WO2022042198A1 - Identity authentication method and apparatus, computer device, and storage medium - Google Patents

Identity authentication method and apparatus, computer device, and storage medium Download PDF

Info

Publication number
WO2022042198A1
WO2022042198A1 PCT/CN2021/109292 CN2021109292W WO2022042198A1 WO 2022042198 A1 WO2022042198 A1 WO 2022042198A1 CN 2021109292 W CN2021109292 W CN 2021109292W WO 2022042198 A1 WO2022042198 A1 WO 2022042198A1
Authority
WO
WIPO (PCT)
Prior art keywords
counter
client
user
verification
service counter
Prior art date
Application number
PCT/CN2021/109292
Other languages
French (fr)
Chinese (zh)
Inventor
李岩
Original Assignee
百果园技术(新加坡)有限公司
李岩
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 百果园技术(新加坡)有限公司, 李岩 filed Critical 百果园技术(新加坡)有限公司
Publication of WO2022042198A1 publication Critical patent/WO2022042198A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN

Definitions

  • the embodiments of the present application relate to the technical field of information security, for example, to an identity verification method, apparatus, computer device, and storage medium.
  • Password authentication is a widely used authentication method, that is, the user registers the username and password on the server, and the server persistently stores the username and password.
  • the server When the user logs in to the account using password authentication, the user enters the username and password through the client, the client sends the username and password to the server, and the server receives the username and password, and retrieves the same username and password stored in the database. For comparison, if both the user name and the password are consistent, the user's authentication is successful, and if the user name and at least one of the passwords are inconsistent, the authentication fails.
  • PAP Password Authentication Protocol
  • the server stores the user name and the password in plain text during registration, and when verifying, the client directly submits the user name and password in plain text entered by the user.
  • the password in plaintext can be used by attackers using eavesdropping and replay attacks to successfully log in as a legitimate user; and the server stores the password in plaintext. Once the database is breached, the password will be leaked directly. , resulting in the possibility of user identity being impersonated.
  • the embodiments of the present application provide an identity verification method, apparatus, computer equipment, and storage medium.
  • an embodiment of the present application provides an identity verification method, including:
  • the verification request includes a user name, verification digest information, and a user counter
  • the verification digest information is the digest information generated by using the user counter as the number of times to calculate the digest and the password calculation digest
  • the registration parameters include a service counter and standard ciphertext
  • the identity of the client is verified according to the difference between the standard ciphertext and the verification digest information.
  • an identity verification device including:
  • the verification request receiving module is configured to receive the verification request sent by the client, the verification request includes a user name, verification summary information, and a user counter, and the verification summary information is the number of times the user counter is used to calculate the summary, and the password is calculated.
  • Abstract the generated summary information
  • a registration parameter search module configured to search for the registration parameters associated with the username recorded when the client registers, and the registration parameters include a service counter and a standard ciphertext;
  • a counter matching module configured to match the user counter with the service counter, to detect the consistency between the reduced value of the user counter and the reduced value of the service counter during authentication
  • a difference verification module configured to verify the identity of the client according to the difference between the standard ciphertext and the verification digest information in response to a successful match between the user counter and the service counter.
  • an embodiment of the present application further provides a computer device, the computer device comprising:
  • memory arranged to store at least one program
  • the at least one processor is configured to execute the at least one program to implement the authentication method according to the first aspect.
  • an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the identity verification as described by the first party is implemented method.
  • FIG. 2 is a signaling diagram of a registration process according to Embodiment 1 of the present application.
  • Embodiment 3 is a flowchart of an identity verification method provided in Embodiment 2 of the present application.
  • FIG. 4 is a signaling diagram of a verification process according to Embodiment 2 of the present application.
  • FIG. 6 is a schematic structural diagram of an identity verification device according to Embodiment 4 of the present application.
  • FIG. 7 is a schematic structural diagram of a computer device according to Embodiment 5 of the present application.
  • Password authentication protocols used in the related art include PAP and a challenge-response based password authentication protocol CRAM-MD5.
  • the server uses a one-way hash function to calculate the digest information for the password during the registration phase, and stores the user name and digest information in the database.
  • the client initiates a verification request to the server; after the server receives the verification request, it generates a random number and sends it to the client.
  • the client calculates the digest information for the password entered by the user, it calculates the digest again together with the random number.
  • the server retrieves the summary information associated with the user name from the database, and recalculates the summary information together with the random number. If the digest information finally calculated by the client is consistent, the user's authentication is successful. If the digest information sent by the client is inconsistent with the digest information finally calculated by the server, the user's authentication fails.
  • the server sends an additional random number to the client to challenge, causing the verification between the client and the server to require 2-RTT (Round-Trip Time, round-trip delay), 2-RTT is two interactions,
  • 2-RTT Red-Trip Time, round-trip delay
  • the verification takes a long time; in addition, the server uses a one-way hash function to calculate the digest information for the password, and the digest information is leaked, and it is still possible for an attacker to use a dictionary attack to crack the password.
  • the embodiments of the present application provide a new type of identity verification methods, that is, the embodiments of the present application disclose an identity verification method, device, computer equipment, and storage medium for In the case of reducing the verification time, it can prevent eavesdropping attacks and replay attacks during insecure network transmission, and prevent the threat of dictionary attacks caused by database leakage on the server side.
  • FIG. 1 is a flowchart of an identity verification method provided in Embodiment 1 of the present application.
  • This embodiment can perform the registration behavior of the client, and the method can be performed by an identity verification device, and the identity verification device can be performed by software and/or hardware.
  • the authentication device can be configured in a computer device, such as a server, a workstation, a personal computer, etc., the computer device, as a server server, establishes a secure transmission channel with the client Client, such as applying hypertext transmission security Protocol (Hyper Text Transfer Protocol over SecureSocket Layer, HTTPS), so that the server server communicates with the client client.
  • HTTPS Hyper Text Transfer Protocol over SecureSocket Layer
  • Step 101 Receive a registration request sent by a client.
  • the user name username and password password can be input in the user interface (User Interface, UI) provided by the client terminal Client.
  • UI User Interface
  • the client client is an independent application, such as a live broadcast application, a short video application, an instant messaging tool, a payment application, a shopping application, etc.
  • the application can generate and count the user counter CT.
  • the browser can support storing the user counter CT locally, the browser can also participate in the registration and verification of the identity as a client client.
  • the username username can also be called a user account, a user identification (Identity, ID), etc.
  • the username username is the information that identifies the user
  • the password password can also be called a password.
  • the user can set the password according to business rules.
  • the password password is set to a combination of numbers, letters, symbols, and so on.
  • the client Client assembles the user name username and password as registration parameters into the registration request M11 , and sends the registration request M11 to the server server, that is, the registration request M11 includes Username username, password password.
  • the server server can receive the registration request M 11 sent by the client client, and read the username and password from the registration request M 11 .
  • Step 102 Set a target value, use the target value as the number of times to calculate digests, generate digest information for the password, and use the generated digest information as standard digest information.
  • the server server may set a value of a suitable length as the target value N max according to the requirements of the business scenario for verifying the user's identity.
  • the target value N max is the maximum ordinal number set by the server, and the target value N max can be an integer, indicating the initial number of times and the upper limit of times for calculating digests for the password, which can be set according to the security policy.
  • the length of the target value N max is negatively correlated with the security of the target value N max , and positively correlated with the validity period of the target value N max , that is, the larger the length of the target value N max , the lower the security and the longer the validity period.
  • the shorter the length of N max the higher the security and the shorter the validity period.
  • a larger target value N max can be generated to reduce the frequency of registration.
  • a shorter target value N max can be generated , to improve the security of authentication.
  • the target value N max can be set to 400. In this way, the target value N max is valid for half a year, that is, the client terminal will be valid for about half a year. The time does not need to modify the password password, re-register.
  • the target value N max can be set to 20. In this way, the validity period of the target value N max is about 1 month, guaranteeing a The password should be updated once a month to prevent economic losses caused by the leakage of the password of the client client.
  • the serial one-way hash function can be used to calculate the digest information for the password, and the calculated digest information is used as the standard digest information.
  • serial one-way hash function H In order to use the one-way hash function H, continuously calculate the summary information for N max times for the input password password of any length, and the summary information obtained after calculating the summary information for N max times is regarded as the standard summary information D 1 , which is expressed as follows:
  • the one-way hash function H is a standard secure one-way hash function, which can calculate and generate L-byte fixed-length digest information B 0 B 1 B 2 . . . B L-2 B L- 1.
  • the one-way hash function H may include Message Digest Algorithm 5 (MD5), Secure Hash Algorithm (SHA), and so on. Among them, MD5 outputs 16B digest information, SHA1 outputs 20B digest information, SHA256 outputs 32B digest information, SHA512 outputs 64B digest information, and so on.
  • MD5 outputs 16B digest information
  • SHA1 outputs 20B digest information
  • SHA256 outputs 32B digest information
  • SHA512 outputs 64B digest information, and so on.
  • Step 103 Encrypt the standard digest information to obtain standard ciphertext.
  • an encryption method may be preset, and the standard digest information D1 is encrypted according to the encryption method, and the encrypted ciphertext is the standard ciphertext D.
  • random functions such as rand() and srand() can be called to randomly generate a value as a random number Salt to prevent Man-in-the-Middle Attack (MITM attack) and replay attacks. Increase security.
  • MITM attack Man-in-the-Middle Attack
  • the man-in-the-middle attack is an indirect intrusion attack.
  • This attack mode is to virtually place a computer controlled by the intruder between two communication computers connected by the network through various technical means. This computer is called middleman.
  • the random number Salt is connected to the end of the standard digest information D 1 , and the random number Salt is inserted into the byte specified by the standard digest information D 1 . After that, wait.
  • the standard ciphertext D is expressed as:
  • the above method of generating standard ciphertext is only an example.
  • other methods of generating standard ciphertext may be set according to actual conditions.
  • the information D1 is XORed bitwise with the mask, resulting in standard ciphertext, and so on.
  • those skilled in the art may also adopt other methods for generating standard ciphertext according to actual needs.
  • Step 104 Assign the target value to the service counter.
  • a counter is set in the server server, as the service counter N, and the service counter is set to record the number of times the serial one-way hash function currently calculates the digest.
  • Step 105 Store the user name, standard ciphertext, service counter and target value as registration parameters.
  • the server server after receiving the registration request M 11 of the client Client, the server server responds to the registration request M 11 to register the client Client, and when the registration is successful, the registration process is
  • the user name username, the standard ciphertext D, the service counter N and the target value N max are used as registration parameters, and are stored in the local database of the computer device.
  • the server server uses other parameters other than the username username, the service counter N, and the target value N max to generate the standard ciphertext D, the other parameters can be used as registration parameters for persistence. storage.
  • the random number Salt is used to generate the standard ciphertext D
  • the user name username the standard ciphertext D
  • the service counter N the target value Nmax and the random number Salt can be used as the registration parameters for registration.
  • Persistent storage that is, storing the tuple ⁇ username, D, N, N max , Salt ⁇ .
  • the password password it is deleted when the registration is completed, and it is not stored persistently.
  • Step 106 Send the service counter to the client.
  • the server server encapsulates the service counter N into the registration response M12, and sends the registration response M12 to the client client Client.
  • the client Client When receiving the registration response M12, it can read the service counter N from the registration response M12, and assign the value of the service counter N to the local user counter CT, At this point, the client Client completes the registration with the server server.
  • the computer device receives the registration request sent by the client, the registration request includes the user name and the password, sets the target value, uses the target value as the number of times to calculate the digest, generates digest information for the password, and the generated digest information serves as the standard Digest information, encrypt the standard digest information, obtain the standard ciphertext, assign the target value to the service counter, store the user name, standard ciphertext, service counter and target value as registration parameters, and send the service counter to the client,
  • the client is set to assign the value of the service counter to the local user counter, and uses the irreversibility of the one-way hash function to encrypt and store the password during the registration process to prevent potential dictionary attacks when the password is stored and improve The security of the user's identity is ensured, and the computer device and the client synchronize the count to support the calculation of the digest of the password in a decremented manner during the authentication process and keep it consistent.
  • FIG. 3 is a flowchart of an identity verification method according to Embodiment 2 of the present application. This embodiment may not be based on the foregoing embodiments, or, this embodiment may be based on the foregoing embodiments, and an operation of identity verification may be added. The method includes the following steps:
  • Step 301 Receive a verification request sent by a client.
  • the user counter CT of the client client synchronizes the service counter N of the server server.
  • information such as username and password can be entered in the user interface provided by the client client.
  • the client Client extracts the locally stored user counter CT, uses the value stored in the current user counter CT as the number of times to calculate the digest and the digest information generated for the password, and obtains the verification digest information D c , which is expressed as follows:
  • the client client Client encapsulates the username username, the verification summary information Dc , and the user counter CT into the verification request M21 , and sends the verification request message M21 to the server server, that is, the verification request M21 includes the username username, verification Summary information Dc, user counter CT.
  • the server server can receive the verification request M 21 sent by the client client, and read the username username, verification summary information Dc, and user counter CT from the verification request M 21 .
  • Step 302 look up the registration parameters associated with the user name recorded when the client is registered.
  • the server server can persist parameters such as username, standard ciphertext D, service counter N, target value N max and random number Salt as registration parameters. storage.
  • the client Client When the client Client receives the verification request M21 , it can use the username username in the verification request M21 as an index, search the database in the server server for the same username username, and extract the registration parameters associated with the username username .
  • the registration parameters extracted by the server server include at least a service counter N and a standard ciphertext D.
  • Step 303 Match the user counter with the service counter to detect the consistency between the decreasing value of the user counter and the decreasing value of the service counter during authentication.
  • the user counter CT of the client client and the service counter N of the server server decrease the value in the same way to realize the adjustment of the count.
  • the number of times that the password is digested is less than the number of times that the client Client calculates the digest for the password in the last authentication.
  • the server server can match the user counter CT with the service counter N to detect whether the decrease in the value of the user counter CT is consistent with the decrease in the value of the service counter N during the authentication process. .
  • the user counter CT and the service counter N can be compared.
  • the user counter CT is less than or equal to the service counter N (that is, CT ⁇ N)
  • the user counter CT and the service counter N are both accurate and equal, or the client client runs incorrectly and the user
  • the counter CT is smaller than the service counter N.
  • it can be determined that the decreasing value of the user counter CT is consistent with the decreasing value of the service counter N, that is, the matching of the user counter CT and the service counter N is successful.
  • the client Client may experience a replay attack. At this time, it can be determined that the decreasing value of the user counter CT is not consistent with the decreasing value of the service counter N. , that is, the user counter CT fails to match the service counter N.
