WO2017007767A1 - Method and device for authentication using dynamic passwords - Google Patents


Info

Publication number
WO2017007767A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
dynamic password
server
equipment code
authentication
Prior art date
Application number
PCT/US2016/040997
Other languages
English (en)
Inventor
Zeyang LI
Original Assignee
Alibaba Group Holding Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN201510397391.XA (CN106341372A)
Application filed by Alibaba Group Holding Limited
Priority to EP16821878.2A (EP3320523B1)
Priority to KR1020177036868A (KR102039316B1)
Priority to JP2017566863A (JP2018528504A)
Publication of WO2017007767A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838 Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key

Definitions

  • the present invention relates to the field of authentication.
  • the present application relates to a method, a device, and system for authentication using a dynamic password.
  • Dynamic passwords are combinations of time-related, unpredictable random numbers generated at fixed intervals based on a dedicated algorithm. Generally, each password can only be used once in a system that performs authentication using dynamic passwords. With the ability to effectively protect the security of transaction and log-on authentication, the use of dynamic passwords in connection with an authentication system causes the need to change passwords on a regular basis to be unnecessary, thereby reducing security worries. The use of dynamic passwords is particularly effective in internal corporate environments. Dynamic passwords can be realized on dedicated hardware, and/or by software.
  • FIG. 1 is a block diagram of a device for authentication processing according to various embodiments of the present disclosure.
  • FIG. 2 is a flowchart of a method for authentication processing according to various embodiments of the present disclosure.
  • FIG. 3A is a flowchart of a method for authentication processing according to various embodiments of the present disclosure.
  • FIG. 3B is a flowchart of a method for authentication processing according to various embodiments of the present disclosure.
  • FIG. 4 is a block diagram of a device for authentication processing according to various embodiments of the present disclosure.
  • FIG. 5 is a block diagram of a device for authentication processing according to various embodiments of the present disclosure.
  • FIG. 6 is a flowchart of a method for authentication processing according to various embodiments of the present disclosure.
  • FIG. 7 is a block diagram of a device for authentication processing according to various embodiments of the present disclosure.
  • FIG. 8 is a block diagram of a device for authentication processing according to various embodiments of the present disclosure.
  • FIG. 9 is a structural schematic diagram of a system for authentication processing according to various embodiments of the present disclosure.
  • FIG. 10 is a structural schematic diagram of a system for authentication processing according to various embodiments of the present disclosure.
  • FIG. 11 is a block diagram of a computer terminal for authentication processing according to various embodiments of the present disclosure.
  • FIG. 12 is a functional diagram of a computer system for authentication processing according to various embodiments of the present disclosure.
  • the invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor.
  • these implementations, or any other form that the invention may take, may be referred to as techniques.
  • the order of the steps of disclosed processes may be altered within the scope of the invention.
  • a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task.
  • the term 'processor' refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
  • a terminal generally refers to a device used (e.g., by a user) within a network system and used to communicate with one or more servers.
  • a terminal includes components that support communication functionality.
  • a terminal can be a smart phone, a tablet device, a mobile phone, a video phone, an e-book reader, a desktop computer, a laptop computer, a netbook computer, a Personal Digital Assistant (PDA), a Portable Multimedia Player (PMP), an mp3 player, a mobile medical device, a camera, a wearable device (e.g., a Head-Mounted Device (HMD), electronic clothes, electronic braces, an electronic necklace, an electronic accessory, an electronic tattoo, or a smart watch), a smart home appliance, or the like.
  • a web browser and/or a standalone application is installed at each terminal, enabling a user to access a service (e.g., an e-commerce website) hosted by one or more servers.
  • Authentication processing is described. Authentication processing can, for example, be executed on a computer system using a set of computer-executable commands, and, although a logical sequence is shown in processes 200 of FIG. 2, 300 of FIG. 3A, 350 of FIG. 3B, and 600 of FIG. 6, under certain circumstances the elements of such methods as shown or described can be executed in a sequence different from the sequence illustrated in FIGS. 2, 3A, 3B, and 6.
  • FIG. 1 is a block diagram of a device for authentication processing according to various embodiments of the present disclosure.
  • device 100 can be implemented in connection with process 200 of FIG. 2, or process 300 of FIG. 3A.
  • Device 100 can be implemented in connection with system 1000 of FIG. 10, computer terminal 1100 of FIG. 11, or computer system 1200 of FIG. 12.
  • Device 100 can be included in, or otherwise correspond to, a mobile terminal, a computer terminal, or similar operating device.
  • device 100 can include processor 110, a memory 120, and a communication interface 130.
  • the processor 110 can include one or more computer processors.
  • the processor 110 may comprise, but is not limited to, such processing devices as central processing units (CPUs), microprocessors (MCUs), field programmable logic devices (FPGAs), application specific integrated circuits (ASICs), or the like.
  • the memory 120 is configured to store data.
  • the memory 120 can store software programs and modules of the application software, for example, for the program commands/modules corresponding to the authentication processing methods according to various embodiments.
  • the memory 120 can store software programs or instructions comprising process 200 of FIG. 2, process 300 of FIG. 3A, or process 350 of FIG. 3B.
  • the processor 110 can store software code and modules in the memory 120 in the course of operation, and can accordingly execute various functional applications and data processing, thus realizing vulnerability detection of the aforesaid application program.
  • the memory 120 can comprise random access memory.
  • the memory 120 can also comprise non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
  • the memory 120 can be, or otherwise comprise memory that is, remotely disposed relative to the processor 110.
  • such remote memory can be connected to the processor 110 (e.g., device 100) via a network.
  • Examples of the aforesaid network comprise but are not limited to the Internet, corporate intranets, local area networks, wide area networks, mobile communication networks, and combinations thereof.
  • the communication interface 130 is used to communicate data (e.g., receive and/or transmit data) over a network.
  • a network may comprise wireless networks provided by communication providers for the device 100.
  • the communication interface 130 comprises a network interface controller (NIC), which can link to other network equipment via a base station, and thereby communicate with the Internet.
  • the communication interface 130 is a radio frequency (RF) module which can communicate wirelessly with one or more other devices, the Internet, or the like.
  • FIG. 2 is a flowchart of a method for authentication processing according to various embodiments of the present disclosure.
  • process 200 for authentication processing is provided.
  • Process 200 can be implemented by, for example, device 100 of FIG. 1, system 900 of FIG. 9, system 1000 of FIG. 10, or computer system 1200 of FIG. 12.
  • an equipment code is obtained.
  • the equipment code can uniquely identify a device or terminal.
  • the terminal retrieves an equipment code used to uniquely identify the terminal.
  • device 100 can obtain the equipment code associated therewith.
  • the equipment code can be set by a manufacturer and stored in memory (e.g., the memory 120), and retrieved using a special application programming interface (API) call or other appropriate function call.
  • the equipment code can be generated by using some characteristic parameters of the equipment itself according to a preset equipment code determination process.
  • the equipment code can be stored in, for example, the memory or storage of the equipment.
  • the equipment code corresponds to, or is generated based at least in part on, one or more of the terminal serial number, the international mobile equipment identity (IMEI), the international mobile subscriber identity (IMSI), the media access control (MAC) address, or the operating system ID.
  • the equipment code can be generated based at least in part on the terminal's characteristic parameters in accordance with a predefined process.
  • the characteristic parameters from which the equipment code can be generated, based at least in part, can include one or more of a brand of the terminal, the model number of the terminal, the terminal serial number, the international mobile equipment identity (IMEI), the international mobile subscriber identity (IMSI), the media access control (MAC) address, the operating system identifier (ID), or the like.
  • deviceId = Hash(C0+C1+C2+C3+C4+C5+C6), wherein deviceId represents the equipment code, C0 represents the brand, C1 represents the model number, C2 represents the IMEI, C3 represents the IMSI, C4 represents the MAC address (mac_address), C5 represents the terminal serial number (serial_num), and C6 represents the operating system ID.
  • C0-C6 can be numerical values, strings, or in other appropriate formats as required by the Hash function.
  • Hash( ) can be a cryptographic hash function such as SHA, MD5, etc.
  • a password is generated based at least in part on the equipment code and an output value from a counter.
  • the terminal generates a dynamic password based on the equipment code and the output value of a local counter.
  • the dynamic password is used by a server as the basis for verification of the terminal or user associated with the terminal.
  • the counter is a local counter that uses the frequency of a specified event transmitted locally as the input or the value of a specific parameter.
  • the frequency of a specified event can correspond to sending times of the access requests for one or more websites in a period.
  • the terminal time can be used as the input to the local counter.
  • the terminal time 2016-06-01-10:05:30 will result in a counter value of 20160601100530.
  • the counter is remote in relation to the terminal such that the terminal communicates the equipment code to the counter (e.g., a server hosting the counter or service associated with the counter value), and in response to the communication from the terminal, the counter returns the output value or the dynamic password.
  • the terminal communicates the equipment code to the counter (e.g., a server hosting the counter or service associated with the counter value), and in response to the communication from the terminal, the counter returns the output value or the dynamic password.
  • a seed key can be generated based at least in part on the equipment code (e.g., as the equipment code itself, as a hash value of the equipment code, etc.), and the dynamic password can be generated based at least in part on the seed key and the output value of the counter.
  • a symmetric key can be generated based on the equipment code, the session ID assigned to the terminal by a server associated with authentication of the terminal, and a user identifier (UID) assigned to the terminal (or the user associated with the terminal) by the server, in accordance with a key generation process (e.g., that the sender and the receiver use the same key to perform encryption and decryption operations on inputs that are formatted as plain text), and the terminal can generate the dynamic password based on the symmetric key and the output value, in accordance with a password generation process.
  • the session ID and/or the UID can be associated by the server.
  • the session ID and/or the UID can be generated by random numbers to ensure that the session ID and UID can be used for uniquely identifying the session and user respectively.
  • the session ID and/or the UID can be stored in a mapping of identifiers to user accounts.
  • the session ID and/or the UID can be dynamically generated (e.g., based on when the corresponding identifier is requested or needed).
  • the first preset key generation process (e.g., to generate the symmetric key) can be expressed as: combining the equipment code, the session ID and the UID, or using a predefined technique in the relevant technology to perform encryption and generate the key.
  • a predefined technique in the relevant technology for example, techniques such as Data Encryption Standard (DES), Triple DES (e.g., 3DES) or Triple Data Encryption Algorithm (TDEA), International Data Encryption Algorithm (IDEA), etc. can be used.
  • the dynamic password can be generated using various methods. For example, there may be a variety of forms of expression for a password generation process.
  • the dynamic password can be computed as: code = HMAC_SHA1(K, C)
  • HMAC_SHA1( ) is the keyed hash function, where HMAC represents the hash-based message authentication code and SHA1 is Secure Hash Algorithm 1
  • K represents the symmetric key
  • C represents the output value.
  • Other dynamic password generation processes can be used.
  • HMAC_SHA1( ) can also be written as HMAC-SHA1( ) or HMAC(SHA1)( ); it is a key-controlled hash function used as a hash-based message authentication code (HMAC).
  • the HMAC process blends the key with message data, uses the hash function to perform hashing computations on the blended results, and then reapplies the hash function.
  • HMAC_SHA1( ) receives a key of any size, and generates a hash series 160 digits in length.
  • the message data can comprise, or otherwise correspond to, the output value.
  • the implementation of HMAC_SHA1( ) is publicly available (e.g., as library code).
  • the dynamic password is sent to the server.
  • the server can use the dynamic password in connection with authentication of the terminal or the user associated therewith.
  • the dynamic password can be sent to the server in connection with the
  • the terminal transmits the dynamic password to the server.
  • the server can perform authentication of the terminal based at least in part on the dynamic password.
  • a dynamic password can be generated by a server associated with the authentication process to determine whether to authenticate the terminal. For example, the server can execute the same operation as the terminal to generate a dynamic password, and compare the generated dynamic password against the received dynamic password transmitted from the terminal.
  • the dynamic password can be generated based at least in part on a seed key and a counter that is local to the server. In some embodiments, the output value of the local counter can be communicated from the terminal to the server.
  • In the event that the dynamic password that the server receives from the terminal matches the dynamic password generated by the server (in connection with the authentication of the terminal, such as in response to a login or authentication request from the terminal), the terminal is determined to have passed authentication. Conversely, in the event that the dynamic password that the server receives from the terminal does not match the dynamic password generated by the server, the terminal is determined to have failed authentication.
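As an added example, not code from the patent or from Alibaba, the scheme described above end to end: the equipment-code hash over C0..C6, the key K combined from equipment code, session ID and UID, the counter taken from the terminal time (2016-06-01-10:05:30 gives 20160601100530), the password HMAC_SHA1(K, C), and the server recomputing and comparing it, enforcing the one-use rule. Choices the text leaves open are assumptions here: SHA-256 for Hash( ) and for combining the key material, an 8-byte big-endian encoding of C, a clock-skew window for the terminal-supplied counter, and every sample identifier.

```python
import hashlib
import hmac
from datetime import datetime

# Assumed policy (not from the patent): how many seconds a terminal-supplied
# counter value may differ from the server clock before it is rejected.
MAX_CLOCK_SKEW_SECONDS = 120


def equipment_code(brand, model, imei, imsi, mac_address, serial_num, os_id):
    """deviceId = Hash(C0 + C1 + ... + C6) over the terminal's characteristic parameters.

    The text allows SHA or MD5; SHA-256 is used here (MD5 is no longer considered
    collision resistant). A fixed separator keeps adjacent fields from running together
    (an assumption; the text only says the fields are concatenated)."""
    fields = [brand, model, imei, imsi, mac_address, serial_num, os_id]
    joined = "|".join(str(f) for f in fields)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def symmetric_key(device_id, session_id, uid):
    """K from equipment code, session ID and UID. The text says the three are
    'combined'; hashing their concatenation is this example's choice."""
    material = f"{device_id}|{session_id}|{uid}".encode("utf-8")
    return hashlib.sha256(material).digest()


def counter_from_terminal_time(terminal_time):
    """Terminal time '2016-06-01-10:05:30' -> counter output value 20160601100530."""
    dt = datetime.strptime(terminal_time, "%Y-%m-%d-%H:%M:%S")
    return int(dt.strftime("%Y%m%d%H%M%S"))


def dynamic_password(key, counter):
    """code = HMAC_SHA1(K, C); C encoded as an 8-byte big-endian integer (assumption).
    HMAC-SHA1 produces 20 bytes, rendered here as 40 hex characters."""
    return hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).hexdigest()


def fixed_clock(terminal_time):
    """Clock source pinned to one instant so the server's checks are reproducible."""
    instant = datetime.strptime(terminal_time, "%Y-%m-%d-%H:%M:%S")
    return lambda: instant


class AuthServer:
    """Server side: keeps the equipment code mapped at registration, recomputes the
    password for each authentication and compares, as the text describes."""

    def __init__(self, now_fn):
        self._now_fn = now_fn
        self._registry = {}  # uid -> {device_id, session_id, last_counter}

    def register(self, uid, device_id, session_id):
        self._registry[uid] = {"device_id": device_id,
                               "session_id": session_id, "last_counter": 0}

    def verify(self, uid, counter, received_password):
        entry = self._registry.get(uid)
        if entry is None:
            return False
        # The counter value arrives from the terminal, so bound it against the
        # server clock (assumed policy) rather than trusting it outright.
        try:
            sent_at = datetime.strptime(str(counter), "%Y%m%d%H%M%S")
        except ValueError:
            return False
        if abs((self._now_fn() - sent_at).total_seconds()) > MAX_CLOCK_SKEW_SECONDS:
            return False
        # Each dynamic password can only be used once: the counter must move forward.
        if counter <= entry["last_counter"]:
            return False
        expected = dynamic_password(
            symmetric_key(entry["device_id"], entry["session_id"], uid), counter)
        if not hmac.compare_digest(expected, received_password):
            return False
        entry["last_counter"] = counter
        return True


def demo():
    """Constructed sample identifiers throughout; none is a real device or account."""
    dev = equipment_code("ExampleBrand", "Model-X", "IMEI-placeholder", "IMSI-placeholder",
                         "02:00:00:00:00:01", "SN-placeholder", "os-1.0")
    session_id, uid = "sess-7f3a", "uid-42"   # the server would issue random values
    server = AuthServer(fixed_clock("2016-06-01-10:05:45"))
    server.register(uid, dev, session_id)
    # Terminal side: derive K, read the local counter, compute the password
    counter = counter_from_terminal_time("2016-06-01-10:05:30")
    pwd = dynamic_password(symmetric_key(dev, session_id, uid), counter)
    first = server.verify(uid, counter, pwd)    # accepted
    replay = server.verify(uid, counter, pwd)   # rejected: password already used
    return first, replay


if __name__ == "__main__":
    print(demo())
```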
  • the dynamic password can be invisible to the user throughout the authentication process. Because various embodiments do not require manual entry of the dynamic password, the problem of errors resulting from manual input can be avoided. Moreover, because characteristic parameters of the terminal can be used to generate the dynamic password, additional hardware equipment is therefore unnecessary, which reduces costs. In addition, various embodiments avoid the problem in software-realized dynamic passwords of verification failure resulting from the updating of the system time.
  • the terminal identifier (e.g., when the terminal is a mobile phone, the terminal identifier is the mobile phone number) can be used as the user ID, and the user does not need to memorize a password; the terminal's equipment code and the terminal identifier (e.g., if the terminal is a mobile phone, the terminal identifier is the mobile phone number) uniquely locate one device, and this does not change upon reinstallation and log-on of the client-end application. Moreover, during logged-on log analysis, mobile phone equipment can be located based on the current key at that time.
  • FIG. 3A is a flowchart of a method for authentication processing according to various embodiments of the present disclosure.
  • process 300 for authentication processing is provided.
  • Process 300 can be implemented by, for example, device 100 of FIG. 1, system 900 of FIG. 9, system 1000 of FIG. 10, or computer system 1200 of FIG. 12.
  • a registration request is received.
  • the registration request is sent to a server by the terminal.
  • the registration request comprises the verification code, equipment code, and a communication number.
  • the communication number can correspond to a phone number, a user identifier, account identifier, or the like.
  • the terminal can send the registration request to the server.
  • the communication number comprised in the registration request can be a communication number associated with the terminal.
  • the communication number can be a number that is requested by the server (e.g., in connection with a login request).
  • the server can request the communication number (or otherwise obtain the communication number) before the registration request is received.
  • the user logs on to the server using the mobile phone number, the server transmits a verification code via text message or Short Message Service (SMS) (e.g., equivalent to a verification request) to the mobile phone number, and the user uses the mobile phone to submit the verification code, equipment code, and mobile phone number to the server (e.g., collectively the registration request).
  • the equipment code can be generated based at least in part on the terminal's characteristic parameters in accordance with a predefined process.
  • the equipment code can be displayed to the user on the mobile phone.
  • an application can be configured to obtain the verification code, equipment code, and mobile phone number (e.g., collectively the registration request) and submit the verification code, equipment code, and mobile phone number to the server in response to a user inputting an input corresponding to a submit command.
  • the verification code, equipment code, and mobile phone number can be submitted by the user at the user's initiative, or the user can submit the verification code, equipment code, and mobile phone number in response to a message received from the server.
  • the server determines whether the verification code, equipment code, and the communication number communicated in the registration request are verified based at least in part on information stored in a verification database that stores a mapping of a verification code, an equipment code, and a communication number to a terminal or a user associated with the terminal.
  • process 300 proceeds to 315 at which authentication fails.
  • when authentication is deemed to fail, login by the terminal can be rejected and/or an indication of failure of the authentication can be communicated by the server to the terminal.
  • process 300 proceeds to
  • the session ID and/or the UID can be assigned by the server in connection with the authentication process.
  • the terminal receives the session ID and UID assigned to the terminal by the server.
  • the terminal maintains the communication link with the server.
  • the communication link can be expressed as a long connection or a short connection, but is not limited to these forms of expression.
  • a short connection corresponds to a connection by which a link between the sending side and the receiving side is to be disconnected after the data is sent and received between such sending side and receiving side.
  • the long connection corresponds to a connection by which the link between the sending side and the receiving side is maintained after the data is sent and received (e.g., the link is not disconnected upon the data being sent and received by such sending side any receiving side).
  • an authentication request is communicated.
  • the server can send the authentication request to the terminal.
  • the server can communicate the authentication request to the terminal in response to a login request or otherwise in connection with the authentication process.
  • the terminal can perform a verification of the authentication request.
  • the authentication request is verified based on a comparison of the parameter (e.g., user ID, session ID, or the like) carried in the
  • the authentication request is verified.
  • the dynamic password can be generated in response to determining that the authentication request is verified.
  • the server transmits an authentication request to the client on the mobile phone (e.g., the terminal receives the verification request transmitted by the server).
  • the authentication request is an HTTP response.
  • the authentication request is an HTTP request.
  • the dynamic password is communicated.
  • the server can receive the dynamic password from the terminal.
  • the server can use the dynamic password in connection with the authentication of the terminal.
  • the server can generate a dynamic password and compare the generated dynamic password to the dynamic password received from the terminal, and based on such comparison, determine whether the terminal is authenticated.
  • FIG. 3B is a flowchart of a method for authentication processing according to various embodiments of the present disclosure.
  • process 350 for authentication processing is provided.
  • Process 350 can be implemented by, for example, device 400 of FIG. 4, device 500 of FIG. 5, system 900 of FIG. 9, system 1000 of FIG. 10, or computer system 1200 of FIG. 12. Process 350 can be performed in connection with process 300 of FIG. 3A.
  • a registration request is sent.
  • a terminal can send the registration request to a server (e.g., in connection with an authentication process).
  • the registration request comprises the verification code, equipment code, and a communication number.
  • the communication number can be a phone number, an account identifier, a user identifier, or the like.
  • the communication number comprised in the registration request can be a communication number associated with the terminal.
  • the communication number can be a number that is requested by the server (e.g., in connection with a login request).
  • the user logs on to the server using the mobile phone number, the server transmits a verification code via text message or Short Message Service (SMS) (e.g., equivalent to a verification request) to the mobile phone number, and the user uses the mobile phone to submit the verification code, equipment code, and mobile phone number to the server (e.g., collectively the registration request).
  • a session ID and a UID are received.
  • the terminal can receive the session ID and the UID from a server.
  • the terminal can establish or maintain a connection with the server, or otherwise use the session ID and the UID in connection with communicating with the server.
  • Upon receipt of the session ID and the UID, the terminal also saves the session ID and the UID locally in order to facilitate subsequent use.
  • the session ID and UID can be generated as random numbers.
  • the terminal maintains the communication link with the server.
  • the communication link can be expressed as a long connection or a short connection, but is not limited to these forms of expression.
  • an authentication request is received.
  • the terminal can receive the authentication request from the server in connection with an authentication process.
  • the terminal can perform a verification of the authentication request. For example, in some embodiments, the terminal can perform a verification of the authentication request and proceed to 370 in the event that the
  • an equipment code is obtained.
  • the terminal can retrieve the equipment code in response to receiving the authentication request, or in response to verifying the authentication request.
  • the equipment code can correspond to a number or other identifier that uniquely identifies the terminal associated therewith.
  • the terminal can obtain the equipment code from storage (e.g., a local storage or a remote storage).
  • the terminal can derive the equipment code from information associated with, or otherwise corresponding to, the terminal. For example, the terminal can use a predefined process or technique to derive the equipment code.
  • a dynamic password is generated.
  • the terminal can generate the dynamic password.
  • the terminal can generate the dynamic password based at least in part on the equipment code.
  • in response to receiving the authentication request, the terminal can generate the dynamic password.
  • the terminal can generate the dynamic password in response to determining that the authentication request is verified.
  • the dynamic password is generated based at least in part on the aforesaid equipment code and the output value of a local counter. The dynamic password can be used as a basis for verification of the terminal by the server.
  • the client on the mobile phone uses the equipment code, the session ID, and the UID to generate the symmetric key K in accordance with a predefined technique (e.g., addition), and uses the client time (i.e., the terminal time) as the output value C of the adding counter to generate the dynamic password.
  • the dynamic password is communicated.
  • the terminal can send the dynamic password to the server.
  • the terminal can send the dynamic password to the server in connection with an authentication process.
  • the server can use the dynamic password in connection with authenticating the terminal (or user thereof).
  • the terminal can send the dynamic password with other information.
  • the terminal can send the dynamic password to the server in conjunction with an output value (of a counter associated with the terminal).
  • 370, 375, and/or 380 of process 350 of FIG. 3B can include 210, 220, and/or 230 of process 200 of FIG. 2.
  • FIG. 4 is a block diagram of a device for authentication processing according to various embodiments of the present disclosure.
  • device 400 can be implemented in connection with process 200 of FIG. 2, process 300 of FIG. 3A, process 350 of FIG. 3B, or process 600 of FIG. 6.
  • Device 400 can be implemented in connection with system 1000 of FIG. 10, computer terminal 1100 of FIG. 11, or computer system 1200 of FIG. 12.
  • Device 400 can be included in, or otherwise correspond to, a mobile terminal, a computer terminal, or similar operating device.
  • device 400 is implemented as a terminal.
  • device 400 is implemented as a server.
  • device 400 can comprise a retrieving module 410, a generating module 420, and a communication interface 430.
  • the retrieving module 410 is configured to retrieve an equipment code used to uniquely identify the terminal.
  • the retrieving module 410 can obtain the equipment code from a storage.
  • the storage from which the equipment code is obtained can be local or remote in relation to the terminal (e.g., device 400).
  • the equipment code is computed based at least in part on the terminal's characteristic parameters as described in connection with 110 of FIG. 1.
  • the equipment code can be computed by the retrieving module 410 (e.g., after the retrieving module 410 retrieves the corresponding characteristic parameters), or the equipment code can be computed and stored in advance of the retrieving module 410 retrieving the equipment code.
  • the retrieving module 410 is configured to generate the equipment code.
  • the retrieving module 410 can generate the equipment code based at least in part on the characteristic parameters of the terminal.
  • the characteristic parameters comprise one or more of the following parameters: the brand of the terminal, the model number of the terminal, the terminal serial number, the IMEI, the IMSI, the MAC address, the operating system ID, and/or the like.
  • the generating module 420 can be configured to generate a dynamic password based on the equipment code and the output value of a local counter.
  • the dynamic password can be used by the server as a basis for verification of the terminal (e.g., device 400).
  • the communication interface 430 is configured to send the dynamic password to the server.
  • the communication interface can be connected to the generating module 420.
  • the communication interface 430 is configured to communicate the dynamic password to the server via a communication link or channel (e.g., during a session).
  • FIG. 5 is a block diagram of a device for authentication processing according to various embodiments of the present disclosure.
  • device 500 can be implemented in connection with process 200 of FIG. 2, process 300 of FIG. 3A, process 350 of FIG. 3B, or process 600 of FIG. 6.
  • Device 500 can be implemented in connection with system 1000 of FIG. 10, computer terminal 1100 of FIG. 11, or computer system 1200 of FIG. 12.
  • Device 500 can be included in, or otherwise correspond to, a mobile terminal, a computer terminal, or similar operating device.
  • device 500 is implemented as a terminal.
  • device 500 is implemented as a server.
  • device 500 can comprise a retrieving module 510, a generating module 520, and a communication module 530.
  • the retrieving module 510 is configured to retrieve an equipment code used to uniquely identify the terminal.
  • the retrieving module 510 can correspond to retrieving module 410 of device 400 of FIG. 4.
  • the generating module 520 is configured to generate a dynamic password based on the equipment code and the output value of a local counter.
  • the generating module 520 can correspond to generating module 420 of device 400 of FIG. 4.
  • generating module 520 can include a first generating sub-module 522 and a second generating sub-module 524.
  • Generating module 520 can be configured to generate the dynamic password.
  • First generating sub-module 522 is configured to generate a symmetric key based on the equipment code, the aforesaid session ID assigned to the aforesaid terminal by the server, and the UID assigned to the terminal by the server, in accordance with a preset identifier assignment process.
  • Second generating sub-module 524 can be connected to the first generating sub-module 522 and be configured to generate the dynamic password based at least in part on the symmetric key and the output value, in accordance with a password generation process.
  • the preset identifier assignment process can be expressed as: combining the equipment code, the session ID, and the UID, or using a known technique in the relevant technology to perform encryption and generate the key.
  • the dynamic password can be generated in a variety of methods (e.g., there may be a variety of forms of expression for the password generation process).
  • the modules or sub-modules can be implemented in the form of software or hardware.
  • the retrieving module 510, the generating module 520, and the communication module 530 are located on the same processor. In some embodiments, the retrieving module 510, the generating module 520, and the communication module 530 are respectively located on different processors; or, any two of the retrieving module 510, the generating module 520, and the communication module 530 are located on the same processor, and the other module is located on another processor.
  • FIG. 6 is a flowchart of a method for authentication processing according to various embodiments of the present disclosure.
  • process 600 for authentication processing is provided.
  • Process 600 can be implemented by, for example, device 700 of FIG. 7, device 800 of FIG. 8, system 900 of FIG. 9, system 1000 of FIG. 10, or computer system 1200 of FIG. 12.
  • an authentication process can be run on a server.
  • the structure of the server can be implemented using the structure of device 100 of FIG. 1.
  • a first dynamic password is received.
  • the server can receive the first dynamic password transmitted by a terminal.
  • the first dynamic password can correspond to a dynamic password generated by the terminal.
  • the terminal can generate the first dynamic password based on the output value of a local counter (e.g., a counter in the terminal) and an equipment code used to uniquely identify the terminal.
  • the server can receive other information associated with the authentication process. For example, the server can receive the output value communicated by the terminal along with the first dynamic password.
  • the terminal generates the aforesaid equipment code based at least in part on one or more of the characteristic parameters of the terminal using a predefined technique.
  • the one or more characteristic parameters can comprise one or more of the following parameters: the brand of the terminal, the model number of the terminal, the terminal serial number, the IMEI, the IMSI, the MAC address, the operating system ID, and the like.
  • a second dynamic password is generated.
  • the server generates the second dynamic password.
  • the server can generate the second dynamic password based at least in part on an equipment code retrieved in advance. For example, the server can retrieve an equipment code associated with the terminal from a storage (e.g., a database) storing a mapping of equipment codes to terminals or to users.
  • the server can use other information in connection with generating the second dynamic password, such as other information obtained from the terminal or from the storage that stores mappings of information to terminals.
  • the server can receive an output value from the terminal, and use such output value in the generation of the second dynamic password.
  • the server can compare the first dynamic password with the second dynamic password to authenticate the terminal.
  • the server can determine whether the first dynamic password and the second dynamic password match.
  • the terminal or the server generates a symmetric key based on the equipment code, the session ID assigned to the terminal by the server, and the UID assigned to the terminal by the server, in accordance with a preset identifier assignment process; and the terminal or server generates the first dynamic password or the second dynamic password based on the symmetric key and the output value.
  • the server can retrieve an equipment code in advance and save the equipment code, in order to prepare in advance for the subsequent authentication process. For example, before the server generates the second dynamic password based on the equipment code retrieved in advance, the server can transmit a verification request to the aforesaid terminal; and the server receives a verification code and the aforesaid equipment code transmitted by the aforesaid terminal based at least in part on (e.g., in response to) the verification request.
  • the terminal is authenticated based at least in part on the first dynamic password and the second dynamic password.
  • the server performs authentication of the aforesaid terminal based on results of the comparison of the first dynamic password and the second dynamic password. In the event that the results of the comparison indicate that the first dynamic password and the second dynamic password match, the terminal is determined to have passed authentication. Conversely, in the event that the results of the comparison indicate that the first dynamic password and the second dynamic password do not match, the terminal is determined to have failed authentication.
  • the user can proceed to use the terminal to access services provided by the server.
  • the first dynamic password and the second dynamic password can be generated using the same method.
  • the first dynamic password and the second dynamic password can be generated using the following method: the terminal or the server generates a symmetric key based on the aforesaid equipment code, the session ID assigned to the terminal by the server, and the UID assigned to the terminal by the server, in accordance with a preset identifier assignment process; and the terminal or server generates the aforesaid first dynamic password or the aforesaid second dynamic password based on the aforesaid symmetric key and the output value.
  • FIG. 7 is a block diagram of a device for authentication processing according to various embodiments of the present disclosure.
  • device 700 can be implemented in connection with process 200 of FIG. 2, process 300 of FIG. 3A, process 350 of FIG. 3B, or process 600 of FIG. 6.
  • Device 700 can be implemented in connection with system 1000 of FIG. 10, computer terminal 1100 of FIG. 11, or computer system 1200 of FIG. 12.
  • Device 700 can be included in, or otherwise correspond to, a computer terminal, a server, or similar operating device.
  • device 700 can comprise a first receiving module 710, a generating module 720, and an authentication module 730.
  • the first receiving module 710 can be configured to receive a first dynamic password transmitted by the terminal.
  • the first dynamic password is a dynamic password generated by the terminal based on the output value of a local counter and an equipment code used to uniquely identify the terminal.
  • the first receiving module 710 can receive the first dynamic password from the terminal over a network such as the Internet, or the like.
  • the first receiving module 710 can implement 610 of process 600 of FIG. 6.
  • the generating module 720 can be connected to the first receiving module
  • the generating module 720 can be configured to generate a second dynamic password based at least in part on an equipment code associated with the terminal. The equipment code associated with the terminal is retrieved in advance. The generating module 720 can be further configured to compare the first dynamic password against the second dynamic password in connection with determining whether the first dynamic password and the second dynamic password match. The generating module 720 can implement 620 of process 600 of FIG. 6.
  • the authentication module 730 can be connected to the generating module
  • the authentication module 730 can be configured to perform authentication of the terminal based at least in part on the first dynamic password and the second dynamic password. For example, the authentication module can use results of the comparison of the first dynamic password and the second dynamic password to determine whether the terminal is authenticated. In the event that the results of the comparison indicate that the first dynamic password and the second dynamic password match, the terminal is determined to have passed authentication. Conversely, in the event that the results of the comparison indicate that the first dynamic password and the second dynamic password do not match, the terminal is determined to have failed authentication.
  • the authentication module 730 can implement 630 of process 600 of FIG. 6.
  • FIG. 8 is a block diagram of a device for authentication processing according to various embodiments of the present disclosure.
  • device 800 can be implemented in connection with process 200 of FIG. 2, process 300 of FIG. 3A, process 350 of FIG. 3B, or process 600 of FIG. 6.
  • Device 800 can be implemented in connection with system 1000 of FIG. 10, computer terminal 1100 of FIG. 11, or computer system 1200 of FIG. 12.
  • Device 800 can be included in, or otherwise correspond to, a computer terminal, a server, or similar operating device.
  • device 800 can comprise a first receiving module 810, a generating module 820, an authentication module 830, a transmitting module 840, and a second receiving module 850.
  • first receiving module 810 can be implemented by first receiving module 710 of device 700 of FIG. 7.
  • generating module 820 can be implemented by generating module 720 of device 700 of FIG. 7.
  • authentication module 830 can be implemented by authentication module 730 of device 700 of FIG. 7.
  • the transmitting module 840 can be configured to transmit a verification request to the aforesaid terminal.
  • the transmitting module can transmit the verification request before generation of a second dynamic password based on an equipment code retrieved in advance.
  • the second receiving module 850 can be connected to the transmitting module
  • the second receiving module 850 can be configured to receive the verification code and the equipment code transmitted by the terminal based at least in part on (e.g., in response to) the verification request.
  • the equipment code can be determined based at least in part by: the terminal generating an equipment code based on one or more of the characteristic parameters of the terminal, in accordance with a predefined technique.
  • the characteristic parameters can comprise one or more of the following parameters: the brand of the terminal, the model number of the terminal, the terminal serial number, the IMEI, the IMSI, the MAC address, the operating system ID, and the like.
  • the predefined technique corresponds to, or otherwise includes, a hash function.
  • the generating module 820 can be configured to generate the second dynamic password by generating a symmetric key based at least in part on the aforesaid equipment code, the session ID assigned to the terminal by the server, and the UID assigned to the terminal by the server, in accordance with a preset identifier assignment process; and generating the second dynamic password based at least in part on the symmetric key and the output value in accordance with a password generation process.
  • the first preset identifier assignment process can comprise, but is not limited to, the following: combining the equipment code, the session ID, and the UID.
  • FIG. 9 is a structural schematic diagram of a system for authentication processing according to various embodiments of the present disclosure.
  • system 900 can be implemented in connection with process 200 of FIG. 2, process 300 of FIG. 3A, process 350 of FIG. 3B, or process 600 of FIG. 6.
  • System 900 can implement device 100 of FIG. 1, device 500 of FIG. 5, and/or device 700 of FIG. 7.
  • System 900 can be implemented in connection with system 1000 of FIG. 10, computer terminal 1100 of FIG. 11, or computer system 1200 of FIG. 12.
  • system 900 can comprise a terminal 910 and a server
  • Terminal 910 can generate a dynamic password used by the server 920 in connection with server 920 authenticating the terminal 910.
  • server 920 can compare the dynamic password that server 920 receives from terminal 910 with a dynamic password generated by server 920.
  • Server 920 can authenticate terminal 910 based at least in part on the comparison of the dynamic password generated by terminal 910 (e.g., the first dynamic password) with the dynamic password generated by server 920 (e.g., the second dynamic password).
  • Terminal 910 can comprise device 100 of FIG. 1.
  • Server 920 can comprise device 400 of FIG. 4.
  • FIG. 10 is a structural schematic diagram of a system for authentication processing according to various embodiments of the present disclosure.
  • system 1000 can be implemented in connection with process 200 of FIG. 2, process 300 of FIG. 3A, process 350 of FIG. 3B, or process 600 of FIG. 6.
  • System 1000 can implement device 100 of FIG. 1, device 500 of FIG. 5, and/or device 700 of FIG. 7.
  • System 1000 can be implemented in connection with system 900 of FIG. 9, computer terminal 1100 of FIG. 11, or computer system 1200 of FIG. 12.
  • system 1000 can comprise a terminal 1010 (e.g., a mobile phone) and a server 1020.
  • Terminal 1010 and server 1020 can communicate with each other in connection with authentication of terminal 1010 by server 1020.
  • a user logs on to server 1020 using the mobile phone number of terminal 1010.
  • Server 1020 transmits a verification message (e.g., SMS message, text message, etc.) to the mobile phone number associated with terminal 1010, and the user submits the verification code, the device ID, and the mobile phone number to server 1020 via the mobile phone 1010.
  • the user can submit the verification code, the device ID, and the mobile phone number via an interface provided by terminal 1010.
  • the verification code, the device ID, and the mobile phone number can be stored on a device, and the user can select to submit the verification code, the device ID, and the mobile phone number to server 1020 by selecting a submit/send button provided on an interface displayed to the user on terminal 1010.
  • the interface displayed to the user can be displayed in connection with a standalone software application, a browser-based application, or the like.
  • a standalone software application can be installed and executed by the terminal in connection with an authentication process.
  • the authentication process can use a browser-based application to display the interface to the user.
  • Server 1020 can perform verification of the verification code, the device ID, and the mobile phone number. In response to determining that the verification code, the device ID, and the mobile phone number pass verification, server 1020 assigns a session ID and a UID and saves the session ID and the UID for subsequent use. Server 1020 sends the session ID and the UID to terminal 1010, which stores the session ID and the UID for subsequent use.
  • terminal 1010 and server 1020 maintain a communication session with each other (e.g., an HTTP session).
  • server 1020 transmits an authentication request to terminal 1010 (e.g., to a client on the mobile phone).
  • the client on terminal 1010 combines the device ID, the session ID, and the UID to form the symmetric key K, uses the client time as the adding counter C, and generates the dynamic password code.
  • the client on terminal 1010 transmits the dynamic password to server 1020, server 1020 performs the same operation of generating a dynamic password code, server 1020 compares the dynamic passwords, and the authentication operation is then completed based on results of the comparison of the dynamic passwords (e.g., the dynamic password communicated by terminal 1010 to server 1020, and the dynamic password generated on server-side).
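The terminal-side steps (equipment code from characteristic parameters, symmetric key K from equipment code, session ID and UID, client time as the adding counter C) and the server-side steps of process 600 and the FIG. 10 flow (registration with a verification code, recomputing the second dynamic password from the stored equipment code, comparing it with the first) can be exercised end to end with the following example. This is an added illustration, not code from the patent or from Alibaba; where the disclosure leaves the method open, the example makes assumptions: HMAC-SHA256 keyed with the equipment code stands in for the "preset identifier assignment process" (the disclosure mentions addition or a known encryption technique), HOTP as specified in RFC 4226 stands in for the "password generation process", and the 30-second freshness window plus last-accepted-counter tracking in `Server.authenticate` are defender-side checks the disclosure does not describe. The `Terminal`, `Server` and `run_scenario` names and all sample values (brand, IMEI, phone number, timestamps) are constructed for the example.

```python
"""Dynamic-password exchange between a terminal and a server (added example)."""
import hashlib
import hmac
import secrets
import struct


def derive_equipment_code(params: dict) -> str:
    """Hash the terminal's characteristic parameters (brand, model, serial, IMEI, ...)
    in a canonical key order so the same terminal always yields the same code."""
    canonical = "|".join(f"{k}={params[k]}" for k in sorted(params))
    return hashlib.sha256(canonical.encode()).hexdigest()


def derive_symmetric_key(equipment_code: str, session_id: str, uid: str) -> bytes:
    """Preset identifier assignment process (assumed): combine the three identifiers
    with HMAC-SHA256 so K depends on the device and on the server-issued session."""
    msg = f"{session_id}|{uid}".encode()
    return hmac.new(equipment_code.encode(), msg, hashlib.sha256).digest()


def dynamic_password(key: bytes, counter: int, digits: int = 6) -> str:
    """Password generation process (assumed): HOTP per RFC 4226. HMAC-SHA1 over the
    8-byte big-endian counter, dynamic truncation, then reduce to `digits` decimals."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Terminal:
    """Client side: holds the equipment code and the session ID / UID from the server."""

    def __init__(self, params: dict):
        self.equipment_code = derive_equipment_code(params)
        self.session_id = None
        self.uid = None

    def register(self, server, phone: str, verification_code: str) -> None:
        # Registration request: verification code + equipment code + phone number.
        self.session_id, self.uid = server.register(phone, verification_code, self.equipment_code)

    def respond(self, client_time: int):
        """Answer an authentication request: first dynamic password plus the counter C."""
        key = derive_symmetric_key(self.equipment_code, self.session_id, self.uid)
        return dynamic_password(key, client_time), client_time


class Server:
    """Server side: keeps the equipment code mapping and verifies dynamic passwords."""
    WINDOW = 30  # seconds of tolerated clock skew for the received counter (assumed)

    def __init__(self):
        self.pending = {}   # phone -> verification code sent out of band
        self.sessions = {}  # session_id -> {uid, equipment_code, last_counter}

    def send_verification(self, phone: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[phone] = code
        return code  # delivered by SMS in the real flow; returned here for the demo

    def register(self, phone: str, verification_code: str, equipment_code: str):
        expected = self.pending.pop(phone, None)
        if expected is None or not hmac.compare_digest(expected, verification_code):
            raise PermissionError("verification code mismatch")
        session_id, uid = secrets.token_hex(16), secrets.token_hex(8)
        self.sessions[session_id] = {"uid": uid, "equipment_code": equipment_code,
                                     "last_counter": -1}
        return session_id, uid

    def authenticate(self, session_id: str, first_password: str, counter: int,
                     server_time: int) -> bool:
        rec = self.sessions.get(session_id)
        if rec is None:
            return False
        # Freshness: the terminal-supplied counter must be near the server clock and
        # strictly newer than the last accepted one, so a captured code cannot be reused.
        if abs(server_time - counter) > self.WINDOW or counter <= rec["last_counter"]:
            return False
        key = derive_symmetric_key(rec["equipment_code"], session_id, rec["uid"])
        second_password = dynamic_password(key, counter)
        if not hmac.compare_digest(first_password, second_password):
            return False
        rec["last_counter"] = counter
        return True


def run_scenario():
    """Registration, one good authentication, then a replay, a wrong code and a stale code."""
    params = {"brand": "ExampleBrand", "model": "X1", "serial": "SN-0001",  # constructed
              "imei": "123456789012345", "os_id": "android-12"}
    server, terminal, phone = Server(), Terminal(params), "+10000000000"  # constructed
    terminal.register(server, phone, server.send_verification(phone))
    now = 1_700_000_000
    pwd, counter = terminal.respond(now)
    ok = server.authenticate(terminal.session_id, pwd, counter, now + 2)
    replay = server.authenticate(terminal.session_id, pwd, counter, now + 3)
    pwd2, c2 = terminal.respond(now + 10)
    bad = "000000" if pwd2 != "000000" else "000001"
    wrong = server.authenticate(terminal.session_id, bad, c2, now + 10)
    pwd3, c3 = terminal.respond(now + 3600)
    stale = server.authenticate(terminal.session_id, pwd3, c3, now + 10)
    return ok, replay, wrong, stale  # (True, False, False, False)
```

The server recomputes the second password from its own copy of the equipment code rather than trusting anything the terminal sends except the counter, and it bounds that counter against its own clock before doing the HMAC; without the window and last-counter checks, a dynamic password observed on the wire stays valid indefinitely for that session.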
  • the terminal can be a computer terminal and can be located on at least one piece of network equipment among multiple pieces of network equipment in a computer network.
  • the computer terminal can execute the program code for the steps in a terminal authentication processing method.
  • the computer terminal can execute program code associated with the terminal retrieving the equipment code used to uniquely identify the terminal, the terminal generating a dynamic password based on the equipment code and the output value of a local counter, wherein, the dynamic password is a basis for verification of the terminal by a server, and the terminal transmitting the dynamic password to the server.
  • FIG. 11 is a block diagram of a computer terminal for authentication processing according to various embodiments of the present disclosure.
  • computer terminal 1100 can be implemented in connection with process 200 of FIG. 2, process 300 of FIG. 3A, process 350 of FIG. 3B, or process 600 of FIG. 6.
  • Computer terminal 1100 can implement device 100 of FIG. 1, device 500 of FIG. 5, and/or device 700 of FIG. 7.
  • Computer terminal 1100 can be implemented in connection with system 900 of FIG. 9, system 1000 of FIG. 10, or computer system 1200 of FIG. 12.
  • computer terminal 1100 can comprise one or more processors 1110, a memory 1120, and a communication interface 1130.
  • Memory 1120 can be used to store software programs and modules, such as the program commands/modules corresponding to the terminal authentication processing method or device according to various embodiments. By running the software programs and modules stored in the memory 1120, processor 1110 thereby executes the various functional applications and data processing, thus achieving a method of vulnerability detection of the aforesaid system.
  • Memory 1120 can comprise high-speed random memory, and may also comprise non-volatile memory, such as one or more magnetic storage devices, or other nonvolatile solid state memory devices.
  • memory 1120 can further comprise memory devices disposed remotely relative to the processor 1110; such remote memory devices can connect to computer terminal 1100 via a network. Examples of the aforesaid network comprise but are not limited to the Internet, corporate intranets, local area networks, wide area networks, mobile communication networks, and combinations thereof.
  • the communication interface 1130 can be used to receive or transmit data via a network.
  • Specific examples of the aforesaid network may include cable networks and wireless networks.
  • communication interface 1130 comprises a network interface controller (NIC), which can be connected to a router via cable and other network equipment, and can thereby communicate with the Internet or a local area network.
  • communication interface 1130 is a radio frequency (RF) module, which is used to communicate wirelessly with the Internet.
  • memory 1120 is used to store preset action conditions and preset authorized user information, as well as application programs.
  • Processor 1110 can invoke information and application programs stored in memory 1120 in order to execute the following steps: computer terminal 1100 retrieves an equipment code used to uniquely identify the computer terminal 1100; computer terminal 1100 generates a dynamic password based on the equipment code and the output value of a local counter, wherein, the dynamic password is a basis for verification of computer terminal 1100 by a server; computer terminal 1100 transmits the aforesaid dynamic password to the server.
  • processor 1110 can execute the program code for the following steps: computer terminal 1100 generates an equipment code based on the characteristic parameters of computer terminal 1100 in accordance with a preset technique, wherein, the characteristic parameters comprise one or more of the following parameters: the brand of the computer terminal 1100, the model number of the computer terminal 1100, the terminal serial number, the IMEI, the IMSI, the MAC address, the operating system ID, and the like.
  • processor 1110 can execute the program code for the following steps: computer terminal 1100 generates a symmetric key based on the aforesaid equipment code, the session ID assigned to computer terminal 1100 by the server, and the UID assigned to computer terminal 1100 by the server, in accordance with a first preset identifier assignment process; computer terminal 1100 generates the dynamic password based on the symmetric key and the output value in accordance with a second preset password generation process.
  • processor 1110 can execute the program code for the following steps: computer terminal 1100 transmits a registration request to the server, wherein, the registration request contains the verification code, the equipment code, and the communication number of the terminal requested from computer terminal 1100 by the server; after the registration request passes verification, computer terminal 1100 receives the aforesaid session ID and the aforesaid UID assigned to computer terminal 1100 by the server, and maintains the communication link with the server.
  • processor 1110 can execute the program code for the following steps: computer terminal 1100 receives an authentication request from the server, wherein, when the authentication request passes verification, computer terminal 1100 is caused to generate the aforesaid dynamic password.
  • FIG. 11 does not constitute a limitation of the structure of the aforesaid electronic device.
  • computer terminal 1100 can also include more or fewer components than are shown in FIG. 11 (such as network interfaces, display devices, etc.), or may have a different configuration than that shown in FIG. 11.
  • Various embodiments include a storage medium.
  • the storage medium can be used to save the program code executed by the terminal authentication processing method of process 200 of FIG. 2 or device 100 of FIG. 1.
  • the storage medium is located in any computer terminal in a computer terminal group in a computer network or located in any mobile terminal in a mobile terminal group.
  • the storage medium is configured to store the program code used to execute the following steps: the terminal generates a dynamic password based on the equipment code and the output value of a local counter, wherein, the dynamic password is the basis for verification of the terminal by the server; and the terminal transmits the dynamic password to the server.
  • the storage medium can also be configured to store the program code used to execute elements of process 200 of FIG. 2.
  • any of the computers in the aforesaid computer terminal group can establish a communication relationship with the network server and scanner, and the scanner can scan the value commands of the web applications executed by the php or script on the computer terminal.
  • a computer terminal can be provided, wherein such computer terminal implements process 600 of FIG. 6.
  • the computer terminal can be located on at least one piece of network equipment among multiple pieces of network equipment in a computer network.
  • the computer terminal can execute the program code for the following steps in the terminal authentication method: the server receives a first dynamic password transmitted by the terminal, wherein, the first dynamic password is a dynamic password generated based on the output value and the equipment code used to uniquely identify the terminal; the server generates a second dynamic password based on an equipment code retrieved in advance, and compares the first dynamic password against the second dynamic password to determine whether the first dynamic password and the second dynamic password match; the server performs authentication of the terminal based on the comparison results, wherein, if the comparison results indicate a match, the terminal is determined to have passed authentication; otherwise, the terminal is determined to have failed authentication.
  • Processor 1110 can use communication interface 1130 to invoke the information and applications stored on the memory 1120 in order to execute the following steps: the server receives the first dynamic password transmitted by the aforesaid terminal, wherein, the first dynamic password is a dynamic password generated by the terminal based on the aforesaid output value and the equipment code used to uniquely identify the terminal; the server generates a second dynamic password based on an equipment code retrieved in advance, and compares the first dynamic password against the second dynamic password to determine whether the first dynamic password and the second dynamic password match; the server performs authentication of the terminal based on the comparison results, wherein, when the comparison results indicate a match, the terminal is determined to have passed authentication; otherwise, the terminal is determined to have failed authentication.
  • processor 1110 can also execute the program code for the following steps: the server transmits a verification request to the terminal; the server receives the verification code and the equipment code transmitted by the terminal based on the verification request.
  • a storage medium can be provided, wherein the storage medium is used to save the program code executed by process 600 of FIG. 6.
  • the storage medium may be located in any computer terminal in a computer terminal group in a computer network or located in any mobile terminal in a mobile terminal group.
  • the storage medium is set to store the program code used to execute the following steps: the server receives a first dynamic password transmitted by the terminal, wherein, the first dynamic password is a dynamic password generated by the terminal based on the output value and the equipment code used to uniquely identify the terminal; the server generates a second dynamic password based on an equipment code retrieved in advance, and compares the first dynamic password against the second dynamic password to determine whether the first dynamic password and the second dynamic password match; the server performs authentication of the terminal based on the comparison results, wherein, if the comparison results indicate a match, the terminal is determined to have passed authentication; otherwise, the terminal is determined to have failed authentication.
  • the storage medium can also be configured to store the steps used to execute process 600 of FIG. 6.
  • FIG. 12 is a functional diagram of a computer system for authentication processing according to various embodiments of the present disclosure.
  • Computer system 1200 can implement process 200 of FIG. 2, process 300 of FIG. 3A, process 350 of FIG. 3B, or process 600 of FIG. 6.
  • Computer system 1200 can implement device 100 of FIG. 1, device 400 of FIG. 4, device 500 of FIG. 5, device 700 of FIG. 7, or device 800 of FIG. 8.
  • other computer system architectures and configurations can be used to implement a display interface.
  • Computer system 1200, which includes various subsystems as described below, includes at least one microprocessor subsystem (also referred to as a processor or a central processing unit (CPU)) 1202.
  • processor 1202 can be implemented by a single-chip processor or by multiple processors.
  • processor 1202 is a general purpose digital processor that controls the operation of the computer system 1200. Using instructions retrieved from memory 1210, the processor 1202 controls the reception and manipulation of input data, and the output and display of data on output devices (e.g., display 1218).
  • Processor 1202 is coupled bi-directionally with memory 1210, which can include a first primary storage, typically a random access memory (RAM), and a second primary storage area, typically a read-only memory (ROM).
  • primary storage can be used as a general storage area and as scratch-pad memory, and can also be used to store input data and processed data.
  • Primary storage can also store programming instructions and data, in the form of data objects and text objects, in addition to other data and instructions for processes operating on processor 1202.
  • primary storage typically includes basic operating instructions, program code, data, and objects used by the processor 1202 to perform its functions (e.g., programmed instructions).
  • memory 1210 can include any suitable computer-readable storage media, described below, depending on whether, for example, data access needs to be bi-directional or uni-directional.
  • processor 1202 can also directly and very rapidly retrieve and store frequently needed data in a cache memory (not shown).
  • the memory can be a non-transitory computer-readable storage medium.
  • a removable mass storage device 1212 provides additional data storage capacity for the computer system 1200, and is coupled either bi-directionally (read/write) or uni-directionally (read only) to processor 1202.
  • storage 1212 can also include computer-readable media such as magnetic tape, flash memory, PC-CARDS, portable mass storage devices, holographic storage devices, and other storage devices.
  • a fixed mass storage 1220 can also, for example, provide additional data storage capacity. The most common example of mass storage 1220 is a hard disk drive.
  • Mass storage device 1212 and fixed mass storage 1220 generally store additional programming instructions, data, and the like that typically are not in active use by the processor 1202. It will be appreciated that the information retained within mass storage device 1212 and fixed mass storage 1220 can be incorporated, if needed, in standard fashion as part of memory 1210 (e.g., RAM) as virtual memory.
  • the pointing device 1206 can be a mouse, stylus, track ball, or tablet, and is useful for interacting with a graphical user interface.
  • the network interface 1216 allows processor 1202 to be coupled to another computer, computer network, or telecommunications network using a network connection as shown.
  • the processor 1202 can receive information (e.g., data objects or program instructions) from another network or output information to another network in the course of performing method/process steps.
  • processor 1202 can be used to connect the computer system 1200 to an external network and transfer data according to standard protocols. For example, various process embodiments disclosed herein can be executed on processor 1202, or can be performed across a network such as the
  • Additional mass storage devices can also be connected to processor 1202 through network interface 1216.
  • auxiliary I/O device interface (not shown) can be used in conjunction with computer system 1200.
  • the auxiliary I/O device interface can include general and
  • processor 1202 may send and, more typically, receive data from other devices such as microphones, touch-sensitive displays, transducer card readers, tape readers, voice or handwriting recognizers, biometrics readers, cameras, portable mass storage devices, and other computers.
  • the computer system shown in FIG. 12 is but an example of a computer system suitable for use with the various embodiments disclosed herein.
  • Other computer systems suitable for such use can include additional or fewer subsystems.
  • bus 1214 is illustrative of any interconnection scheme serving to link the subsystems.
  • Other computer architectures having different configurations of subsystems can also be utilized.
  • the modules described as separate components may or may not be physically separate, and components displayed as modules may or may not be physical modules. They can be located in one place, or they can be distributed across multiple network modules.
  • the objectives of the present embodiments can be realized by selecting some or all of the modules according to actual need.
  • the functional modules in the various embodiments of the present invention can be integrated into one processor, or each module can have an independent physical existence, or two or more modules can be integrated into a single module.
  • the aforesaid integrated modules can take the form of hardware, or they can take the form of hardware combined with software function modules.
  • the modules described above in which the software function modules are integrated can be stored in a computer-readable storage medium.
  • the software function modules described above are stored in a storage medium and include a number of commands whose purpose is to cause a piece of computer equipment (which can be a personal computer, a server, or network computer) or a processor to execute some of the steps in the method described in the various embodiments of the present invention.
  • the storage medium described above encompasses: USB flash drive, mobile hard drive, read-only memory (ROM), random access memory (RAM), magnetic disk, or optical disk, or various other media that can store program code.
  • the disclosed terminal can be realized by other methods.
  • the device embodiment described above is merely exemplary; for example, the division of said units or modules is merely one logical functional division thereof, and they may be divided in another manner in actual implementation. For example, multiple units or modules can be combined, or they can be integrated into another system, or some characteristics may be omitted or may not be executed.
  • the interposed couplings or direct couplings or communication connections that are displayed or discussed may be indirect couplings or communication links that pass through some interfaces, units, or modules. They may be electrical or may take another form.
  • the units or modules described as separate components above may or may not be physically separate, and the components shown as units or modules may or may not be physical units or physical modules; they may be located in one place, or they may be distributed across multiple network units.
  • the objectives of the present embodiments can be realized by selecting some or all of the units or modules according to actual need.
  • the functional units or modules in the various embodiments of the present invention can be integrated into one processing unit or module, or each unit or module can have an independent physical existence, or two or more units or modules can be integrated into a single unit or module.
  • the aforesaid integrated units or modules may take the form of hardware, or they may take the form of software function units or modules.
  • if the aforesaid integrated units or modules are realized in the form of software function units or modules and sold or used as independent products, they can be stored on a computer-readable storage medium.
  • this computer software product is stored on a storage medium and includes a number of commands to cause one set of terminal equipment (which can be a personal computer, a server, network equipment, etc.) to execute all or part of the steps of the aforesaid methods in each of the embodiments of the present invention.
  • the storage medium described above encompasses: USB flash drives, read-only memory (ROM), random access memory (RAM), portable hard drives, magnetic disks or optical disks, or various other media that can store program code.
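As an added example (not code from the patent or from its applicant), the flow described at the start of this section: the terminal derives the first dynamic password from its equipment code and the counter's output value, and the server recomputes a second password from the equipment code it holds from enrolment and compares the two. The patent does not fix the derivation function; HMAC-SHA256 under a per-terminal secret provisioned at enrolment, the 8-digit truncation, the counter look-ahead window and all names and sample values below are assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 8      # length of the dynamic password (assumption)
LOOKAHEAD = 5   # counter steps the server lets the terminal run ahead (assumption)


def dynamic_password(secret: bytes, equipment_code: str, counter: int) -> str:
    """Derive a dynamic password from the equipment code and the counter's output value.
    Assumed construction: HMAC-SHA256 over (equipment_code || counter), then
    HOTP-style dynamic truncation to DIGITS decimal digits."""
    msg = equipment_code.encode("utf-8") + struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # 0..15, so offset + 4 <= 32
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class Terminal:
    """Generates the first dynamic password; the counter advances on every use."""

    def __init__(self, equipment_code: str, secret: bytes):
        self.equipment_code = equipment_code
        self.secret = secret
        self.counter = 0

    def next_password(self):
        pw = dynamic_password(self.secret, self.equipment_code, self.counter)
        self.counter += 1
        return self.equipment_code, pw


class Server:
    """Holds the equipment code retrieved in advance (at enrolment) and verifies."""

    def __init__(self):
        self.enrolled = {}   # equipment_code -> [secret, next expected counter]

    def enroll(self, equipment_code: str, secret: bytes):
        self.enrolled[equipment_code] = [secret, 0]

    def authenticate(self, equipment_code: str, first_password: str) -> bool:
        rec = self.enrolled.get(equipment_code)
        if rec is None:                           # unknown equipment code: fail closed
            return False
        secret, expected = rec
        for c in range(expected, expected + LOOKAHEAD):
            second_password = dynamic_password(secret, equipment_code, c)
            if hmac.compare_digest(second_password, first_password):
                rec[1] = c + 1                    # consume the counter so a replay fails
                return True
        return False


def demo():
    """Enrol one terminal, authenticate once, then present the same password again."""
    secret = b"constructed-per-terminal-secret"           # constructed sample value
    server = Server()
    server.enroll("IMEI-000000000000001", secret)        # constructed equipment code
    terminal = Terminal("IMEI-000000000000001", secret)
    equipment_code, first_password = terminal.next_password()
    accepted = server.authenticate(equipment_code, first_password)   # True
    replayed = server.authenticate(equipment_code, first_password)   # False
    return accepted, replayed
```

Without a secret input, anyone who learns the equipment code can reproduce the password, so the server-side comparison alone would give no assurance. Advancing the stored counter on success is what stops a captured password from being accepted twice.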

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Telephonic Communication Services (AREA)

Abstract

According to embodiments, the present invention relates to a method and a device for authentication processing. The method comprises obtaining an equipment code that uniquely identifies a terminal, generating a dynamic password based at least in part on the equipment code and an output value of a counter, the dynamic password serving as the basis for authentication of the terminal by a server, and sending the dynamic password to the server, the server authenticating the dynamic password.
PCT/US2016/040997 2015-07-08 2016-07-05 Procédé et dispositif d'authentification à l'aide de mots de passe dynamiques WO2017007767A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP16821878.2A EP3320523B1 (fr) 2015-07-08 2016-07-05 Procédé et dispositif d'authentification à l'aide de mots de passe dynamiques
KR1020177036868A KR102039316B1 (ko) 2015-07-08 2016-07-05 동적 패스워드들을 사용하는 인증을 위한 방법 및 디바이스
JP2017566863A JP2018528504A (ja) 2015-07-08 2016-07-05 動的パスワードを使用する認証のための方法及びデバイス

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN201510397391.X 2015-07-08
CN201510397391.XA CN106341372A (zh) 2015-07-08 2015-07-08 终端的认证处理、认证方法及装置、系统
US15/201,084 2016-07-01
US15/201,084 US10523664B2 (en) 2015-07-08 2016-07-01 Method and device for authentication using dynamic passwords

Publications (1)

Publication Number Publication Date
WO2017007767A1 true WO2017007767A1 (fr) 2017-01-12

Family

ID=57686136

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2016/040997 WO2017007767A1 (fr) 2015-07-08 2016-07-05 Procédé et dispositif d'authentification à l'aide de mots de passe dynamiques

Country Status (1)

Country Link
WO (1) WO2017007767A1 (fr)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 16821878; Country of ref document: EP; Kind code of ref document: A1
ENP Entry into the national phase
    Ref document number: 20177036868; Country of ref document: KR; Kind code of ref document: A
ENP Entry into the national phase
    Ref document number: 2017566863; Country of ref document: JP; Kind code of ref document: A
NENP Non-entry into the national phase
    Ref country code: DE
WWE Wipo information: entry into national phase
    Ref document number: 2016821878; Country of ref document: EP