WO2016049870A1 - Method and system for generating dynamic login credential - Google Patents

Method and system for generating dynamic login credential

Publication number
WO2016049870A1
Authority
WO
WIPO (PCT)
Prior art keywords
dynamic
update
server
communication terminal
key
Application number
PCT/CN2014/087979
Inventor
钟焰涛
Original Assignee
宇龙计算机通信科技(深圳)有限公司
Application filed by 宇龙计算机通信科技(深圳)有限公司 filed Critical 宇龙计算机通信科技(深圳)有限公司
Priority to PCT/CN2014/087979 priority Critical patent/WO2016049870A1/en
Publication of WO2016049870A1 publication Critical patent/WO2016049870A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • H04L9/16 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms, the keys or algorithms being changed during operation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/043 Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
    • H04W12/0433 Key management protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method and system for generating dynamic login credentials.
  • the login mode widely used in existing network services is that a user logs in to the server by using a login credential such as a password on a communication terminal such as a mobile phone.
  • the login credentials include answers to specific questions, specific pluggable hardware, one-time passwords that the server sends to the mobile terminal, fingerprint information, and so on.
  • once a password or the like is stolen, there is no security. This problem is more serious when the user uses a mobile terminal, because mobile terminals such as mobile phones and tablets are more likely to be stolen, and login credentials such as passwords may be read by the offender from a cache such as a cookie (small text file). Therefore, there are serious security risks.
  • an object of the present invention is to provide a method and system for generating dynamic login credentials, which can secure the dynamic login credentials by continuously updating the dynamic login credentials, thereby protecting the security of the user.
  • the present invention provides a method for generating dynamic login credentials, including the following steps:
  • a dynamic key update step: if data interaction occurs between the server and the communication terminal, updating at least one dynamic key according to a predetermined key update algorithm;
  • a dynamic key judging step: when the dynamic login credential reaches a predetermined update period, determining whether the dynamic key has been updated during the current update period;
  • a dynamic login credential update step: if the dynamic key has been updated, updating the dynamic login credential according to a predetermined credential update algorithm and the updated dynamic key.
  • the dynamic key update step includes:
  • the server and the communication terminal determine whether the data packet is sent by the communication terminal;
  • the server and the communication terminal respectively update the first dynamic key according to the key update algorithm
  • the key update algorithm updates the second dynamic key
  • the dynamic key determining step includes:
  • the server or the communication terminal determines whether the first dynamic key or the second dynamic key has been updated in the update period of the current time;
  • the dynamic login credential update step includes:
  • the server and the communication terminal respectively update the dynamic login credential according to the credential update algorithm and the updated first dynamic key and/or second dynamic key.
  • the key update algorithm is:
  • the credential update algorithm is:
  • the l 1 is a binary length of P
  • the l 2 is a binary length of sk 1 and sk 2 ;
  • the ⊕ is a bitwise XOR operation on two binary strings
  • is a connection operation to two binary strings
  • the hash 1 is a first hash function, indicating that the input is a binary string of arbitrary length, and the output is a binary string of length l 2 ;
  • the hash 2 is a second hash function, indicating that the input is a binary string of length 2l 2 and the output is a binary string of length l 1 .
  • the server or the communication terminal further includes:
  • the server or the communication terminal sends a non-update notification of the dynamic login credential to the communication terminal or the server;
  • the server or the communication terminal sends an update notification of the dynamic login credential to the communication terminal or the server;
  • after receiving the update notification, the communication terminal or the server returns an update confirmation of the dynamic login credential to the server or the communication terminal.
  • the dynamic login credential update step further includes a credential update confirmation step, the credential update confirmation step comprising:
  • the server or the communication terminal calculates a first confirmation value according to the updated dynamic login credential and the predetermined confirmation value algorithm, and transmits the first confirmation value to the communication terminal or the server;
  • the communication terminal or the server calculates a second confirmation value according to the dynamically updated login credential and the confirmation value algorithm
  • the communication terminal or the server determines that the dynamic login credential update is successful, and sends a credential update success notification to the server or the communication terminal;
  • the communication terminal or the server determines that the dynamic login credential update fails, and sends a credential update failure notification to the server or the communication terminal.
  • the confirmation value algorithm is:
  • the a is the first confirmation value
  • the a' is the second confirmation value
  • the P1 is a dynamic login credential that is locally updated by the server or the communication terminal
  • the P2 is the dynamic login credential after the communication terminal or the server has updated it locally.
  • the communication terminal logs in to the server using the updated dynamic login credential.
  • the communication terminal and the server continue to use the original dynamic login credential, and the first dynamic key and the second dynamic key are cleared.
  • the method further includes:
  • An initial value setting step when the communication terminal registers with the server, the server and/or the communication terminal sets a login password set by the communication terminal as an initial value of the dynamic login credential;
  • the initial values of the first dynamic key and the second dynamic key are respectively set to 0 strings of length l 2 .
  • the initial value setting step further includes:
  • if the length of the login password is less than l 1 , it is padded with a fixed binary string so that the binary length of the login password reaches l 1 , and the padded login password is used as the initial value of the dynamic login credential; if the length of the login password is greater than l 1 , the first l 1 bits of the login password's binary string are taken as the initial value of the dynamic login credential.
  • the invention also provides a system for generating dynamic login credentials, comprising:
  • a dynamic key update module configured to update at least one dynamic key according to a predetermined key update algorithm if data interaction occurs between the server and the communication terminal;
  • a dynamic key judging module configured to determine, when the dynamic login credential reaches a predetermined update period, whether the dynamic key has been updated in the update period of the current time
  • the dynamic login credential update module is configured to update the dynamic login credential according to a predetermined credential update algorithm and the updated dynamic key if the dynamic key is updated.
  • the dynamic key update module includes:
  • a first data judging submodule configured to determine, when the server and the communication terminal exchange a data packet, whether the data packet is sent by the communication terminal, where the first data judging submodule is provided in the server;
  • a first key update submodule configured to: if the data packet is sent by the communication terminal, update the first dynamic key according to the key update algorithm, where the first key update submodule is provided in the server;
  • a second key update submodule configured to: if the data packet is sent by the server, update the second dynamic key according to the key update algorithm, where the second key update submodule is provided in the server;
  • the dynamic key update module further includes:
  • a second data judging submodule configured to determine, when the server and the communication terminal exchange a data packet, whether the data packet is sent by the communication terminal, where the second data judging submodule is provided in the communication terminal;
  • a third key update submodule configured to: if the data packet is sent by the communication terminal, update the first dynamic key according to the key update algorithm, where the third key update submodule is provided in the communication terminal;
  • a fourth key update submodule configured to: if the data packet is sent by the server, update the second dynamic key according to the key update algorithm, where the fourth key update submodule is provided in the communication terminal;
  • the dynamic key judging module includes:
  • a first key judging submodule configured to determine, when the dynamic login credential reaches the update period, whether the first dynamic key or the second dynamic key has been updated in the current update period, where the first key judging submodule is provided in the server; or
  • a second key judging submodule configured to determine, when the dynamic login credential reaches the update period, whether the first dynamic key or the second dynamic key has been updated in the current update period, where the second key judging submodule is provided in the communication terminal;
  • the dynamic login credential update module includes:
  • a first credential update submodule configured to: if the first dynamic key or the second dynamic key has been updated, update the dynamic login credential according to the credential update algorithm and the updated first dynamic key and/or second dynamic key, where the first credential update submodule is provided in the server;
  • a second credential update submodule configured to: if the first dynamic key or the second dynamic key has been updated, update the dynamic login credential according to the credential update algorithm and the updated first dynamic key and/or second dynamic key, where the second credential update submodule is provided in the communication terminal.
  • the key update algorithm is:
  • the credential update algorithm is:
  • the l 1 is a binary length of P
  • the l 2 is a binary length of sk 1 and sk 2 ;
  • the ⊕ is a bitwise XOR operation on two binary strings
  • is a connection operation to two binary strings
  • the hash 1 is a first hash function, indicating that the input is a binary string of arbitrary length, and the output is a binary string of length l 2 ;
  • the hash 2 is a second hash function, indicating that the input is a binary string of length 2l 2 and the output is a binary string of length l 1 .
  • the dynamic key judging module further includes:
  • a first update notification submodule configured to send a non-update notification of the dynamic login credential to the communication terminal when the first dynamic key or the second dynamic key has not been updated, and to send an update notification of the dynamic login credential to the communication terminal when the first dynamic key or the second dynamic key has been updated, where the first update notification submodule is provided in the server;
  • a first update confirmation submodule configured to return an update confirmation of the dynamic login credential to the server after receiving the update notification of the server, where the first update confirmation submodule is provided in the communication terminal; or
  • the dynamic key judging module further includes:
  • a second update notification submodule configured to send a non-update notification of the dynamic login credential to the server when the first dynamic key or the second dynamic key has not been updated, and to send an update notification of the dynamic login credential to the server when the first dynamic key or the second dynamic key has been updated, where the second update notification submodule is provided in the communication terminal;
  • a second update confirmation submodule configured to return an update confirmation of the dynamic login credential to the communication terminal after receiving the update notification of the communication terminal, where the second update confirmation submodule is provided in the server.
  • the system further includes a credential update confirmation module, and the credential update confirmation module includes:
  • a first confirmation value calculation submodule configured to calculate a first confirmation value according to the dynamic login credential updated by the server and the predetermined confirmation value algorithm, and send the first confirmation value to the communication terminal, where the first confirmation value calculation submodule is provided in the server;
  • a second confirmation value calculation submodule configured to calculate a second confirmation value according to the dynamic login credential updated by the communication terminal and the confirmation value algorithm, where the second confirmation value calculation submodule is provided in the communication terminal;
  • a first confirmation value determining submodule configured to determine whether the first confirmation value and the second confirmation value are equal, the first confirmation value determining submodule being disposed in the communication terminal;
  • a first confirmation notification submodule configured to: if the first confirmation value and the second confirmation value are equal, determine that the dynamic login credential update is successful and send a credential update success notification to the server; and if the first confirmation value and the second confirmation value are not equal, determine that the dynamic login credential update fails and send a credential update failure notification to the server, where the first confirmation notification submodule is provided in the communication terminal; or
  • the credential update confirmation module includes:
  • a third confirmation value calculation submodule configured to calculate a first confirmation value according to the dynamic login credential updated by the communication terminal and the predetermined confirmation value algorithm, and send the first confirmation value to the server, where the third confirmation value calculation submodule is provided in the communication terminal;
  • a fourth confirmation value calculation submodule configured to calculate a second confirmation value according to the dynamic login credential updated by the server and the confirmation value algorithm, where the fourth confirmation value calculation submodule is provided in the server;
  • a second confirmation value determining sub-module configured to determine whether the first confirmation value and the second confirmation value are equal, the second confirmation value determining sub-module being disposed in the server;
  • a second confirmation notification submodule configured to: if the first confirmation value and the second confirmation value are equal, determine that the dynamic login credential update is successful and send a credential update success notification to the communication terminal; and if the first confirmation value and the second confirmation value are not equal, determine that the dynamic login credential update fails and send a credential update failure notification to the communication terminal, where the second confirmation notification submodule is provided in the server.
  • the confirmation value algorithm is:
  • the a is the first confirmation value
  • the a' is the second confirmation value
  • the P1 is a dynamic login credential that is locally updated by the server or the communication terminal
  • the P2 is the dynamic login credential after the communication terminal or the server has updated it locally.
  • the communication terminal logs in to the server using the updated dynamic login credential.
  • the communication terminal and the server continue to use the original dynamic login credential, and the first dynamic key and the second dynamic key are cleared.
  • the system further includes an initial value setting module, and the initial value setting module includes:
  • a first initial value setting submodule configured to: when the communication terminal registers with the server, set a login password set by the communication terminal as the initial value of the dynamic login credential, and set the initial values of the first dynamic key and the second dynamic key to 0 strings of length l 2 , where the first initial value setting submodule is provided in the server; and/or
  • a second initial value setting submodule configured to: when the communication terminal registers with the server, set a login password set by the communication terminal as the initial value of the dynamic login credential, and set the initial values of the first dynamic key and the second dynamic key to 0 strings of length l 2 , where the second initial value setting submodule is provided in the communication terminal.
  • the first initial value setting submodule and/or the second initial value setting submodule is configured to: if the length of the login password is less than l 1 , pad it with a fixed binary string so that the binary length of the login password reaches l 1 , and use the padded login password as the initial value of the dynamic login credential; and if the length of the login password is greater than l 1 , take the first l 1 bits of the login password's binary string as the initial value of the dynamic login credential.
  • the invention generates dynamic login credentials through negotiation between the server and the communication terminal, and through the continuous update of the dynamic login credentials, even if the dynamic login credentials are stolen by the offender at a certain moment, the security of the dynamic login credentials can be guaranteed after the update, thereby protecting the user's security.
  • the present invention uses a bitwise XOR operation and a hash operation to generate dynamic login credentials. These two operations are not only easy to implement, but also computationally inexpensive, which improves computational efficiency.
  • FIG. 1 is a schematic structural diagram of a system for generating a dynamic login credential according to the present invention
  • FIG. 2 is a schematic structural diagram of a system for generating a dynamic login credential according to the present invention
  • FIG. 3 is a flowchart of a method for generating a dynamic login credential according to the present invention
  • FIG. 4 is a flow chart of a method for generating a preferred dynamic login credential of the present invention
  • FIG. 5 is a flow chart of a preferred example of updating the dynamic login credential of the present invention once.
  • the system 100 for generating a dynamic login credential may be provided in a server and/or a communication terminal; the server 200 is preferably a cloud server, and the communication terminal may be a mobile phone, a PDA (Personal Digital Assistant), a tablet, or the like.
  • the dynamic login credential generation system 100 includes at least a dynamic key update module 10, a dynamic key determination module 20, and a dynamic login credential update module 30, wherein:
  • the dynamic key update module 10 is configured to update at least one dynamic key according to a predetermined key update algorithm if data interaction occurs between the server and the communication terminal.
  • the key update algorithm is preferably a hash operation and a bitwise exclusive OR operation.
  • the dynamic key judging module 20 is configured to determine whether the dynamic key has been updated in the current update period when the dynamic login credential reaches a predetermined update period.
  • in order to protect the security of the dynamic login credentials, the dynamic login credentials must be periodically updated (e.g., updated once a month); the update period may be negotiated between the communication terminal 300 and the server 200 at the time of registration.
  • the dynamic login credential update module 30 is configured to update the dynamic login credential according to the predetermined credential update algorithm and the updated dynamic key if the dynamic key is updated.
  • the credential update algorithm is preferably a hash operation and a bitwise exclusive OR operation. After the dynamic login credential is successfully updated, the communication terminal 300 logs in to the server 200 using the updated login credentials.
  • the present invention negotiates the generation of dynamic login credentials through the server 200 and the communication terminal 300. By continuously updating the dynamic login credentials, even if the dynamic login credentials are stolen by the offender at a certain moment, the security of the dynamic login credentials can be guaranteed after the update.
  • the present invention preferably uses only bit-wise XOR operations and hash operations, both of which are easy to implement and the amount of computation is small.
  • the system 100 for generating a dynamic login credential may be provided in the server 200 and/or the communication terminal 300; the server 200 is preferably a cloud server, and the communication terminal 300 can be a mobile phone, a PDA, a tablet, or the like.
  • the dynamic login credential generation system 100 includes at least a dynamic key update module 10, a dynamic key determination module 20, and a dynamic login credential update module 30.
  • P: the dynamic login credential;
  • sk 1 , sk 2 : a first dynamic key and a second dynamic key for updating P;
  • l 1 : the binary length of P;
  • l 2 : the binary length of sk 1 and sk 2 ;
  • Hash 1 : the first hash function; the input is a binary string of arbitrary length, and the output is a binary string of length l 2 ;
  • Hash 2 : the second hash function; the input is a binary string of length 2l 2 , and the output is a binary string of length l 1 .
  • the dynamic key update module 10 is configured to update at least one dynamic key according to a predetermined key update algorithm if data interaction occurs between the server 200 and the communication terminal 300.
  • the dynamic key update module 10 includes:
  • the first data judging sub-module 11 is configured to determine, when the data packet m is exchanged between the server 200 and the communication terminal 300, whether the data packet m is sent by the communication terminal 300; the first data judging sub-module 11 is provided in the server 200.
  • the first key update sub-module 12 is configured to update the first dynamic key sk 1 according to the predetermined key update algorithm if the data packet m is sent by the communication terminal 300; the first key update sub-module 12 is provided in the server 200.
  • the second key update sub-module 13 is configured to update the second dynamic key sk 2 according to the key update algorithm if the data packet m is sent by the server 200; the second key update sub-module 13 is provided in the server 200.
  • the dynamic key update module further includes:
  • the second data judging sub-module 14 is configured to determine, when the data packet m is exchanged between the server 200 and the communication terminal 300, whether the data packet m is sent by the communication terminal 300; the second data judging sub-module 14 is provided in the communication terminal 300.
  • the third key update sub-module 15 is configured to update the first dynamic key sk 1 according to the key update algorithm if the data packet m is sent by the communication terminal 300; the third key update sub-module 15 is provided in the communication terminal 300.
  • the fourth key update sub-module 16 is configured to update the second dynamic key sk 2 according to the key update algorithm if the data packet m is sent by the server 200; the fourth key update sub-module 16 is provided in the communication terminal 300.
  • the server 200 and the communication terminal 300 of the present invention both judge the source of the data packet m, and the server 200 and the communication terminal 300 respectively perform the first dynamic key sk 1 and/or the second dynamic key sk 2 Update.
  • each data packet m exchanged between the communication terminal 300 and the server 200 through a reliable transmission protocol, such as TCP (Transmission Control Protocol), causes an update of the sk 1 or sk 2 value.
  • the update algorithms of sk 1 and sk 2 are both executed by the communication terminal 300 and the server 200 and the steps are the same. If there is no error, the results of sk 1 and sk 2 of both parties are the same.
  • the dynamic key judging module 20 is configured to determine whether the dynamic key has been updated in the current update period when the dynamic login credential P reaches a predetermined update period. In order to protect the security of the dynamic login credentials P, the dynamic login credentials P must be periodically updated, which can be negotiated between the communication terminal 300 and the server 200 at the time of registration.
  • the dynamic key judging module 20 includes:
  • the first key judging sub-module 21 is configured to determine, when the dynamic login credential P reaches the update period, whether the first dynamic key sk 1 or the second dynamic key sk 2 has been updated during the current update period; the first key judging sub-module 21 is provided in the server 200; or
  • the second key judging sub-module 22 is configured to determine, when the dynamic login credential P reaches the update period, whether the first dynamic key sk 1 or the second dynamic key sk 2 has been updated in the current update period; the second key judging sub-module 22 is provided in the communication terminal 300.
  • the dynamic key judging module 20 further includes:
  • the first update notification sub-module 23 is configured to send a non-update notification of the dynamic login credential P to the communication terminal 300 when the first dynamic key sk 1 or the second dynamic key sk 2 has not been updated, and to send an update notification of the dynamic login credential P to the communication terminal 300 when the first dynamic key sk 1 or the second dynamic key sk 2 has been updated; the first update notification sub-module 23 is provided in the server 200.
  • the first update confirmation sub-module 24 is configured to return an update confirmation of the dynamic login credential P to the server 200 after receiving the update notification of the server 200, and the first update confirmation sub-module is provided in the communication terminal 300.
  • the dynamic key judging module 20 includes:
  • the second update notification sub-module 25 is configured to send a non-update notification of the dynamic login credential P to the server 200 when the first dynamic key sk 1 or the second dynamic key sk 2 has not been updated, and to send an update notification of the dynamic login credential P to the server 200 when the first dynamic key sk 1 or the second dynamic key sk 2 has been updated; the second update notification sub-module 25 is provided in the communication terminal 300.
  • the second update confirmation sub-module 26 is configured to return an update confirmation of the dynamic login credential P to the communication terminal 300 after receiving the update notification of the communication terminal 300, and the second update confirmation sub-module is provided in the server 200.
  • the dynamic login credential update module 30 is configured to update the dynamic login credential P according to a predetermined credential update algorithm and an updated dynamic key if the dynamic key is updated.
  • the dynamic login credential update module 30 includes:
  • the first credential update sub-module 31 is configured to: if the first dynamic key sk 1 or the second dynamic key sk 2 has been updated, update the dynamic login credential P according to the credential update algorithm and the updated first dynamic key sk 1 and/or second dynamic key sk 2 ; the first credential update sub-module 31 is provided in the server 200;
  • the second credential update sub-module 32 is configured to: if the first dynamic key sk 1 or the second dynamic key sk 2 has been updated, update the dynamic login credential P according to the credential update algorithm and the updated first dynamic key sk 1 and/or second dynamic key sk 2 ; the second credential update sub-module 32 is provided in the communication terminal 300.
  • in the present invention, the server 200 can determine whether sk 1 or sk 2 has been updated since P was last updated, and if so, the server 200 notifies the communication terminal 300 to update the P value.
  • alternatively, the communication terminal 300 can determine whether sk 1 or sk 2 has been updated since P was last updated, and if so, the communication terminal 300 notifies the server 200 to update the P value. Either arrangement works as long as both parties stay synchronized, but it is better for the server 200 to judge and notify.
  • the key update algorithm is preferably:
  • $sk_1 = sk_1 \oplus \mathrm{Hash}_1(m)$;
  • $sk_2 = sk_2 \oplus \mathrm{Hash}_1(m)$;
  • the credential update algorithm is:
  • $P = P \oplus \mathrm{Hash}_2(sk_1 \| sk_2)$, $sk_1 = 0$, $sk_2 = 0$;
  • the dynamic login credential generation system 100 includes a credential update confirmation module 40.
  • the credential update confirmation module 40 includes:
  • the first confirmation value calculation sub-module 41 is configured to calculate a first confirmation value according to the updated dynamic login credential P and the predetermined confirmation value algorithm of the server 200, and send the first confirmation value to the communication terminal 300; the first confirmation value calculation sub-module 41 is provided in the server 200.
  • the second confirmation value calculation sub-module 42 is configured to calculate a second confirmation value according to the updated dynamic login credential P and the confirmation value algorithm of the communication terminal 300, and the second confirmation value calculation sub-module 42 is provided in the communication terminal 300.
  • the first confirmation value judging sub-module 43 is configured to determine whether the first confirmation value and the second confirmation value are equal, and the first confirmation value judging sub-module 43 is provided in the communication terminal 300.
  • by comparing the first confirmation value with the second confirmation value, it can be determined whether the dynamic login credentials P calculated by both parties are equal; only if they are equal can the result be used as the new login credential.
  • if the first confirmation value and the second confirmation value are not equal, the dynamic login credentials P of the server 200 and the communication terminal 300 are not equal, which is caused by an inconsistency between the sk 1 and sk 2 held by the two parties before the dynamic login credential P was updated.
  • the first confirmation notification sub-module 44 is configured to: if the first confirmation value and the second confirmation value are equal, determine that the dynamic login credential P is updated successfully, and send a credential update success notification to the server 200; and if the first confirmation value and the second confirmation value are not equal, determine that the dynamic login credential P update fails, and send a credential update failure notification to the server 200. The first confirmation notification sub-module 44 is provided in the communication terminal 300.
  • the credential update confirmation module 40 includes:
  • the third confirmation value calculation sub-module 45 is configured to calculate a first confirmation value according to the updated dynamic login credential P and the predetermined confirmation value algorithm of the communication terminal 300, and send the first confirmation value to the server 200; the third confirmation value calculation sub-module 45 is provided in the communication terminal 300.
  • the fourth confirmation value calculation sub-module 46 is configured to calculate a second confirmation value according to the updated dynamic login credential P and the confirmation value algorithm of the server 200, and the fourth confirmation value calculation sub-module 46 is provided in the server 200.
  • the second confirmation value judging sub-module 47 is configured to determine whether the first confirmation value and the second confirmation value are equal, and the second confirmation value judging sub-module 47 is provided in the server 200.
  • the second confirmation notification sub-module 48 is configured to: if the first confirmation value and the second confirmation value are equal, determine that the dynamic login credential P is updated successfully, and send a credential update success notification to the communication terminal 300; and if the first confirmation value and the second confirmation value are not equal, determine that the dynamic login credential P update fails, and send a credential update failure notification to the communication terminal 300. The second confirmation notification sub-module 48 is provided in the server 200.
  • in the present invention, the server 200 and the communication terminal 300 each calculate one of the first confirmation value and the second confirmation value, and either the server 200 or the communication terminal 300 determines whether the two values are equal. It only requires that both parties stay synchronized.
  • the confirmation value algorithm is preferably:
  • $a = \mathrm{Hash}_1(P1)$, $a' = \mathrm{Hash}_1(P2)$;
  • a is the first confirmation value
  • a' is the second confirmation value
  • P1 is the dynamic login credential that is locally updated by the server 200 or the communication terminal 300
  • P2 is the dynamic login credential that is locally updated by the communication terminal 300 or the server 200.
  • after the dynamic login credential P is updated successfully, the communication terminal 300 logs in to the server 200 using the updated dynamic login credential P.
  • after the dynamic login credential P fails to be updated, the communication terminal 300 and the server 200 continue to use the original dynamic login credential P, and reset the first dynamic key sk 1 and the second dynamic key sk 2 to zero.
  • the dynamic login credential generation system 100 further includes an initial value setting module 50 including a first initial value setting sub-module 51 and/or a second initial value setting sub-module 52:
  • the first initial value setting sub-module 51 is provided in the server 200 and is used to set the login password set by the communication terminal 300 as the initial value of the dynamic login credential P when the communication terminal 300 registers with the server 200. If the length of the login password is less than l 1 , it is padded with a fixed binary string so that the binary length of the login password reaches l 1 , and the padded login password is used as the initial value of the dynamic login credential P; if the length of the login password is greater than l 1 , the leading binary string of length l 1 of the login password is taken as the initial value of the dynamic login credential P.
  • the first initial value setting sub-module 51 is further used to set the initial values of the first dynamic key sk 1 and the second dynamic key sk 2 to all-zero strings of length l 2 , i.e. 000...0 (length l 2 ).
  • the second initial value setting sub-module 52 is provided in the communication terminal 300 and is used to set the login password set by the communication terminal 300 as the initial value of the dynamic login credential P when the communication terminal 300 registers with the server 200. If the length of the login password is less than l 1 , it is padded with a fixed binary string so that the binary length of the login password reaches l 1 , and the padded login password is used as the initial value of the dynamic login credential P; if the length of the login password is greater than l 1 , the leading binary string of length l 1 of the login password is taken as the initial value of the dynamic login credential P.
  • the second initial value setting sub-module 52 is further used to set the initial values of the first dynamic key sk 1 and the second dynamic key sk 2 to all-zero strings of length l 2 .
  • the initial value of the dynamic login credential P can be set by the server 200 and then sent to the communication terminal 300 by the server 200; or it can be set by the communication terminal 300 and then sent to the server 200 by the communication terminal 300; or the server 200 and the communication terminal 300 can each set the initial value of the dynamic login credential P.
  • FIG. 3 is a flowchart of a method for generating a dynamic login credential according to the present invention, which may be implemented by the dynamic login credential generation system 100 shown in FIG. 1 or FIG. 2, and the method includes the following steps:
  • Step S301, dynamic key update step: if data interaction occurs between the server 200 and the communication terminal 300, at least one dynamic key is updated according to a predetermined key update algorithm.
  • the key update algorithm is preferably a hash operation and a bitwise exclusive OR operation.
  • Step S302, dynamic key determining step: when the dynamic login credential P reaches a predetermined update period, it is determined whether the dynamic key has been updated in the current update period.
  • in order to protect the security of the dynamic login credential P, it must be updated periodically (e.g., once a month); the update period may be negotiated between the communication terminal 300 and the server 200 at the time of registration.
  • Step S303, dynamic login credential update step: if the dynamic key has been updated, the dynamic login credential P is updated according to the predetermined credential update algorithm and the updated dynamic key.
  • the credential update algorithm is preferably a hash operation and a bitwise exclusive OR operation.
  • the invention protects the login credentials by dynamically updating the login credentials of the terminal, thereby protecting the security of the user.
  • FIG. 4 is a flowchart of a preferred method for generating dynamic login credentials according to the present invention, which may be implemented by the dynamic login credential generation system 100 shown in FIG. 2, the method comprising the steps of:
  • step S401, a data packet m is exchanged between the server 200 and the communication terminal 300.
  • step S402, the server 200 and the communication terminal 300 determine whether the data packet m was transmitted by the communication terminal 300; if so, step S403 is executed, otherwise step S404 is executed.
  • step S403, if the data packet m was transmitted by the communication terminal 300, the server 200 and the communication terminal 300 each update the first dynamic key sk 1 according to the key update algorithm.
  • step S404, if the data packet m was transmitted by the server 200, the server 200 and the communication terminal 300 each update the second dynamic key sk 2 according to the key update algorithm.
  • in the present invention, the server 200 and the communication terminal 300 both judge the source of the data packet m, and each of them updates the first dynamic key sk 1 and/or the second dynamic key sk 2 .
  • with a reliable transmission protocol, each data packet m that is exchanged causes an update of the sk 1 or sk 2 value.
  • the update algorithms for sk 1 and sk 2 are executed by both the communication terminal 300 and the server 200 with the same steps, so if no error occurs, both parties hold the same sk 1 and sk 2 .
  • step S405 the dynamic login credential P reaches the update period.
  • in order to protect the security of the dynamic login credential P, it must be updated periodically; the update period can be negotiated between the communication terminal 300 and the server 200 at the time of registration.
  • step S406, the server 200 or the communication terminal 300 determines whether the first dynamic key sk 1 or the second dynamic key sk 2 has been updated in the current update period. If yes, step S407 is performed; otherwise, the flow ends.
  • after step S406, the method further includes:
  • if the first dynamic key sk 1 or the second dynamic key sk 2 has not been updated, the server 200 or the communication terminal 300 transmits a non-update notification of the dynamic login credential P to the communication terminal 300 or the server 200.
  • if the first dynamic key sk 1 or the second dynamic key sk 2 has been updated, the server 200 or the communication terminal 300 transmits an update notification of the dynamic login credential P to the communication terminal 300 or the server 200.
  • upon receiving the update notification, the communication terminal 300 or the server 200 returns an update confirmation of the dynamic login credential P to the server 200 or the communication terminal 300.
  • step S407 the server 200 and the communication terminal 300 update the dynamic login credential P according to the credential update algorithm and the updated first dynamic key sk 1 and/or second dynamic key sk 2 , respectively.
  • the key update algorithm is preferably:
  • $sk_1 = sk_1 \oplus \mathrm{Hash}_1(m)$; $sk_2 = sk_2 \oplus \mathrm{Hash}_1(m)$;
  • the credential update algorithm is preferably:
  • $P = P \oplus \mathrm{Hash}_2(sk_1 \| sk_2)$, $sk_1 = 0$, $sk_2 = 0$;
  • P is the dynamic login credential; sk 1 is the first dynamic key; sk 2 is the second dynamic key;
  • l 1 is the binary length of P;
  • l 2 is the binary length of sk 1 and sk 2 ;
  • ⊕ is the bitwise XOR operation on two binary strings;
  • || is the concatenation operation on two binary strings;
  • Hash 1 is a first hash function whose input is a binary string of arbitrary length and whose output is a binary string of length l 2 ;
  • Hash 2 is a second hash function whose input is a binary string of length 2l 2 and whose output is a binary string of length l 1 .
  • the step S406 further includes a credential update confirmation step
  • the credential update confirmation step includes:
  • the server 200 or the communication terminal 300 calculates the first confirmation value based on the locally updated dynamic login credential P and the predetermined acknowledgment value algorithm, and transmits the first acknowledgment value to the communication terminal 300 or the server 200.
  • the communication terminal 300 or the server 200 calculates the second confirmation value based on the locally updated dynamic login credential P and the confirmation value algorithm.
  • the communication terminal 300 or the server 200 determines whether the first confirmation value and the second confirmation value are equal.
  • if the first confirmation value and the second confirmation value are equal, the communication terminal 300 or the server 200 determines that the dynamic login credential P is updated successfully, and transmits a credential update success notification to the server 200 or the communication terminal 300. After the dynamic login credential P is updated successfully, the communication terminal 300 logs in to the server 200 using the updated dynamic login credential P.
  • if the first confirmation value and the second confirmation value are not equal, the communication terminal 300 or the server 200 determines that the dynamic login credential P update fails, and transmits a credential update failure notification to the server 200 or the communication terminal 300. After the dynamic login credential P fails to be updated, the communication terminal 300 and the server 200 continue to use the original dynamic login credential P, and reset the first dynamic key sk 1 and the second dynamic key sk 2 to zero.
  • the confirmation value algorithm is preferably:
  • $a = \mathrm{Hash}_1(P1)$, $a' = \mathrm{Hash}_1(P2)$;
  • a is a first confirmation value
  • a' is a second confirmation value
  • P1 is a dynamic login credential that is locally updated by the server 200 or the communication terminal 300
  • P2 is a dynamic login credential that is locally updated by the communication terminal 300 or the server 200.
  • the present invention may further include an initial value setting step: when the communication terminal 300 registers with the server 200, the server 200 and/or the communication terminal 300 sets the login password set by the communication terminal 300 as the initial value of the dynamic login credential P.
  • the initial values of the first dynamic key sk 1 and the second dynamic key sk 2 are each set to an all-zero string of length l 2 . If the length of the login password is less than l 1 , it is padded with a fixed binary string so that the binary length of the login password reaches l 1 , and the padded login password is used as the initial value of the dynamic login credential P. If the length of the login password is greater than l 1 , the leading binary string of length l 1 of the login password is taken as the initial value of the dynamic login credential P.
  • FIG. 5 is a preferred flowchart of the dynamic login credential update of the present invention, which can be implemented by the dynamic login credential generation system 100 shown in FIG. 2, the method comprising the steps of:
  • step S501, the update period of the dynamic login credential P arrives.
  • step S502, the server 200 determines whether the value of sk 1 or sk 2 has been updated since P was last updated; if so, step S504 is executed, otherwise step S503 is executed.
  • step S503, if not updated, the server 200 notifies the communication terminal 300 not to update the P value.
  • step S504, if updated, the server 200 notifies the communication terminal 300 to update the P value.
  • alternatively, the communication terminal 300 can determine whether sk 1 or sk 2 has been updated since P was last updated, and if so, the communication terminal 300 notifies the server 200 to update the P value. It only requires that both parties stay synchronized, but it is preferable for the server 200 to judge and notify.
  • step S505 the communication terminal 300 confirms to the server 200 that the update of the P value is performed.
  • $P = P \oplus \mathrm{Hash}_2(sk_1 \| sk_2)$, $sk_1 = 0$, $sk_2 = 0$;
  • the P1 is a dynamic login credential that is locally updated by the server 200.
  • step S508 the server 200 transmits a to the communication terminal 300.
  • the P2 is a dynamic login credential that is locally updated by the communication terminal 300.
  • step S510 the communication terminal 300 determines whether a and a' are equal, and if so, executes step S511, otherwise performs step S512.
  • step S511 if a and a' are equal, the communication terminal 300 notifies the server 200 that the P update is successful.
  • the communication terminal 300 then needs to use the updated P to log in to the server 200.
  • the updated P is stored and used automatically, so the user does not need to access it, whereas an offender has to keep stealing the updated dynamic login credential P, which clearly increases the difficulty of illegal login.
  • step S512, if a and a' are not equal, the communication terminal 300 notifies the server 200 that the P update has failed.
  • the confirmation value a can also be calculated by the communication terminal 300 and sent to the server 200; the server 200 then calculates a' and judges whether a and a' are equal.
  • the present invention generates dynamic login credentials through negotiation between the server and the communication terminal. Because the login credential is updated dynamically, even if the dynamic login credential is stolen by an offender at a certain moment, its security can still be guaranteed after the update, thereby protecting the security of the user.
  • the present invention uses a bitwise XOR operation and a hash operation to generate dynamic login credentials. These two operations are not only easy to implement but also computationally inexpensive, which improves computational efficiency.
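The key update, credential update, confirmation and failure handling described above, as an added example that is not code from the patent. SHA-256 as Hash 1, SHAKE-256 as Hash 2, l 1 = 128 bits, l 2 = 256 bits, the padding byte, the `Party` class and the sample packets are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Assumed parameters: the page fixes neither the lengths nor the hash functions.
L1_BYTES = 16        # l1: length of the credential P
L2_BYTES = 32        # l2: length of sk1 and sk2
PAD = b"\x5c"        # assumed "fixed binary string" used for padding
ZERO_KEY = bytes(L2_BYTES)


def hash1(data: bytes) -> bytes:
    """Hash1: arbitrary-length input, l2-length output (SHA-256 assumed)."""
    return hashlib.sha256(data).digest()


def hash2(data: bytes) -> bytes:
    """Hash2: 2*l2-length input, l1-length output (SHAKE-256 assumed)."""
    if len(data) != 2 * L2_BYTES:
        raise ValueError("Hash2 expects sk1 || sk2")
    return hashlib.shake_256(data).digest(L1_BYTES)


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def initial_credential(password: str) -> bytes:
    """Initial P: truncate the password to l1, or pad it up to l1."""
    return password.encode("utf-8")[:L1_BYTES].ljust(L1_BYTES, PAD)


class Party:
    """State held identically by the server and by the communication terminal."""

    def __init__(self, password: str):
        self.P = initial_credential(password)
        self.sk1 = self.sk2 = ZERO_KEY
        # Explicit flag instead of comparing with zero: XOR-ing the same
        # Hash1(m) twice cancels out, yet the key was still updated.
        self.updated = False
        self.candidate = None

    def on_packet(self, m: bytes, sent_by_terminal: bool) -> None:
        """S402-S404: terminal packets update sk1, server packets update sk2."""
        if sent_by_terminal:
            self.sk1 = xor(self.sk1, hash1(m))
        else:
            self.sk2 = xor(self.sk2, hash1(m))
        self.updated = True

    def confirmation_value(self) -> bytes:
        """Compute the candidate P and return its confirmation value Hash1(P)."""
        self.candidate = xor(self.P, hash2(self.sk1 + self.sk2))
        return hash1(self.candidate)

    def finish(self, success: bool) -> None:
        """Commit the candidate on success; keep the old P on failure.
        sk1 and sk2 are reset to zero either way, as the page specifies."""
        if success:
            self.P = self.candidate
        self.sk1 = self.sk2 = ZERO_KEY
        self.updated = False
        self.candidate = None


def run_update_period(server: Party, terminal: Party) -> str:
    """One pass of the FIG. 5 flow with the server as the judging side."""
    if not server.updated:                      # S502 -> S503
        return "no-update"
    a = server.confirmation_value()             # sent to the terminal (S508)
    a_prime = terminal.confirmation_value()
    ok = hmac.compare_digest(a, a_prime)        # S510
    server.finish(ok)                           # S511 / S512
    terminal.finish(ok)
    return "updated" if ok else "failed"


def demo():
    server, terminal = Party("hunter2"), Party("hunter2")
    initial = server.P
    results = [run_update_period(server, terminal)]          # no traffic yet
    for m, from_terminal in [(b"GET /inbox", True), (b"200 OK", False)]:
        server.on_packet(m, from_terminal)
        terminal.on_packet(m, from_terminal)
    results.append(run_update_period(server, terminal))      # in sync
    server.on_packet(b"push: new mail", False)               # terminal misses it
    results.append(run_update_period(server, terminal))      # mismatch
    server.on_packet(b"ping", True)
    terminal.on_packet(b"ping", True)
    results.append(run_update_period(server, terminal))      # recovered
    return results, server, terminal, initial


if __name__ == "__main__":
    print(demo()[0])
```

Because sk 1 and sk 2 start at zero and change only through Hash 1 (m), each new P is a deterministic function of the previous P and the packets exchanged in that period, so the update adds secrecy only if that traffic stays confidential.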

Abstract

The present invention is applicable to the technical field of communications. Provided is a method for generating a dynamic login credential, comprising the steps of: if data interaction occurs between a server and a communication terminal, updating at least one dynamic key according to a pre-determined key updating algorithm; when a dynamic login credential reaches a pre-determined update period, judging whether the dynamic key is updated within the update period this time; and if the dynamic key is updated, according to a pre-determined credential updating algorithm and the updated dynamic key, updating the dynamic login credential. Accordingly, further provided is a system for generating a dynamic login credential. By virtue of this, in the present invention, the dynamic login credential is generated by means of the negotiation between the server and the communication terminal. By means of the continuous update of the dynamic login credential, even though the dynamic login credential is stolen by a violator at a certain moment, the security of the dynamic login credential can still be ensured after update, thereby protecting the security for the use by a user.

Description

Method and system for generating dynamic login credentials
Technical field
The present invention relates to the field of communications technologies, and in particular, to a method and system for generating dynamic login credentials.
Background
The login mode widely used in existing network services is that a user logs in to the server from a communication terminal such as a mobile phone using a login credential such as a password. In addition to passwords, login credentials include answers to specific questions, specific pluggable hardware, one-time passwords that the server sends to the mobile terminal, fingerprint information, and so on. In the existing login mode, once a password or the like is stolen, there is no security to speak of. The problem is more serious when the user uses a mobile terminal, because mobile terminals such as mobile phones and tablets are more easily stolen, and login credentials such as passwords may then be read by an offender from a cache such as a cookie (a small text file). This is a serious security risk.
In summary, the prior art clearly has inconveniences and defects in practical use, so it needs to be improved.
Summary of the invention
In view of the above defects, an object of the present invention is to provide a method and system for generating dynamic login credentials that keeps the dynamic login credential secure by continuously updating it, thereby protecting the security of the user.
To achieve the above object, the present invention provides a method for generating dynamic login credentials, comprising the following steps:
a dynamic key update step: if data interaction occurs between the server and the communication terminal, updating at least one dynamic key according to a predetermined key update algorithm;
a dynamic key determining step: when the dynamic login credential reaches a predetermined update period, determining whether the dynamic key has been updated within the current update period;
a dynamic login credential update step: if the dynamic key has been updated, updating the dynamic login credential according to a predetermined credential update algorithm and the updated dynamic key.
According to the method of the present invention, the dynamic key update step includes:
when a data packet is exchanged between the server and the communication terminal, the server and the communication terminal determine whether the data packet was sent by the communication terminal;
if the data packet was sent by the communication terminal, the server and the communication terminal each update the first dynamic key according to the key update algorithm;
if the data packet was sent by the server, the server and the communication terminal each update the second dynamic key according to the key update algorithm;
the dynamic key determining step includes:
when the dynamic login credential reaches the update period, the server or the communication terminal determines whether the first dynamic key or the second dynamic key has been updated within the current update period;
the dynamic login credential update step includes:
if the first dynamic key or the second dynamic key has been updated, the server and the communication terminal each update the dynamic login credential according to the credential update algorithm and the updated first dynamic key and/or second dynamic key.
According to the method of the present invention, the key update algorithm is:
$sk_1 = sk_1 \oplus \mathrm{Hash}_1(m)$; $sk_2 = sk_2 \oplus \mathrm{Hash}_1(m)$;
the credential update algorithm is:
$P = P \oplus \mathrm{Hash}_2(sk_1 \| sk_2)$, $sk_1 = 0$, $sk_2 = 0$;
where P is the dynamic login credential, sk 1 is the first dynamic key, and sk 2 is the second dynamic key;
l 1 is the binary length of P, and l 2 is the binary length of sk 1 and sk 2 ;
⊕ is the bitwise XOR operation on two binary strings;
|| is the concatenation operation on two binary strings;
Hash 1 is a first hash function whose input is a binary string of arbitrary length and whose output is a binary string of length l 2 ;
Hash 2 is a second hash function whose input is a binary string of length 2l 2 and whose output is a binary string of length l 1 .
According to the method of the present invention, after the step in which the server or the communication terminal determines whether the first dynamic key or the second dynamic key has been updated within the current update period, the method further includes:
if the first dynamic key or the second dynamic key has not been updated, the server or the communication terminal sends a non-update notification of the dynamic login credential to the communication terminal or the server;
if the first dynamic key or the second dynamic key has been updated, the server or the communication terminal sends an update notification of the dynamic login credential to the communication terminal or the server;
after receiving the update notification, the communication terminal or the server returns an update confirmation of the dynamic login credential to the server or the communication terminal.
According to the method of the present invention, the dynamic login credential update step is followed by a credential update confirmation step, which includes:
the server or the communication terminal calculates a first confirmation value from the locally updated dynamic login credential and a predetermined confirmation value algorithm, and sends the first confirmation value to the communication terminal or the server;
the communication terminal or the server calculates a second confirmation value from the locally updated dynamic login credential and the confirmation value algorithm;
the communication terminal or the server determines whether the first confirmation value and the second confirmation value are equal;
if the first confirmation value and the second confirmation value are equal, the communication terminal or the server determines that the dynamic login credential update succeeded, and sends a credential update success notification to the server or the communication terminal;
if the first confirmation value and the second confirmation value are not equal, the communication terminal or the server determines that the dynamic login credential update failed, and sends a credential update failure notification to the server or the communication terminal.
According to the method of the present invention, the confirmation value algorithm is:
$a = \mathrm{Hash}_1(P1)$, $a' = \mathrm{Hash}_1(P2)$;
where a is the first confirmation value, a' is the second confirmation value, P1 is the dynamic login credential locally updated by the server or the communication terminal, and P2 is the dynamic login credential locally updated by the communication terminal or the server.
According to the method of the present invention, after the dynamic login credential is updated successfully, the communication terminal logs in to the server using the updated dynamic login credential.
According to the method of the present invention, after the dynamic login credential update fails, the communication terminal and the server continue to use the original dynamic login credential, and reset the first dynamic key and the second dynamic key to zero.
According to the method of the present invention, the method further includes:
an initial value setting step: when the communication terminal registers with the server, the server and/or the communication terminal sets the login password set by the communication terminal as the initial value of the dynamic login credential, and sets the initial values of the first dynamic key and the second dynamic key to all-zero strings of length l 2 .
According to the method of the present invention, the initial value setting step further includes:
if the length of the login password is less than l 1 , it is padded with a fixed binary string so that the binary length of the login password reaches l 1 , and the padded login password is used as the initial value of the dynamic login credential; if the length of the login password is greater than l 1 , the leading binary string of length l 1 of the login password is taken as the initial value of the dynamic login credential.
The present invention also provides a system for generating a dynamic login credential, including:
a dynamic key update module, configured to update at least one dynamic key according to a predetermined key update algorithm if data interaction occurs between the server and the communication terminal;
a dynamic key judging module, configured to determine, when the dynamic login credential reaches a predetermined update period, whether the dynamic key has been updated within the current update period;
a dynamic login credential update module, configured to update the dynamic login credential according to a predetermined credential update algorithm and the updated dynamic key if the dynamic key has been updated.
According to the system of the present invention, the dynamic key update module includes:
a first data judging submodule, configured to determine, when a data packet is exchanged between the server and the communication terminal, whether the data packet was sent by the communication terminal, the first data judging submodule being provided in the server;
a first key update submodule, configured to update the first dynamic key according to the key update algorithm if the data packet was sent by the communication terminal, the first key update submodule being provided in the server;
a second key update submodule, configured to update the second dynamic key according to the key update algorithm if the data packet was sent by the server, the second key update submodule being provided in the server; and
the dynamic key update module further includes:
a second data judging submodule, configured to determine, when a data packet is exchanged between the server and the communication terminal, whether the data packet was sent by the communication terminal, the second data judging submodule being provided in the communication terminal;
a third key update submodule, configured to update the first dynamic key according to the key update algorithm if the data packet was sent by the communication terminal, the third key update submodule being provided in the communication terminal;
a fourth key update submodule, configured to update the second dynamic key according to the key update algorithm if the data packet was sent by the server, the fourth key update submodule being provided in the communication terminal;
the dynamic key judging module includes:
a first key judging submodule, configured to determine, when the dynamic login credential reaches the update period, whether the first dynamic key or the second dynamic key has been updated within the current update period, the first key judging submodule being provided in the server; or
a second key judging submodule, configured to determine, when the dynamic login credential reaches the update period, whether the first dynamic key or the second dynamic key has been updated within the current update period, the second key judging submodule being provided in the communication terminal;
the dynamic login credential update module includes:
a first credential update submodule, configured to update the dynamic login credential according to the credential update algorithm and the updated first dynamic key and/or second dynamic key if the first dynamic key or the second dynamic key has been updated, the first credential update submodule being provided in the server; and
a second credential update submodule, configured to update the dynamic login credential according to the credential update algorithm and the updated first dynamic key and/or second dynamic key if the first dynamic key or the second dynamic key has been updated, the second credential update submodule being provided in the communication terminal.
According to the system of the present invention, the key update algorithm is:
$$sk_1 = sk_1 \oplus \mathrm{Hash}_1(m); \quad sk_2 = sk_2 \oplus \mathrm{Hash}_1(m);$$
the credential update algorithm is:
$$P = P \oplus \mathrm{Hash}_2(sk_1 \,\|\, sk_2), \quad sk_1 = 0, \quad sk_2 = 0;$$
$P$ is the dynamic login credential; $sk_1$ is the first dynamic key; $sk_2$ is the second dynamic key;
$l_1$ is the binary length of $P$, and $l_2$ is the binary length of $sk_1$ and $sk_2$;
$\oplus$ is the bitwise XOR operation on two binary strings;
$\|$ is the concatenation operation on two binary strings;
$\mathrm{Hash}_1$ is the first hash function, whose input is a binary string of arbitrary length and whose output is a binary string of length $l_2$;
$\mathrm{Hash}_2$ is the second hash function, whose input is a binary string of length $2l_2$ and whose output is a binary string of length $l_1$.
According to the system of the present invention, the dynamic key judging module further includes:
a first update notification submodule, configured to send the communication terminal a no-update notification for the dynamic login credential if neither the first dynamic key nor the second dynamic key has been updated, and to send the communication terminal an update notification for the dynamic login credential if the first dynamic key or the second dynamic key has been updated, the first update notification submodule being provided in the server;
a first update confirmation submodule, configured to return an update confirmation for the dynamic login credential to the server after receiving the update notification from the server, the first update confirmation submodule being provided in the communication terminal; or
the dynamic key judging module further includes:
a second update notification submodule, configured to send the server a no-update notification for the dynamic login credential if neither the first dynamic key nor the second dynamic key has been updated, and to send the server an update notification for the dynamic login credential if the first dynamic key or the second dynamic key has been updated, the second update notification submodule being provided in the communication terminal;
a second update confirmation submodule, configured to return an update confirmation for the dynamic login credential to the communication terminal after receiving the update notification from the communication terminal, the second update confirmation submodule being provided in the server.
According to the system of the present invention, the system further includes a credential update confirmation module, and the credential update confirmation module includes:
a first confirmation value calculation submodule, configured to calculate a first confirmation value from the server's updated dynamic login credential and a predetermined confirmation value algorithm, and to send the first confirmation value to the communication terminal, the first confirmation value calculation submodule being provided in the server;
a second confirmation value calculation submodule, configured to calculate a second confirmation value from the communication terminal's updated dynamic login credential and the confirmation value algorithm, the second confirmation value calculation submodule being provided in the communication terminal;
a first confirmation value judging submodule, configured to determine whether the first confirmation value and the second confirmation value are equal, the first confirmation value judging submodule being provided in the communication terminal;
a first confirmation notification submodule, configured to determine that the dynamic login credential update succeeded and send a credential update success notification to the server if the first confirmation value and the second confirmation value are equal, and to determine that the dynamic login credential update failed and send a credential update failure notification to the server if the first confirmation value and the second confirmation value are not equal, the first confirmation notification submodule being provided in the communication terminal; or
the credential update confirmation module includes:
a third confirmation value calculation submodule, configured to calculate a first confirmation value from the communication terminal's updated dynamic login credential and a predetermined confirmation value algorithm, and to send the first confirmation value to the server, the third confirmation value calculation submodule being provided in the communication terminal;
a fourth confirmation value calculation submodule, configured to calculate a second confirmation value from the server's updated dynamic login credential and the confirmation value algorithm, the fourth confirmation value calculation submodule being provided in the server;
a second confirmation value judging submodule, configured to determine whether the first confirmation value and the second confirmation value are equal, the second confirmation value judging submodule being provided in the server;
a second confirmation notification submodule, configured to determine that the dynamic login credential update succeeded and send a credential update success notification to the communication terminal if the first confirmation value and the second confirmation value are equal, and to determine that the dynamic login credential update failed and send a credential update failure notification to the communication terminal if the first confirmation value and the second confirmation value are not equal, the second confirmation notification submodule being provided in the server.
According to the system of the present invention, the confirmation value algorithm is:
$$a = \mathrm{Hash}_1(P_1), \quad a' = \mathrm{Hash}_1(P_2);$$
$a$ is the first confirmation value, $a'$ is the second confirmation value, $P_1$ is the dynamic login credential as locally updated by the server or the communication terminal, and $P_2$ is the dynamic login credential as locally updated by the communication terminal or the server.
According to the system of the present invention, after the dynamic login credential is updated successfully, the communication terminal logs in to the server using the updated dynamic login credential.
According to the system of the present invention, after an update of the dynamic login credential fails, the communication terminal and the server continue to use the original dynamic login credential and reset the first dynamic key and the second dynamic key to zero.
According to the system of the present invention, the system further includes an initial value setting module, and the initial value setting module includes:
a first initial value setting submodule, configured to set, when the communication terminal registers with the server, the login password set by the communication terminal as the initial value of the dynamic login credential, and to set the initial values of the first dynamic key and the second dynamic key each to an all-zero string of length $l_2$, the first initial value setting submodule being provided in the server; and/or
a second initial value setting submodule, configured to set, when the communication terminal registers with the server, the login password set by the communication terminal as the initial value of the dynamic login credential, and to set the initial values of the first dynamic key and the second dynamic key each to an all-zero string of length $l_2$, the second initial value setting submodule being provided in the communication terminal.
According to the system of the present invention, the first initial value setting submodule and/or the first initial value setting submodule is configured to, if the length of the login password is less than $l_1$, pad it with a fixed binary string so that the binary length of the login password reaches $l_1$ and use the padded login password as the initial value of the dynamic login credential; and, if the length of the login password is greater than $l_1$, take the leading binary string of length $l_1$ of the login password as the initial value of the dynamic login credential.
In the present invention, the server and the communication terminal generate the dynamic login credential by negotiation. Because the dynamic login credential is updated continually, even if it is stolen by an offender at some moment, its security can still be guaranteed after the next update, which protects the user. Preferably, the present invention generates the dynamic login credential using bitwise XOR operations and hash operations; both are easy to implement and require very little computation, which improves computational efficiency.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic structural diagram of the system for generating a dynamic login credential according to the present invention;
FIG. 2 is a schematic structural diagram of a preferred system for generating a dynamic login credential according to the present invention;
FIG. 3 is a flowchart of the method for generating a dynamic login credential according to the present invention;
FIG. 4 is a flowchart of a preferred method for generating a dynamic login credential according to the present invention;
FIG. 5 is a flowchart of a preferred example of a single update of the dynamic login credential according to the present invention.
DETAILED DESCRIPTION
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
FIG. 1 is a schematic structural diagram of the system for generating a dynamic login credential according to the present invention. The dynamic login credential generation system 100 may be provided in a server and/or a communication terminal; the server 200 is preferably a cloud server, and the communication terminal may be a mobile phone, a PDA (Personal Digital Assistant), a tablet computer, or the like. The dynamic login credential generation system 100 includes at least a dynamic key update module 10, a dynamic key judging module 20 and a dynamic login credential update module 30, wherein:
The dynamic key update module 10 is configured to update at least one dynamic key according to a predetermined key update algorithm if data interaction occurs between the server and the communication terminal. The key update algorithm preferably consists of a hash operation and a bitwise XOR operation.
The dynamic key judging module 20 is configured to determine, when the dynamic login credential reaches a predetermined update period, whether the dynamic key has been updated within the current update period. To protect the security of the dynamic login credential, it must be updated periodically (for example, once a month); the update period can be negotiated between the communication terminal 300 and the server 200 at registration.
The dynamic login credential update module 30 is configured to update the dynamic login credential according to a predetermined credential update algorithm and the updated dynamic key if the dynamic key has been updated. The credential update algorithm preferably consists of a hash operation and a bitwise XOR operation. After the dynamic login credential is updated successfully, the communication terminal 300 logs in to the server 200 using the updated login credential.
In the present invention, the server 200 and the communication terminal 300 generate the dynamic login credential by negotiation. Because the dynamic login credential is updated continually, even if it is stolen by an offender at some moment, its security can still be guaranteed after the next update. The present invention preferably uses only bitwise XOR operations and hash operations, both of which are easy to implement and require very little computation.
FIG. 2 is a schematic structural diagram of a preferred system for generating a dynamic login credential according to the present invention. The dynamic login credential generation system 100 may be provided in the server 200 and/or the communication terminal 300; the server 200 is preferably a cloud server, and the communication terminal 300 may be a mobile phone, a PDA, a tablet computer, or the like. The dynamic login credential generation system 100 includes at least a dynamic key update module 10, a dynamic key judging module 20 and a dynamic login credential update module 30.
First, three variables are defined in this embodiment as follows:
$P$: the dynamic login credential; $sk_1$, $sk_2$: the first dynamic key and the second dynamic key used to update $P$;
In addition to the above variables, the following symbols are used:
$l_1$: the binary length of $P$; $l_2$: the binary length of $sk_1$ and $sk_2$;
$\oplus$: the bitwise XOR operation on two binary strings;
$\|$: the concatenation operation on two binary strings;
$\mathrm{Hash}_1$: the first hash function, whose input is a binary string of arbitrary length and whose output is a binary string of length $l_2$;
$\mathrm{Hash}_2$: the second hash function, whose input is a binary string of length $2l_2$ and whose output is a binary string of length $l_1$.
The dynamic key update module 10 is configured to update at least one dynamic key according to a predetermined key update algorithm if data interaction occurs between the server 200 and the communication terminal 300.
Preferably, the dynamic key update module 10 includes:
A first data judging submodule 11, configured to determine, when a data packet $m$ is exchanged between the server 200 and the communication terminal 300, whether the data packet $m$ was sent by the communication terminal 300; the first data judging submodule 11 is provided in the server 200.
A first key update submodule 12, configured to update the first dynamic key $sk_1$ according to the predetermined key update algorithm if the data packet $m$ was sent by the communication terminal 300; the first key update submodule 12 is provided in the server 200.
A second key update submodule 13, configured to update the second dynamic key $sk_2$ according to the key update algorithm if the data packet $m$ was sent by the server 200; the second key update submodule 13 is provided in the server 200.
Preferably, the dynamic key update module further includes:
A second data judging submodule 14, configured to determine, when a data packet $m$ is exchanged between the server 200 and the communication terminal 300, whether the data packet $m$ was sent by the communication terminal 300; the second data judging submodule 14 is provided in the communication terminal 300.
A third key update submodule 15, configured to update the first dynamic key $sk_1$ according to the key update algorithm if the data packet $m$ was sent by the communication terminal 300; the third key update submodule 15 is provided in the communication terminal 300.
A fourth key update submodule 16, configured to update the second dynamic key $sk_2$ according to the key update algorithm if the data packet $m$ was sent by the server 200; the fourth key update submodule 16 is provided in the communication terminal 300.
That is, in the present invention both the server 200 and the communication terminal 300 determine the source of the data packet $m$, and each of them updates the first dynamic key $sk_1$ and/or the second dynamic key $sk_2$. Every data packet $m$ exchanged between the communication terminal 300 and the server 200 over a reliable transport protocol, such as TCP (Transmission Control Protocol), causes the value of $sk_1$ or $sk_2$ to be updated. The update algorithm for $sk_1$ and $sk_2$ is executed by both the communication terminal 300 and the server 200, with the same steps. If no error occurs, the two sides hold identical $sk_1$ and $sk_2$ after the update.
The dynamic key judging module 20 is configured to determine, when the dynamic login credential $P$ reaches a predetermined update period, whether the dynamic key has been updated within the current update period. To protect the security of the dynamic login credential $P$, it must be updated periodically; the update period can be negotiated between the communication terminal 300 and the server 200 at registration.
Preferably, the dynamic key judging module 20 includes:
A first key judging submodule 21, configured to determine, when the dynamic login credential $P$ reaches the update period, whether the first dynamic key $sk_1$ or the second dynamic key $sk_2$ has been updated within the current update period; the first key judging submodule is provided in the server 200; or
A second key judging submodule 22, configured to determine, when the dynamic login credential $P$ reaches the update period, whether the first dynamic key $sk_1$ or the second dynamic key $sk_2$ has been updated within the current update period; the second key judging submodule is provided in the communication terminal 300.
More preferably, the dynamic key judging module 20 further includes:
A first update notification submodule 23, configured to send the communication terminal 300 a no-update notification for the dynamic login credential $P$ if neither the first dynamic key $sk_1$ nor the second dynamic key $sk_2$ has been updated, and to send the communication terminal 300 an update notification for the dynamic login credential $P$ if the first dynamic key $sk_1$ or the second dynamic key $sk_2$ has been updated; the first update notification submodule is provided in the server 200.
A first update confirmation submodule 24, configured to return an update confirmation for the dynamic login credential $P$ to the server 200 after receiving the update notification from the server 200; the first update confirmation submodule is provided in the communication terminal 300.
Alternatively, the dynamic key judging module 20 includes:
A second update notification submodule 25, configured to send the server 200 a no-update notification for the dynamic login credential $P$ if neither the first dynamic key $sk_1$ nor the second dynamic key $sk_2$ has been updated, and to send the server 200 an update notification for the dynamic login credential $P$ if the first dynamic key $sk_1$ or the second dynamic key $sk_2$ has been updated; the second update notification submodule is provided in the communication terminal 300.
A second update confirmation submodule 26, configured to return an update confirmation for the dynamic login credential $P$ to the communication terminal 300 after receiving the update notification from the communication terminal 300; the second update confirmation submodule is provided in the server 200.
The dynamic login credential update module 30 is configured to update the dynamic login credential $P$ according to a predetermined credential update algorithm and the updated dynamic key if the dynamic key has been updated.
Preferably, the dynamic login credential update module 30 includes:
A first credential update submodule 31, configured to update the dynamic login credential $P$ according to the credential update algorithm and the updated first dynamic key $sk_1$ and/or second dynamic key $sk_2$ if the first dynamic key $sk_1$ or the second dynamic key $sk_2$ has been updated; the first credential update submodule is provided in the server 200; and
A second credential update submodule 32, configured to update the dynamic login credential $P$ according to the credential update algorithm and the updated first dynamic key $sk_1$ and/or second dynamic key $sk_2$ if the first dynamic key $sk_1$ or the second dynamic key $sk_2$ has been updated; the second credential update submodule is provided in the communication terminal 300.
That is, in the present invention the server 200 may determine whether $sk_1$ or $sk_2$ has been updated since $P$ was last updated and, if so, notify the communication terminal 300 to update the value of $P$. Alternatively, the communication terminal 300 may determine whether $sk_1$ or $sk_2$ has been updated since $P$ was last updated and, if so, notify the server 200 to update the value of $P$. All that is required is that the two sides stay synchronized, but having the server 200 make the determination and send the notification is easier to implement.
The key update algorithm is preferably:
$$sk_1 = sk_1 \oplus \mathrm{Hash}_1(m); \quad sk_2 = sk_2 \oplus \mathrm{Hash}_1(m);$$
The credential update algorithm is:
$$P = P \oplus \mathrm{Hash}_2(sk_1 \,\|\, sk_2), \quad sk_1 = 0, \quad sk_2 = 0;$$
Here $P = P \oplus \mathrm{Hash}_2(sk_1 \,\|\, sk_2)$ is computed first, and only then are $sk_1$ and $sk_2$ set to 0.
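The update cycle described above (per-packet key update, credential update, the confirmation value a = Hash1(P), and the reset on failure) is simulated in the following added example, which is not code from the patent. SHAKE-256 as Hash1 and Hash2, l1 = 256 bits, l2 = 128 bits, zero-byte padding, and the names `Party`, `run_update` and `demo` are assumptions made for the illustration.

```python
import hashlib
import hmac

L1_BYTES = 32  # assumed l1 = 256 bits (length of P)
L2_BYTES = 16  # assumed l2 = 128 bits (length of sk1 and sk2)
ZERO_KEY = bytes(L2_BYTES)


def hash1(data: bytes) -> bytes:
    """Hash1: arbitrary-length input, l2-bit output (SHAKE-256 is an assumption)."""
    return hashlib.shake_256(b"Hash1|" + data).digest(L2_BYTES)


def hash2(data: bytes) -> bytes:
    """Hash2: input of exactly 2*l2 bits, l1-bit output."""
    if len(data) != 2 * L2_BYTES:
        raise ValueError("Hash2 expects sk1 || sk2")
    return hashlib.shake_256(b"Hash2|" + data).digest(L1_BYTES)


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def initial_credential(password: bytes) -> bytes:
    """Truncate to l1, or pad to l1 with a fixed string (zero bytes assumed)."""
    return password[:L1_BYTES].ljust(L1_BYTES, b"\x00")


class Party:
    """State kept identically by the server and by the communication terminal."""

    def __init__(self, password: bytes):
        self.P = initial_credential(password)
        self.sk1 = ZERO_KEY  # driven by packets the terminal sends
        self.sk2 = ZERO_KEY  # driven by packets the server sends
        self.updated = False
        self.candidate = None

    def on_packet(self, m: bytes, from_terminal: bool) -> None:
        """Key update: sk1 or sk2 is XORed with Hash1(m), chosen by the sender."""
        if from_terminal:
            self.sk1 = xor(self.sk1, hash1(m))
        else:
            self.sk2 = xor(self.sk2, hash1(m))
        # Track the update with a flag: two identical packets cancel under XOR,
        # so comparing the key against zero would miss that it was updated.
        self.updated = True

    def propose(self) -> bytes:
        """Compute the candidate P and return its confirmation value Hash1(P)."""
        self.candidate = xor(self.P, hash2(self.sk1 + self.sk2))
        return hash1(self.candidate)

    def finish(self, success: bool) -> None:
        """Commit the candidate on success, keep the old P on failure; zero the keys."""
        if success:
            self.P = self.candidate
        self.candidate = None
        self.sk1 = self.sk2 = ZERO_KEY
        self.updated = False


def run_update(server: Party, terminal: Party) -> str:
    """One update period, with the server judging and the terminal comparing."""
    if not server.updated:
        return "no-update"
    a = server.propose()          # first confirmation value, sent to the terminal
    a_prime = terminal.propose()  # second confirmation value, computed locally
    ok = hmac.compare_digest(a, a_prime)
    server.finish(ok)
    terminal.finish(ok)
    return "success" if ok else "failure"


def demo() -> list:
    """Constructed traffic: a synchronized period, a desynchronized one, an idle one."""
    server, terminal = Party(b"constructed-password"), Party(b"constructed-password")
    results = []
    for m, from_terminal in [(b"login", True), (b"welcome", False)]:
        server.on_packet(m, from_terminal)
        terminal.on_packet(m, from_terminal)
    results.append(run_update(server, terminal))
    server.on_packet(b"notice", False)  # the terminal never processes this packet
    results.append(run_update(server, terminal))
    results.append(run_update(server, terminal))
    return results


if __name__ == "__main__":
    print(demo())
```

Because sk1 and sk2 start at zero and depend only on the exchanged packets, the updated P is a function of the old P and that period's traffic; the example assumes the packets travel over a channel that keeps them confidential.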
Preferably, the dynamic login credential generation system 100 includes a credential update confirmation module 40. In one embodiment of the present invention, the credential update confirmation module 40 includes:
A first confirmation value calculation sub-module 41, configured to calculate a first confirmation value according to the updated dynamic login credential P of the server 200 and a predetermined confirmation value algorithm, and to send the first confirmation value to the communication terminal 300. The first confirmation value calculation sub-module 41 is provided in the server 200.
A second confirmation value calculation sub-module 42, configured to calculate a second confirmation value according to the updated dynamic login credential P of the communication terminal 300 and the confirmation value algorithm. The second confirmation value calculation sub-module 42 is provided in the communication terminal 300.
A first confirmation value judging sub-module 43, configured to determine whether the first confirmation value and the second confirmation value are equal. The first confirmation value judging sub-module 43 is provided in the communication terminal 300.
By comparing the first confirmation value with the second confirmation value, it can be established whether the dynamic login credentials P calculated by the two parties are equal; only if they are equal can P be used as the new login credential. If the first confirmation value and the second confirmation value are not equal, the dynamic login credentials P of the server 200 and the communication terminal 300 are not equal, which is caused by the sk1 and sk2 held by the two parties being inconsistent before the dynamic login credential P was updated.
A first confirmation notification sub-module 44, configured to determine that the update of the dynamic login credential P succeeded and send a credential update success notification to the server 200 if the first confirmation value and the second confirmation value are equal, and to determine that the update of the dynamic login credential P failed and send a credential update failure notification to the server 200 if the first confirmation value and the second confirmation value are not equal. The first confirmation notification sub-module 44 is provided in the communication terminal 300.
Alternatively, in another embodiment of the present invention, the credential update confirmation module 40 includes:
A third confirmation value calculation sub-module 45, configured to calculate a first confirmation value according to the updated dynamic login credential P of the communication terminal 300 and a predetermined confirmation value algorithm, and to send the first confirmation value to the server 200. The third confirmation value calculation sub-module 45 is provided in the communication terminal 300.
A fourth confirmation value calculation sub-module 46, configured to calculate a second confirmation value according to the updated dynamic login credential P of the server 200 and the confirmation value algorithm. The fourth confirmation value calculation sub-module 46 is provided in the server 200.
A second confirmation value judging sub-module 47, configured to determine whether the first confirmation value and the second confirmation value are equal. The second confirmation value judging sub-module 47 is provided in the server 200.
A second confirmation notification sub-module 48, configured to determine that the update of the dynamic login credential P succeeded and send a credential update success notification to the communication terminal 300 if the first confirmation value and the second confirmation value are equal, and to determine that the update of the dynamic login credential P failed and send a credential update failure notification to the communication terminal 300 if the first confirmation value and the second confirmation value are not equal. The second confirmation notification sub-module 48 is provided in the server 200.
That is, in the present invention the server 200 and the communication terminal 300 respectively calculate the first confirmation value and the second confirmation value, and either the server 200 or the communication terminal 300 determines whether the first confirmation value and the second confirmation value are equal. The two parties only need to stay synchronized.
The confirmation value algorithm is preferably:
a = Hash1(P1), a' = Hash1(P2);
where a is the first confirmation value, a' is the second confirmation value, P1 is the locally updated dynamic login credential of the server 200 or the communication terminal 300, and P2 is the locally updated dynamic login credential of the communication terminal 300 or the server 200.
After the dynamic login credential P has been updated successfully, the communication terminal 300 logs in to the server 200 using the updated dynamic login credential P. After an update of the dynamic login credential P has failed, the communication terminal 300 and the server 200 continue to use the original dynamic login credential P and reset the first dynamic key sk1 and the second dynamic key sk2 to zero.
The dynamic login credential generation system 100 further includes an initial value setting module 50, which includes a first initial value setting sub-module 51 and/or a second initial value setting sub-module 52:
The first initial value setting sub-module 51 is provided in the server 200 and is configured to set the login password chosen by the communication terminal 300 as the initial value of the dynamic login credential P when the communication terminal 300 registers with the server 200. If the length of the login password is less than l1, the password is padded with a fixed binary string so that its binary length reaches l1, and the padded login password is used as the initial value of the dynamic login credential P; if the length of the login password is greater than l1, the leading binary string of length l1 of the login password is taken as the initial value of the dynamic login credential P. The first initial value setting sub-module 51 is further configured to set the initial values of the first dynamic key sk1 and the second dynamic key sk2 each to a string of zeros of length l2, i.e. 000…0 (length l2).
The second initial value setting sub-module 52 is provided in the communication terminal 300 and is configured to set the login password chosen by the communication terminal 300 as the initial value of the dynamic login credential P when the communication terminal 300 registers with the server 200. If the length of the login password is less than l1, the password is padded with a fixed binary string so that its binary length reaches l1, and the padded login password is used as the initial value of the dynamic login credential P; if the length of the login password is greater than l1, the leading binary string of length l1 of the login password is taken as the initial value of the dynamic login credential P. The second initial value setting sub-module 52 is further configured to set the initial values of the first dynamic key sk1 and the second dynamic key sk2 each to a string of zeros of length l2.
That is, the server 200 may set the initial value of the dynamic login credential P and then send that initial value to the communication terminal 300; or the communication terminal 300 may set the initial value of the dynamic login credential P and then send that initial value to the server 200; or the server 200 and the communication terminal 300 may each set the initial value of the dynamic login credential P separately.
FIG. 3 is a flowchart of the method for generating a dynamic login credential according to the present invention, which may be implemented by the dynamic login credential generation system 100 shown in FIG. 1 or FIG. 2. The method includes the following steps:
Step S301, dynamic key update step: if data interaction occurs between the server 200 and the communication terminal 300, at least one dynamic key is updated according to a predetermined key update algorithm.
The key update algorithm preferably consists of a hash operation and a bitwise exclusive-OR operation.
Step S302, dynamic key determination step: when the dynamic login credential P reaches a predetermined update period, it is determined whether the dynamic key has been updated within the current update period.
To protect the security of the dynamic login credential P, the dynamic login credential P must be updated periodically (for example, once a month). The update period may be negotiated between the communication terminal 300 and the server 200 at registration.
Step S303, dynamic login credential update step: if the dynamic key has been updated, the dynamic login credential P is updated according to a predetermined credential update algorithm and the updated dynamic key.
The credential update algorithm preferably consists of a hash operation and a bitwise exclusive-OR operation. After the dynamic login credential P has been updated successfully, the communication terminal 300 logs in to the server 200 using the updated login credential.
By dynamically updating the login credential of the terminal, the present invention protects the login credential and thereby protects the security of the user.
FIG. 4 is a flowchart of a preferred method for generating a dynamic login credential according to the present invention, which may be implemented by the dynamic login credential generation system 100 shown in FIG. 2. The method includes the following steps:
Step S401: a data packet m is exchanged between the server 200 and the communication terminal 300.
Step S402: the server 200 and the communication terminal 300 determine whether the data packet m was sent by the communication terminal 300; if so, step S403 is executed, otherwise step S404 is executed.
Step S403: if the data packet m was sent by the communication terminal 300, the server 200 and the communication terminal 300 each update the first dynamic key sk1 according to the key update algorithm.
Step S404: if the data packet m was sent by the server 200, the server 200 and the communication terminal 300 each update the second dynamic key sk2 according to the key update algorithm.
That is, in the present invention both the server 200 and the communication terminal 300 determine the source of the data packet m, and the server 200 and the communication terminal 300 each update the first dynamic key sk1 and/or the second dynamic key sk2. The communication terminal 300 and the server 200 communicate over a reliable transport protocol, and every data packet m exchanged between them causes the value of sk1 or sk2 to be updated. The update algorithm for sk1 and sk2 is executed by both the communication terminal 300 and the server 200, with identical steps. If no error occurs, the updated sk1 and sk2 are the same on both sides.
Step S405: the dynamic login credential P reaches its update period.
To protect the security of the dynamic login credential P, the dynamic login credential P must be updated periodically. The update period may be negotiated between the communication terminal 300 and the server 200 at registration.
Step S406: the server 200 or the communication terminal 300 determines whether the first dynamic key sk1 or the second dynamic key sk2 has been updated within the current update period; if so, step S407 is executed, otherwise the flow ends.
Preferably, the following is also performed after step S406:
If neither the first dynamic key sk1 nor the second dynamic key sk2 has been updated, the server 200 or the communication terminal 300 sends a notification that the dynamic login credential P will not be updated to the communication terminal 300 or the server 200.
If the first dynamic key sk1 or the second dynamic key sk2 has been updated, the server 200 or the communication terminal 300 sends an update notification for the dynamic login credential P to the communication terminal 300 or the server 200.
After receiving the update notification, the communication terminal 300 or the server 200 returns an update confirmation for the dynamic login credential P to the server 200 or the communication terminal 300.
Step S407: the server 200 and the communication terminal 300 each update the dynamic login credential P according to the credential update algorithm and the updated first dynamic key sk1 and/or second dynamic key sk2.
The key update algorithm is preferably:
sk1 = sk1 ⊕ Hash1(m); sk2 = sk2 ⊕ Hash1(m);
The credential update algorithm is preferably:
P = P ⊕ Hash2(sk1 || sk2), sk1 = 0, sk2 = 0.
Here, P = P ⊕ Hash2(sk1 || sk2) is computed first, and then sk1 and sk2 are set to 0.
P is the dynamic login credential; sk1 is the first dynamic key; sk2 is the second dynamic key;
l1 is the binary length of P, and l2 is the binary length of sk1 and of sk2;
⊕ is the bitwise exclusive-OR operation on two binary strings;
|| is the concatenation operation on two binary strings;
Hash1 is a first hash function whose input is a binary string of arbitrary length and whose output is a binary string of length l2;
Hash2 is a second hash function whose input is a binary string of length 2·l2 and whose output is a binary string of length l1.
Preferably, a credential update confirmation step is also performed after step S406. The credential update confirmation step includes:
The server 200 or the communication terminal 300 calculates a first confirmation value according to its locally updated dynamic login credential P and a predetermined confirmation value algorithm, and sends the first confirmation value to the communication terminal 300 or the server 200.
The communication terminal 300 or the server 200 calculates a second confirmation value according to its locally updated dynamic login credential P and the confirmation value algorithm.
The communication terminal 300 or the server 200 determines whether the first confirmation value and the second confirmation value are equal.
If the first confirmation value and the second confirmation value are equal, the communication terminal 300 or the server 200 determines that the update of the dynamic login credential P succeeded and sends a credential update success notification to the server 200 or the communication terminal 300. The communication terminal 300 then uses the updated dynamic login credential P to log in to the server 200.
If the first confirmation value and the second confirmation value are not equal, the communication terminal 300 or the server 200 determines that the update of the dynamic login credential P failed and sends a credential update failure notification to the server 200 or the communication terminal 300. After the update of the dynamic login credential P has failed, the communication terminal 300 and the server 200 continue to use the original dynamic login credential P and reset the first dynamic key sk1 and the second dynamic key sk2 to zero.
The confirmation value algorithm is preferably:
a = Hash1(P1), a' = Hash1(P2).
a is the first confirmation value, a' is the second confirmation value, P1 is the locally updated dynamic login credential of the server 200 or the communication terminal 300, and P2 is the locally updated dynamic login credential of the communication terminal 300 or the server 200.
The present invention may further include an initial value setting step: when the communication terminal 300 registers with the server 200, the server 200 and/or the communication terminal 300 sets the login password chosen by the communication terminal 300 as the initial value of the dynamic login credential P, and sets the initial values of the first dynamic key sk1 and the second dynamic key sk2 each to a string of zeros of length l2. If the length of the login password is less than l1, the password is padded with a fixed binary string so that its binary length reaches l1, and the padded login password is used as the initial value of the dynamic login credential P. If the length of the login password is greater than l1, the leading binary string of length l1 of the login password is taken as the initial value of the dynamic login credential P.
FIG. 5 is a preferred flowchart of one update of the dynamic login credential according to the present invention, which may be implemented by the dynamic login credential generation system 100 shown in FIG. 2. The method includes the following steps:
Step S501: the update period of the dynamic login credential P has arrived.
Step S502: the server 200 determines whether the value of sk1 or sk2 has been updated since the last update of P; if so, step S504 is executed, otherwise step S503 is executed.
Step S503: if neither has been updated, the server 200 notifies the communication terminal 300 not to update the value of P.
Step S504: if one has been updated, the server 200 notifies the communication terminal 300 to update the value of P.
Of course, the communication terminal 300 may instead determine whether sk1 or sk2 has been updated since the last update of P and, if so, notify the server 200 to update the value of P. The two parties only need to stay synchronized, but having the server 200 make the determination and send the notification is easier to implement.
Step S505: the communication terminal 300 confirms to the server 200 that the value of P will be updated.
Step S506: the server 200 and the communication terminal 300 each calculate the updated value: P = P ⊕ Hash2(sk1 || sk2), sk1 = 0, sk2 = 0.
Here, P = P ⊕ Hash2(sk1 || sk2) is computed first, and then sk1 and sk2 are set to 0; that is, sk1 and sk2 are not equal to 0 when P is calculated.
Step S507: the server 200 calculates the first confirmation value a = Hash1(P1).
P1 is the locally updated dynamic login credential of the server 200.
Step S508: the server 200 sends a to the communication terminal 300.
Step S509: the communication terminal 300 calculates the second confirmation value a' = Hash1(P2).
P2 is the locally updated dynamic login credential of the communication terminal 300.
Step S510: the communication terminal 300 determines whether a and a' are equal; if so, step S511 is executed, otherwise step S512 is executed.
The value of a makes it possible to be sure that the P values calculated by the two parties are equal, so that P can be used as the new login credential. If a and a' are not equal, the P values of the two parties are not equal, which is caused by the sk1 and sk2 held by the two parties being inconsistent before P was updated.
Step S511: if a and a' are equal, the communication terminal 300 notifies the server 200 that the update of P succeeded. The communication terminal 300 must supply the updated P to log in to the server 200. The updated P is stored and used automatically, with no involvement needed from the user, whereas an offender would have to keep stealing the updated dynamic login credential P, which clearly makes unauthorized login much more difficult.
Step S512: if a and a' are not equal, the communication terminal 300 notifies the server 200 that the update of P failed.
Of course, the communication terminal 300 may instead calculate the confirmation value a and send a to the server 200, with the server 200 calculating a' and determining whether a and a' are equal.
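The FIG. 5 exchange (steps S501 to S512), together with the initial-value rule, as an added Python example that is not part of the patent text. The lengths l1 = 256 bits and l2 = 128 bits, prefixed SHA-256 standing in for Hash1 and Hash2, zero-byte padding, and the names `Party`, `run_update` and `demo` are assumptions.

```python
import hashlib
import hmac

L1 = 32  # assumed length of P in bytes (l1 = 256 bits)
L2 = 16  # assumed length of sk1 and sk2 in bytes (l2 = 128 bits)


def hash1(data: bytes) -> bytes:
    """Hash1: arbitrary-length input, l2-bit output (assumed: truncated SHA-256)."""
    return hashlib.sha256(b"Hash1|" + data).digest()[:L2]


def hash2(data: bytes) -> bytes:
    """Hash2: input of length 2*l2, l1-bit output (assumed: SHA-256)."""
    if len(data) != 2 * L2:
        raise ValueError("Hash2 input must be sk1 || sk2")
    return hashlib.sha256(b"Hash2|" + data).digest()[:L1]


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def initial_credential(password: bytes) -> bytes:
    """Truncate the password to l1, or pad it with a fixed string (assumed: zero bytes)."""
    return password[:L1].ljust(L1, b"\x00")


class Party:
    """State held by the server or by the communication terminal."""

    def __init__(self, password: bytes):
        self.P = initial_credential(password)
        self.sk1 = bytes(L2)   # absorbs packets sent by the terminal
        self.sk2 = bytes(L2)   # absorbs packets sent by the server
        self.updated = False   # sk1 or sk2 touched since the last update of P

    def on_packet(self, m: bytes, sent_by_terminal: bool) -> None:
        # S402-S404: both sides apply the same update, chosen by the sender.
        if sent_by_terminal:
            self.sk1 = xor(self.sk1, hash1(m))
        else:
            self.sk2 = xor(self.sk2, hash1(m))
        self.updated = True

    def candidate(self) -> bytes:
        # S506: P xor Hash2(sk1 || sk2), computed before the keys are zeroed.
        return xor(self.P, hash2(self.sk1 + self.sk2))

    def settle(self, new_p: bytes, success: bool) -> None:
        # On success adopt the new P; on failure keep the old one.
        # Either way sk1 and sk2 return to zero.
        if success:
            self.P = new_p
        self.sk1, self.sk2, self.updated = bytes(L2), bytes(L2), False


def run_update(server: Party, terminal: Party) -> str:
    """One pass through S501-S512, with the server deciding and sending a."""
    if not server.updated:                       # S502/S503
        return "not-updated"
    p1, p2 = server.candidate(), terminal.candidate()
    a = hash1(p1)                                # S507, sent in S508
    a_prime = hash1(p2)                          # S509
    success = hmac.compare_digest(a, a_prime)    # S510, constant-time compare
    server.settle(p1, success)                   # S511/S512
    terminal.settle(p2, success)
    return "success" if success else "failure"


def demo():
    # Constructed sample password and packets.
    server, terminal = Party(b"correct horse"), Party(b"correct horse")
    p_initial = server.P
    outcomes = [run_update(server, terminal)]          # no traffic yet
    for m, by_terminal in [(b"GET /inbox", True), (b"200 OK", False)]:
        server.on_packet(m, by_terminal)
        terminal.on_packet(m, by_terminal)
    outcomes.append(run_update(server, terminal))      # both sides in sync
    p_rotated = server.P
    server.on_packet(b"push notification", False)      # terminal never sees it
    outcomes.append(run_update(server, terminal))      # sk2 differs
    return outcomes, p_initial, p_rotated, server, terminal


if __name__ == "__main__":
    print(demo()[0])
```

In this model sk1 and sk2 start at zero and absorb only Hash1 of packet contents, so a rotated P stays secret from someone holding the previous P only as long as that party has not also seen every packet m of the period.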
In summary, the present invention generates a dynamic login credential through negotiation between the server and the communication terminal. Because the dynamic login credential is continually updated, even if it is stolen by an offender at some moment, the security of the dynamic login credential is still assured after the next update, which protects the security of the user. Preferably, the present invention uses bitwise exclusive-OR operations and hash operations to generate the dynamic login credential; these two operations are not only easy to implement but also computationally inexpensive, which improves computational efficiency.
Of course, the present invention may have various other embodiments. Without departing from the spirit and essence of the present invention, those skilled in the art may make various corresponding changes and modifications according to the present invention, but all such changes and modifications shall fall within the scope of protection of the claims appended to the present invention.

Claims (20)

  1. A method for generating a dynamic login credential, characterized by comprising the steps of:
    a dynamic key update step: if data interaction occurs between a server and a communication terminal, updating at least one dynamic key according to a predetermined key update algorithm;
    a dynamic key determination step: when the dynamic login credential reaches a predetermined update period, determining whether the dynamic key has been updated within the current update period;
    a dynamic login credential update step: if the dynamic key has been updated, updating the dynamic login credential according to a predetermined credential update algorithm and the updated dynamic key.
  2. The method according to claim 1, characterized in that the dynamic key update step comprises:
    when a data packet is exchanged between the server and the communication terminal, the server and the communication terminal determining whether the data packet was sent by the communication terminal;
    if the data packet was sent by the communication terminal, the server and the communication terminal each updating a first dynamic key according to the key update algorithm;
    if the data packet was sent by the server, the server and the communication terminal each updating a second dynamic key according to the key update algorithm;
    the dynamic key determination step comprises:
    when the dynamic login credential reaches the update period, the server or the communication terminal determining whether the first dynamic key or the second dynamic key has been updated within the current update period;
    the dynamic login credential update step comprises:
    if the first dynamic key or the second dynamic key has been updated, the server and the communication terminal each updating the dynamic login credential according to the credential update algorithm and the updated first dynamic key and/or second dynamic key.
  3. The method according to claim 2, characterized in that the key update algorithm is:
    sk1 = sk1 ⊕ Hash1(m); sk2 = sk2 ⊕ Hash1(m);
    the credential update algorithm is:
    P = P ⊕ Hash2(sk1 || sk2), sk1 = 0, sk2 = 0;
    P is the dynamic login credential; sk1 is the first dynamic key; sk2 is the second dynamic key; m is the data packet;
    l1 is the binary length of P, and l2 is the binary length of sk1 and of sk2;
    ⊕ is the bitwise exclusive-OR operation on two binary strings;
    || is the concatenation operation on two binary strings;
    Hash1 is a first hash function whose input is a binary string of arbitrary length and whose output is a binary string of length l2;
    Hash2 is a second hash function whose input is a binary string of length 2·l2 and whose output is a binary string of length l1.
  4. The method according to claim 2, characterized in that, after the step in which the server or the communication terminal determines whether the first dynamic key or the second dynamic key has been updated within the current update period, the method further comprises:
    if neither the first dynamic key nor the second dynamic key has been updated, the server or the communication terminal sending a notification that the dynamic login credential will not be updated to the communication terminal or the server;
    if the first dynamic key or the second dynamic key has been updated, the server or the communication terminal sending an update notification for the dynamic login credential to the communication terminal or the server;
    after receiving the update notification, the communication terminal or the server returning an update confirmation for the dynamic login credential to the server or the communication terminal.
  5. The method according to claim 3, characterized in that a credential update confirmation step follows the dynamic login credential update step, the credential update confirmation step comprising:
    the server or the communication terminal calculating a first confirmation value according to the locally updated dynamic login credential and a predetermined confirmation value algorithm, and sending the first confirmation value to the communication terminal or the server;
    the communication terminal or the server calculating a second confirmation value according to the locally updated dynamic login credential and the confirmation value algorithm;
    the communication terminal or the server determining whether the first confirmation value and the second confirmation value are equal;
    if the first confirmation value and the second confirmation value are equal, the communication terminal or the server determining that the update of the dynamic login credential succeeded and sending a credential update success notification to the server or the communication terminal;
    if the first confirmation value and the second confirmation value are not equal, the communication terminal or the server determining that the update of the dynamic login credential failed and sending a credential update failure notification to the server or the communication terminal.
  6. The method according to claim 5, wherein the confirmation value algorithm is:
    a = Hash1(P1), a' = Hash1(P2);
    where a is the first confirmation value, a' is the second confirmation value, P1 is the dynamic login credential as locally updated by the server or the communication terminal, and P2 is the dynamic login credential as locally updated by the communication terminal or the server.
  7. The method according to claim 5, wherein after the dynamic login credential has been updated successfully, the communication terminal logs in to the server using the updated dynamic login credential.
  8. The method according to claim 5, wherein after the dynamic login credential update has failed, the communication terminal and the server continue to use the original dynamic login credential and reset the first dynamic key and the second dynamic key to zero.
  9. The method according to claim 3, wherein the method further comprises:
    an initial value setting step: when the communication terminal registers with the server, the server and/or the communication terminal sets the login password chosen by the communication terminal as the initial value of the dynamic login credential, and sets the initial values of the first dynamic key and the second dynamic key each to an all-zero string of length l2.
  10. The method according to claim 9, wherein the initial value setting step further comprises:
    if the length of the login password is less than l1, padding it with a fixed binary string so that the binary length of the login password reaches l1, and using the padded login password as the initial value of the dynamic login credential; if the length of the login password is greater than l1, taking the leading binary string of length l1 of the login password as the initial value of the dynamic login credential.
  11. A system for generating a dynamic login credential, comprising:
    a dynamic key update module, configured to update at least one dynamic key according to a predetermined key update algorithm if data interaction occurs between a server and a communication terminal;
    a dynamic key judging module, configured to determine, when the dynamic login credential reaches a predetermined update period, whether the dynamic key has been updated within the current update period;
    a dynamic login credential update module, configured to update the dynamic login credential according to a predetermined credential update algorithm and the updated dynamic key if the dynamic key has been updated.
  12. The system according to claim 11, wherein the dynamic key update module comprises:
    a first data judging submodule, configured to determine, when a data packet is exchanged between the server and the communication terminal, whether the data packet was sent by the communication terminal, the first data judging submodule being located in the server;
    a first key update submodule, configured to update a first dynamic key according to the key update algorithm if the data packet was sent by the communication terminal, the first key update submodule being located in the server;
    a second key update submodule, configured to update a second dynamic key according to the key update algorithm if the data packet was sent by the server, the second key update submodule being located in the server; and
    the dynamic key update module further comprises:
    a second data judging submodule, configured to determine, when a data packet is exchanged between the server and the communication terminal, whether the data packet was sent by the communication terminal, the second data judging submodule being located in the communication terminal;
    a third key update submodule, configured to update the first dynamic key according to the key update algorithm if the data packet was sent by the communication terminal, the third key update submodule being located in the communication terminal;
    a fourth key update submodule, configured to update the second dynamic key according to the key update algorithm if the data packet was sent by the server, the fourth key update submodule being located in the communication terminal;
    the dynamic key judging module comprises:
    a first key judging submodule, configured to determine, when the dynamic login credential reaches the update period, whether the first dynamic key or the second dynamic key has been updated within the current update period, the first key judging submodule being located in the server; or
    a second key judging submodule, configured to determine, when the dynamic login credential reaches the update period, whether the first dynamic key or the second dynamic key has been updated within the current update period, the second key judging submodule being located in the communication terminal;
    the dynamic login credential update module comprises:
    a first credential update submodule, configured to update the dynamic login credential according to the credential update algorithm and the updated first dynamic key and/or second dynamic key if the first dynamic key or the second dynamic key has been updated, the first credential update submodule being located in the server; and
    a second credential update submodule, configured to update the dynamic login credential according to the credential update algorithm and the updated first dynamic key and/or second dynamic key if the first dynamic key or the second dynamic key has been updated, the second credential update submodule being located in the communication terminal.
  13. The system according to claim 12, wherein the key update algorithm is:
    sk1 = sk1 ⊕ Hash1(m); sk2 = sk2 ⊕ Hash1(m);
    the credential update algorithm is:
    P = P ⊕ Hash2(sk1 || sk2), sk1 = 0, sk2 = 0;
    where P is the dynamic login credential, sk1 is the first dynamic key, sk2 is the second dynamic key, and m is a data packet;
    l1 is the binary length of P, and l2 is the binary length of sk1 and sk2;
    ⊕ is the bitwise XOR of two binary strings;
    || is the concatenation of two binary strings;
    Hash1 is a first hash function whose input is a binary string of arbitrary length and whose output is a binary string of length l2;
    Hash2 is a second hash function whose input is a binary string of length 2·l2 and whose output is a binary string of length l1.
  14. The system according to claim 12, wherein the dynamic key judging module further comprises:
    a first update notification submodule, configured to send a non-update notification for the dynamic login credential to the communication terminal if neither the first dynamic key nor the second dynamic key has been updated, and to send an update notification for the dynamic login credential to the communication terminal if the first dynamic key or the second dynamic key has been updated, the first update notification submodule being located in the server;
    a first update confirmation submodule, configured to return an update confirmation for the dynamic login credential to the server after receiving the update notification from the server, the first update confirmation submodule being located in the communication terminal; or
    the dynamic key judging module further comprises:
    a second update notification submodule, configured to send a non-update notification for the dynamic login credential to the server if neither the first dynamic key nor the second dynamic key has been updated, and to send an update notification for the dynamic login credential to the server if the first dynamic key or the second dynamic key has been updated, the second update notification submodule being located in the communication terminal;
    a second update confirmation submodule, configured to return an update confirmation for the dynamic login credential to the communication terminal after receiving the update notification from the communication terminal, the second update confirmation submodule being located in the server.
  15. The system according to claim 13, wherein the system further comprises a credential update confirmation module, the credential update confirmation module comprising:
    a first confirmation value calculation submodule, configured to calculate a first confirmation value from the dynamic login credential as updated by the server and a predetermined confirmation value algorithm, and to send the first confirmation value to the communication terminal, the first confirmation value calculation submodule being located in the server;
    a second confirmation value calculation submodule, configured to calculate a second confirmation value from the dynamic login credential as updated by the communication terminal and the confirmation value algorithm, the second confirmation value calculation submodule being located in the communication terminal;
    a first confirmation value judging submodule, configured to determine whether the first confirmation value and the second confirmation value are equal, the first confirmation value judging submodule being located in the communication terminal;
    a first confirmation notification submodule, configured to determine that the dynamic login credential was updated successfully and send a credential update success notification to the server if the first confirmation value and the second confirmation value are equal, and to determine that the dynamic login credential update failed and send a credential update failure notification to the server if the first confirmation value and the second confirmation value are not equal, the first confirmation notification submodule being located in the communication terminal; or
    the credential update confirmation module comprises:
    a third confirmation value calculation submodule, configured to calculate a first confirmation value from the dynamic login credential as updated by the communication terminal and a predetermined confirmation value algorithm, and to send the first confirmation value to the server, the third confirmation value calculation submodule being located in the communication terminal;
    a fourth confirmation value calculation submodule, configured to calculate a second confirmation value from the dynamic login credential as updated by the server and the confirmation value algorithm, the fourth confirmation value calculation submodule being located in the server;
    a second confirmation value judging submodule, configured to determine whether the first confirmation value and the second confirmation value are equal, the second confirmation value judging submodule being located in the server;
    a second confirmation notification submodule, configured to determine that the dynamic login credential was updated successfully and send a credential update success notification to the communication terminal if the first confirmation value and the second confirmation value are equal, and to determine that the dynamic login credential update failed and send a credential update failure notification to the communication terminal if the first confirmation value and the second confirmation value are not equal, the second confirmation notification submodule being located in the server.
  16. The system according to claim 15, wherein the confirmation value algorithm is:
    a = Hash1(P1), a' = Hash1(P2);
    where a is the first confirmation value, a' is the second confirmation value, P1 is the dynamic login credential as locally updated by the server or the communication terminal, and P2 is the dynamic login credential as locally updated by the communication terminal or the server.
  17. The system according to claim 15, wherein after the dynamic login credential has been updated successfully, the communication terminal logs in to the server using the updated dynamic login credential.
  18. The system according to claim 15, wherein after the dynamic login credential update has failed, the communication terminal and the server continue to use the original dynamic login credential and reset the first dynamic key and the second dynamic key to zero.
  19. The system according to claim 13, wherein the system further comprises an initial value setting module, the initial value setting module comprising:
    a first initial value setting submodule, configured to, when the communication terminal registers with the server, set the login password chosen by the communication terminal as the initial value of the dynamic login credential, and set the initial values of the first dynamic key and the second dynamic key each to an all-zero string of length l2, the first initial value setting submodule being located in the server; and/or
    a second initial value setting submodule, configured to, when the communication terminal registers with the server, set the login password chosen by the communication terminal as the initial value of the dynamic login credential, and set the initial values of the first dynamic key and the second dynamic key each to an all-zero string of length l2, the second initial value setting submodule being located in the communication terminal.
  20. The system according to claim 19, wherein the first initial value setting submodule and/or the first initial value setting submodule is configured to: if the length of the login password is less than l1, pad it with a fixed binary string so that the binary length of the login password reaches l1, and use the padded login password as the initial value of the dynamic login credential; and if the length of the login password is greater than l1, take the leading binary string of length l1 of the login password as the initial value of the dynamic login credential.
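The following is an added example, not code from the patent: a two-party simulation of the key update and credential update algorithms (claim 13), the confirmation value check (claims 15 and 16), the failure handling (claim 18) and the initial values (claims 19 and 20). Assumptions: Hash1 and Hash2 are instantiated with SHAKE-256 under distinct prefixes, l1 = l2 = 128 bits, the fixed padding string is zero bytes, and all class, function and packet names are hypothetical.

```python
import hashlib
import hmac

L1 = 16          # l1: credential length in bytes (assumed 128 bits)
L2 = 16          # l2: dynamic key length in bytes (assumed 128 bits)
PAD = b"\x00"    # the "fixed binary string" used for padding (assumed)


def hash1(data: bytes) -> bytes:
    """Hash1: arbitrary-length input, l2 output (SHAKE-256 is an assumption)."""
    return hashlib.shake_256(b"Hash1|" + data).digest(L2)


def hash2(data: bytes) -> bytes:
    """Hash2: input of length 2*l2, output of length l1."""
    if len(data) != 2 * L2:
        raise ValueError("Hash2 expects sk1 || sk2")
    return hashlib.shake_256(b"Hash2|" + data).digest(L1)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Party:
    """State held by one side (server or communication terminal)."""

    def __init__(self, password: bytes):
        # Initial value: truncate to l1, or pad up to l1.
        self.P = password[:L1].ljust(L1, PAD)
        self.sk1 = self.sk2 = bytes(L2)      # all-zero strings of length l2
        # Explicit flag rather than testing sk != 0: XOR-ing the same
        # Hash1(m) twice cancels out, so the keys alone can hide an update.
        self.updated = False

    def on_packet(self, m: bytes, from_terminal: bool) -> None:
        """Key update: sk1 for terminal-sent packets, sk2 for server-sent."""
        if from_terminal:
            self.sk1 = xor(self.sk1, hash1(m))
        else:
            self.sk2 = xor(self.sk2, hash1(m))
        self.updated = True

    def candidate(self) -> bytes:
        """Credential update P xor Hash2(sk1 || sk2), not yet committed."""
        return xor(self.P, hash2(self.sk1 + self.sk2))

    def finish(self, new_p) -> None:
        """Commit on success, keep the old P on failure; keys are zeroed."""
        if new_p is not None:
            self.P = new_p
        self.sk1 = self.sk2 = bytes(L2)
        self.updated = False


def rotate(server: Party, terminal: Party) -> str:
    """End of an update period, server-initiated variant."""
    if not server.updated:
        return "no-update"                   # non-update notification
    p1, p2 = server.candidate(), terminal.candidate()
    a = hash1(p1)                            # first confirmation value (sent)
    a_prime = hash1(p2)                      # second confirmation value (local)
    ok = hmac.compare_digest(a, a_prime)     # constant-time comparison
    server.finish(p1 if ok else None)
    terminal.finish(p2 if ok else None)
    return "success" if ok else "failure"


def demo():
    # Constructed password and packets, for illustration only.
    server, terminal = Party(b"example-pass"), Party(b"example-pass")
    outcomes = [rotate(server, terminal)]    # no traffic in this period
    for m, from_t in [(b"GET /inbox", True), (b"200 OK", False)]:
        server.on_packet(m, from_t)
        terminal.on_packet(m, from_t)
    outcomes.append(rotate(server, terminal))
    good_p = server.P
    terminal.on_packet(b"never delivered", True)   # constructed desync
    server.on_packet(b"ping", False)
    terminal.on_packet(b"ping", False)
    outcomes.append(rotate(server, terminal))
    return outcomes, good_p, server, terminal


if __name__ == "__main__":
    print(demo()[0])
```

The third period shows why the confirmation step exists: one packet counted by only one side makes the two candidate credentials diverge, and both sides fall back to the last agreed credential with zeroed keys.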
PCT/CN2014/087979 2014-09-30 2014-09-30 Method and system for generating dynamic login credential WO2016049870A1 (en)


Publications (1)

Publication Number Publication Date
WO2016049870A1 true WO2016049870A1 (en) 2016-04-07


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14903020

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 10.08.2017)

122 Ep: pct application non-entry in european phase

Ref document number: 14903020

Country of ref document: EP

Kind code of ref document: A1