  • Step 304 In response to the successful matching between the user counter and the service counter, verify the identity of the client according to the difference between the standard ciphertext and the verification digest information.
  • the standard ciphertext D and the verification digest information Dc can be compared, and the difference between the standard ciphertext D and the verification digest information Dc can be compared, and the Authentication.
  • the target value N max can be extracted from the registration parameter of the client client.
  • the difference between the target value N max and the user counter CT is used as the number of times to calculate the digest, and the digest information is generated for the verification digest information D c , and the generated digest information is used as the intermediate digest information D 2 , which is expressed as follows:
  • the intermediate digest information D2 is encrypted according to a preset encryption method to obtain the verification ciphertext D'.
  • the random number Salt can be extracted from the registration parameters of the client client, and the intermediate summary information D 2 and the random number Salt can be combined into a verification array.
  • the random number Salt is connected to the tail of the intermediate summary information D 2 , and the random number Salt is inserted after the bytes specified by the intermediate digest information D2, and so on .
  • the verification ciphertext D' is compared with the standard ciphertext D.
  • the difference between the standard ciphertext and the verification digest information can be characterized as the difference between the standard ciphertext and the verification ciphertext.
  • the corresponding verification ciphertext may be determined according to the verification summary information.
  • the difference between the target value and the user counter is used as the number of times to calculate the digest, and digest information is generated for the verification digest information, and the generated digest information is used as the intermediate digest information, and the intermediate digest information is encrypted according to a preset encryption method.
  • Perform encryption obtain the verification ciphertext, compare the verification ciphertext with the standard ciphertext, and verify the identity of the client, which can achieve fault tolerance for the situation where the client runs incorrectly and causes a count error, improves the success rate of authentication, and avoids the need for customers to The terminal is repeatedly authenticated.
  • Salt) H(H 100 (password)
  • the verification digest information D c can be encrypted according to the preset encryption method to obtain the verification ciphertext D', and the verification ciphertext D' is compared with the standard ciphertext D to verify the identity of the client. authenticating.
  • the verification request sent by the client is received, and the verification request includes the user name, verification summary information, and user counter.
  • the registration parameters include the service counter, standard ciphertext, and match the user counter with the service counter to detect the decrease of the user counter and the service counter during authentication
  • the identity of the client is verified according to the difference between the standard ciphertext and the verification digest information.
  • 1-RTT one interaction
  • the client completes the verification of the password, which reduces the number of RTTs and reduces the time-consuming of verification.
  • the number of times to calculate the digest of the password is decreased, which can prevent the eavesdropping attack and replay attack of the password in the network transmission process, and prevent the potential dictionary attack when the password is stored, which improves the security of the user's identity.
  • Embodiment 5 is a flowchart of an identity verification method provided in Embodiment 3 of the present application. Based on the foregoing embodiment, this embodiment adds an operation of verifying a response, and the method includes the following steps:
  • Step 501 Receive a verification request sent by a client.
  • the verification request includes the username username, verification summary information Dc, and user counter CT, and the verification summary information Dc is the summary information generated for the password using the user counter CT as the number of times of calculating the digest and the password.
  • Step 502 look up the registration parameters associated with the user name recorded when the client is registered.
  • the registration parameters include service counter N and standard ciphertext D.
  • Step 503 Match the user counter with the service counter to detect the consistency between the decreasing value of the user counter and the decreasing value of the service counter during authentication.
  • Step 504 In response to the failure to match the user counter with the service counter, determine that the authentication of the client fails.
  • the client Client may experience a replay attack.
  • the identity of the client is verified to prevent replay attacks and protect user data security.
  • Step 505 In response to the successful matching between the user counter and the service counter, verify the identity of the client according to the difference between the standard ciphertext and the verification digest information.
  • Step 506 Decrease the value of the user counter in response to the successful authentication of the client.
  • Step 507 Assign the user counter after the reduced value to the service counter.
  • the server of the server may generate an identification indicating successful authentication, such as success, and encapsulate the identification indicating successful authentication into the authentication response M22 .
  • the user counter CT of the client client and the service counter N of the server server are both set to record the number of times the digest of the password is calculated using the serial one-way hash function.
  • the one-way property of the one-way hash function is used, that is, the relationship from the summary information to the original data is irreversible.
  • the user counter CT of the client and the service The service counter N of the end server is decremented to prevent the replay attack of the password during network transmission.
  • the user counter CT of the client client and the service counter N of the server server in order to maximize the duration of use of the user counter CT of the client client and the service counter N of the server server, and reduce the frequency of re-registration, the user counter CT of the client client and the service counter N of the server server.
  • the value reduced each time is the value of the smallest unit, such as 1, that is, the process of reducing the value can be expressed as follows:
  • CT-1 means that the user counter CT is decremented by 1, and the value of CT-1 is assigned to the service counter N.
  • Step 508 Send the service counter to the client.
  • the server server can encapsulate the service counter N into the verification response M 22 and send the verification response M 22 to the client.
  • Step 509 In response to the service counter being less than or equal to the preset threshold, notify the client to modify the password to re-register.
  • the server server can check the service counter N, and compare the value of the service counter N with a preset threshold. If the value of the service counter N is less than or equal to the threshold, it means that the value of the service counter N is low.
  • a prompt message can be sent to the client server, prompting the user to modify the password, re-register, and change the password to ensure the security of user data.
  • the usage time of the user counter CT of the client client and the service counter N of the server server is also increased as much as possible, and the frequency of re-registration is reduced.
  • Step 510 In response to the authentication failure of the client, send the service counter to the client.
  • the server server can generate an identifier indicating a verification failure, such as failure, and encapsulate the identifier representing the verification failure in the verification response M22 ; on the other hand, the server server encapsulates the local service counter N into the verification response M22 . , and send the verification response M 22 to the client client.
  • a verification failure such as failure
  • the server server encapsulates the local service counter N into the verification response M22 . , and send the verification response M 22 to the client client.
  • a target value is set, and the target value is used as the number of times to calculate the digest, and digest information is generated for the password, and the generated digest information is used as standard digest information;
  • the encrypting the standard digest information to obtain standard ciphertext includes:
  • the storing of the user name, the standard ciphertext, the service counter and the target value as registration parameters includes:
  • the user name, the standard ciphertext, the service counter, the target value and the random number are stored as registration parameters.
  • Embodiment 6 is a structural block diagram of an identity verification device provided in Embodiment 4 of the present application, which may include the following modules:
  • the verification request receiving module 601 is configured to receive a verification request sent by a client, the verification request includes a user name, verification summary information, and a user counter, and the verification summary information is the user counter as the number of times to calculate the summary, the corresponding password Calculate the summary, the generated summary information;
  • a registration parameter search module 602 configured to search for the registration parameters associated with the user name recorded when the client registers, the registration parameters include a service counter and a standard ciphertext;
  • Counter matching module 603 is configured to match the user counter with the service counter, to detect the consistency of the reduced value of the user counter and the reduced value of the service counter during identity verification;
  • the difference verification module 604 is configured to verify the identity of the client according to the difference between the standard ciphertext and the verification digest information in response to the successful matching between the user counter and the service counter.
  • the counter matching module 603 includes:
  • a counter comparison submodule configured to compare the user counter with the service counter
  • a matching success submodule configured to determine that the user counter and the service counter are successfully matched in response to the user counter being less than or equal to the service counter;
  • a matching failure submodule configured to determine that the user counter fails to match the service counter in response to the user counter being greater than the service counter.
  • the registration parameter further includes a target value
  • the difference verification module 604 includes:
  • an intermediate summary information calculation submodule configured to use the difference between the target value and the user counter as the number of times to calculate the summary, generate summary information for the verification summary information, and use the generated summary information as the intermediate summary information;
  • a verification ciphertext encryption submodule configured to encrypt the intermediate digest information to obtain a verification ciphertext
  • a verification success submodule configured to determine that the authentication of the client is successful in response to the verification ciphertext being the same as the standard ciphertext
  • the verification failure submodule is configured to determine that the authentication of the client fails in response to the verification ciphertext being different from the standard ciphertext.
  • the registration parameter further includes a random number
  • the verification ciphertext encryption submodule includes:
  • a verification array combination unit configured to combine the intermediate digest information and the random number into a verification array
  • the verification ciphertext calculation unit is configured to calculate digest information for the verification array, and the calculated digest information is used as the verification ciphertext.
  • a numerical value reduction module configured to reduce the numerical value of the user counter in response to the successful authentication of the client
  • a lowering value assignment module is set to assign the user counter after the lowering value to the service counter
  • the first counter synchronization module is configured to send the service counter to the client, wherein the client is configured to assign the service counter to a local user counter.
  • a verification failure determination module configured to determine that the authentication of the client has failed in response to the failure to match the user counter with the service counter
  • the second counter synchronization module is configured to send the service counter to the client in response to the authentication failure of the client, wherein the client is configured to assign the service counter to a local user counter.
  • An update notification module configured to notify the client to modify the password in response to the service counter being less than or equal to a preset threshold.
  • a registration request receiving module configured to receive a registration request sent by the client, where the registration request includes a user name and a password;
  • a standard summary information calculation module configured to set a target numerical value, using the target numerical value as the number of times of calculating the summary, generating summary information for the password, and the generated summary information as the standard summary information;
  • a standard ciphertext encryption module configured to encrypt the standard digest information to obtain a standard ciphertext
  • a target value assignment module configured to assign the target value to a service counter
  • a registration parameter storage module configured to store the user name, the standard ciphertext, the service counter and the target value as registration parameters
  • a third counter synchronization module is configured to send the service counter to the client, wherein the client is configured to assign the value of the service counter to a local user counter.
  • the standard ciphertext encryption module includes:
  • the random number generation sub-module is set to randomly generate a value as a random number
  • a registration array combination submodule configured to combine the standard abstract information and the random number into a registration array
  • a standard ciphertext calculation submodule configured to calculate summary information for the registration array to obtain standard ciphertext
  • the registration parameter storage module is also set to:
  • the user name, the standard ciphertext, the service counter, the target value and the random number are stored as registration parameters.
  • the identity verification device provided by the embodiment of the present application can execute the identity verification method provided by any embodiment of the present application, and has corresponding functional modules and beneficial effects of the execution method.
  • a registration request receiving module configured to receive a registration request sent by the client, where the registration request includes a user name and a password;
  • a standard summary information calculation module configured to set a target numerical value, using the target numerical value as the number of times of calculating the summary, generating summary information for the password, and the generated summary information as the standard summary information;
  • a standard ciphertext encryption module configured to encrypt the standard digest information to obtain a standard ciphertext
  • a target value assignment module configured to assign the target value to a service counter
  • a registration parameter storage module configured to store the user name, the standard ciphertext, the service counter and the target value as registration parameters
  • a third counter synchronization module is configured to send the service counter to the client, wherein the client is configured to assign the value of the service counter to a local user counter.
  • the standard ciphertext encryption module includes:
  • the random number generation sub-module is set to randomly generate a value as a random number
  • a registration array combination submodule configured to combine the standard abstract information and the random number into a registration array
  • a standard ciphertext calculation submodule configured to calculate summary information for the registration array to obtain standard ciphertext
  • the registration parameter storage module is also set to:
  • the user name, the standard ciphertext, the service counter, the target value and the random number are stored as registration parameters.
  • FIG. 7 is a schematic structural diagram of a computer device according to Embodiment 5 of the present application.
  • FIG. 7 shows a block diagram of an exemplary computer device 12 suitable for implementing embodiments of the present application.
  • the computer device 12 shown in FIG. 7 is only one example.
  • computer device 12 takes the form of a general-purpose computing device.
  • Components of computer device 12 may include: one or more processors or processing units 16 , system memory 28 , and bus 18 connecting various system components including system memory 28 and processing unit 16 .
  • Computer device 12 typically includes a variety of computer system readable media, including both volatile and nonvolatile media, removable and non-removable media.
  • System memory 28 may include computer system readable media in the form of volatile memory, such as random access memory (RAM) 30 and/or cache 32 .
  • Computer device 12 may include other removable/non-removable, volatile/non-volatile computer system storage media.
  • storage system 34 may be configured to read and write to non-removable, non-volatile magnetic media.
  • System memory 28 may include at least one program product having a set (eg, at least one) of program modules configured to perform the functions of various embodiments of the present application.
  • a program/utility 40 having a set (eg, at least one) of program modules 42 which may generally perform the functions and/or methods of the embodiments described herein, may be stored, for example, in memory 28 .
  • Computer device 12 may also communicate with one or more external devices 14 (eg, keyboard, pointing device, display 24, etc.). Such communication may take place through input/output (I/O) interface 22 . Also, computer device 12 may communicate with one or more networks through network adapter 20 . As shown in FIG. 7 , network adapter 20 communicates with other modules of computer device 12 via bus 18 . Other hardware and/or software modules may be used in conjunction with computer device 12 .
  • external devices 14 eg, keyboard, pointing device, display 24, etc.
  • I/O input/output
  • network adapter 20 communicates with other modules of computer device 12 via bus 18 .
  • Other hardware and/or software modules may be used in conjunction with computer device 12 .
  • the processing unit 16 executes a variety of functional applications and data processing by running programs stored in the system memory 28, for example, to implement the identity verification method provided by the embodiments of the present application.
  • Embodiment 6 of the present application also provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, multiple processes of the above-mentioned identity verification method are implemented, and the same technology can be achieved. The effect, in order to avoid repetition, is not repeated here.
  • the computer-readable storage medium may include, for example, electrical, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatuses or devices, or any combination of the above.
  • Examples of computer-readable storage media include: electrical connections with one or more wires, portable computer disks, hard disks, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (Erasable Programmable Read-Only Memory (EPROM), flash memory, fiber optics, portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing, a non-exhaustive list.
  • a computer-readable storage medium can be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device.

