WO2016161889A1 - Dynamic password authentication method, system, client terminal and server - Google Patents


Publication number
WO2016161889A1
Authority
WO
WIPO (PCT)
Prior art keywords
server
verification
dynamic password
current time
client
Application number
PCT/CN2016/076880
Inventor
肖维杰
吴月刚
Original Assignee
阿里巴巴集团控股有限公司
肖维杰
吴月刚
Application filed by 阿里巴巴集团控股有限公司, 肖维杰, 吴月刚

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols

Definitions

  • the present application relates to the field of Internet information security technologies, and in particular, to a dynamic password verification method and system, a client, and a server.
  • A dynamic password is a password that is generated according to time or an event.
  • The password is valid and unpredictable within a certain time interval. It is usually displayed by a dynamic password generating carrier, such as a mobile phone token or a scratch card.
  • Dynamic password verification technology can implement user security authentication function. With the development of mobile Internet, dynamic password verification technology has been widely used in enterprises, finance, online banking, e-government and other fields. For example, when the user logs in to the online banking transaction system, the system will ask the user to input a dynamic password. After the user completes the input, the dynamic password is transmitted to the verification server for verification. Since each generated dynamic password is random and can only be used once, it can prevent attacks such as dynamic password eavesdropping, replay, impersonation, and guessing.
  • a dynamic password verification method based on time synchronization is commonly used to implement verification of a user identity.
  • an algorithm for generating a dynamic password by a client includes a time factor parameter.
  • the verification server generates a verification password for verifying the dynamic password, and the algorithm for generating the verification password also requires a time factor parameter.
  • The time factor in the algorithm the client uses to generate the dynamic password is derived from the client device.
  • The time factor in the algorithm the verification server uses to generate the verification password is derived from the verification server.
  • The client device clock and the verification server clock are almost impossible to match completely.
  • When the time factors do not match, the generated dynamic password and the verification password will also not match, which causes the user authentication to fail.
  • The purpose of the embodiments of the present application is to provide a dynamic password verification method and system, a client and a server, so that the time factor used in the algorithm for generating the dynamic password exactly matches the time factor used in the algorithm for generating the verification password.
  • the embodiment of the present application provides a dynamic password verification method and system, and the client and the server are implemented as follows:
  • a dynamic password verification method comprising:
  • the client requests the current time of the server from the authentication server;
  • the client receives the current time of the server returned by the verification server;
  • the client calculates a dynamic password according to the current time of the server, and uploads the dynamic password to the verification server;
  • the verification server calculates and generates a verification password according to the current time of the server;
  • the verification server determines whether the dynamic password and the verification password match, and if they match, passes the verification.
  • a dynamic password verification method comprising:
  • a dynamic password verification method comprising:
  • the method further includes:
  • the client checks if it is connected to the network
  • when the client determines that it is connected to the network, the client requests the current time of the server from the authentication server.
  • the current time and seed key of the server are used as input parameters of the dynamic password algorithm, and the dynamic password is calculated by using a dynamic password algorithm.
  • the seed key includes a seed key generated by the client upon initialization and sent to the authentication server.
  • the seed key includes a seed key that is generated when the client initializes and is sent to the verification server when calculating a dynamic password.
  • the dynamic password algorithm includes a one-way hash function.
  • a dynamic password verification method comprising:
  • the client reads the pre-stored server synchronization time
  • the client determines the current time of the server according to the server synchronization time
  • the client calculates and generates a dynamic password according to the current time of the server, and uploads the dynamic password to the verification server;
  • the verification server receives the dynamic password, and generates a verification password according to the current time value of the server;
  • the verification server determines whether the dynamic password and the verification password match, and if they match, passes the verification.
  • a dynamic password verification method comprising:
  • a dynamic password verification method comprising:
  • the current time and seed key of the server are used as input parameters of the dynamic password algorithm, and the dynamic password is calculated by using a dynamic password algorithm.
  • the seed key includes a seed key generated by the client upon initialization and sent to the authentication server.
  • the seed key includes a seed key that is generated when the client initializes and is sent to the verification server when calculating a dynamic password.
  • the dynamic password algorithm includes a one-way hash function.
  • Determining, according to the server synchronization time, a current time of the server including:
  • a dynamic password verification system comprising:
  • a client configured to request a current time of the server from the verification server; receive a current time of the server returned by the verification server; calculate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server;
  • An authentication server configured to receive a current time request of the server sent by the client; return a current time of the server to the client; calculate a generated verification password according to the current time value of the server; and determine whether the dynamic password and the verification password match, If it matches, it passes the verification.
  • a client that includes:
  • a requesting unit configured to request a server current time from the verification server
  • a receiving unit configured to receive a current time of the server returned by the verification server
  • the dynamic password generating unit is configured to calculate and generate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server.
  • a server that includes:
  • a first receiving unit configured to receive a server current time request sent by the client
  • Return unit used to return the current time of the server to the client
  • a second receiving unit configured to receive a dynamic password returned by the client
  • a verification password generating unit configured to calculate and generate a verification password according to the current time value of the server
  • the verification unit is configured to determine whether the dynamic password and the verification password match, and if they match, pass the verification.
  • a dynamic password verification system comprising:
  • a client configured to read a pre-stored server synchronization time; determine a current server time according to the server synchronization time; calculate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server;
  • the verification server is configured to receive a dynamic password returned by the client; calculate a generated verification password according to the current time value of the server; determine whether the dynamic password and the verification password match, and if they match, pass the verification.
  • a client that includes:
  • a reading unit for reading a pre-stored server synchronization time
  • a time determining unit configured to determine a current time of the server according to the server synchronization time
  • the dynamic password generating unit is configured to calculate and generate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server.
  • a server that includes:
  • a receiving unit configured to receive a dynamic password returned by the client
  • a verification password generating unit configured to calculate and generate a verification password according to a current time of the server
  • the verification unit is configured to determine whether the dynamic password and the verification password match, and if they match, pass the verification.
  • the time determining unit includes:
  • An obtaining unit configured to acquire a first time of the client when the server synchronization time is stored
  • a first calculating unit configured to calculate a difference between acquiring a current time of the client and the first time
  • a second calculating unit configured to calculate a sum of the difference value and the server synchronization time, where the sum value is determined to be the current time of the server.
  • In the dynamic password verification method based on time synchronization, the client communicates with the server before generating the dynamic password and acquires the current time of the server, so that the time factor the client uses to generate the dynamic password is synchronized with the time factor the verification server uses to generate the verification password, thereby improving the matching degree between the dynamic password and the verification password.
  • FIG. 1 is a schematic flow chart of a first method embodiment of a dynamic password verification method according to the present application
  • FIG. 2 is a schematic diagram of an application scenario of a first embodiment of a dynamic password verification method according to the present application
  • FIG. 3 is a schematic flowchart of a second method embodiment of a dynamic password verification method according to the present application.
  • FIG. 4 is a schematic structural diagram of a first embodiment of a dynamic password verification client according to the present application.
  • FIG. 5 is a schematic flowchart of a third method embodiment of a dynamic password verification method according to the present application.
  • FIG. 6 is a schematic diagram of the composition of a first embodiment of a dynamic password verification server of the present application.
  • FIG. 7 is a schematic flowchart of a fourth method embodiment of a dynamic password verification method according to the present application.
  • FIG. 8 is a schematic flowchart of a fifth method embodiment of a dynamic password verification method according to the present application.
  • FIG. 9 is a schematic structural diagram of a second embodiment of a dynamic password verification client according to the present application.
  • FIG. 10 is a schematic diagram of a composition of a time determining unit in a second embodiment of the dynamic password verification client of the present application.
  • FIG. 11 is a schematic flowchart of a sixth method embodiment of a dynamic password verification method according to the present application.
  • FIG. 12 is a schematic diagram showing the composition of a second embodiment of the dynamic password verification server of the present application.
  • the embodiment of the present application provides a dynamic password verification method and system, a client, and a server.
  • the dynamic password generation algorithm and the verification password generation algorithm are the same.
  • the time factor in the client dynamic password generation algorithm is the same as the time factor in the verification server verification password generation algorithm, the dynamic password and the verification password match, and the user passes the authentication.
  • the client may also obtain the current time of the verification server according to the last synchronized authentication server time saved in the local file.
  • The client can communicate with the verification server once before generating the dynamic password to obtain the current time of the verification server, which can be implemented by the method of S101 to S105 shown in FIG.
  • the client can be set to be able to initiate a specific function, such as touching a preset virtual button or pressing a physical button to activate that particular function.
  • the specific function can be re-opened to perform the work of obtaining the current time of the verification server, for example, the work of S101 to S103 below.
  • Step S101: The client requests the current time of the server from the verification server.
  • After the client starts the specific function, it can perform the work of obtaining the current time of the verification server.
  • The client requests the current time of the server from the authentication server.
  • The client may send an HTTP request to the time synchronization interface of the verification service, requesting the verification server to return the current time.
  • The specific Java implementation code is as follows:
  • Date date = obtainServerDate(); // The client initiates a request to the authentication server.
  • the client can also check if the network is connected before requesting the current time of the authentication server.
  • the client can communicate with the authentication server.
  • the client device includes a computer, a PAD, or a mobile phone.
  • For example, on a mobile phone client running the Android system, after the user clicks the "Get Dynamic Password" button on the current login page of the client, the client can invoke the network connection manager in the Android system to check whether the mobile client is connected to the network.
  • The mobile client can call the isAvailable() function through the ConnectivityManager class in the Android system, and the implementation code is as follows:
  • ConnectivityManager cwjManager = (ConnectivityManager) getSystemService(Context.CONNECTIVITY_SERVICE);
  • NetworkInfo info = cwjManager.getActiveNetworkInfo(); // null when there is no active network
  • boolean connected = info != null && info.isAvailable(); // true means the current Android mobile client is connected to the network
  • On other systems, the client likewise checks whether it is connected to the network by calling the network connection manager of the installed system.
  • A computer running the Win7 system checks whether the computer client is connected to the network by calling the network connection manager of the Win7 system.
  • An iPhone or iPad running the iOS system checks whether the iPhone or iPad client is connected to the network by calling the network connection manager of the iOS system.
  • Step S102: The client receives the current time of the server returned by the verification server.
  • The verification server receives the client's request and returns the current time of the server.
  • The specific Java implementation code is as shown above, and the client receives the current time returned by the verification server.
  • Step S103: The client calculates a dynamic password according to the current time of the server, and sends the dynamic password to the verification server.
  • After receiving the current time of the server, the client calculates and generates a dynamic password according to the current time of the server.
  • Algorithms for generating dynamic passwords include one-way hash functions such as HMAC-SHA1, MD5, SHA-1, and SHA-256.
  • the embodiment of the present application uses the HMAC-SHA1 algorithm to calculate and generate a dynamic password. The specific steps are as follows:
  • When the user registers the account, the client automatically generates a seed key, and the seed key may be a random code generated by the client.
  • When the client includes a mobile phone client, the seed key may include a combination of one or several of an IMEI, a mobile phone manufacturer identification code, a mobile phone screen resolution, and a mobile phone operating system version number.
  • After the client generates the seed key, the seed key can be immediately sent to the verification server. After the verification server receives the seed key, the seed key and the corresponding user ID may be saved in a database of the verification server.
  • The client may also send the seed key to the authentication server when calculating the dynamic password. Let the seed key be key and the time factor be T. Initializing (seed key key, time factor T) yields an encryption initial value key2, which can be generated as follows:
  • FormatDateTime('yyyymmdd', nowTime) formats the year, month and day of the current time of the server according to the format 'yyyymmdd'. For example, if the current date of the server is January 22, 2015, it is formatted as "20150122". FormatDateTime('hhmmss', nowTime) formats the hour, minute and second of the current time of the server according to the format 'hhmmss'.
  • The formatted result is, for example, "144403".
  • For example, if the seed key value is "999888" and the current time of the server received by the client is 2:44:32 on January 22, 2015, the encryption initial value key2 can be expressed as "99920150122999144403".
  • SS2: Calculate an HMAC-SHA-1 value from the encryption initial value.
  • The HMAC-SHA-1 value is generated from the encryption initial value, and the specific expression is:
  • Hs = HMAC-SHA-1(encryption initial value)
  • Hs is a 160-bit binary string.
  • HMAC-SHA-1 outputs a 160-bit HMAC-SHA-1 value after two hash operations using the SHA-1 algorithm.
  • SHA-1 is a standard hash operation of the prior art and is not described here.
  • SS3: Generate a 31-bit binary string from the HMAC-SHA-1 value.
  • A dynamic offset truncation function is used to extract a 31-bit dynamic binary string from the 160-bit HMAC-SHA-1 value.
  • Hs = Hs[0]Hs[1]...Hs[19]; // where Hs[i] is the i-th byte of the binary string Hs
  • OffsetBits = Hs[19] & 0xf; // OffsetBits is the offset, taken from the low-order 4 bits of Hs[19]
  • Offset = StToNum(OffsetBits);
  • SS4: Obtain the dynamic password from the 31-bit binary string.
  • The dynamic password is determined from the 31-bit binary string. The binary string can be converted into a 6- to 8-digit decimal number by using the StToNum function, and the specific implementation is as follows:
  • $\mathrm{StToNum}(P) = P[0] \times 2^{30} + P[1] \times 2^{29} + \dots + P[29] \times 2^{1} + P[30] \times 2^{0}$.
  • the client can send the dynamic password to the verification server by SMS.
  • The short message gateway forwards the short message sent by the client to the verification server.
  • Step S104: The verification server calculates and generates a verification password according to the current time value of the server.
  • the verification server may invoke a seed key corresponding to the user ID from the verification server database, and may also receive a seed key sent by the client in real time.
  • the verification server calculates a generated verification password according to the seed key and the current time value of the server sent to the client.
  • the same algorithm as the client can be adopted.
  • the verification server is preconfigured with the same dynamic password algorithm as the client.
  • The verification server can also adopt a different algorithm from the client, as long as the calculated dynamic password and the verification password match after a certain algorithm conversion.
  • the dynamic password algorithm includes HMAC-SHA1, MD5, SHA-1, and SHA-256.
  • Step S106: The verification server determines whether the dynamic password and the verification password match, and if they match, passes the verification.
  • The verification server compares the dynamic password and the verification password, and if they match, sends a verification confirmation message to the client. If the dynamic password and the verification password do not match, the verification server may send a reply message to the client indicating that verification failed.
  • the interface when user A logs in to a website through the mobile client is shown in Figure 2.
  • Dynamic password authentication is required.
  • The user clicks the "Get Dynamic Password" button, and the button triggers the function of the mobile client to obtain a dynamic password.
  • the client checks if the mobile device is connected to the network. If the mobile device is equipped with an Android system, the client can call the isAvailable() function to check if the phone is connected to the network. After checking, if it is determined that the mobile client device is connected to the network, the client requests the current time of the server from the authentication server.
  • the client may send an Http request to the time synchronization interface of the verification server to request the current time of the server, and the current time may be 2:44:32 on the afternoon of January 22, 2015.
  • the mobile client reads the local seed key, which may be a 15-digit IMEI code of the mobile device, such as “834299070186334”.
  • the client can calculate and generate a dynamic password by using the HMAC-SHA-1 algorithm.
  • The seed key and the current time of the server are initialized to obtain the encryption initial value, the HMAC-SHA-1 value of the encryption initial value is calculated, and after truncation the result is converted into a dynamic password of 6 to 8 digits, such as "453476".
  • The client sends the dynamic password to the authentication server.
  • After the verification server receives the dynamic password, it determines whether the ID of the user is legal. After determining the legality of the ID, the verification server invokes the seed key corresponding to the ID in the server database according to the ID.
  • After the seed key is obtained, the verification server generates a verification password by using the HMAC-SHA-1 algorithm according to the seed key and the current time of the server, where the HMAC-SHA-1 algorithm is pre-configured in the verification server.
  • After the verification password is generated, the verification server compares the dynamic password with the verification password. If the two match, the verification is passed; otherwise, the verification is not passed.
  • In the dynamic password verification method based on time synchronization, the client communicates with the server before generating the dynamic password and acquires the current time of the server, so that the time factor the client uses to generate the dynamic password is synchronized with the time factor the verification server uses to generate the verification password, thereby improving the matching degree between the dynamic password and the verification password.
  • The following describes a first embodiment of a system for dynamic password verification corresponding to the method embodiment, where the system includes:
  • a client configured to request a current time of the server from the verification server; receive a current time of the server returned by the verification server; calculate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server;
  • An authentication server configured to receive a current time request of the server sent by the client; return a current time of the server to the client; calculate a generated verification password according to the current time value of the server; and determine whether the dynamic password and the verification password match, If it matches, it passes the verification, otherwise it fails the verification.
  • Considering only the client-side steps, the foregoing first method embodiment may be developed into a second method embodiment, as shown in FIG. 3, including:
  • Step S301: Request the current time of the server from the verification server.
  • Step S302: Receive the current time of the server returned by the verification server.
  • Step S303: Calculate and generate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server.
  • the corresponding client first embodiment 400 includes:
  • a requesting unit 401 configured to request a server current time from the verification server
  • the receiving unit 402 is configured to receive a current time of the server returned by the verification server;
  • the dynamic password generating unit 403 is configured to calculate and generate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server.
  • A third method embodiment may also be developed. As shown in FIG. 5, the method includes:
  • Step S501: Receive a server current time request sent by the client.
  • Step S502: Return the current time of the server to the client.
  • Step S503: Receive a dynamic password returned by the client.
  • Step S504: Calculate and generate a verification password according to the current time value of the server.
  • Step S505: Determine whether the dynamic password and the verification password match, and if they match, pass the verification.
  • the corresponding server first embodiment 600 includes:
  • the first receiving unit 601 is configured to receive a server current time request sent by the client.
  • a second receiving unit 603, configured to receive a dynamic password returned by the client
  • the verification password generating unit 604 is configured to calculate and generate a verification password according to the current time value of the server;
  • the verification unit 605 is configured to determine whether the dynamic password and the verification password match, and if they match, pass the verification.
  • the foregoing first method embodiment can be evolved into a fourth method embodiment in consideration of the fact that the client is not connected to the network.
  • the server synchronization time saved locally by the client may be read, and the current server time is calculated according to the server synchronization time.
  • Step S701: The client reads the server synchronization time pre-stored by the client.
  • the client when the client device is connected to the network, the client can periodically synchronize the server time and save the acquired server synchronization time in the form of a log in the client file system.
  • the client can read the last saved server synchronization time from the client file system, thereby calculating the current server time.
  • Step S702: The client determines the current time of the server according to the server synchronization time.
  • The client can determine the current time of the server according to the server synchronization time. Specifically, the current time of the client minus the time when the client saved the server synchronization time, plus the server synchronization time, gives the current time of the server.
  • The above method includes steps S1 to S3:
  • S1: Acquire a first time of the client when the server synchronization time was stored;
  • S2: Calculate the difference between the current time of the client and the first time;
  • S3: Calculate the sum of the difference value and the server synchronization time, and the sum value is determined as the current time of the server.
  • For example, the current time of the client device is 21:50:37 on January 26, 2015, the client device synchronized the server time and saved it at 12:28:03 on January 20, 2015, and the server synchronization time is 12:27:50 on January 20, 2015. According to the above method of determining the current time of the server, the current time of the server is 21:50:24 on January 26, 2015.
  • Step S703: The client calculates a dynamic password according to the current time of the server, and uploads the dynamic password to the verification server.
  • Dynamic password algorithms include one-way hash functions such as HMAC-SHA1, MD5, SHA-1, and SHA-256.
  • the embodiment of the present application uses the HMAC-SHA1 algorithm to calculate and generate a dynamic password.
  • the specific steps refer to SS1 to SS4 in the first method embodiment, and details are not described herein again.
  • Step S704: The verification server receives the dynamic password, and calculates and generates a verification password according to the current time value of the server.
  • the verification server may invoke a seed key corresponding to the user ID from the verification server database, and may also receive a seed key sent by the client in real time.
  • the verification server calculates and generates a verification password according to the seed key and the current time value of the server sent to the client.
  • the same dynamic password algorithm as the client can be adopted.
  • the verification server is pre-configured with the same dynamic password algorithm as the client.
  • the dynamic password algorithm includes HMAC-SHA1, MD5, SHA-1, and SHA-256.
  • Step S705: The verification server determines whether the dynamic password and the verification password match, and if they match, passes the verification.
  • The verification server compares the dynamic password and the verification password, and if they match, sends a verification confirmation message to the client. If the dynamic password and the verification password do not match, the verification server may send a reply message to the client indicating that verification failed.
  • the interface when user A logs in to a website through the mobile client is as shown in FIG. 2 .
  • The client checks if the mobile device is connected to the network. If the mobile device is equipped with an Android system, the client can call the isAvailable() function to check if the phone is connected to the network. After checking, if it is determined that the mobile client device is not connected to the network, the client reads the server synchronization time last saved in the client device file system. The current time of the server is calculated from the server synchronization time; for the specific calculation method, refer to step S702.
  • After determining the current time of the server, the mobile client reads the local seed key, which can be a 15-digit IMEI code of the mobile device, such as "834299070186334".
  • The client can calculate and generate a dynamic password by using the HMAC-SHA-1 algorithm. Specifically, the seed key and the current time of the server are initialized to obtain the encryption initial value, the HMAC-SHA-1 value of the encryption initial value is calculated, and after truncation the result is converted into a dynamic password of 6 to 8 digits, such as "453476".
  • The client sends the dynamic password to the authentication server. After the verification server receives the dynamic password, it determines whether the ID of the user is legal.
  • After determining the legality of the ID, the verification server invokes the seed key corresponding to the ID in the server database according to the ID. After the seed key is obtained, the verification server generates a verification password by using the HMAC-SHA-1 algorithm according to the seed key and the current time of the server, where the HMAC-SHA-1 algorithm is pre-configured in the verification server. After the verification password is generated, the verification server compares the dynamic password with the verification password. If the two are the same, the verification is successful. Otherwise, the verification is unsuccessful.
  • The current time of the server is determined according to the server synchronization time stored in the client file system, so that the time factor used for the dynamic password of the client is synchronized with the time factor used by the verification server to calculate the verification password, and the matching degree between the dynamic password and the verification password is improved.
  • a client configured to read a pre-stored server synchronization time; determine a current server time according to the server synchronization time; calculate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server;
  • the verification server is configured to receive a dynamic password returned by the client; calculate and generate a verification password according to the current time value of the server; and determine whether the dynamic password and the verification password match, and if they match, pass the verification.
  • the fourth method embodiment considering the client-based step, can be evolved into the fifth method embodiment, as shown in FIG. 8, including:
  • Step S801 Read the pre-stored server synchronization time
  • Step S802 Determine a current time of the server according to the server synchronization time
  • Step S803 Calculate and generate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server.
  • corresponding to the fifth method embodiment above, the second client embodiment 900, as shown in FIG. 9, includes:
  • the reading unit 901 is configured to read the pre-stored server synchronization time
  • the time determining unit 902 is configured to determine a current time of the server according to the server synchronization time
  • the dynamic password generating unit 903 is configured to calculate and generate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server.
  • the time determining unit 902 includes:
  • the obtaining unit 1001 is configured to acquire a first time of the client when the server synchronization time is stored;
  • a first calculating unit 1002 configured to calculate the difference between the current time of the client and the first time
  • the second calculating unit 1003 is configured to calculate a sum of the difference value and the server synchronization time, where the sum value is determined to be the current time of the server.
  • the fourth method embodiment considering a server-based step, may be evolved into a sixth method embodiment, as shown in FIG. 11, including:
  • Step S1101 Receive a dynamic password returned by the client.
  • Step S1102 Calculate and generate a verification password according to the current time value of the server
  • Step S1103 Determine whether the dynamic password and the verification password match, and if they match, pass the verification.
  • corresponding to the sixth method embodiment above, the second server embodiment 1200, as shown in FIG. 12, includes:
  • the receiving unit 1201 is configured to receive a dynamic password returned by the client;
  • the verification password generating unit 1202 is configured to calculate and generate a verification password according to the current time of the server;
  • the verification unit 1203 is configured to determine whether the dynamic password and the verification password match, and if they match, pass the verification.
  • PLD Programmable Logic Device
  • FPGA Field Programmable Gate Array
  • HDL Hardware Description Language
  • the controller can be implemented in any suitable manner; for example, the controller can take the form of a microprocessor or processor and a computer readable medium storing computer readable program code (e.g., software or firmware) executable by the (micro)processor.
  • examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320; a memory controller can also be implemented as part of the memory's control logic.
  • the controller can be logically programmed by means of logic gates, switches, ASICs, programmable logic controllers, and embedding.
  • Such a controller can therefore be considered a hardware component, and the means for implementing various functions included therein can also be considered as a structure within the hardware component.
  • a device for implementing various functions can be considered as a software module that can be both a method of implementation and a structure within a hardware component.
  • the system, device, module or unit illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product having a certain function.
  • the present application can be implemented by means of software plus a necessary general hardware platform. Based on such understanding, the essence of the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied in the form of a software product.
  • the computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
  • the computer software product can include a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the embodiments of the present application or in portions of the embodiments.
  • the computer software product can be stored in a memory, which may include non-persistent memory, random access memory (RAM), and/or nonvolatile memory in a computer readable medium, such as read only memory (ROM) or flash memory.
  • Memory is an example of a computer readable medium.
  • Computer readable media includes both permanent and non-persistent, removable and non-removable media.
  • Information storage can be implemented by any method or technology.
  • the information can be computer readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disk read only memory (CD-ROM), digital versatile disk (DVD), magnetic tape cartridges, magnetic tape storage or other magnetic storage devices, or any other non-transmission media that can be used to store information that can be accessed by a computing device.
  • computer readable media does not include transitory computer readable media, such as modulated data signals and carrier waves.
  • This application can be used in a variety of general purpose or special purpose computer system environments or configurations.
  • the application can be described in the general context of computer-executable instructions executed by a computer, such as a program module.
  • program modules include routines, programs, objects, components, data structures, and the like that perform particular tasks or implement particular abstract data types.
  • the present application can also be practiced in distributed computing environments where tasks are performed by remote processing devices that are connected through a communication network.
  • program modules can be located in both local and remote computer storage media including storage devices.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Disclosed in embodiments of the present application are a dynamic password authentication method, system, client terminal and server. The method comprises: requesting, by a client terminal, a current server time from an authentication server; receiving, by the client terminal, the current server time returned by the authentication server; calculating to generate, by the client terminal, according to the current server time, a dynamic password and uploading the dynamic password to the authentication server; calculating to generate, by the authentication server, according to the current server time, an authentication password; determining whether the dynamic password matches the authentication password, if so, the authentication is successful. The embodiments of the present application realize synchronization of a time factor used by the client terminal when generating the dynamic password and a time factor used by the authentication server when generating the authentication password, thereby improving the matching degree between the dynamic password and the authentication password.

Description

Dynamic password verification method and system, client and server
Technical field
The present application relates to the field of Internet information security technologies, and in particular to a dynamic password verification method and system, a client, and a server.
Background
A dynamic password is a password generated as time passes or events occur. It is valid and unpredictable within a certain time interval, and is usually displayed by a carrier that generates dynamic passwords, such as a mobile phone token or a scratch card. Dynamic password verification technology can implement secure user identity verification. With the development of the mobile Internet, it has been widely used in enterprise, finance, online banking, e-government and other fields. For example, when a user logs in to an online banking transaction system, the system asks the user to input a dynamic password; after the user completes the input, the dynamic password is transmitted to the verification server for verification. Since each generated dynamic password is random and can be used only once, attacks on the dynamic password such as eavesdropping, replay, impersonation, and guessing can be prevented.
In the prior art, a dynamic password verification method based on time synchronization is commonly used to verify user identity. In this method, the algorithm by which the client generates the dynamic password includes a time factor parameter. The verification server generates a verification password used to verify the dynamic password, and the algorithm for generating the verification password also requires a time factor parameter.
In the process of implementing the present application, the inventors found that the prior art has at least the following problem: the time factor in the client's dynamic password generation algorithm comes from the client device, while the time factor in the verification server's verification password generation algorithm comes from the verification server. In general, the client device clock and the verification server clock almost never match exactly. When the time factors do not match, the generated dynamic password and verification password do not match either, which causes user identity verification to fail.
Summary of the invention
The purpose of the embodiments of the present application is to provide a dynamic password verification method and system, a client, and a server, so that the time factor in the dynamic password generation algorithm and the time factor in the verification password generation algorithm match exactly.
To solve the above technical problem, the dynamic password verification method and system, client, and server provided by the embodiments of the present application are implemented as follows:
A dynamic password verification method, comprising:
the client requests the current time of the server from the verification server;
the client receives the current time of the server returned by the verification server;
the client calculates and generates a dynamic password according to the current time of the server, and uploads the dynamic password to the verification server;
the verification server calculates and generates a verification password according to the current time of the server;
the verification server determines whether the dynamic password and the verification password match, and if they match, the verification passes.
A dynamic password verification method, comprising:
requesting the current time of the server from the verification server;
receiving the current time of the server returned by the verification server;
calculating and generating a dynamic password according to the current time of the server, and uploading the dynamic password to the verification server.
A dynamic password verification method, comprising:
receiving a request for the current time of the server sent by the client;
returning the current time of the server to the client;
receiving the dynamic password returned by the client;
calculating and generating a verification password according to the current time value of the server;
determining whether the dynamic password and the verification password match, and if they match, passing the verification.
Before requesting the current time of the server from the verification server, the method further comprises:
the client checks whether it is connected to the network;
when it determines that it is connected to the network, the client requests the current time of the server from the verification server.
Calculating and generating a dynamic password according to the current time of the server comprises:
using the current time of the server and a seed key as input parameters of a dynamic password algorithm, and calculating the dynamic password with the dynamic password algorithm.
The seed key includes a seed key that is generated when the client is initialized and sent to the verification server.
The seed key includes a seed key that is generated when the client is initialized and is sent to the verification server when the dynamic password is calculated and generated.
The dynamic password algorithm includes a one-way hash function.
A dynamic password verification method, comprising:
the client reads a pre-stored server synchronization time;
the client determines the current time of the server according to the server synchronization time;
the client calculates and generates a dynamic password according to the current time of the server, and uploads the dynamic password to the verification server;
the verification server receives the dynamic password, and calculates and generates a verification password according to the current time value of the server;
the verification server determines whether the dynamic password and the verification password match, and if they match, the verification passes.
A dynamic password verification method, comprising:
reading a pre-stored server synchronization time;
determining the current time of the server according to the server synchronization time;
calculating and generating a dynamic password according to the current time of the server, and uploading the dynamic password to the verification server.
A dynamic password verification method, comprising:
receiving the dynamic password returned by the client;
calculating and generating a verification password according to the current time value of the server;
determining whether the dynamic password and the verification password match, and if they match, passing the verification.
Calculating and generating a dynamic password according to the current time of the server comprises:
using the current time of the server and a seed key as input parameters of a dynamic password algorithm, and calculating the dynamic password with the dynamic password algorithm.
The seed key includes a seed key that is generated when the client is initialized and sent to the verification server.
The seed key includes a seed key that is generated when the client is initialized and is sent to the verification server when the dynamic password is calculated and generated.
The dynamic password algorithm includes a one-way hash function.
Determining the current time of the server according to the server synchronization time comprises:
obtaining the first time of the client, that is, the client time at which the server synchronization time was stored;
calculating the difference between the current time of the client and the first time;
calculating the sum of the difference and the server synchronization time, the sum being determined as the current time of the server.
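The offline time derivation in the three steps above, combined with the HMAC-SHA-1 generation and server-side comparison this page describes, as an added Python example that is not code from the patent. The 30-second time step, the RFC 4226 truncation, the `window` tolerance, the one-use check and all names are assumptions; the patent states only HMAC-SHA-1 followed by truncation to 6-8 digits.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP_SECONDS = 30  # assumption: the patent does not state a time-step length
DIGITS = 6         # the patent's example password "453476" has 6 digits


@dataclass
class SyncRecord:
    """What the client stores when it last obtained the server time."""
    server_sync_time: int   # server time (epoch seconds) returned at sync
    client_first_time: int  # client clock reading when that value was stored


def derive_server_time(rec: SyncRecord, client_now: int) -> int:
    """Server current time = server sync time + (client now - first time)."""
    elapsed = client_now - rec.client_first_time
    if elapsed < 0:
        # The client clock was set back after the sync, so the stored record
        # no longer tracks the server; the client must resynchronise online.
        raise ValueError("client clock moved backwards since last sync")
    return rec.server_sync_time + elapsed


def dynamic_password(seed_key: bytes, server_time: int, digits: int = DIGITS) -> str:
    """HMAC-SHA-1 over the time-step counter, truncated as in RFC 4226."""
    counter = struct.pack(">Q", server_time // STEP_SECONDS)
    mac = hmac.new(seed_key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class VerificationServer:
    """Recomputes the verification password from its own clock and seed store."""

    def __init__(self, seeds: dict, window: int = 0):
        self.seeds = seeds    # user ID -> seed key
        self.window = window  # assumption: extra time steps accepted either side
        self.last_step = {}   # user ID -> last accepted step (one-use check)

    def verify(self, user_id: str, submitted: str, server_now: int) -> bool:
        seed = self.seeds.get(user_id)
        if seed is None:      # the user ID is not legal
            return False
        current = server_now // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            expected = dynamic_password(seed, step * STEP_SECONDS)
            # Constant-time comparison of the two passwords.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                if step <= self.last_step.get(user_id, -1):
                    return False  # this time step was already accepted: replay
                self.last_step[user_id] = step
                return True
        return False


def demo():
    # Constructed seed; the page's example uses the device IMEI, which is an
    # identifier rather than a secret.
    seed = b"constructed-seed-key"
    # Constructed record: at sync the client clock was 120 s behind the server.
    rec = SyncRecord(server_sync_time=1_700_000_000, client_first_time=1_699_999_880)
    client_now = rec.client_first_time + 3600  # one hour later, offline
    server_time = derive_server_time(rec, client_now)
    otp = dynamic_password(seed, server_time)
    server = VerificationServer({"userA": seed})
    accepted = server.verify("userA", otp, server_now=1_700_003_602)
    replayed = server.verify("userA", otp, server_now=1_700_003_603)
    return server_time, accepted, replayed


if __name__ == "__main__":
    print(demo())
```

The derivation depends on the client clock advancing uniformly between the sync and the login; a clock set forward after the sync is not detectable from these two values alone.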
A dynamic password verification system, comprising:
a client, configured to request the current time of the server from the verification server; receive the current time of the server returned by the verification server; and calculate and generate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server;
a verification server, configured to receive the request for the current time of the server sent by the client; return the current time of the server to the client; calculate and generate a verification password according to the current time value of the server; and determine whether the dynamic password and the verification password match, and if they match, pass the verification.
A client, comprising:
a requesting unit, configured to request the current time of the server from the verification server;
a receiving unit, configured to receive the current time of the server returned by the verification server;
a dynamic password generating unit, configured to calculate and generate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server.
A server, comprising:
a first receiving unit, configured to receive the request for the current time of the server sent by the client;
a returning unit, configured to return the current time of the server to the client;
a second receiving unit, configured to receive the dynamic password returned by the client;
a verification password generating unit, configured to calculate and generate a verification password according to the current time value of the server;
a verification unit, configured to determine whether the dynamic password and the verification password match, and if they match, pass the verification.
A dynamic password verification system, comprising:
a client, configured to read a pre-stored server synchronization time; determine the current time of the server according to the server synchronization time; and calculate and generate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server;
a verification server, configured to receive the dynamic password returned by the client; calculate and generate a verification password according to the current time value of the server; and determine whether the dynamic password and the verification password match, and if they match, pass the verification.
A client, comprising:
a reading unit, configured to read a pre-stored server synchronization time;
a time determining unit, configured to determine the current time of the server according to the server synchronization time;
a dynamic password generating unit, configured to calculate and generate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server.
A server, comprising:
a receiving unit, configured to receive the dynamic password returned by the client;
a verification password generating unit, configured to calculate and generate a verification password according to the current time of the server;
a verification unit, configured to determine whether the dynamic password and the verification password match, and if they match, pass the verification.
The time determining unit comprises:
an obtaining unit, configured to obtain the first time of the client, that is, the client time at which the server synchronization time was stored;
a first calculating unit, configured to calculate the difference between the current time of the client and the first time;
a second calculating unit, configured to calculate the sum of the difference and the server synchronization time, the sum being determined as the current time of the server.
As can be seen from the technical solutions provided by the above embodiments of the present application, in the dynamic password verification method based on time synchronization, the client communicates once with the server before generating the dynamic password and obtains the current time of the server. This synchronizes the time factor used by the client to generate the dynamic password with the time factor used by the verification server to generate the verification password, thereby improving the matching degree between the dynamic password and the verification password.
Description of the drawings
In order to illustrate the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the present application, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of the first method embodiment of the dynamic password verification method of the present application;
FIG. 2 is a schematic diagram of an application scenario of the first embodiment of the dynamic password verification method of the present application;
FIG. 3 is a schematic flowchart of the second method embodiment of the dynamic password verification method of the present application;
FIG. 4 is a schematic diagram of the composition of the first embodiment of the dynamic password verification client of the present application;
FIG. 5 is a schematic flowchart of the third method embodiment of the dynamic password verification method of the present application;
FIG. 6 is a schematic diagram of the composition of the first embodiment of the dynamic password verification server of the present application;
FIG. 7 is a schematic flowchart of the fourth method embodiment of the dynamic password verification method of the present application;
FIG. 8 is a schematic flowchart of the fifth method embodiment of the dynamic password verification method of the present application;
FIG. 9 is a schematic diagram of the composition of the second embodiment of the dynamic password verification client of the present application;
FIG. 10 is a schematic diagram of the composition of the time determining unit in the second embodiment of the dynamic password verification client of the present application;
FIG. 11 is a schematic flowchart of the sixth method embodiment of the dynamic password verification method of the present application;
FIG. 12 is a schematic diagram of the composition of the second embodiment of the dynamic password verification server of the present application.
Detailed description
The embodiments of the present application provide a dynamic password verification method and system, a client, and a server.
To help those skilled in the art better understand the technical solutions in the present application, the technical solutions in the embodiments of the present application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without creative effort shall fall within the scope of protection of the present application.
The dynamic password generation algorithm and the verification password generation algorithm are the same. When the time factor in the client's dynamic password generation algorithm is the same as the time factor in the verification server's verification password generation algorithm, the dynamic password and the verification password match and the user passes identity verification. The client may also obtain the current time of the verification server from the verification server time saved in a local file at the last synchronization.
The implementation of the first embodiment of the present application is described below.
To make the time factor in the client's dynamic password generation algorithm the same as the time factor in the verification server's verification password generation algorithm, the client can communicate once with the verification server before generating the dynamic password and obtain the current time of the verification server. Specifically, this can be implemented by the method of S101 to S105 shown in FIG. 1.
The client may be configured so that a specific function can be started, for example by touching a preset virtual button or pressing a physical button. Once started, this function can carry out the work of obtaining the current time of the verification server, for example steps S101 to S103 below.
Step S101: The client requests the current time of the server from the verification server.
As described above, after starting the specific function, the client can carry out the work of obtaining the current time of the verification server. First, the client requests the current time of the server from the verification server. In the embodiment of the present invention, the client may send an HTTP request to the time synchronization interface of the verification service, requesting the verification server to return the current time. The specific Java implementation code is as follows:
import java.text.SimpleDateFormat;
import java.util.Date;

String date = obtainServerDate();    // The client initiates a request to the verification server

public String obtainServerDate() {
    SimpleDateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
    // The verification server sets the current time
    return df.format(new Date());    // The verification server returns the current time to the client
}
Before requesting the verification server's current time, the client may also check whether it is connected to a network. Only when the client is connected to a network can it communicate with the verification server. Generally, client devices include computers, PADs, mobile phones and the like. For example, on a mobile phone client running the Android system, after the user taps the "Get Dynamic Password" button on the client's current login page, the client can call the network connection manager in the Android system to check whether the mobile phone client is connected to a network. Specifically, the mobile phone client can call the isAvailable() function through the ConnectivityManager class in the Android system; the implementation code is as follows:
ConnectivityManager cwjManager=(ConnectivityManager)getSystemService(Context.CONNECTIVITY_SERVICE);
NetworkInfo info=cwjManager.getActiveNetworkInfo();    //null when there is no active network
boolean connected=info!=null&&info.isAvailable();    //true means the Android mobile phone client is currently connected to a network
Similarly, on other client devices the client also checks whether it is connected to a network by calling the network connection manager of the installed system. For example, a computer running the Win7 system checks whether the computer client is connected to a network by calling the Win7 network connection manager, and an iPhone or iPad running the iOS system checks whether the iPhone or iPad client is connected to a network by calling the iOS network connection manager.
Step S102: The client receives the server current time returned by the verification server.
The verification server receives the client's request and returns the server current time; the specific Java implementation code is as shown above. The client receives the current time returned by the verification server.
Step S103: The client calculates and generates a dynamic password according to the server current time, and sends the dynamic password to the verification server.
After receiving the server current time, the client calculates and generates a dynamic password according to it. Algorithms for generating the dynamic password include one-way hash functions such as HMAC-SHA1, MD5, SHA-1 and SHA-256. For example, this embodiment of the present application uses the HMAC-SHA1 algorithm to calculate and generate the dynamic password; the specific steps are as follows:
SS1: Initialize the seed key and the time factor.
When the user registers an account, the client automatically generates a seed key, which may be a random code generated by the client. When the client is a mobile phone client, the seed key may include one or a combination of several of the IMEI, the phone manufacturer identification code, the phone screen resolution and the phone operating system version number. After generating the seed key, the client may send it to the verification server immediately. After receiving the seed key, the verification server may store the seed key and the corresponding user ID in the verification server's database. The client may also send the seed key to the verification server at the time it calculates the dynamic password. Let the seed key be key and the time factor be T. Initializing (seed key key, time factor T) yields the encryption initial value key2, which can be generated as follows:
key2=copy(key,1,L/2)+FormatDateTime('yyyymmdd',nowTime)+
copy(key,L/2,L)+FormatDateTime('hhmmss',nowTime)
Here L is the length of the seed key key, copy(key,1,L/2) is the front part of the seed key, and copy(key,L/2,L) is the back part. The server current time nowTime can be accurate to the second. FormatDateTime('yyyymmdd',nowTime) formats the year, month and day of the server current time in the 'yyyymmdd' format; for example, if the server's current date is January 22, 2015, the formatted result is "20150122". FormatDateTime('hhmmss',nowTime) formats the hour, minute and second of the server current time in the 'hhmmss' format; for example, if the server current time is 2:44:03 PM, the formatted result is "144403". As an example, if the seed key key is "999888" and the server current time received by the client is 2:44:03 PM on January 22, 2015, then the encryption initial value key2 can be expressed as "99920150122999144403".
SS2: Calculate the HMAC-SHA-1 value from the encryption initial value.
The HMAC-SHA-1 value is calculated from the encryption initial value; the specific expression is:
Hs=HMAC-SHA-1(encryption initial value)
Here Hs is a 160-bit binary string. HMAC-SHA-1 performs two hash operations using the SHA-1 algorithm and outputs a 160-bit HMAC-SHA-1 value. SHA-1 is a standard hash operation in the prior art and is not described further here.
SS3: Generate a 31-bit binary string from the HMAC-SHA-1 value.
A dynamic offset truncation function is used to extract a 31-bit dynamic binary string from the 160-bit HMAC-SHA-1 value. The specific expression is P=DT(Hs), where DT is the truncation function. P=DT(Hs) is implemented as follows:
Hs=Hs[0]Hs[1]…Hs[19];   //Hs[i] is the i-th byte of the binary string Hs
OffsetBits=Hs[19]&0xf;   //OffsetBits is the offset bits, taken from the last 4 bits of Hs[19]
Offset=StToNum(OffsetBits);
//converts OffsetBits to a decimal number whose value is between 0 and 15
P=(Hs[Offset]&0x7f)<<24|(Hs[Offset+1]&0xff)<<16|(Hs[Offset+2]&0xff)<<8|(Hs[Offset+3]&0xff);    //takes the last 31 bits of the 4 consecutive bytes Hs[Offset] to Hs[Offset+3]
SS4: Obtain the dynamic password from the 31-bit binary string.
The dynamic password is determined from the 31-bit binary string. The StToNum function can be used to convert the binary string into a 6- to 8-digit decimal number, implemented as follows:
StToNum(P)=P[0]·2^(30)+P[1]·2^(29)+…+P[29]·2^(1)+P[30]·2^(0).
The client may send the dynamic password to the verification server by SMS. The SMS gateway converts the SMS message sent by the client and forwards it to the verification server.
Step S104: The verification server calculates and generates a verification password according to the server current time value.
Generally, after determining that the user ID is legitimate, the verification server may retrieve the seed key corresponding to the user ID from the verification server database, or may receive the seed key sent by the client in real time. The verification server calculates and generates the verification password from the seed key and the server current time value that was sent to the client. When calculating the verification password, the verification server may use the same algorithm as the client; in this case, the verification server is preconfigured with the same dynamic password algorithm as the client. Of course, the verification server may also use an algorithm different from the client's, as long as the calculated dynamic password and verification password match after a certain algorithmic conversion. Likewise, the dynamic password algorithms include HMAC-SHA1, MD5, SHA-1 and SHA-256.
Step S106: The verification server determines whether the dynamic password and the verification password match, and if they match, verification passes.
The verification server compares the dynamic password with the verification password and, if they match, sends a confirmation message indicating that verification passed to the client. Subsequently, if the dynamic password and the verification password do not match, the verification server may send a reply message indicating that verification failed to the client.
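Steps SS1 to SS4 and the server-side check of S104 to S106, as an added Python example that is not code from the patent. Assumptions: the seed is used as the HMAC key with key2 as the message (the page gives HMAC-SHA-1 a single input), the decimal password is the low-order digits of P, and the class name, the 60-second validity window and the single-use handling of each issued time value are illustrative.

```python
import hashlib
import hmac
from datetime import datetime, timedelta


def build_key2(seed: str, server_time: datetime) -> str:
    """SS1: front half of the seed + yyyymmdd + back half of the seed + hhmmss."""
    half = len(seed) // 2
    return (seed[:half] + server_time.strftime("%Y%m%d")
            + seed[half:] + server_time.strftime("%H%M%S"))


def dynamic_truncate(hs: bytes) -> int:
    """SS3: P = DT(Hs). The low 4 bits of Hs[19] select a 4-byte window whose
    top bit is masked off, leaving a 31-bit value."""
    if len(hs) != 20:
        raise ValueError("expected a 160-bit HMAC-SHA-1 value")
    offset = hs[19] & 0x0F
    return ((hs[offset] & 0x7F) << 24 | hs[offset + 1] << 16
            | hs[offset + 2] << 8 | hs[offset + 3])


def dynamic_password(seed: str, server_time: datetime, digits: int = 6) -> str:
    """SS1 to SS4 end to end."""
    key2 = build_key2(seed, server_time).encode("utf-8")
    # Assumption: the page writes Hs = HMAC-SHA-1(key2) with a single input.
    # Here the seed is the HMAC key and key2 is the message.
    hs = hmac.new(seed.encode("utf-8"), key2, hashlib.sha1).digest()
    # Assumption: the 6 to 8 decimal digits are the low-order digits of P,
    # zero-padded on the left.
    return str(dynamic_truncate(hs) % 10 ** digits).zfill(digits)


class VerificationServer:
    """S101/S102 and S104 to S106 on the server side, kept in memory."""

    def __init__(self, seeds: dict, max_age: timedelta = timedelta(seconds=60)):
        self._seeds = dict(seeds)   # user ID -> seed key (the server database)
        self._issued = {}           # user ID -> server time returned in S102
        self._max_age = max_age     # assumption: validity interval of a time value

    def issue_time(self, user_id: str, now: datetime) -> datetime:
        """Return the server current time (to the second) and remember it."""
        issued = now.replace(microsecond=0)
        self._issued[user_id] = issued
        return issued

    def verify(self, user_id: str, submitted: str, now: datetime) -> bool:
        seed = self._seeds.get(user_id)
        # pop(): each issued time value backs at most one verification attempt,
        # so a captured password cannot be replayed (assumption, see lead-in).
        issued = self._issued.pop(user_id, None)
        if seed is None or issued is None:
            return False
        if not timedelta(0) <= now - issued <= self._max_age:
            return False
        expected = dynamic_password(seed, issued)
        # Constant-time comparison of the dynamic and verification passwords.
        return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    # Constructed sample values.
    server = VerificationServer({"userA": "ABCDEF"})
    t0 = datetime(2015, 1, 22, 14, 44, 3)
    t = server.issue_time("userA", t0)
    otp = dynamic_password("ABCDEF", t)
    print(build_key2("ABCDEF", t), otp)
    print(server.verify("userA", otp, t0 + timedelta(seconds=5)))   # True
    print(server.verify("userA", otp, t0 + timedelta(seconds=6)))   # False: replay
```

Because the server recomputes the password from the time value it handed out, it has to keep that value per user between S102 and S104; the example drops it after one attempt.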
The implementation process of the above embodiment of the present application is described below with reference to a specific scenario:
The interface shown when user A logs in to a website through a mobile phone client is shown in FIG. 2. After user A enters the user ID and password, dynamic password authentication is required. On the interface shown in FIG. 2, the user taps the "Get Dynamic Password" button, which triggers the mobile phone client's function for obtaining a dynamic password. First, the client checks whether the mobile device is connected to a network. If the mobile device runs the Android system, the client can call the isAvailable() function to check whether the phone is connected to a network. If the check determines that the mobile phone client device is connected to a network, the client requests the server current time from the verification server. Specifically, the client may send an HTTP request to the verification server's time synchronization interface to request the server current time; the current time may be 2:44:03 PM on January 22, 2015. After receiving the server current time from the verification server, the mobile phone client reads the locally stored seed key, which may be the 15-digit IMEI code of the mobile device, such as "834299070186334". In this embodiment, the client may use the HMAC-SHA-1 algorithm to calculate and generate the dynamic password. Specifically, the seed key and the server current time are initialized to obtain the encryption initial value, the HMAC-SHA-1 value of the encryption initial value is calculated, and after truncation it is converted into a 6- to 8-digit dynamic password, such as "453476". The client then sends the dynamic password to the verification server. After receiving the dynamic password, the verification server determines whether the user's ID is legitimate. Once the ID is determined to be legitimate, the verification server retrieves the seed key corresponding to the ID from the server database. After obtaining the seed key, the verification server uses the HMAC-SHA-1 algorithm, which is preconfigured in the verification server, to calculate and generate the verification password from the seed key and the server current time. After generating the verification password, the verification server compares the dynamic password with the verification password; if the two match, verification passes; otherwise, verification fails.
With method embodiment one of the present application, in the time-synchronization-based dynamic password verification method, the client communicates once with the server before generating the dynamic password in order to obtain the server's current time. This synchronizes the time factor the client uses to generate the dynamic password with the time factor the verification server uses to generate the verification password, thereby improving the degree of matching between the dynamic password and the verification password.
The following describes a first system embodiment for dynamic password verification corresponding to this method embodiment. The system includes:
a client, configured to request the server current time from the verification server; receive the server current time returned by the verification server; and calculate and generate a dynamic password according to the server current time, and upload the dynamic password to the verification server;
a verification server, configured to receive the server current time request sent by the client; return the server current time to the client; calculate and generate a verification password according to the server current time value; and determine whether the dynamic password and the verification password match, where verification passes if they match and fails otherwise.
Considering the steps performed mainly by the client, the first method embodiment above can be developed into a second method embodiment which, as shown in FIG. 3, includes:
Step S301: Request the server current time from the verification server;
Step S302: Receive the server current time returned by the verification server;
Step S303: Calculate and generate a dynamic password according to the server current time, and upload the dynamic password to the verification server.
A first client embodiment 400 corresponding to the second method embodiment above, as shown in FIG. 4, includes:
a requesting unit 401, configured to request the server current time from the verification server;
a receiving unit 402, configured to receive the server current time returned by the verification server;
a dynamic password generating unit 403, configured to calculate and generate a dynamic password according to the server current time, and upload the dynamic password to the verification server.
Considering the steps performed mainly by the server, the first method embodiment above can be developed into a third method embodiment which, as shown in FIG. 5, includes:
Step S501: Receive the server current time request sent by the client;
Step S502: Return the server current time to the client;
Step S503: Receive the dynamic password returned by the client;
Step S504: Calculate and generate a verification password according to the server current time value;
Step S505: Determine whether the dynamic password and the verification password match, and if they match, verification passes.
A first server embodiment 600 corresponding to the third method embodiment above, as shown in FIG. 6, includes:
a first receiving unit 601, configured to receive the server current time request sent by the client;
a returning unit 602, configured to return the server current time to the client;
a second receiving unit 603, configured to receive the dynamic password returned by the client;
a verification password generating unit 604, configured to calculate and generate a verification password according to the server current time value;
a verification unit 605, configured to determine whether the dynamic password and the verification password match, where verification passes if they match.
Considering the case where the client is not connected to a network, the first method embodiment above can be developed into a fourth method embodiment.
If the check finds that the client is not connected to a network, then to keep the time factors used for calculating the dynamic password and the verification password synchronized, the server synchronization time stored locally on the client may be read and the server current time calculated from it. The specific implementation steps, as shown in FIG. 7, include:
Step S701: The client reads the server synchronization time pre-stored on the client.
Generally, while the client device is connected to a network, the client may periodically synchronize with the server time and save the obtained server synchronization time as a log in the client file system. When the client device is not connected to a network, the client can read the most recently saved server synchronization time from the client file system and use it to calculate the server current time.
Step S702: The client determines the server current time according to the server synchronization time.
The client may determine the server current time from the server synchronization time. Specifically, the server current time is obtained by subtracting the time at which the client saved the server synchronization time from the client's current time, and then adding the server synchronization time. The method includes steps S1 to S3:
S1: Obtain the client's first time, that is, the client time at which the server synchronization time was stored;
S2: Calculate the difference between the client's current time and the first time;
S3: Calculate the sum of the difference and the server synchronization time, and take the sum as the server current time.
As an example, suppose the client device's current time is 21:50:37 on January 26, 2015, the client device synchronized with and saved the server time at 12:28:03 on January 20, 2015, and the server synchronization time is 12:27:50 on January 20, 2015. According to the above method of determining the server current time, the server's current time is then 21:50:24 on January 26, 2015.
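Steps S1 to S3 applied to a stored synchronization record, as an added Python example that is not code from the patent. The log line format and the function names are assumptions; the timestamps in the last log line are the ones from the worked example above.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"


def parse_sync_record(line: str):
    """Assumed record format: '<client time at save>|<server synchronization time>'."""
    first_time, server_sync = (datetime.strptime(f.strip(), FMT)
                               for f in line.split("|"))
    return first_time, server_sync


def estimate_server_time(sync_log: str, client_now: datetime) -> datetime:
    """S701/S702: derive the server current time from the last saved record."""
    records = [ln for ln in sync_log.splitlines() if ln.strip()]
    if not records:
        raise ValueError("no stored server synchronization time")
    first_time, server_sync = parse_sync_record(records[-1])   # S1
    elapsed = client_now - first_time                          # S2
    if elapsed.total_seconds() < 0:
        # The client clock was set back after the record was written, so the
        # difference no longer measures real elapsed time.
        raise ValueError("client clock is earlier than the stored first time")
    return server_sync + elapsed                               # S3


# Constructed log; the last line carries the values from the worked example.
SYNC_LOG = """\
2015-01-19 08:00:10|2015-01-19 07:59:58
2015-01-20 12:28:03|2015-01-20 12:27:50
"""

if __name__ == "__main__":
    print(estimate_server_time(SYNC_LOG, datetime(2015, 1, 26, 21, 50, 37)))
```

The result is only as accurate as the client's wall clock between the save and the read: any change to the device clock in that interval shifts the computed server time by the same amount.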
Step S703: The client calculates and generates a dynamic password according to the server current time, and uploads the dynamic password to the verification server.
After obtaining the server current time, the client calculates and generates a dynamic password according to it. Dynamic password algorithms include one-way hash functions such as HMAC-SHA1, MD5, SHA-1 and SHA-256. For example, this embodiment of the present application uses the HMAC-SHA1 algorithm to calculate and generate the dynamic password; for the specific steps, refer to SS1 to SS4 of the first method embodiment, which are not repeated here.
Step S704: The verification server receives the dynamic password, and calculates and generates a verification password according to the server current time value.
After determining that the user ID is legitimate, the verification server may retrieve the seed key corresponding to the user ID from the verification server database, or may receive the seed key sent by the client in real time. The verification server calculates and generates the verification password from the seed key and the server current time value sent to the client. When calculating the verification password, the verification server may use the same dynamic password algorithm as the client; in this case, the verification server is preconfigured with the same dynamic password algorithm as the client. Likewise, the dynamic password algorithms include HMAC-SHA1, MD5, SHA-1 and SHA-256.
Step S705: The verification server determines whether the dynamic password and the verification password match, and if they match, verification passes.
The verification server compares the dynamic password with the verification password and, if they match, sends a confirmation message indicating that verification passed to the client. Subsequently, if the dynamic password and the verification password do not match, the verification server may send a reply message indicating that verification failed to the client.
The implementation process of the above embodiment of the present application is described below with reference to a specific scenario:
Likewise, the interface shown when user A logs in to a website through a mobile phone client is shown in FIG. 2. The user taps the "Get Dynamic Password" button, which triggers the mobile phone client's function for obtaining a dynamic password. First, the client checks whether the mobile device is connected to a network. If the mobile device runs the Android system, the client can call the isAvailable() function to check whether the phone is connected to a network. If the check determines that the mobile phone client device is not connected to a network, the client reads the most recently saved server synchronization time from the client device's file system. The server current time is calculated from the server synchronization time; for the specific calculation method, refer to step S702. After determining the server current time, the mobile phone client reads the locally stored seed key, which may be the 15-digit IMEI code of the mobile device, such as "834299070186334". In this embodiment, the client may use the HMAC-SHA-1 algorithm to calculate and generate the dynamic password. Specifically, the seed key and the server current time are initialized to obtain the encryption initial value, the HMAC-SHA-1 value of the encryption initial value is calculated, and after truncation it is converted into a 6- to 8-digit dynamic password, such as "453476". The client then sends the dynamic password to the verification server. After receiving the dynamic password, the verification server determines whether the user's ID is legitimate. Once the ID is determined to be legitimate, the verification server retrieves the seed key corresponding to the ID from the server database. After obtaining the seed key, the verification server uses the HMAC-SHA-1 algorithm, which is preconfigured in the verification server, to calculate and generate the verification password from the seed key and the server current time. After generating the verification password, the verification server compares the dynamic password with the verification password; if the two are the same, this verification succeeds; otherwise, the verification fails.
With method embodiment four of the present application, in the time-synchronization-based dynamic password verification method, when the client is not connected to a network, the server current time is determined from the server synchronization time saved in the client file system. This synchronizes the time factor the client uses to calculate the dynamic password with the time factor the verification server uses to calculate the verification password, improving the degree of matching between the dynamic password and the verification password.
下面介绍本方法实施例对应的动态口令验证的系统第二实施例,所述系统包括,The following describes a second embodiment of the system for dynamic password verification corresponding to the embodiment of the method, where the system includes
客户端,用于读取预存的服务器同步时间;根据所述服务器同步时间确定服务器当前时间;根据所述服务器当前时间,计算生成动态口令,并将所述动态口令上传至验证服务器;a client, configured to read a pre-stored server synchronization time; determine a current server time according to the server synchronization time; calculate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server;
验证服务器,用于接收客户端返回的动态口令;根据所述服务器当前时间值,计算生成验证口令;判断所述动态口令和所述验证口令是否匹配,如果匹配则通过验证。The verification server is configured to receive a dynamic password returned by the client; calculate a generated verification password according to the current time value of the server; determine whether the dynamic password and the verification password match, and if they match, pass the verification.
上述第四方法实施例,考虑以客户端为主的步骤,可以演化为第五方法实施例,如图8所示,包括:The fourth method embodiment, considering the client-based step, can be evolved into the fifth method embodiment, as shown in FIG. 8, including:
步骤S801:读取预存的服务器同步时间;Step S801: Read the pre-stored server synchronization time;
步骤S802:根据所述服务器同步时间确定服务器当前时间; Step S802: Determine a current time of the server according to the server synchronization time;
步骤S803:根据所述服务器当前时间,计算生成动态口令,并将所述动态口令上传至验证服务器。Step S803: Calculate and generate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server.
上述第五方法实施例,对应的客户端第二实施例900,如图9所示,包括:The fifth embodiment of the foregoing method, the corresponding client second embodiment 900, as shown in FIG. 9, includes:
读取单元901,用于读取预存的服务器同步时间;The reading unit 901 is configured to read the pre-stored server synchronization time;
时间确定单元902,用于根据所述服务器同步时间确定服务器当前时间;The time determining unit 902 is configured to determine a current time of the server according to the server synchronization time;
动态口令生成单元903,用于根据所述服务器当前时间,计算生成动态口令,并将所述动态口令上传至验证服务器。The dynamic password generating unit 903 is configured to calculate and generate a dynamic password according to the current time of the server, and upload the dynamic password to the verification server.
如图10所示,所述时间确定单元902包括:As shown in FIG. 10, the time determining unit 902 includes:
获取单元1001,用于获取存储所述服务器同步时间时客户端的第一时间;The obtaining unit 1001 is configured to acquire a first time of the client when the server synchronization time is stored;
第一计算单元1002,用于计算获取客户端当前时间和所述第一时间的差值;a first calculating unit 1002, configured to calculate a difference between acquiring a current time of the client and the first time;
第二计算单元1003,用于计算所述差值和所述服务器同步时间的和值,所述和值确定为所述服务器当前时间。The second calculating unit 1003 is configured to calculate a sum of the difference value and the server synchronization time, where the sum value is determined to be the current time of the server.
上述第四方法实施例,考虑以服务器为主的步骤,可以演化为第六方法实施例,如图11所示,包括:The fourth method embodiment, considering a server-based step, may be evolved into a sixth method embodiment, as shown in FIG. 11, including:
步骤S1101:接收客户端返回的动态口令;Step S1101: Receive a dynamic password returned by the client.
步骤S1102:根据服务器当前时间值,计算生成验证口令;Step S1102: Calculate and generate a verification password according to the current time value of the server;
步骤S1103:判断所述动态口令和所述验证口令是否匹配,如果匹配则通过验证。Step S1103: Determine whether the dynamic password and the verification password match, and if they match, pass the verification.
The second server embodiment 1200, which corresponds to the sixth method embodiment above, includes, as shown in FIG. 12:
The receiving unit 1201 is configured to receive the dynamic password returned by the client;
The verification password generating unit 1202 is configured to calculate and generate a verification password according to the current time of the server;
The verification unit 1203 is configured to determine whether the dynamic password and the verification password match; if they match, the verification is passed.
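The client-side time derivation (units 1001 to 1003) and the server-side check (units 1201 to 1203) described above, as an added Python example that is not code from the patent. It assumes an HMAC-SHA1 construction in the style of RFC 6238 as the one-way-hash dynamic password algorithm, a 30-second time step and six-digit passwords, none of which the text specifies; all function and class names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumption: the text does not give a time-step length
DIGITS = 6         # assumption: the text does not give a password length


def derive_server_time(server_sync_time: int, first_time: int, client_now: int) -> int:
    """Units 1001-1003: server current time = sync time + (client now - first time)."""
    elapsed = client_now - first_time
    if elapsed < 0:
        # The client clock was set back after the sync time was stored, so the
        # stored pair no longer measures elapsed time; a fresh sync is needed.
        raise ValueError("client clock moved backwards since synchronization")
    return server_sync_time + elapsed


def dynamic_password(seed_key: bytes, server_time: int) -> str:
    """One-way-hash password over (seed key, time). HMAC-SHA1 is an assumption."""
    counter = server_time // STEP_SECONDS
    digest = hmac.new(seed_key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class VerificationServer:
    """Units 1201-1203: receive the password, compute the verification password, compare."""

    def __init__(self, seed_key: bytes, clock):
        self._seed_key = seed_key
        self._clock = clock              # callable returning server time in seconds
        self._last_accepted_step = -1    # enforces one use per time step

    def verify(self, submitted: str) -> bool:
        now = self._clock()
        step = now // STEP_SECONDS
        expected = dynamic_password(self._seed_key, now)
        # Constant-time comparison so the check does not leak matching prefixes.
        matches = hmac.compare_digest(expected.encode(), submitted.encode())
        if not matches or step <= self._last_accepted_step:
            return False
        self._last_accepted_step = step
        return True


def run_demo():
    """Constructed scenario: the client wall clock runs five hours ahead of the server."""
    seed = b"constructed-seed-key-for-demo"
    server_sync_time = 1_700_000_000   # server time stored at the last sync
    first_time = 1_700_018_000         # client clock reading stored at the same moment
    client_now = first_time + 1_000    # 1000 seconds later on the client
    server_now = server_sync_time + 1_000

    derived = derive_server_time(server_sync_time, first_time, client_now)
    password = dynamic_password(seed, derived)

    server = VerificationServer(seed, clock=lambda: server_now)
    first_attempt = server.verify(password)
    replay_attempt = server.verify(password)  # same password inside the same step
    return derived, first_attempt, replay_attempt


if __name__ == "__main__":
    print(run_demo())
```

The derivation depends on the client clock only through a difference, so a constant offset cancels out, but a clock change made between storing the sync time and generating the password does not.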
In the 1990s, an improvement to a technology could be clearly distinguished as either a hardware improvement (for example, an improvement to a circuit structure such as a diode, transistor or switch) or a software improvement (an improvement to a method flow). With the development of technology, however, many of today's method-flow improvements can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. It therefore cannot be said that an improvement to a method flow cannot be implemented with hardware entity modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic function is determined by the user programming the device. Designers program it themselves to "integrate" a digital system onto a single PLD, without asking a chip manufacturer to design and fabricate a dedicated integrated circuit chip 2. Moreover, instead of making integrated circuit chips by hand, this programming is nowadays mostly done with "logic compiler" software, which is similar to the software compiler used in program development; the source code to be compiled must also be written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog2. Those skilled in the art should also understand that a hardware circuit implementing the logical method flow can easily be obtained simply by lightly logic-programming the method flow in one of the above hardware description languages and programming it into an integrated circuit.
The controller can be implemented in any suitable manner. For example, the controller can take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (such as software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320. A memory controller can also be implemented as part of the control logic of a memory.
Those skilled in the art also know that, besides implementing the controller purely as computer-readable program code, it is entirely possible to logic-program the method steps so that the controller achieves the same functions in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller can therefore be regarded as a hardware component, and the means included in it for implementing various functions can also be regarded as structures within the hardware component. Or the means for implementing various functions can even be regarded both as software modules implementing the method and as structures within the hardware component.
The systems, devices, modules or units described in the above embodiments may be implemented by a computer chip or an entity, or by a product having a certain function.
For convenience of description, the above devices are described with their functions divided into various units. Of course, when implementing the present application, the functions of the units may be implemented in the same one or more pieces of software and/or hardware.
From the above description of the embodiments, those skilled in the art can clearly understand that the present application can be implemented by means of software plus a necessary general-purpose hardware platform. Based on this understanding, the essence of the technical solution of the present application, or the part that contributes to the prior art, can be embodied in the form of a software product. In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory. The computer software product may include a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present application or in certain parts of the embodiments. The computer software product may be stored in memory, and the memory may include non-persistent memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium. Computer-readable media include permanent and non-permanent, removable and non-removable media, and may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic tape cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
The embodiments in this specification are described in a progressive manner; for parts that are the same or similar between embodiments, reference may be made from one to another, and each embodiment focuses on its differences from the other embodiments. In particular, the system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, see the corresponding description of the method embodiments.
The present application can be used in numerous general-purpose or special-purpose computer system environments or configurations, for example: personal computers, server computers, handheld or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and so on.
The present application can be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present application can also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules can be located in both local and remote computer storage media, including storage devices.
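Although the present application has been described by way of embodiments, those of ordinary skill in the art know that the present application has many variations and changes that do not depart from its spirit, and it is intended that the appended claims cover these variations and changes without departing from the spirit of the present application.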

Claims (23)

  1. A dynamic password verification method, comprising:
    a client requesting a server current time from a verification server;
    the client receiving the server current time returned by the verification server;
    the client calculating and generating a dynamic password according to the server current time, and uploading the dynamic password to the verification server;
    the verification server calculating and generating a verification password according to the server current time;
    the verification server determining whether the dynamic password and the verification password match, and passing the verification if they match.
  2. A dynamic password verification method, comprising:
    requesting a server current time from a verification server;
    receiving the server current time returned by the verification server;
    calculating and generating a dynamic password according to the server current time, and uploading the dynamic password to the verification server.
  3. A dynamic password verification method, comprising:
    receiving a server current time request sent by a client;
    returning the server current time to the client;
    receiving a dynamic password returned by the client;
    calculating and generating a verification password according to the server current time value;
    determining whether the dynamic password and the verification password match, and passing the verification if they match.
  4. The dynamic password verification method according to claim 1 or 2, further comprising, before requesting the server current time from the verification server:
    the client checking whether it is connected to a network;
    when it is determined that the network is connected, the client requesting the server current time from the verification server.
  5. The dynamic password verification method according to claim 1 or 2, wherein calculating and generating the dynamic password according to the server current time comprises:
    using the server current time and a seed key as input parameters of a dynamic password algorithm, and calculating the dynamic password with the dynamic password algorithm.
  6. The dynamic password verification method according to claim 5, wherein the seed key comprises a seed key that is generated when the client is initialized and sent to the verification server.
  7. The dynamic password verification method according to claim 5, wherein the seed key comprises a seed key that is generated when the client is initialized and is sent to the verification server when the dynamic password is calculated and generated.
  8. The dynamic password verification method according to claim 5, wherein the dynamic password algorithm comprises a one-way hash function.
  9. A dynamic password verification method, comprising:
    a client reading a pre-stored server synchronization time;
    the client determining a server current time according to the server synchronization time;
    the client calculating and generating a dynamic password according to the server current time, and uploading the dynamic password to a verification server;
    the verification server receiving the dynamic password, and calculating and generating a verification password according to the server current time value;
    the verification server determining whether the dynamic password and the verification password match, and passing the verification if they match.
  10. A dynamic password verification method, comprising:
    reading a pre-stored server synchronization time;
    determining a server current time according to the server synchronization time;
    calculating and generating a dynamic password according to the server current time, and uploading the dynamic password to a verification server.
  11. A dynamic password verification method, comprising:
    receiving a dynamic password returned by a client;
    calculating and generating a verification password according to the server current time value;
    determining whether the dynamic password and the verification password match, and passing the verification if they match.
  12. The dynamic password verification method according to claim 9 or 10, wherein calculating and generating the dynamic password according to the server current time comprises:
    using the server current time and a seed key as input parameters of a dynamic password algorithm, and calculating the dynamic password with the dynamic password algorithm.
  13. The dynamic password verification method according to claim 12, wherein the seed key comprises a seed key that is generated when the client is initialized and sent to the verification server.
  14. The dynamic password verification method according to claim 12, wherein the seed key comprises a seed key that is generated when the client is initialized and is sent to the verification server when the dynamic password is calculated and generated.
  15. The dynamic password verification method according to claim 12, wherein the dynamic password algorithm comprises a one-way hash function.
  16. The dynamic password verification method according to claim 9 or 10, wherein determining the server current time according to the server synchronization time comprises:
    obtaining a first time of the client, being the client time at which the server synchronization time was stored;
    calculating the difference between the client's current time and the first time;
    calculating the sum of the difference and the server synchronization time, the sum being determined as the server current time.
  17. A dynamic password verification system, comprising:
    a client, configured to request a server current time from a verification server; receive the server current time returned by the verification server; and calculate and generate a dynamic password according to the server current time and upload the dynamic password to the verification server;
    a verification server, configured to receive the server current time request sent by the client; return the server current time to the client; calculate and generate a verification password according to the server current time value; and determine whether the dynamic password and the verification password match, passing the verification if they match.
  18. A client, comprising:
    a requesting unit, configured to request a server current time from a verification server;
    a receiving unit, configured to receive the server current time returned by the verification server;
    a dynamic password generating unit, configured to calculate and generate a dynamic password according to the server current time, and upload the dynamic password to the verification server.
  19. A server, comprising:
    a first receiving unit, configured to receive a server current time request sent by a client;
    a returning unit, configured to return the server current time to the client;
    a second receiving unit, configured to receive a dynamic password returned by the client;
    a verification password generating unit, configured to calculate and generate a verification password according to the server current time value;
    a verification unit, configured to determine whether the dynamic password and the verification password match, passing the verification if they match.
  20. A dynamic password verification system, comprising:
    a client, configured to read a pre-stored server synchronization time; determine a server current time according to the server synchronization time; and calculate and generate a dynamic password according to the server current time and upload the dynamic password to a verification server;
    a verification server, configured to receive the dynamic password returned by the client; calculate and generate a verification password according to the server current time value; and determine whether the dynamic password and the verification password match, passing the verification if they match.
  21. A client, comprising:
    a reading unit, configured to read a pre-stored server synchronization time;
    a time determining unit, configured to determine a server current time according to the server synchronization time;
    a dynamic password generating unit, configured to calculate and generate a dynamic password according to the server current time, and upload the dynamic password to a verification server.
  22. A server, comprising:
    a receiving unit, configured to receive a dynamic password returned by a client;
    a verification password generating unit, configured to calculate and generate a verification password according to the server current time;
    a verification unit, configured to determine whether the dynamic password and the verification password match, passing the verification if they match.
  23. The client according to claim 21, wherein the time determining unit comprises:
    an obtaining unit, configured to obtain a first time of the client, being the client time at which the server synchronization time was stored;
    a first calculating unit, configured to calculate the difference between the client's current time and the first time;
    a second calculating unit, configured to calculate the sum of the difference and the server synchronization time, the sum being determined as the server current time.
PCT/CN2016/076880 2015-04-07 2016-03-21 Dynamic password authentication method, system, client terminal and server WO2016161889A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510160501.0 2015-04-07
CN201510160501.0A CN106161367A (en) 2015-04-07 2015-04-07 A kind of verifying dynamic password method and system, client and server

Publications (1)

Publication Number Publication Date
WO2016161889A1 true WO2016161889A1 (en) 2016-10-13

Family

ID=57073034

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/076880 WO2016161889A1 (en) 2015-04-07 2016-03-21 Dynamic password authentication method, system, client terminal and server

Country Status (2)

Country Link
CN (1) CN106161367A (en)
WO (1) WO2016161889A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107317804A (en) * 2017-06-19 2017-11-03 努比亚技术有限公司 Private clound encryption data access method, terminal and storage medium
WO2018108062A1 (en) * 2016-12-15 2018-06-21 腾讯科技(深圳)有限公司 Method and device for identity verification, and storage medium
EP3772044A1 (en) * 2019-07-29 2021-02-03 Beijing Xiaomi Mobile Software Co., Ltd. Methods, apparatus and storage medium for entrance control
CN113067705A (en) * 2021-04-13 2021-07-02 广州锦行网络科技有限公司 Method for identity authentication in connection establishment
US11089008B2 (en) 2018-11-20 2021-08-10 HCL Technologies Italy S.p.A. System and method for facilitating pre authentication of user[s] intended to access data resources
CN114553445A (en) * 2020-11-10 2022-05-27 腾讯科技(深圳)有限公司 Equipment method, device, electronic equipment and readable storage medium

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108964884B (en) * 2017-05-24 2021-11-09 武汉斗鱼网络科技有限公司 Method for generating dynamic password of mobile terminal, storage medium, electronic equipment and system
CN108019889B (en) * 2017-10-31 2020-11-24 青岛海尔空调电子有限公司 Air-cooled module unit dynamic password configuration method and system and air-cooled module unit
CN109586921B (en) * 2018-12-14 2021-07-02 飞天诚信科技股份有限公司 Method and system for realizing dynamic password
CN109886014A (en) * 2019-02-28 2019-06-14 上海龙旗科技股份有限公司 A kind of method and apparatus logging in testing tool
CN111209761B (en) * 2019-12-30 2023-07-25 深圳市英威腾电气股份有限公司 Frequency converter anti-counterfeiting method and system
CN112073188B (en) * 2020-08-31 2023-01-24 北京市商汤科技开发有限公司 Authentication method, device, equipment and computer readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102148685A (en) * 2010-02-04 2011-08-10 陈祖石 Method and system for dynamically authenticating password by multi-password seed self-defined by user
CN102176712A (en) * 2011-02-14 2011-09-07 华为终端有限公司 Identity authentication method and data card
CN102307182A (en) * 2011-04-27 2012-01-04 上海动联信息技术有限公司 Intelligent time compensation method for dynamic password authentication server
CN103297403A (en) * 2012-03-01 2013-09-11 盛大计算机(上海)有限公司 Method and system for achieving dynamic password authentication
WO2014032495A1 (en) * 2012-08-31 2014-03-06 飞天诚信科技股份有限公司 Method for authorizing and calibrating time

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101453458B (en) * 2007-12-06 2013-07-10 北京唐桓科技发展有限公司 Personal identification process for dynamic cipher password bidirectional authentication based on multiple variables
CN100586169C (en) * 2007-12-25 2010-01-27 北京惠信博思技术有限公司 Authentication method for interdynamic television service
CN101917271B (en) * 2010-08-11 2012-11-07 优视科技有限公司 Electronic security device running in mobile communication terminal and encryption method thereof
CN102148837A (en) * 2011-05-11 2011-08-10 上海时代亿信信息科技有限公司 Bidirectional authentication method and system for dynamic token

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018108062A1 (en) * 2016-12-15 2018-06-21 腾讯科技(深圳)有限公司 Method and device for identity verification, and storage medium
CN107317804A (en) * 2017-06-19 2017-11-03 努比亚技术有限公司 Private clound encryption data access method, terminal and storage medium
CN107317804B (en) * 2017-06-19 2020-12-29 努比亚技术有限公司 Private cloud encrypted data access method, terminal and storage medium
US11089008B2 (en) 2018-11-20 2021-08-10 HCL Technologies Italy S.p.A. System and method for facilitating pre authentication of user[s] intended to access data resources
EP3772044A1 (en) * 2019-07-29 2021-02-03 Beijing Xiaomi Mobile Software Co., Ltd. Methods, apparatus and storage medium for entrance control
US11100735B2 (en) 2019-07-29 2021-08-24 Beijing Xiaomi Mobile Software Co., Ltd. Method and apparatus for controlling entrance guard
CN114553445A (en) * 2020-11-10 2022-05-27 腾讯科技(深圳)有限公司 Equipment method, device, electronic equipment and readable storage medium
CN113067705A (en) * 2021-04-13 2021-07-02 广州锦行网络科技有限公司 Method for identity authentication in connection establishment
CN113067705B (en) * 2021-04-13 2022-05-27 广州锦行网络科技有限公司 Method for identity authentication in connection establishment

Also Published As

Publication number Publication date
CN106161367A (en) 2016-11-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16776064

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16776064

Country of ref document: EP

Kind code of ref document: A1