07-06 BR BR112012004151-7A patent/BR112012004151B1/pt active IP Right Grant
- 2010-07-06 WO PCT/CN2010/075009 patent/WO2011023039A1/zh active Application Filing
- 2010-09-02 HK HK10108366.7A patent/HK1144504A1/xx unknown
2012
- 2012-02-17 US US13/399,052 patent/US8850540B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
RU2012110323A (ru) | 2013-10-10 |
BR112012004151B1 (pt) | 2021-05-04 |
HK1144504A1 (en) | 2011-02-18 |
RU2506637C2 (ru) | 2014-02-10 |
MX2012002367A (es) | 2012-03-29 |
BR112012004151A2 (pt) | 2017-05-30 |
CN101662465A (zh) | 2010-03-03 |
CN101662465B (zh) | 2013-03-27 |
US20120151566A1 (en) | 2012-06-14 |
US8850540B2 (en) | 2014-09-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2011023039A1 (zh) | 一种动态口令验证的方法及装置 | |
AU2019240671B2 (en) | Methods for secure cryptogram generation | |
CN109951489B (zh) | 一种数字身份认证方法、设备、装置、系统及存储介质 | |
US9853816B2 (en) | Credential validation | |
US9887838B2 (en) | Method and device for secure communications over a network using a hardware security engine | |
WO2018046009A1 (zh) | 一种区块链身份系统 | |
CN106533687B (zh) | 一种身份认证方法和设备 | |
US20160080157A1 (en) | Network authentication method for secure electronic transactions | |
US9185111B2 (en) | Cryptographic authentication techniques for mobile devices | |
US10924289B2 (en) | Public-private key pair account login and key manager | |
US20110238989A1 (en) | Method and system for secure communication using hash-based message authentication codes | |
JPWO2019239591A1 (ja) | 認証システム、認証方法、アプリケーション提供装置、認証装置、及び認証用プログラム | |
CN112671720A (zh) | 一种云平台资源访问控制的令牌构造方法、装置及设备 | |
WO2012037886A1 (zh) | 安全访问受保护资源的方法及系统 | |
SG175860A1 (en) | Methods of robust multi-factor authentication and authorization and systems thereof | |
KR20120091618A (ko) | 연쇄 해시에 의한 전자서명 시스템 및 방법 | |
CN111245594B (zh) | 一种基于同态运算的协同签名方法及系统 | |
WO2017029708A1 (ja) | 個人認証システム | |
CN116528230A (zh) | 验证码处理方法、移动终端及可信服务系统 | |
JP2021100227A (ja) | IoT鍵管理システム,セキュアデバイス,IoTデバイス,デバイス管理装置およびセキュアエレメントの公開鍵証明書生成方法 | |
CN112150151B (zh) | 安全支付方法、装置、电子设备及存储介质 | |
US9820147B2 (en) | Authentification method for a communication network | |
TWI437868B (zh) | A method, system and device for dynamic password verification | |
CN112235105B (zh) | 一种抗中间人攻击的动态口令认证方法 | |
CN116188007B (zh) | 一种身份验证方法及系统 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 10811199; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: MX/A/2012/002367; Country of ref document: MX |
| WWE | Wipo information: entry into national phase | Ref document number: 1201000722; Country of ref document: TH |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 2356/CHENP/2012; Country of ref document: IN |
| WWE | Wipo information: entry into national phase | Ref document number: 2012110323; Country of ref document: RU |
| 32PN | Ep: public notification in the ep bulletin as address of the adressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC OF 290812 |
| REG | Reference to national code | Ref country code: BR; Ref legal event code: B01A; Ref document number: 112012004151; Country of ref document: BR |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 10811199; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 112012004151; Country of ref document: BR; Kind code of ref document: A2; Effective date: 20120224 |