Abstract

Embodiments of the present application provide an identity authentication method and apparatus, a computer device, and a storage medium. The method comprises: receiving an authentication request sent by a client, the authentication request comprising a username, authentication digest information, and a user counter; looking up registration parameters recorded when the client is registered and associated with the user name, the registration parameters comprising a service counter and standard ciphertext; matching the user counter with the service counter to detect consistency between a reduced value of the user counter and a reduced value of the service counter during identity authentication; and in response to successful matching between the user counter and the service counter, authenticating the identity of the client according to a difference between the standard ciphertext and the authentication digest information.

Description

身份验证方法、装置、计算机设备和存储介质Authentication method, apparatus, computer equipment and storage medium
本公开要求在2020年08月31日提交中国专利局、申请号为202010895360.8的中国专利申请的优先权,以上申请的全部内容通过引用结合在本公开中。The present disclosure claims the priority of a Chinese patent application with application number 202010895360.8 filed with the Chinese Patent Office on August 31, 2020, the entire contents of which are incorporated into the present disclosure by reference.
技术领域technical field
本申请实施例涉及信息安全的技术领域,例如涉及一种身份验证方法、装置、计算机设备和存储介质。The embodiments of the present application relate to the technical field of information security, for example, to an identity verification method, apparatus, computer device, and storage medium.
背景技术Background technique
口令认证是一种广泛使用的身份验证方式,即用户在服务端注册用户名与口令,服务端持久化存储用户名与口令。在用户使用口令认证登录账户时,用户通过客户端输入用户名和口令,客户端将用户名与口令发送给服务端,服务端收到用户名与口令后,取出数据库中存储的相同用户名与口令进行对比,如果用户名与口令两者均一致,则用户的身份验证成功,如果用户名与口令中的至少一项不一致,则验证失败。Password authentication is a widely used authentication method, that is, the user registers the username and password on the server, and the server persistently stores the username and password. When the user logs in to the account using password authentication, the user enters the username and password through the client, the client sends the username and password to the server, and the server receives the username and password, and retrieves the same username and password stored in the database. For comparison, if both the user name and the password are consistent, the user's authentication is successful, and if the user name and at least one of the passwords are inconsistent, the authentication fails.
相关技术中使用的口令认证协议包含密码认证协议(Password Authentication Protocol,PAP)。Password authentication protocols used in the related art include Password Authentication Protocol (PAP).
在PAP中,服务端在注册时存储用户名和明文形式的口令,在验证时,客户端直接提交用户输入的用户名和明文形式的口令。明文形式的口令在不安全网络环境中,能够被攻击者使用窃听攻击和重放攻击,成功冒充合法用户成功登陆;并且,服务端存储明文形式的口令,一旦数据库被攻破,口令则被直接泄漏,造成用户身份被冒充的可能性。In PAP, the server stores the user name and the password in plain text during registration, and when verifying, the client directly submits the user name and password in plain text entered by the user. In an insecure network environment, the password in plaintext can be used by attackers using eavesdropping and replay attacks to successfully log in as a legitimate user; and the server stores the password in plaintext. Once the database is breached, the password will be leaked directly. , resulting in the possibility of user identity being impersonated.
发明内容SUMMARY OF THE INVENTION
本申请实施例提出了一种身份验证方法、装置、计算机设备和存储介质。The embodiments of the present application provide an identity verification method, apparatus, computer equipment, and storage medium.
第一方面,本申请实施例提供了一种身份验证方法,包括:In a first aspect, an embodiment of the present application provides an identity verification method, including:
接收客户端发送的验证请求,所述验证请求包括用户名、验证摘要信息、用户计数器,所述验证摘要信息为以所述用户计数器作为计算摘要的次数、对口令计算摘要,生成的摘要信息;Receive a verification request sent by the client, where the verification request includes a user name, verification digest information, and a user counter, and the verification digest information is the digest information generated by using the user counter as the number of times to calculate the digest and the password calculation digest;
查找在所述客户端注册时记录的、与所述用户名关联的注册参数,所述注册参数包括服务计数器、标准密文;Find the registration parameters associated with the username recorded when the client registers, where the registration parameters include a service counter and standard ciphertext;
将所述用户计数器与所述服务计数器进行匹配,以检测在身份验证时所述 用户计数器的降低数值与所述服务计数器的降低数值的一致性;matching the user counter with the service counter to detect the consistency of the reduced value of the user counter and the reduced value of the service counter during authentication;
响应于所述用户计数器与所述服务计数器匹配成功,根据所述标准密文与所述验证摘要信息之间的差异对所述客户端的身份进行验证。In response to a successful match between the user counter and the service counter, the identity of the client is verified according to the difference between the standard ciphertext and the verification digest information.
第二方面,本申请实施例还提供了一种身份验证装置,包括:In a second aspect, the embodiments of the present application also provide an identity verification device, including:
验证请求接收模块,设置为接收客户端发送的验证请求,所述验证请求包括用户名、验证摘要信息、用户计数器,所述验证摘要信息为以所述用户计数器作为计算摘要的次数、对口令计算摘要,生成的摘要信息;The verification request receiving module is configured to receive the verification request sent by the client, the verification request includes a user name, verification summary information, and a user counter, and the verification summary information is the number of times the user counter is used to calculate the summary, and the password is calculated. Abstract, the generated summary information;
注册参数查找模块,设置为查找在所述客户端注册时记录的、与所述用户名关联的注册参数,所述注册参数包括服务计数器、标准密文;a registration parameter search module, configured to search for the registration parameters associated with the username recorded when the client registers, and the registration parameters include a service counter and a standard ciphertext;
计数器匹配模块,设置为将所述用户计数器与所述服务计数器进行匹配,以检测在身份验证时所述用户计数器的降低数值与所述服务计数器的降低数值的一致性;A counter matching module, configured to match the user counter with the service counter, to detect the consistency between the reduced value of the user counter and the reduced value of the service counter during authentication;
差异验证模块,设置为响应于所述用户计数器与所述服务计数器匹配成功,根据所述标准密文与所述验证摘要信息之间的差异对所述客户端的身份进行验证。A difference verification module, configured to verify the identity of the client according to the difference between the standard ciphertext and the verification digest information in response to a successful match between the user counter and the service counter.
第三方面,本申请实施例还提供了一种计算机设备,所述计算机设备包括:In a third aspect, an embodiment of the present application further provides a computer device, the computer device comprising:
至少一个处理器;at least one processor;
存储器,设置为存储至少一个程序,memory, arranged to store at least one program,
所述至少一个处理器设置为,执行所述至少一个程序以实现如第一方面所述的身份验证方法。The at least one processor is configured to execute the at least one program to implement the authentication method according to the first aspect.
第四方面,本申请实施例还提供了一种计算机可读存储介质,所述计算机可读存储介质上存储计算机程序,所述计算机程序被处理器执行时实现如第一方所述的身份验证方法。In a fourth aspect, an embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the identity verification as described by the first party is implemented method.
附图说明Description of drawings
图1为本申请实施例一提供的一种身份验证方法的流程图;1 is a flowchart of an identity verification method provided in Embodiment 1 of the present application;
图2为本申请实施例一提供的一种注册过程的信令图;FIG. 2 is a signaling diagram of a registration process according to Embodiment 1 of the present application;
图3是本申请实施例二提供的一种身份验证方法的流程图;3 is a flowchart of an identity verification method provided in Embodiment 2 of the present application;
图4为本申请实施例二提供的一种验证过程的信令图;FIG. 4 is a signaling diagram of a verification process according to Embodiment 2 of the present application;
图5是本申请实施例三提供的一种身份验证方法的流程图;5 is a flowchart of an identity verification method provided in Embodiment 3 of the present application;
图6为本申请实施例四提供的一种身份验证装置的结构示意图;FIG. 6 is a schematic structural diagram of an identity verification device according to Embodiment 4 of the present application;
图7为本申请实施例五提供的一种计算机设备的结构示意图。FIG. 7 is a schematic structural diagram of a computer device according to Embodiment 5 of the present application.
具体实施方式detailed description
相关技术中使用的口令认证协议包含PAP和基于挑战-响应的口令认证协议CRAM-MD5。Password authentication protocols used in the related art include PAP and a challenge-response based password authentication protocol CRAM-MD5.
在CRAM-MD5中,服务端在注册阶段使用单向散列函数对口令计算摘要信息,在数据库中存储用户名及摘要信息。在登录时,客户端向服务端发起验证请求;服务端收到验证请求后,生成随机数并发送给客户端,客户端对用户输入的口令计算摘要信息之后,与随机数一同再次计算摘要信息,将用户输入的用户名和最终的摘要信息发送给服务端;服务端从数据库中取出该用户名关联的摘要信息,与随机数一同再次计算摘要信息,如果客户端发送的摘要信息与服务端最终计算的摘要信息一致,则用户的身份验证成功,如果客户端发送的摘要信息与服务端最终计算的摘要信息不一致,则用户的身份验证失败。In CRAM-MD5, the server uses a one-way hash function to calculate the digest information for the password during the registration phase, and stores the user name and digest information in the database. When logging in, the client initiates a verification request to the server; after the server receives the verification request, it generates a random number and sends it to the client. After the client calculates the digest information for the password entered by the user, it calculates the digest again together with the random number. information, send the user name entered by the user and the final summary information to the server; the server retrieves the summary information associated with the user name from the database, and recalculates the summary information together with the random number. If the digest information finally calculated by the client is consistent, the user's authentication is successful. If the digest information sent by the client is inconsistent with the digest information finally calculated by the server, the user's authentication fails.
每次验证,服务端额外向客户端发起一个随机数进行挑战,造成客户端与服务端之间的验证需要2-RTT(Round-Trip Time,往返时延),2-RTT为两次交互,验证耗时较长;此外,服务端使用单向散列函数对口令计算摘要信息,摘要信息被泄漏,攻击者仍然有可能使用字典攻击破解出口令。For each verification, the server sends an additional random number to the client to challenge, causing the verification between the client and the server to require 2-RTT (Round-Trip Time, round-trip delay), 2-RTT is two interactions, The verification takes a long time; in addition, the server uses a one-way hash function to calculate the digest information for the password, and the digest information is leaked, and it is still possible for an attacker to use a dictionary attack to crack the password.
鉴于相关技术中的上述身份验证技术存在上述缺陷,本申请实施例提供了一类新的身份验证方式,即,本申请实施例公开了一种身份验证方法、装置、计算机设备和存储介质,以在降低验证耗时的情况下,防止不安全网络传输过程中的窃听攻击和重放攻击,以及防止服务端的数据库泄漏造成字典攻击的威胁。In view of the above-mentioned defects in the above-mentioned identity verification technologies in the related art, the embodiments of the present application provide a new type of identity verification methods, that is, the embodiments of the present application disclose an identity verification method, device, computer equipment, and storage medium for In the case of reducing the verification time, it can prevent eavesdropping attacks and replay attacks during insecure network transmission, and prevent the threat of dictionary attacks caused by database leakage on the server side.
下面结合附图和实施例对本申请进行说明。The present application will be described below with reference to the accompanying drawings and embodiments.
实施例一Example 1
图1为本申请实施例一提供的一种身份验证方法的流程图,本实施例可进行客户端的注册行为,该方法可以由身份验证装置来执行,该身份验证装置可以由软件和/或硬件实现,该身份验证装置可配置在计算机设备中,计算机设备例如,服务器、工作站、个人电脑,等等,该计算机设备作为服务端Server,与客户端Client建立安全传输通道,如应用超文本传输安全协议(Hyper Text Transfer Protocol over SecureSocket Layer,HTTPS),以便服务端Server与客户端Client进行通信,该方法包括如下步骤:FIG. 1 is a flowchart of an identity verification method provided in Embodiment 1 of the present application. This embodiment can perform the registration behavior of the client, and the method can be performed by an identity verification device, and the identity verification device can be performed by software and/or hardware. Realization, the authentication device can be configured in a computer device, such as a server, a workstation, a personal computer, etc., the computer device, as a server server, establishes a secure transmission channel with the client Client, such as applying hypertext transmission security Protocol (Hyper Text Transfer Protocol over SecureSocket Layer, HTTPS), so that the server server communicates with the client client. The method includes the following steps:
步骤101、接收客户端发送的注册请求。Step 101: Receive a registration request sent by a client.
在本实施例中,用户向服务端Server注册身份时,可在客户端Client提供的用户界面(User Interface,UI)中输入用户名username、口令password。In this embodiment, when the user registers the identity with the server server, the user name username and password password can be input in the user interface (User Interface, UI) provided by the client terminal Client.
一般情况下,客户端Client为独立的应用,如直播应用、短视频应用、即时通讯工具、支付应用、购物应用等,应用可生成用户计数器CT,并进行计数。In general, the client client is an independent application, such as a live broadcast application, a short video application, an instant messaging tool, a payment application, a shopping application, etc. The application can generate and count the user counter CT.
若浏览器可支持在本地存储用户计数器CT,浏览器也可以作为客户端Client参与身份的注册、验证。If the browser can support storing the user counter CT locally, the browser can also participate in the registration and verification of the identity as a client client.
此外,用户名username又可以称为用户账号、用户标识(Identity,ID)等,用户名username是标识用户的信息,口令password又可以称为密码,用户可以根据业务规则设置口令password,例如,将口令password设置为数字、字母、符号的组合,等等。In addition, the username username can also be called a user account, a user identification (Identity, ID), etc. The username username is the information that identifies the user, and the password password can also be called a password. The user can set the password according to business rules. The password password is set to a combination of numbers, letters, symbols, and so on.
如图2所示,在注册时,客户端Client将用户名username、口令password作为注册参数组装至注册请求M 11中,并将该注册请求M 11发送至服务端Server,即注册请求M 11包括用户名username、口令password。 As shown in Figure 2, during registration, the client Client assembles the user name username and password as registration parameters into the registration request M11 , and sends the registration request M11 to the server server, that is, the registration request M11 includes Username username, password password.
服务端Server可接收客户端Client发送的注册请求M 11,并从注册请求M 11中读取用户名username、口令password。 The server server can receive the registration request M 11 sent by the client client, and read the username and password from the registration request M 11 .
步骤102、设置目标数值,以目标数值作为计算摘要的次数、对口令生成摘要信息,生成的摘要信息作为标准摘要信息。Step 102: Set a target value, use the target value as the number of times to calculate digests, generate digest information for the password, and use the generated digest information as standard digest information.
在本实施例中,如图2所示,服务端Server可以根据业务场景对验证用户的身份的需求,设置一个相适配长度的数值,作为目标数值N maxIn this embodiment, as shown in FIG. 2 , the server server may set a value of a suitable length as the target value N max according to the requirements of the business scenario for verifying the user's identity.
其中,目标数值N max是服务端Server设置的最大序数,目标数值N max可为整数,表示对口令password计算摘要的起始次数、上限次数,可根据安全策略设定。 The target value N max is the maximum ordinal number set by the server, and the target value N max can be an integer, indicating the initial number of times and the upper limit of times for calculating digests for the password, which can be set according to the security policy.
目标数值N max的长度与目标数值N max的安全性负相关、与目标数值N max的有效期正相关,即目标数值N max的长度越大,安全性越低、有效期越长,反之,目标数值N max的长度越短,安全性越高、有效期越短。 The length of the target value N max is negatively correlated with the security of the target value N max , and positively correlated with the validity period of the target value N max , that is, the larger the length of the target value N max , the lower the security and the longer the validity period. The shorter the length of N max , the higher the security and the shorter the validity period.
在对安全性要求较低的应用场景中,可以生成长度较大的目标数值N max,减少注册的频次,在对安全性要求较高的应用场景中,可以生成长度较短的目标数值N max,提高身份验证的安全性。 In application scenarios with lower security requirements, a larger target value N max can be generated to reduce the frequency of registration. In application scenarios with higher security requirements, a shorter target value N max can be generated , to improve the security of authentication.
例如,若业务场景为登录,用户体验更为重要,若用户平均每天登录2次,则可以设置目标数值N max为400,这样,目标数值N max的有效期为半年,即客户端Client在半年左右的时间不需要修改口令password、重新注册。 For example, if the business scenario is login, the user experience is more important. If the user logs in twice a day on average, the target value N max can be set to 400. In this way, the target value N max is valid for half a year, that is, the client terminal will be valid for about half a year. The time does not need to modify the password password, re-register.
又例如,若应用场景为支付,安全性更为重要,若用户平均每周支付5次, 则可以设置目标数值N max为20,这样,目标数值N max的有效期在1个月左右,保证一个月内要更新一次口令password,防止客户端Client的口令password外泄造成经济损失。 For another example, if the application scenario is payment, security is more important. If the user pays an average of 5 times a week, the target value N max can be set to 20. In this way, the validity period of the target value N max is about 1 month, guaranteeing a The password should be updated once a month to prevent economic losses caused by the leakage of the password of the client client.
在确定了计算摘要信息的次数(即目标数值N max)之后,可使用串行单向散列函数对口令password计算摘要信息,计算出的摘要信息作为标准摘要信息。 After the number of times of calculating the digest information (ie, the target value N max ) is determined, the serial one-way hash function can be used to calculate the digest information for the password, and the calculated digest information is used as the standard digest information.
此外,所谓串行单向散列函数
Figure PCTCN2021109292-appb-000001
为,使用单向散列函数H,对所输入的、任意长度的口令password连续计算N max次摘要信息,计算N max次摘要信息后得到的摘要信息作为标准摘要信息D 1,表示如下: In addition, the so-called serial one-way hash function
Figure PCTCN2021109292-appb-000001
In order to use the one-way hash function H, continuously calculate the summary information for N max times for the input password password of any length, and the summary information obtained after calculating the summary information for N max times is regarded as the standard summary information D 1 , which is expressed as follows:
Figure PCTCN2021109292-appb-000002
Figure PCTCN2021109292-appb-000002
其中,N max≥0;当N max=0时,H 0(password)=password,当N max=1时,H 1(password)=H(password),等等。 where N max ≥ 0; when N max =0, H 0 (password)=password, when N max =1, H 1 (password)=H (password), and so on.
在一实施例中,单向散列函数H为标准安全单向散列函数,可将任意长度数据计算生成L字节固定长度的摘要信息B 0B 1B 2…B L-2B L-1,单向散列函数H可以包括消息摘要算法第五版(Message Digest Algorithm 5,MD5)、安全哈希算法(Secure Hash Algorithm,SHA),等等。其中,MD5输出16B的摘要信息、SHA1输出20B的摘要信息、SHA256输出32B的摘要信息、SHA512输出64B的摘要信息,等等。 In one embodiment, the one-way hash function H is a standard secure one-way hash function, which can calculate and generate L-byte fixed-length digest information B 0 B 1 B 2 . . . B L-2 B L- 1. The one-way hash function H may include Message Digest Algorithm 5 (MD5), Secure Hash Algorithm (SHA), and so on. Among them, MD5 outputs 16B digest information, SHA1 outputs 20B digest information, SHA256 outputs 32B digest information, SHA512 outputs 64B digest information, and so on.
步骤103、对标准摘要信息进行加密,获得标准密文。Step 103: Encrypt the standard digest information to obtain standard ciphertext.
在本实施例中,如图2所示,可以预先设置加密方式,按照该加密方式对标准摘要信息D 1进行加密,加密之后的密文为标准密文D。 In this embodiment, as shown in FIG. 2 , an encryption method may be preset, and the standard digest information D1 is encrypted according to the encryption method, and the encrypted ciphertext is the standard ciphertext D.
在一种加密方式中,可调用rand()、srand()等随机函数,随机生成一数值作为随机数Salt,防止中间人攻击(Man-in-the-Middle Attack,MITM攻击)和重放攻击,增加安全性。In an encryption method, random functions such as rand() and srand() can be called to randomly generate a value as a random number Salt to prevent Man-in-the-Middle Attack (MITM attack) and replay attacks. Increase security.
其中,中间人攻击是一种间接的入侵攻击,这种攻击模式是通过多种技术手段将受入侵者控制的一台计算机虚拟放置在网络连接的两台通信计算机之间,这台计算机就称为中间人。Among them, the man-in-the-middle attack is an indirect intrusion attack. This attack mode is to virtually place a computer controlled by the intruder between two communication computers connected by the network through various technical means. This computer is called middleman.
将标准摘要信息D 1与随机数Salt按照预设的组合方式组合为注册数组,如随机数Salt衔接在标准摘要信息D 1的尾部,将随机数Salt插入在标准摘要信息D 1指定的字节之后,等等。 Combine the standard digest information D 1 and the random number Salt into a registered array according to a preset combination method. For example, the random number Salt is connected to the end of the standard digest information D 1 , and the random number Salt is inserted into the byte specified by the standard digest information D 1 . After that, wait.
对注册数组计算摘要信息,即可获得标准密文D,标准密文D表示为:Calculate the digest information for the registration array, and then the standard ciphertext D can be obtained. The standard ciphertext D is expressed as:
D=H(D 1|Salt) D=H(D 1 |Salt)
上述生成标准密文的方式只是作为示例,在实施本申请实施例时,可以根据实际情况设置其他生成标准密文的方式,例如,生成与标准摘要信息D 1长度相同的掩码,将标准摘要信息D 1与掩码按位进行异或操作,从而生成标准密文,等等。另外,除了上述生成标准密文的方式外,本领域技术人员还可以根据实际需要采用其它生成标准密文的方式。 The above method of generating standard ciphertext is only an example. When implementing the embodiments of the present application, other methods of generating standard ciphertext may be set according to actual conditions. The information D1 is XORed bitwise with the mask, resulting in standard ciphertext, and so on. In addition, in addition to the above-mentioned methods for generating standard ciphertext, those skilled in the art may also adopt other methods for generating standard ciphertext according to actual needs.
步骤104、将目标数值赋值给服务计数器。Step 104: Assign the target value to the service counter.
在本实施例中,如图2所示,在服务端Server可中设置一个计数器,作为服务计数器N,该服务计算器设置为记录串行单向散列函数当前计算摘要的次数。In this embodiment, as shown in FIG. 2 , a counter is set in the server server, as the service counter N, and the service counter is set to record the number of times the serial one-way hash function currently calculates the digest.
在客户端Client注册时,可将目标数值N max赋值给服务计数器N,表示为N=N max,实现服务计数器N的初始化。 When the client client is registered, the target value N max can be assigned to the service counter N, expressed as N=N max , to realize the initialization of the service counter N.
步骤105、将用户名、标准密文、服务计数器与目标数值作为注册参数进行存储。Step 105: Store the user name, standard ciphertext, service counter and target value as registration parameters.
在本实施例中,如图2所示,服务端Server在接收到客户端Client的注册请求M 11之后,响应该注册请求M 11,对客户端Client进行注册,在注册成功时,将注册过程中用户名username、标准密文D、服务计数器N与目标数值N max作为注册参数,存储在计算机设备本地的数据库中。 In this embodiment, as shown in FIG. 2 , after receiving the registration request M 11 of the client Client, the server server responds to the registration request M 11 to register the client Client, and when the registration is successful, the registration process is The user name username, the standard ciphertext D, the service counter N and the target value N max are used as registration parameters, and are stored in the local database of the computer device.
在一实施例中,若服务端Server在先使用了除用户名username、服务计数器N与目标数值N max之外的其他参数生成标准密文D,则可以将该其他参数作为注册参数进行持久化存储。 In one embodiment, if the server server uses other parameters other than the username username, the service counter N, and the target value N max to generate the standard ciphertext D, the other parameters can be used as registration parameters for persistence. storage.
在一个示例中,如图2所示,若使用了随机数Salt生成标准密文D,则可以将用户名username、标准密文D、服务计数器N、目标数值Nmax与随机数Salt作为注册参数进行持久化存储,即存储元组{username,D,N,N max,Salt}。 In an example, as shown in Figure 2, if the random number Salt is used to generate the standard ciphertext D, the user name username, the standard ciphertext D, the service counter N, the target value Nmax and the random number Salt can be used as the registration parameters for registration. Persistent storage, that is, storing the tuple {username, D, N, N max , Salt}.
此外,对于口令password,则在完成注册时删除,并不进行持久化存储。In addition, for the password password, it is deleted when the registration is completed, and it is not stored persistently.
步骤106、将服务计数器发送至客户端。Step 106: Send the service counter to the client.
在本实施例中,如图2所示,服务端Server将服务计数器N封装至注册响应M 12中,将该注册响应M 12发送至客户端Client。 In this embodiment, as shown in FIG . 2 , the server server encapsulates the service counter N into the registration response M12, and sends the registration response M12 to the client client Client.
客户端Client在本地生成一计数器,作为用户计数器CT,在接收到注册响应M 12时,可从注册响应M 12中读取服务计数器N,将服务计数器N的数值赋值给本地的用户计数器CT,此时,客户端Client完成向服务端Server注册。 The client Client generates a counter locally as a user counter CT. When receiving the registration response M12, it can read the service counter N from the registration response M12, and assign the value of the service counter N to the local user counter CT, At this point, the client Client completes the registration with the server server.
在注册的过程中,计算机设备接收客户端发送的注册请求,该注册请求包括用户名、口令,设置目标数值,以目标数值作为计算摘要的次数、对口令生 成摘要信息,生成的摘要信息作为标准摘要信息,对标准摘要信息进行加密,获得标准密文,将目标数值赋值给服务计数器,将用户名、标准密文、服务计数器与目标数值作为注册参数进行存储,将服务计数器发送至客户端,客户端设置为将服务计数器的数值赋值给本地的用户计数器,利用单向散列函数的不可逆性,在注册的过程中对口令进行加密存储,防止口令在存储时面临的潜在的字典攻击,提高了用户身份的安全性,并且,计算机设备与客户端同步计数,以支持在认证的过程中以递减的方式对口令计算摘要,并保持一致。During the registration process, the computer device receives the registration request sent by the client, the registration request includes the user name and the password, sets the target value, uses the target value as the number of times to calculate the digest, generates digest information for the password, and the generated digest information serves as the standard Digest information, encrypt the standard digest information, obtain the standard ciphertext, assign the target value to the service counter, store the user name, standard ciphertext, service counter and target value as registration parameters, and send the service counter to the client, The client is set to assign the value of the service counter to the local user counter, and uses the irreversibility of the one-way hash function to encrypt and store the password during the registration process to prevent potential dictionary attacks when the password is stored and improve The security of the user's identity is ensured, and the computer device and the client synchronize the count to support the calculation of the digest of the password in a decremented manner during the authentication process and keep it consistent.
实施例二Embodiment 2
图3为本申请实施例二提供的一种身份验证方法的流程图。本实施例可不以前述实施例为基础,或者,本实施例可以前述实施例为基础,增加身份验证的操作。该方法包括如下步骤:FIG. 3 is a flowchart of an identity verification method according to Embodiment 2 of the present application. This embodiment may not be based on the foregoing embodiments, or, this embodiment may be based on the foregoing embodiments, and an operation of identity verification may be added. The method includes the following steps:
步骤301、接收客户端发送的验证请求。Step 301: Receive a verification request sent by a client.
如图4所示,客户端Client在向服务端Server注册时,客户端Client的用户计数器CT同步服务端Server的服务计数器N。As shown in FIG. 4 , when the client client registers with the server server, the user counter CT of the client client synchronizes the service counter N of the server server.
在用户进行身份验证时,可在客户端Client提供的用户界面中输入用户名username、口令password等信息。When a user authenticates, information such as username and password can be entered in the user interface provided by the client client.
客户端Client提取本地存储的用户计数器CT,以当前用户计数器CT存储的数值作为计算摘要的次数、对口令password生成的摘要信息,获得验证摘要信息D c,表示如下: The client Client extracts the locally stored user counter CT, uses the value stored in the current user counter CT as the number of times to calculate the digest and the digest information generated for the password, and obtains the verification digest information D c , which is expressed as follows:
D c=H CT(password) D c = H CT (password)
客户端Client将用户名username、验证摘要信息D c、用户计数器CT封装至验证请求M 21中,并将验证请求消息M 21发送至服务端Server,即验证请求M 21中包括用户名username、验证摘要信息Dc、用户计数器CT。 The client client Client encapsulates the username username, the verification summary information Dc , and the user counter CT into the verification request M21 , and sends the verification request message M21 to the server server, that is, the verification request M21 includes the username username, verification Summary information Dc, user counter CT.
服务端Server可接收客户端Client发送的验证请求M 21,并从验证请求M 21中读取用户名username、验证摘要信息Dc、用户计数器CT。 The server server can receive the verification request M 21 sent by the client client, and read the username username, verification summary information Dc, and user counter CT from the verification request M 21 .
步骤302、查找在客户端注册时记录的、与用户名关联的注册参数。 Step 302 , look up the registration parameters associated with the user name recorded when the client is registered.
如图4所示,客户端Client在向服务端Server注册时,服务端Server可将用户名username、标准密文D、服务计数器N、目标数值N max与随机数Salt等参数作为注册参数持久化存储。 As shown in Figure 4, when the client client registers with the server server, the server server can persist parameters such as username, standard ciphertext D, service counter N, target value N max and random number Salt as registration parameters. storage.
在客户端Client在接收到验证请求M 21时,可以以验证请求M 21中的用户名 username作为索引,在服务端Server中的数据库查找相同的用户名username,提取该用户名username关联的注册参数。 When the client Client receives the verification request M21 , it can use the username username in the verification request M21 as an index, search the database in the server server for the same username username, and extract the registration parameters associated with the username username .
在本实施例中,服务端Server提取的注册参数至少包括服务计数器N、标准密文D。In this embodiment, the registration parameters extracted by the server server include at least a service counter N and a standard ciphertext D.
步骤303、将用户计数器与服务计数器进行匹配,以检测在身份验证时所述用户计数器的降低数值与所述服务计数器的降低数值的一致性。Step 303: Match the user counter with the service counter to detect the consistency between the decreasing value of the user counter and the decreasing value of the service counter during authentication.
如图4所示,在身份验证的过程中,客户端Client的用户计数器CT与服务端Server的服务计数器N以相同的方式降低数值,实现计数的调整,即本次身份验证中客户端Client对口令password计算摘要的次数少于上一次身份验证中客户端Client对口令password计算摘要的次数。As shown in Figure 4, in the process of authentication, the user counter CT of the client client and the service counter N of the server server decrease the value in the same way to realize the adjustment of the count. The number of times that the password is digested is less than the number of times that the client Client calculates the digest for the password in the last authentication.
因此,在本实施例中,服务端Server可以将用户计数器CT与服务计数器N进行匹配,以检测在身份验证的过程中,用户计数器CT降低数值的状况与服务计数器N降低数值的状况是否保持一致。Therefore, in this embodiment, the server server can match the user counter CT with the service counter N to detect whether the decrease in the value of the user counter CT is consistent with the decrease in the value of the service counter N during the authentication process. .
如果用户计数器CT降低数值与服务计数器N降低数值保持一致,则可以认为用户计数器CT与服务计数器N匹配成功。If the decreasing value of the user counter CT is consistent with the decreasing value of the service counter N, it can be considered that the matching of the user counter CT and the service counter N is successful.
如果用户计数器CT降低数值与服务计数器N降低数值未保持一致,则可以认为用户计数器CT与服务计数器N匹配失败。If the decreasing value of the user counter CT is not consistent with the decreasing value of the service counter N, it may be considered that the matching of the user counter CT and the service counter N fails.
在一种匹配的方式中,考虑到客户端Client在运行的过程中,会出现一些错误,导致用户计数器CT计数出错。In a matching method, considering that there will be some errors during the running of the client client, the user counter CT will be counted incorrectly.
为提高容错的能力,保证客户端Client正常进行身份验证,在本方式中,可对用户计数器CT与服务计数器N进行比较。In order to improve the fault tolerance capability and ensure that the client client performs authentication normally, in this mode, the user counter CT and the service counter N can be compared.
若用户计数器CT小于或等于服务计数器N(即CT≤N),则可能是客户端Client正常运行,用户计数器CT与服务计数器N计数均准确、两者相等,或者,客户端Client运行出错导致用户计数器CT小于服务计数器N,此时,可确定用户计数器CT降低数值的状况与服务计数器N降低数值的状况保持一致,即用户计数器CT与服务计数器N匹配成功。If the user counter CT is less than or equal to the service counter N (that is, CT≤N), it may be that the client client is running normally, the user counter CT and the service counter N are both accurate and equal, or the client client runs incorrectly and the user The counter CT is smaller than the service counter N. At this time, it can be determined that the decreasing value of the user counter CT is consistent with the decreasing value of the service counter N, that is, the matching of the user counter CT and the service counter N is successful.
若用户计数器CT大于服务计数器N(即CT>N),则客户端Client可能出现重放攻击的情况,此时,可确定用户计数器CT降低数值的状况与服务计数器N降低数值的状况未保持一致,即用户计数器CT与服务计数器N匹配失败。If the user counter CT is greater than the service counter N (that is, CT>N), the client Client may experience a replay attack. At this time, it can be determined that the decreasing value of the user counter CT is not consistent with the decreasing value of the service counter N. , that is, the user counter CT fails to match the service counter N.
步骤304、响应于用户计数器与服务计数器匹配成功,根据标准密文与验证摘要信息之间的差异对客户端的身份进行验证。Step 304: In response to the successful matching between the user counter and the service counter, verify the identity of the client according to the difference between the standard ciphertext and the verification digest information.
如图4所示,如果用户计数器CT与服务计数器N匹配成功,则可以比较 标准密文D与验证摘要信息Dc,参考标准密文D与验证摘要信息Dc之间的差异,对客户端Client进行身份验证。As shown in Figure 4, if the user counter CT and the service counter N are successfully matched, the standard ciphertext D and the verification digest information Dc can be compared, and the difference between the standard ciphertext D and the verification digest information Dc can be compared, and the Authentication.
在一种身份验证的方式中,为提高容错的能力,保证客户端Client正常进行身份验证,可从客户端Client的注册参数提取目标数值N maxIn an authentication method, in order to improve the fault tolerance capability and ensure the normal authentication of the client client, the target value N max can be extracted from the registration parameter of the client client.
在本方式中,以目标数值N max与用户计数器CT之间的差值作为计算摘要的次数、对验证摘要信息D c生成摘要信息,生成的摘要信息作为中间摘要信息D 2,表示如下: In this method, the difference between the target value N max and the user counter CT is used as the number of times to calculate the digest, and the digest information is generated for the verification digest information D c , and the generated digest information is used as the intermediate digest information D 2 , which is expressed as follows:
Figure PCTCN2021109292-appb-000003
Figure PCTCN2021109292-appb-000003
按照预设的加密方式对中间摘要信息D 2进行加密,获得验证密文D′。 The intermediate digest information D2 is encrypted according to a preset encryption method to obtain the verification ciphertext D'.
示例性地,可从客户端Client的注册参数中提取随机数Salt,将中间摘要信息D 2与随机数Salt组合为验证数组,如随机数Salt衔接在中间摘要信息D 2的尾部,将随机数Salt插入在中间摘要信息D 2指定的字节之后,等等。 Exemplarily, the random number Salt can be extracted from the registration parameters of the client client, and the intermediate summary information D 2 and the random number Salt can be combined into a verification array. For example, the random number Salt is connected to the tail of the intermediate summary information D 2 , and the random number Salt is inserted after the bytes specified by the intermediate digest information D2, and so on .
对验证数组计算摘要信息,计算出的摘要信息作为验证密文D′,则标准密文D′表示为:Calculate the digest information for the verification array, and use the calculated digest information as the verification ciphertext D', then the standard ciphertext D' is expressed as:
D′=H(D 2|Salt) D'=H(D 2 |Salt)
将验证密文D′与标准密文D进行比较。The verification ciphertext D' is compared with the standard ciphertext D.
若验证密文D′与标准密文D相同(即D′=D),则确定对客户端的身份验证成功。If the verification ciphertext D' is the same as the standard ciphertext D (ie D'=D), it is determined that the authentication of the client is successful.
若验证密文D′与标准密文D不同(即D′≠D),则确定对客户端的身份验证失败。If the verification ciphertext D' is different from the standard ciphertext D (ie D'≠D), it is determined that the authentication of the client fails.
例如,标准密文与验证摘要信息之间的差异,可表征为,标准密文与验证密文之间的差异。其中,可根据验证摘要信息确定对应的验证密文。For example, the difference between the standard ciphertext and the verification digest information can be characterized as the difference between the standard ciphertext and the verification ciphertext. The corresponding verification ciphertext may be determined according to the verification summary information.
在本实施例中,以目标数值与用户计数器之间的差值作为计算摘要的次数、对验证摘要信息生成摘要信息,生成的摘要信息作为中间摘要信息,按照预设的加密方式对中间摘要信息进行加密,获得验证密文,将验证密文与标准密文进行比较,对客户端的身份进行验证,可对客户端运行出现错误导致计数错误的情况实现容错,提高身份验证的成功率,避免客户端反复进行身份验证。In this embodiment, the difference between the target value and the user counter is used as the number of times to calculate the digest, and digest information is generated for the verification digest information, and the generated digest information is used as the intermediate digest information, and the intermediate digest information is encrypted according to a preset encryption method. Perform encryption, obtain the verification ciphertext, compare the verification ciphertext with the standard ciphertext, and verify the identity of the client, which can achieve fault tolerance for the situation where the client runs incorrectly and causes a count error, improves the success rate of authentication, and avoids the need for customers to The terminal is repeatedly authenticated.
在一个示例中,假设目标数值N max=100,服务计数器N=90,用户计数器CT=80。 In one example, assume the target value N max =100, the service counter N=90, and the user counter CT=80.
在注册时,服务端Server可生成标准摘要信息D 1=H 100(password),则可生成标准密文D=H(D 1|Salt)=H(H 100(password)|Salt)。 During registration, the server server can generate standard digest information D 1 =H 100 (password), and then can generate standard cipher text D=H(D 1 |Salt)=H(H 100 (password)|Salt).
在验证时,客户端Client生成验证摘要信息D c=H 80(password),服务端Server 在确定用户计数器CT(即80)<服务计数器N(即90),计算中间摘要信息D 2=H 100-80(H 80(password))=H 100(password),相应地,可生成验证密文D′=H(H 100(password)|Salt)。 During verification, the client client generates verification summary information D c =H 80 (password), and the server server determines the user counter CT (ie 80) < service counter N (ie 90), and calculates the intermediate summary information D 2 =H 100 -80 (H 80 (password))=H 100 (password), correspondingly, the verification ciphertext D′=H (H 100 (password)|Salt) can be generated.
因此,标准密文D=验证密文D′,客户端Client的身份验证成功。Therefore, the standard ciphertext D=verified ciphertext D', and the authentication of the client client Client succeeds.
此外,在非容错的情况下,可按照预设的加密方式对验证摘要信息D c进行加密,获得验证密文D′,将验证密文D′与标准密文D进行比较,对客户端的身份进行验证。 In addition, in the case of non-fault tolerance, the verification digest information D c can be encrypted according to the preset encryption method to obtain the verification ciphertext D', and the verification ciphertext D' is compared with the standard ciphertext D to verify the identity of the client. authenticating.
在验证的流程中,接收客户端发送的验证请求,验证请求包括用户名、验证摘要信息、用户计数器,验证摘要信息为以用户计数器作为计算摘要的次数、对口令计算摘要,生成的摘要信息,查找在客户端注册时记录的、与用户名关联的注册参数,注册参数包括服务计数器、标准密文,将用户计数器与服务计数器进行匹配,以检测在身份验证时用户计数器的降低数值与服务计数器的降低数值的一致性,响应于用户计数器与服务计数器匹配成功,根据标准密文与验证摘要信息之间的差异对客户端的身份进行验证。本实施例一方面,在1-RTT(一次交互)内,客户端完成口令的验证,减少了RTT的次数,降低了验证的耗时,另一方面,利用单向散列函数的不可逆性,在验证的过程中递减对口令计算摘要的次数,能够防止口令在网络传输过程中的窃听攻击和重放攻击,以及,防止口令在存储时面临的潜在的字典攻击,提高了用户身份的安全性。In the verification process, the verification request sent by the client is received, and the verification request includes the user name, verification summary information, and user counter. Look up the registration parameters associated with the username recorded at the time of client registration, the registration parameters include the service counter, standard ciphertext, and match the user counter with the service counter to detect the decrease of the user counter and the service counter during authentication In response to a successful match between the user counter and the service counter, the identity of the client is verified according to the difference between the standard ciphertext and the verification digest information. In this embodiment, on the one hand, within 1-RTT (one interaction), the client completes the verification of the password, which reduces the number of RTTs and reduces the time-consuming of verification. On the other hand, using the irreversibility of the one-way hash function, During the verification process, the number of times to calculate the digest of the password is decreased, which can prevent the eavesdropping attack and replay attack of the password in the network transmission process, and prevent the potential dictionary attack when the password is stored, which improves the security of the user's identity. .
实施例三Embodiment 3
图5为本申请实施例三提供的一种身份验证方法的流程图,本实施例以前述实施例为基础,增加验证响应的操作,该方法包括如下步骤:5 is a flowchart of an identity verification method provided in Embodiment 3 of the present application. Based on the foregoing embodiment, this embodiment adds an operation of verifying a response, and the method includes the following steps:
步骤501、接收客户端发送的验证请求。Step 501: Receive a verification request sent by a client.
其中,验证请求包括用户名username、验证摘要信息Dc、用户计数器CT,验证摘要信息Dc为以用户计数器CT作为计算摘要的次数、对口令生成的摘要信息。The verification request includes the username username, verification summary information Dc, and user counter CT, and the verification summary information Dc is the summary information generated for the password using the user counter CT as the number of times of calculating the digest and the password.
步骤502、查找在客户端注册时记录的、与用户名关联的注册参数。 Step 502 , look up the registration parameters associated with the user name recorded when the client is registered.
其中,注册参数包括服务计数器N、标准密文D。The registration parameters include service counter N and standard ciphertext D.
步骤503、将用户计数器与服务计数器进行匹配,以检测在身份验证时用户计数器的降低数值与服务计数器的降低数值的一致性。Step 503: Match the user counter with the service counter to detect the consistency between the decreasing value of the user counter and the decreasing value of the service counter during authentication.
步骤504、响应于用户计数器与服务计数器匹配失败,确定对客户端的身份验证失败。Step 504: In response to the failure to match the user counter with the service counter, determine that the authentication of the client fails.
如图4所示,如果用户计数器CT与服务计数器N匹配失败(如CT>N),客户端Client可能出现重放攻击的情况,则可以认定对客户端Client的身份验证失败,停止对客户端Client的身份进行验证,防止重放攻击,保护用户数据安全。As shown in Figure 4, if the user counter CT fails to match the service counter N (for example, CT>N), the client Client may experience a replay attack. The identity of the client is verified to prevent replay attacks and protect user data security.
步骤505、响应于用户计数器与服务计数器匹配成功,根据标准密文与验证摘要信息之间的差异对客户端的身份进行验证。Step 505: In response to the successful matching between the user counter and the service counter, verify the identity of the client according to the difference between the standard ciphertext and the verification digest information.
步骤506、响应于对客户端的身份验证成功,降低用户计数器的数值。Step 506: Decrease the value of the user counter in response to the successful authentication of the client.
步骤507、将降低数值之后的用户计数器赋值给服务计数器。Step 507: Assign the user counter after the reduced value to the service counter.
如图4所示,在客户端的身份验证成功的情况下,服务端Server可生成表示验证成功的标识,如success,将表示验证成功的标识封装验证响应M 22中。 As shown in FIG. 4 , in the case that the authentication of the client is successful, the server of the server may generate an identification indicating successful authentication, such as success, and encapsulate the identification indicating successful authentication into the authentication response M22 .
此外,客户端Client的用户计数器CT与服务端Server的服务计数器N,均设置为记录使用串行单向散列函数对口令password计算摘要的次数。In addition, the user counter CT of the client client and the service counter N of the server server are both set to record the number of times the digest of the password is calculated using the serial one-way hash function.
在本实施例中,利用单向散列函数的单向性,即从摘要信息至原数据之间具有不可逆性,在客户端的身份验证成功的情况下,对客户端Client的用户计数器CT与服务端Server的服务计数器N进行递减,防止口令password在网络传输过程中的重放攻击。In this embodiment, the one-way property of the one-way hash function is used, that is, the relationship from the summary information to the original data is irreversible. In the case that the authentication of the client is successful, the user counter CT of the client and the service The service counter N of the end server is decremented to prevent the replay attack of the password during network transmission.
例如,客户端Client在上一次验证身份时,对口令password计算了5次摘要,表示为H 5(password),在本次验证身份时,对口令password计算了4次摘要,表示为H 4(password),假设在网络传输过程中,攻击者拦截了H 5(password),鉴于单向散列函数的单向性,攻击者难以从H 5(password)重放至H 4(password)。 For example, when the client client authenticated the identity last time, it calculated 5 digests for the password, which is represented as H 5 (password) . password), assuming that the attacker intercepts H 5 (password) during network transmission, given the one-way nature of the one-way hash function, it is difficult for the attacker to replay from H 5 (password) to H 4 (password).
在一实施例中,为了尽可能提高客户端Client的用户计数器CT与服务端Server的服务计数器N的使用时长,减少重新注册的频次,客户端Client的用户计数器CT与服务端Server的服务计数器N每次降低的数值为最小单位的数值,如1,即降低数值的过程可表示如下:In one embodiment, in order to maximize the duration of use of the user counter CT of the client client and the service counter N of the server server, and reduce the frequency of re-registration, the user counter CT of the client client and the service counter N of the server server The value reduced each time is the value of the smallest unit, such as 1, that is, the process of reducing the value can be expressed as follows:
N=CT-1N=CT-1
N=CT-1表示,对用户计数器CT进行减1操作,将CT-1的数值赋予服务计数器N。N=CT-1 means that the user counter CT is decremented by 1, and the value of CT-1 is assigned to the service counter N.
为了防止重放攻击,提高口令password在网络传输过程中的安全性,除了可设置最小单位的数值(如1)之外,也可以设置其他数值,例如,2、3、4,等等。In order to prevent replay attacks and improve the security of the password during network transmission, in addition to the minimum unit value (such as 1), other values can also be set, such as 2, 3, 4, and so on.
步骤508、将服务计数器发送至客户端。Step 508: Send the service counter to the client.
如图4所示,服务端Server在降低服务计数器N的数值之后,可将服务计 数器N封装至验证响应M 22中,并将验证响应M 22发送至客户端。 As shown in FIG. 4 , after reducing the value of the service counter N, the server server can encapsulate the service counter N into the verification response M 22 and send the verification response M 22 to the client.
客户端Client在接收到验证响应M 22之后,从验证响应M 22中读取表示验证成功的标识,如success,以及,服务计数器N。一方面,客户端Client基于表示验证成功的标识进行业务操作,如执行登录、支付等操作,另一方面,将服务计数器N赋值给本地的用户计数器CT,即CT=N,降低本地的用户计数器CT的数值,并与服务端Server的服务计数器N保持一致,保证后续验证的准确性。 After receiving the verification response M 22 , the client Client reads, from the verification response M 22 , an identifier indicating successful verification, such as success, and a service counter N. On the one hand, the client Client performs business operations based on the identifier indicating successful authentication, such as performing operations such as login and payment, on the other hand, assigns the service counter N to the local user counter CT, that is, CT=N, and reduces the local user counter The value of CT is consistent with the service counter N of the server server to ensure the accuracy of subsequent verification.
步骤509、响应于服务计数器小于或等于预设的阈值,通知客户端修改口令、以重新注册。Step 509: In response to the service counter being less than or equal to the preset threshold, notify the client to modify the password to re-register.
在本实施例中,服务端Server可检查服务计数器N,将服务计数器N的数值与预设的阈值进行比较,如果服务计数器N的数值小于或等于该阈值,表示服务计数器N的数值较低,为避免服务计数器N耗尽导致无法进行身份验证,可发送提示消息至客户端Server,提示用户修改口令password,重新进行注册,变更口令,保证用户数据的安全性。In this embodiment, the server server can check the service counter N, and compare the value of the service counter N with a preset threshold. If the value of the service counter N is less than or equal to the threshold, it means that the value of the service counter N is low, To avoid the failure of authentication due to the exhaustion of the service counter N, a prompt message can be sent to the client server, prompting the user to modify the password, re-register, and change the password to ensure the security of user data.
通过设置计数器数值的可降低机制,也尽可能提高了客户端Client的用户计数器CT与服务端Server的服务计数器N的使用时长,减少了重新注册的频次。By setting the mechanism for reducing the counter value, the usage time of the user counter CT of the client client and the service counter N of the server server is also increased as much as possible, and the frequency of re-registration is reduced.
步骤510、响应于对客户端的身份验证失败,将服务计数器发送至客户端。Step 510: In response to the authentication failure of the client, send the service counter to the client.
如图4所示,对于客户端Client的身份验证失败的情况,可能是用户计数器CT与服务计数器N匹配失败,也可能是根据标准密文D与验证摘要信息Dc之间的差异不满足验证的条件。As shown in Figure 4, for the case where the authentication of the client client fails, it may be that the user counter CT fails to match the service counter N, or the difference between the standard ciphertext D and the verification digest information Dc does not satisfy the verification. condition.
一方面,服务端Server可生成表示验证失败的标识,如failure,将表示验证失败的标识封装验证响应M 22中,另一方面,服务端Server将本地的服务计数器N封装至验证响应M 22中,并将验证响应M 22发送至客户端Client。 On the one hand, the server server can generate an identifier indicating a verification failure, such as failure, and encapsulate the identifier representing the verification failure in the verification response M22 ; on the other hand, the server server encapsulates the local service counter N into the verification response M22 . , and send the verification response M 22 to the client client.
客户端Client在接收到验证响应M 22之后,从验证响应M 22中读取表示验证失败的标识,如failure,以及,服务计数器N,一方面,客户端Client基于表示验证失败的标识进行业务操作,如提示身份验证失败,禁止登录、支付等操作,另一方面,将服务计数器N赋值给本地的用户计数器CT,即CT=N,客户端本地的用户计数器CT与服务端Server的服务计数器N保持一致,减少因客户端运行出错、网络传输出错等因素造成验证失败的情况。 After receiving the verification response M 22 , the client Client reads the identification indicating the verification failure, such as failure, and the service counter N, from the verification response M 22. On the one hand, the client Client performs business operations based on the identification indicating the verification failure. , such as prompting authentication failure, prohibit login, payment and other operations, on the other hand, assign the service counter N to the local user counter CT, that is, CT=N, the local user counter CT of the client and the service counter N of the server server Keep it consistent and reduce authentication failures caused by client operation errors, network transmission errors, and other factors.
另一实施例another embodiment
本申请另一实施例提供的一种身份注册方法,该方法包括如下步骤:An identity registration method provided by another embodiment of the present application includes the following steps:
接收客户端发送的注册请求,所述注册请求包括用户名、口令;Receive a registration request sent by the client, where the registration request includes a user name and a password;
设置目标数值,以所述目标数值作为计算摘要的次数、对所述口令生成摘要信息,生成的摘要信息作为标准摘要信息;A target value is set, and the target value is used as the number of times to calculate the digest, and digest information is generated for the password, and the generated digest information is used as standard digest information;
对所述标准摘要信息进行加密,获得标准密文;Encrypting the standard digest information to obtain standard ciphertext;
将所述目标数值赋值给服务计数器;assigning the target value to the service counter;
将所述用户名、所述标准密文、所述服务计数器与所述目标数值作为注册参数进行存储;storing the username, the standard ciphertext, the service counter and the target value as registration parameters;
将所述服务计数器发送至所述客户端,其中所述客户端设置为将所述服务计数器的数值赋值给本地的用户计数器。Sending the service counter to the client, wherein the client is configured to assign the value of the service counter to a local user counter.
在一实施例中,所述对所述标准摘要信息进行加密,获得标准密文,包括:In an embodiment, the encrypting the standard digest information to obtain standard ciphertext includes:
随机生成一数值,作为随机数;Randomly generate a value as a random number;
将所述标准摘要信息与所述随机数组合为注册数组;combining the standard summary information and the random number into a registration array;
对所述注册数组计算摘要信息,获得标准密文;Calculate summary information for the registration array to obtain standard ciphertext;
所述将所述用户名、所述标准密文、所述服务计数器与所述目标数值作为注册参数进行存储,包括:The storing of the user name, the standard ciphertext, the service counter and the target value as registration parameters includes:
将所述用户名、所述标准密文、所述服务计数器、所述目标数值与所述随机数作为注册参数进行存储。The user name, the standard ciphertext, the service counter, the target value and the random number are stored as registration parameters.
为了简化描述,将方法实施例表述为一类方式的动作组合,但是本领域技术人员应该知悉,本申请实施例并不受所描述的动作顺序的限制,因为依据本申请实施例,部分步骤可以采用其他顺序或者同时进行。In order to simplify the description, the method embodiments are expressed as a combination of actions in a type of manner, but those skilled in the art should know that the embodiments of the present application are not limited by the described sequence of actions, because according to the embodiments of the present application, some steps may be In another order or simultaneously.
实施例四Embodiment 4
图6为本申请实施例四提供的一种身份验证装置的结构框图,可以包括如下模块:6 is a structural block diagram of an identity verification device provided in Embodiment 4 of the present application, which may include the following modules:
验证请求接收模块601,设置为接收客户端发送的验证请求,所述验证请求包括用户名、验证摘要信息、用户计数器,所述验证摘要信息为以所述用户计数器作为计算摘要的次数、对口令计算摘要,生成的摘要信息;The verification request receiving module 601 is configured to receive a verification request sent by a client, the verification request includes a user name, verification summary information, and a user counter, and the verification summary information is the user counter as the number of times to calculate the summary, the corresponding password Calculate the summary, the generated summary information;
注册参数查找模块602,设置为查找在所述客户端注册时记录的、与所述用户名关联的注册参数,所述注册参数包括服务计数器、标准密文;A registration parameter search module 602, configured to search for the registration parameters associated with the user name recorded when the client registers, the registration parameters include a service counter and a standard ciphertext;
计数器匹配模块603,设置为将所述用户计数器与所述服务计数器进行匹 配,以检测在身份验证时所述用户计数器的降低数值与所述服务计数器的降低数值的一致性; Counter matching module 603 is configured to match the user counter with the service counter, to detect the consistency of the reduced value of the user counter and the reduced value of the service counter during identity verification;
差异验证模块604,设置为响应于所述用户计数器与所述服务计数器匹配成功,根据所述标准密文与所述验证摘要信息之间的差异对所述客户端的身份进行验证。The difference verification module 604 is configured to verify the identity of the client according to the difference between the standard ciphertext and the verification digest information in response to the successful matching between the user counter and the service counter.
在本申请的一个实施例中,所述计数器匹配模块603包括:In an embodiment of the present application, the counter matching module 603 includes:
计数器比较子模块,设置为对所述用户计数器与所述服务计数器进行比较;a counter comparison submodule, configured to compare the user counter with the service counter;
匹配成功子模块,设置为响应于所述用户计数器小于或等于所述服务计数器,确定所述用户计数器与所述服务计数器匹配成功;A matching success submodule, configured to determine that the user counter and the service counter are successfully matched in response to the user counter being less than or equal to the service counter;
匹配失败子模块,设置为响应于所述用户计数器大于所述服务计数器,确定所述用户计数器与所述服务计数器匹配失败。A matching failure submodule, configured to determine that the user counter fails to match the service counter in response to the user counter being greater than the service counter.
在本申请的一个实施例中,所述注册参数还包括目标数值;In an embodiment of the present application, the registration parameter further includes a target value;
所述差异验证模块604包括:The difference verification module 604 includes:
中间摘要信息计算子模块,设置为以所述目标数值与所述用户计数器之间的差值作为计算摘要的次数、对所述验证摘要信息生成摘要信息,生成的摘要信息作为中间摘要信息;an intermediate summary information calculation submodule, configured to use the difference between the target value and the user counter as the number of times to calculate the summary, generate summary information for the verification summary information, and use the generated summary information as the intermediate summary information;
验证密文加密子模块,设置为对所述中间摘要信息进行加密,获得验证密文;A verification ciphertext encryption submodule, configured to encrypt the intermediate digest information to obtain a verification ciphertext;
验证成功子模块,设置为响应于所述验证密文与所述标准密文相同,确定对所述客户端的身份验证成功;A verification success submodule, configured to determine that the authentication of the client is successful in response to the verification ciphertext being the same as the standard ciphertext;
验证失败子模块,设置为响应于所述验证密文与所述标准密文不同,确定对所述客户端的身份验证失败。The verification failure submodule is configured to determine that the authentication of the client fails in response to the verification ciphertext being different from the standard ciphertext.
在本申请的一个实施例中,所述注册参数还包括随机数;In an embodiment of the present application, the registration parameter further includes a random number;
所述验证密文加密子模块包括:The verification ciphertext encryption submodule includes:
验证数组组合单元,设置为将所述中间摘要信息与所述随机数组合为验证数组;A verification array combination unit, configured to combine the intermediate digest information and the random number into a verification array;
验证密文计算单元,设置为对所述验证数组计算摘要信息,计算出的摘要信息作为验证密文。The verification ciphertext calculation unit is configured to calculate digest information for the verification array, and the calculated digest information is used as the verification ciphertext.
在本申请的一个实施例中,还包括:In an embodiment of the present application, it also includes:
数值降低模块,设置为响应于对所述客户端的身份验证成功,降低所述用户计数器的数值;A numerical value reduction module, configured to reduce the numerical value of the user counter in response to the successful authentication of the client;
降值赋值模块,设置为将降低数值之后的所述用户计数器赋值给所述服务 计数器;A lowering value assignment module is set to assign the user counter after the lowering value to the service counter;
第一计数器同步模块,设置为将所述服务计数器发送至所述客户端,其中所述客户端设置为将所述服务计数器赋值给本地的用户计数器。The first counter synchronization module is configured to send the service counter to the client, wherein the client is configured to assign the service counter to a local user counter.
在本申请的一个实施例中,还包括:In an embodiment of the present application, it also includes:
验证失败确定模块,设置为响应于所述用户计数器与所述服务计数器匹配失败,确定对所述客户端的身份验证失败;A verification failure determination module, configured to determine that the authentication of the client has failed in response to the failure to match the user counter with the service counter;
第二计数器同步模块,设置为响应于对所述客户端的身份验证失败,将所述服务计数器发送至所述客户端,其中所述客户端设置为将所述服务计数器赋值给本地的用户计数器。The second counter synchronization module is configured to send the service counter to the client in response to the authentication failure of the client, wherein the client is configured to assign the service counter to a local user counter.
在本申请的一个实施例中,还包括:In an embodiment of the present application, it also includes:
更新通知模块,设置为响应于所述服务计数器小于或等于预设的阈值,通知所述客户端修改口令。An update notification module, configured to notify the client to modify the password in response to the service counter being less than or equal to a preset threshold.
在本申请的一个实施例中,还包括:In an embodiment of the present application, it also includes:
注册请求接收模块,设置为接收客户端发送的注册请求,所述注册请求包括用户名、口令;a registration request receiving module, configured to receive a registration request sent by the client, where the registration request includes a user name and a password;
标准摘要信息计算模块,设置为设置目标数值,以所述目标数值作为计算摘要的次数、对所述口令生成摘要信息,生成的摘要信息作为标准摘要信息;A standard summary information calculation module, configured to set a target numerical value, using the target numerical value as the number of times of calculating the summary, generating summary information for the password, and the generated summary information as the standard summary information;
标准密文加密模块,设置为对所述标准摘要信息进行加密,获得标准密文;a standard ciphertext encryption module, configured to encrypt the standard digest information to obtain a standard ciphertext;
目标数值赋值模块,设置为将所述目标数值赋值给服务计数器;A target value assignment module, configured to assign the target value to a service counter;
注册参数存储模块,设置为将所述用户名、所述标准密文、所述服务计数器与所述目标数值作为注册参数进行存储;a registration parameter storage module, configured to store the user name, the standard ciphertext, the service counter and the target value as registration parameters;
第三计数器同步模块,设置为将所述服务计数器发送至所述客户端,其中所述客户端设置为将所述服务计数器的数值赋值给本地的用户计数器。A third counter synchronization module is configured to send the service counter to the client, wherein the client is configured to assign the value of the service counter to a local user counter.
在本申请的一个实施例中,所述标准密文加密模块包括:In an embodiment of the present application, the standard ciphertext encryption module includes:
随机数生成子模块,设置为随机生成一数值,作为随机数;The random number generation sub-module is set to randomly generate a value as a random number;
注册数组组合子模块,设置为将所述标准摘要信息与所述随机数组合为注册数组;A registration array combination submodule, configured to combine the standard abstract information and the random number into a registration array;
标准密文计算子模块,设置为对所述注册数组计算摘要信息,获得标准密文;A standard ciphertext calculation submodule, configured to calculate summary information for the registration array to obtain standard ciphertext;
所述注册参数存储模块还设置为:The registration parameter storage module is also set to:
将所述用户名、所述标准密文、所述服务计数器、所述目标数值与所述随机数作为注册参数进行存储。The user name, the standard ciphertext, the service counter, the target value and the random number are stored as registration parameters.
本申请实施例所提供的身份验证装置可执行本申请任意实施例所提供的身份验证方法,具备执行方法相应的功能模块和有益效果。The identity verification device provided by the embodiment of the present application can execute the identity verification method provided by any embodiment of the present application, and has corresponding functional modules and beneficial effects of the execution method.
另一实施例another embodiment
本申请另一实施例提供的一种身份注册装置,包括:An identity registration device provided by another embodiment of the present application includes:
注册请求接收模块,设置为接收客户端发送的注册请求,所述注册请求包括用户名、口令;a registration request receiving module, configured to receive a registration request sent by the client, where the registration request includes a user name and a password;
标准摘要信息计算模块,设置为设置目标数值,以所述目标数值作为计算摘要的次数、对所述口令生成摘要信息,生成的摘要信息作为标准摘要信息;A standard summary information calculation module, configured to set a target numerical value, using the target numerical value as the number of times of calculating the summary, generating summary information for the password, and the generated summary information as the standard summary information;
标准密文加密模块,设置为对所述标准摘要信息进行加密,获得标准密文;a standard ciphertext encryption module, configured to encrypt the standard digest information to obtain a standard ciphertext;
目标数值赋值模块,设置为将所述目标数值赋值给服务计数器;A target value assignment module, configured to assign the target value to a service counter;
注册参数存储模块,设置为将所述用户名、所述标准密文、所述服务计数器与所述目标数值作为注册参数进行存储;a registration parameter storage module, configured to store the user name, the standard ciphertext, the service counter and the target value as registration parameters;
第三计数器同步模块,设置为将所述服务计数器发送至所述客户端,其中所述客户端设置为将所述服务计数器的数值赋值给本地的用户计数器。A third counter synchronization module is configured to send the service counter to the client, wherein the client is configured to assign the value of the service counter to a local user counter.
在本申请的一个实施例中,所述标准密文加密模块包括:In an embodiment of the present application, the standard ciphertext encryption module includes:
随机数生成子模块,设置为随机生成一数值,作为随机数;The random number generation sub-module is set to randomly generate a value as a random number;
注册数组组合子模块,设置为将所述标准摘要信息与所述随机数组合为注册数组;A registration array combination submodule, configured to combine the standard abstract information and the random number into a registration array;
标准密文计算子模块,设置为对所述注册数组计算摘要信息,获得标准密文;A standard ciphertext calculation submodule, configured to calculate summary information for the registration array to obtain standard ciphertext;
所述注册参数存储模块还设置为:The registration parameter storage module is also set to:
将所述用户名、所述标准密文、所述服务计数器、所述目标数值与所述随机数作为注册参数进行存储。The user name, the standard ciphertext, the service counter, the target value and the random number are stored as registration parameters.
实施例五Embodiment 5
图7为本申请实施例五提供的一种计算机设备的结构示意图。图7示出了适于实现本申请实施方式的示例性计算机设备12的框图。图7显示的计算机设备12仅仅是一个示例。FIG. 7 is a schematic structural diagram of a computer device according to Embodiment 5 of the present application. FIG. 7 shows a block diagram of an exemplary computer device 12 suitable for implementing embodiments of the present application. The computer device 12 shown in FIG. 7 is only one example.
如图7所示,计算机设备12以通用计算设备的形式表现。计算机设备12的组件可以包括:一个或者多个处理器或者处理单元16,系统存储器28,连接不同系统组件的总线18,不同系统组件包括系统存储器28和处理单元16。As shown in FIG. 7, computer device 12 takes the form of a general-purpose computing device. Components of computer device 12 may include: one or more processors or processing units 16 , system memory 28 , and bus 18 connecting various system components including system memory 28 and processing unit 16 .
计算机设备12典型地包括多种计算机系统可读介质,这些介质包括易失性和非易失性介质,可移动的和不可移动的介质。 Computer device 12 typically includes a variety of computer system readable media, including both volatile and nonvolatile media, removable and non-removable media.
系统存储器28可以包括易失性存储器形式的计算机系统可读介质,例如随机存取存储器(Random Access Memory,RAM)30和/或高速缓存32。计算机设备12可以包括其它可移动/不可移动的、易失性/非易失性计算机系统存储介质。仅作为举例,存储系统34可以设置为读写不可移动的、非易失性磁介质。系统存储器28可以包括至少一个程序产品,该程序产品具有一组(例如至少一个)程序模块,这些程序模块被配置以执行本申请多实施例的功能。 System memory 28 may include computer system readable media in the form of volatile memory, such as random access memory (RAM) 30 and/or cache 32 . Computer device 12 may include other removable/non-removable, volatile/non-volatile computer system storage media. For example only, storage system 34 may be configured to read and write to non-removable, non-volatile magnetic media. System memory 28 may include at least one program product having a set (eg, at least one) of program modules configured to perform the functions of various embodiments of the present application.
具有一组(例如至少一个)程序模块42的程序/实用工具40,可以存储在例如存储器28中,程序模块42通常执行本申请所描述的实施例中的功能和/或方法。A program/utility 40 having a set (eg, at least one) of program modules 42 , which may generally perform the functions and/or methods of the embodiments described herein, may be stored, for example, in memory 28 .
计算机设备12也可以与一个或多个外部设备14(例如键盘、指向设备、显示器24等)通信。这种通信可以通过输入/输出(I/O)接口22进行。并且,计算机设备12还可以通过网络适配器20与一个或者多个网络通信。如图7所示,网络适配器20通过总线18与计算机设备12的其它模块通信。可以结合计算机设备12使用其它硬件和/或软件模块。 Computer device 12 may also communicate with one or more external devices 14 (eg, keyboard, pointing device, display 24, etc.). Such communication may take place through input/output (I/O) interface 22 . Also, computer device 12 may communicate with one or more networks through network adapter 20 . As shown in FIG. 7 , network adapter 20 communicates with other modules of computer device 12 via bus 18 . Other hardware and/or software modules may be used in conjunction with computer device 12 .
处理单元16通过运行存储在系统存储器28中的程序,执行多种功能应用以及数据处理,例如实现本申请实施例所提供的身份验证方法。The processing unit 16 executes a variety of functional applications and data processing by running programs stored in the system memory 28, for example, to implement the identity verification method provided by the embodiments of the present application.
实施例六Embodiment 6
本申请实施例六还提供一种计算机可读存储介质,计算机可读存储介质上存储有计算机程序,该计算机程序被处理器执行时实现上述身份验证方法的多个过程,且能达到相同的技术效果,为避免重复,这里不再赘述。Embodiment 6 of the present application also provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, multiple processes of the above-mentioned identity verification method are implemented, and the same technology can be achieved. The effect, in order to avoid repetition, is not repeated here.
其中,计算机可读存储介质例如可以包括电、磁、光、电磁、红外线、或半导体的系统、装置或器件,或者任意以上的组合。计算机可读存储介质的例子包括:具有一个或多个导线的电连接、便携式计算机磁盘、硬盘、随机存取存储器(RAM)、只读存储器(ROM)、可擦式可编程只读存储器(Erasable Programmable Read-Only Memory,EPROM)、闪存、光纤、便携式紧凑磁盘只读存储器(CD-ROM)、光存储器件、磁存储器件、或者上述的任意合适的组合,非穷举的列表。在本文件中,计算机可读存储介质可以是任何包含或存储程序的有形介质,该程序可以被指令执行系统、装置或者器件使用或者结合使用。The computer-readable storage medium may include, for example, electrical, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatuses or devices, or any combination of the above. Examples of computer-readable storage media include: electrical connections with one or more wires, portable computer disks, hard disks, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (Erasable Programmable Read-Only Memory (EPROM), flash memory, fiber optics, portable compact disk read only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing, a non-exhaustive list. In this document, a computer-readable storage medium can be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device.

Claims (12)

  1. 一种身份验证方法,包括:An authentication method that includes:
    接收客户端发送的验证请求,所述验证请求包括用户名、验证摘要信息、用户计数器,所述验证摘要信息为以所述用户计数器作为计算摘要的次数、对口令计算摘要,生成的摘要信息;Receive a verification request sent by the client, where the verification request includes a user name, verification summary information, and a user counter, and the verification summary information is the summary information generated by using the user counter as the number of times to calculate the summary and the password calculation summary;
    查找在所述客户端注册时记录的、与所述用户名关联的注册参数,所述注册参数包括服务计数器、标准密文;Find the registration parameters associated with the username recorded when the client registers, where the registration parameters include a service counter and standard ciphertext;
    将所述用户计数器与所述服务计数器进行匹配,以检测在身份验证时所述用户计数器的降低数值与所述服务计数器的降低数值的一致性;matching the user counter with the service counter to detect the consistency of the decreasing value of the user counter with the decreasing value of the service counter upon authentication;
    响应于所述用户计数器与所述服务计数器匹配成功,根据所述标准密文与所述验证摘要信息之间的差异对所述客户端的身份进行验证。In response to a successful match between the user counter and the service counter, the identity of the client is verified according to the difference between the standard ciphertext and the verification digest information.
  2. 根据权利要求1所述的方法,其中,所述将所述用户计数器与所述服务计数器进行匹配,以检测在身份验证时所述用户计数器的降低数值与所述服务计数器的降低数值的一致性,包括:10. The method of claim 1, wherein the matching of the user counter with the service counter to detect consistency of a decrease in the user counter with a decrease in the service counter upon authentication ,include:
    对所述用户计数器与所述服务计数器进行比较;comparing the user counter with the service counter;
    响应于所述用户计数器小于或等于所述服务计数器,确定所述用户计数器与所述服务计数器匹配成功;In response to the user counter being less than or equal to the service counter, determining that the user counter is successfully matched with the service counter;
    响应于所述用户计数器大于所述服务计数器,确定所述用户计数器与所述服务计数器匹配失败。In response to the user counter being greater than the service counter, it is determined that the user counter fails to match the service counter.
  3. 根据权利要求1所述的方法,其中,所述注册参数还包括目标数值;The method of claim 1, wherein the registration parameter further includes a target value;
    所述根据所述标准密文与所述验证摘要信息之间的差异对所述客户端的身份进行验证,包括:The verifying the identity of the client according to the difference between the standard ciphertext and the verification digest information includes:
    以所述目标数值与所述用户计数器之间的差值作为计算摘要的次数、对所述验证摘要信息生成摘要信息,生成的摘要信息作为中间摘要信息;Using the difference between the target value and the user counter as the number of times of calculating the digest, generating digest information for the verification digest information, and the generated digest information as the intermediate digest information;
    对所述中间摘要信息进行加密,获得验证密文;Encrypting the intermediate digest information to obtain a verification ciphertext;
    响应于所述验证密文与所述标准密文相同,确定对所述客户端的身份验证成功;In response to the verification ciphertext being the same as the standard ciphertext, determining that the authentication of the client is successful;
    响应于所述验证密文与所述标准密文不同,确定对所述客户端的身份验证失败。In response to the verification ciphertext being different from the standard ciphertext, it is determined that authentication of the client has failed.
  4. 根据权利要求3所述的方法,其中,所述注册参数还包括随机数;The method of claim 3, wherein the registration parameter further comprises a random number;
    所述对所述中间摘要信息进行加密,获得验证密文,包括:Encrypting the intermediate digest information to obtain a verification ciphertext, including:
    将所述中间摘要信息与所述随机数组合为验证数组;combining the intermediate digest information and the random number into a verification array;
    对所述验证数组计算摘要信息,计算出的摘要信息作为验证密文。Digest information is calculated for the verification array, and the calculated digest information is used as the verification ciphertext.
  5. 根据权利要求1-4任一项所述的方法,还包括:The method according to any one of claims 1-4, further comprising:
    响应于对所述客户端的身份验证成功,降低所述用户计数器的数值;decreasing the value of the user counter in response to successful authentication of the client;
    将降低数值之后的所述用户计数器赋值给所述服务计数器;assigning the user counter after decreasing the value to the service counter;
    将所述服务计数器发送至所述客户端,其中所述客户端设置为将所述服务计数器赋值给本地的用户计数器。The service counter is sent to the client, wherein the client is configured to assign the service counter to a local user counter.
  6. 根据权利要求1-4任一项所述的方法,还包括:The method according to any one of claims 1-4, further comprising:
    响应于所述用户计数器与所述服务计数器匹配失败,确定对所述客户端的身份验证失败;In response to the user counter failing to match the service counter, determining that authentication of the client has failed;
    响应于对所述客户端的身份验证失败,将所述服务计数器发送至所述客户端,其中所述客户端设置为将所述服务计数器赋值给本地的用户计数器。In response to the authentication failure of the client, the service counter is sent to the client, wherein the client is arranged to assign the service counter to a local user counter.
  7. 根据权利要求1-4任一项所述的方法,还包括:The method according to any one of claims 1-4, further comprising:
    响应于所述服务计数器小于或等于预设的阈值,通知所述客户端修改口令。In response to the service counter being less than or equal to a preset threshold, the client is notified to modify the password.
  8. 根据权利要求1-4任一项所述的方法,还包括:The method according to any one of claims 1-4, further comprising:
    接收客户端发送的注册请求,所述注册请求包括用户名、口令;Receive a registration request sent by the client, where the registration request includes a user name and a password;
    设置目标数值,以所述目标数值作为计算摘要的次数、对所述口令生成摘要信息,生成的摘要信息作为标准摘要信息;A target value is set, and the target value is used as the number of times to calculate the digest, and digest information is generated for the password, and the generated digest information is used as standard digest information;
    对所述标准摘要信息进行加密,获得标准密文;Encrypting the standard digest information to obtain standard ciphertext;
    将所述目标数值赋值给服务计数器;assigning the target value to the service counter;
    将所述用户名、所述标准密文、所述服务计数器与所述目标数值作为注册参数进行存储;storing the username, the standard ciphertext, the service counter and the target value as registration parameters;
    将所述服务计数器发送至所述客户端,其中所述客户端设置为将所述服务计数器的数值赋值给本地的用户计数器。Sending the service counter to the client, wherein the client is configured to assign the value of the service counter to a local user counter.
  9. 根据权利要求8所述的方法,其中,The method of claim 8, wherein,
    所述对所述标准摘要信息进行加密,获得标准密文,包括:Encrypting the standard digest information to obtain standard ciphertext, including:
    随机生成一数值,作为随机数;Randomly generate a value as a random number;
    将所述标准摘要信息与所述随机数组合为注册数组;combining the standard summary information and the random number into a registration array;
    对所述注册数组计算摘要信息,获得标准密文;Calculate summary information for the registration array to obtain standard ciphertext;
    所述将所述用户名、所述标准密文、所述服务计数器与所述目标数值作为注册参数进行存储,包括:The storing of the user name, the standard ciphertext, the service counter and the target value as registration parameters includes:
    将所述用户名、所述标准密文、所述服务计数器、所述目标数值与所述随机数作为注册参数进行存储。The user name, the standard ciphertext, the service counter, the target value and the random number are stored as registration parameters.
  10. 一种身份验证装置,包括:An identity verification device, comprising:
    验证请求接收模块,设置为接收客户端发送的验证请求,所述验证请求包括用户名、验证摘要信息、用户计数器,所述验证摘要信息为以所述用户计数器作为计算摘要的次数、对口令计算摘要,生成的摘要信息;The verification request receiving module is configured to receive the verification request sent by the client, the verification request includes a user name, verification summary information, and a user counter, and the verification summary information is the number of times that the user counter is used as the calculation summary, and the password is calculated. Abstract, the generated summary information;
    注册参数查找模块,设置为查找在所述客户端注册时记录的、与所述用户名关联的注册参数,所述注册参数包括服务计数器、标准密文;a registration parameter search module, configured to search for the registration parameters associated with the username recorded when the client registers, and the registration parameters include a service counter and a standard ciphertext;
    计数器匹配模块,设置为将所述用户计数器与所述服务计数器进行匹配,以检测在身份验证时所述用户计数器的降低数值与所述服务计数器的降低数值的一致性;A counter matching module, configured to match the user counter with the service counter, to detect the consistency between the reduced value of the user counter and the reduced value of the service counter during authentication;
    差异验证模块,设置为响应于所述用户计数器与所述服务计数器匹配成功,根据所述标准密文与所述验证摘要信息之间的差异对所述客户端的身份进行验证。A difference verification module, configured to verify the identity of the client according to the difference between the standard ciphertext and the verification digest information in response to a successful match between the user counter and the service counter.
  11. 一种计算机设备,所述计算机设备包括:A computer device comprising:
    至少一个处理器;at least one processor;
    存储器,设置为存储至少一个程序,memory, arranged to store at least one program,
    所述至少一个处理器设置为,执行所述至少一个程序以实现如权利要求1-9中任一所述的身份验证方法。The at least one processor is configured to execute the at least one program to implement the authentication method according to any one of claims 1-9.
  12. 一种计算机可读存储介质,所述计算机可读存储介质上存储计算机程序,所述计算机程序被处理器执行时实现如权利要求1-9中任一项所述的身份验证方法。A computer-readable storage medium, storing a computer program on the computer-readable storage medium, when the computer program is executed by a processor, the authentication method according to any one of claims 1-9 is implemented.
PCT/CN2021/109292 2020-08-31 2021-07-29 Identity authentication method and apparatus, computer device, and storage medium WO2022042198A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010895360.8 2020-08-31
CN202010895360.8A CN112055008B (en) 2020-08-31 2020-08-31 Identity authentication method and device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2022042198A1 true WO2022042198A1 (en) 2022-03-03

Family

ID=73608104

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/109292 WO2022042198A1 (en) 2020-08-31 2021-07-29 Identity authentication method and apparatus, computer device, and storage medium

Country Status (2)

Country Link
CN (1) CN112055008B (en)
WO (1) WO2022042198A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117118757A (en) * 2023-10-24 2023-11-24 长扬科技(北京)股份有限公司 Terminal login method, device, equipment and medium in industrial control environment

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112055008B (en) * 2020-08-31 2022-10-14 广州市百果园信息技术有限公司 Identity authentication method and device, computer equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045349A (en) * 2010-12-03 2011-05-04 北京航空航天大学 Time and event based one-time password generation and authentication method
CN107395627A (en) * 2017-08-22 2017-11-24 河海大学 A kind of light-weight authentication agreement based on one-way function
CN108833109A (en) * 2018-05-28 2018-11-16 苏州科达科技股份有限公司 Identity identifying method, device and electronic equipment
US20190104123A1 (en) * 2017-10-02 2019-04-04 Blackberry Limited Authenticating for a software service
US20200162451A1 (en) * 2018-11-20 2020-05-21 Imam Abdulrahman Bin Faisal University Methods, computer readable media, and systems for authentication using a text file and a one-time password
CN111586023A (en) * 2020-04-30 2020-08-25 广州市百果园信息技术有限公司 Authentication method, authentication equipment and storage medium
CN112055008A (en) * 2020-08-31 2020-12-08 广州市百果园信息技术有限公司 Identity authentication method and device, computer equipment and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931530B (en) * 2009-12-14 2012-11-28 北京神州付电子支付科技有限公司 Generation method, authentication method and device for dynamic password and network system
US9015489B2 (en) * 2010-04-07 2015-04-21 Microsoft Technology Licensing, Llc Securing passwords against dictionary attacks
CN109088890A (en) * 2018-10-18 2018-12-25 国网电子商务有限公司 A kind of identity identifying method, relevant apparatus and system
CN109815666B (en) * 2018-12-26 2020-12-25 航天信息股份有限公司 Identity authentication method and device based on FIDO protocol, storage medium and electronic equipment

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045349A (en) * 2010-12-03 2011-05-04 北京航空航天大学 Time and event based one-time password generation and authentication method
CN107395627A (en) * 2017-08-22 2017-11-24 河海大学 A kind of light-weight authentication agreement based on one-way function
US20190104123A1 (en) * 2017-10-02 2019-04-04 Blackberry Limited Authenticating for a software service
CN108833109A (en) * 2018-05-28 2018-11-16 苏州科达科技股份有限公司 Identity identifying method, device and electronic equipment
US20200162451A1 (en) * 2018-11-20 2020-05-21 Imam Abdulrahman Bin Faisal University Methods, computer readable media, and systems for authentication using a text file and a one-time password
CN111586023A (en) * 2020-04-30 2020-08-25 广州市百果园信息技术有限公司 Authentication method, authentication equipment and storage medium
CN112055008A (en) * 2020-08-31 2020-12-08 广州市百果园信息技术有限公司 Identity authentication method and device, computer equipment and storage medium

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117118757A (en) * 2023-10-24 2023-11-24 长扬科技(北京)股份有限公司 Terminal login method, device, equipment and medium in industrial control environment
CN117118757B (en) * 2023-10-24 2024-01-09 长扬科技(北京)股份有限公司 Terminal login method, device, equipment and medium in industrial control environment

Also Published As

Publication number Publication date
CN112055008B (en) 2022-10-14
CN112055008A (en) 2020-12-08

Similar Documents

Publication Publication Date Title
JP7215684B2 (en) Key exchange through a partially trusted third party
US11089032B2 (en) Signed envelope encryption
US10263969B2 (en) Method and apparatus for authenticated key exchange using password and identity-based signature
US10999272B2 (en) Authenticating and authorizing users with JWT and tokenization
EP1577736B1 (en) Efficient and secure authentication of computing systems
CN112637131B (en) User identity authentication method, device, equipment and storage medium
US11336641B2 (en) Security enhanced technique of authentication protocol based on trusted execution environment
US11018866B2 (en) Dynamic second factor authentication for cookie-based authentication
Uymatiao et al. Time-based OTP authentication via secure tunnel (TOAST): A mobile TOTP scheme using TLS seed exchange and encrypted offline keystore
WO2021047012A1 (en) Token-based identity verification method and related device
US9942042B1 (en) Key containers for securely asserting user authentication
WO2022042198A1 (en) Identity authentication method and apparatus, computer device, and storage medium
US9503442B1 (en) Credential-based application programming interface keys
CN112689014A (en) Double-full-duplex communication method and device, computer equipment and storage medium
JP2022534677A (en) Protecting online applications and web pages that use blockchain
CN112968910B (en) Replay attack prevention method and device
CN117336092A (en) Client login method and device, electronic equipment and storage medium
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN111901116B (en) Identity authentication method and system based on EAP-MD5 improved protocol
CN116527261A (en) Key recovery method, electronic device and storage medium
US20240007272A1 (en) Secure device pairing
Yevseiev et al. Mathematical models of hybrid crypto code constructions on damaged codes
Staeuble Mitigating Impersonation Attacks on Single Sign-On with Secure Hardware
CN108306883A (en) A kind of auth method and device

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21860038

Country of ref document: EP

Kind code of ref document: A1