CN100431297C - Method for preventing user's pin from illegal use by double verification protocol - Google Patents
Method for preventing user's pin from illegal use by double verification protocol Download PDFInfo
- Publication number
- CN100431297C CN100431297C CNB2005100089815A CN200510008981A CN100431297C CN 100431297 C CN100431297 C CN 100431297C CN B2005100089815 A CNB2005100089815 A CN B2005100089815A CN 200510008981 A CN200510008981 A CN 200510008981A CN 100431297 C CN100431297 C CN 100431297C
- Authority
- CN
- China
- Prior art keywords
- user
- protocol
- network
- authentication
- authenticating
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Computer And Data Communications (AREA)
- Storage Device Security (AREA)
Abstract
The present invention discloses a method for preventing user's pin from illegal use by a double verification protocol, which stores two sets of authentication protocols in authentication equipment of a client end by using the computer, network and cryptographic technique, wherein authentication protocols in one set are network authentication protocols, and authentication protocols in the other set are authentication protocols of the authentication equipment. A static password is used as partial cipher key, and the other part of cipher key is automatically generated by the authentication protocols of the authentication equipment. The two parts of cipher keys are combined into an encryption key of the symmetric encryption algorithm to encrypt and decrypt a user certificate and the network authentication protocols so as to identify the authentication equipment and control the network authentication protocols, and simultaneously, the network authentication protocols are arranged on a network server end and are corresponding to the network authentication protocols of the client end, and the symmetrical or asymmetric encryption algorithm is used to generate a variable dynamic password to realize the personal identification on the network user, and therefore, embezzling the user password is prevented.
Description
Technical field:
The present invention relates to information security field, be utilization computer, network and cryptographic technique, solve the network user's the stolen problem of password, this technical method can carry out strict protection to user's password, realization is to the authentication of authenticating device and the secure log of network, simultaneously, stop " steal-number " phenomenon of industries such as E-Government, ecommerce, Web bank and online game, the present invention is applicable to that diverse network need be with the system of identification.
Background technology:
At present, technical method and product that domestic external enwergy solves network " steal-number " problem fully also do not have, anti-network " steal-number " product of some manufacturers produce, be to adopt smart card and encryption technology to produce the dynamic password of one time one change, realize network ID authentication, but, if the user loses smart card, stolen easily, also have some manufacturers to adopt the double factor network ID authentication, adopt user's the static password and the dynamic password of authentication protocol generation to carry out network ID authentication simultaneously, this series products also has the characteristics that easily crack, and " steal-number " person can analyze by trojan horse with to user's authentication protocol, usurps user's static password and the dynamic password that authentication protocol produces, in a word, existing anti-network " steal-number " method and product all can not satisfy the demand in market.
Summary of the invention:
Originally prevent the method for user's pin from illegal use, be that utilization computer, network and cryptographic technique are set up network security authentication system, at network server end and each client-side, a pair of identical encryption device is set respectively, its cryptographic algorithm is used symmetric cryptographic algorithm or asymmetric cryptographic algorithm, server and client-side are set up a group network authentication protocol respectively, and this network authenticating protocol produces one time one dynamic password that becomes, and realizes the authentication between the client computer and the webserver; In the authenticating device of client-side, set up another group authentication protocol, be used for identification to the client-side authenticating device, use symmetric encipherment algorithm to realize, its encryption key is made up of two parts: a part is user's a static password, another part is that the authentication protocol in the authenticating device produces automatically, both are combined into encryption key, user certificate and part or all of network authenticating protocol are added, deciphering, reach to the identification of authenticating device with to the regulation and control of network authenticating protocol, after user's static password has passed through the identification of client-side authenticating device, the network authenticating protocol deciphering is generated expressly, call this network authenticating protocol again and finish identification the webserver, thereby, user's pin from illegal use prevented, all processes is with pure software or soft, the combination of hardware mode realizes that concrete grammar is as follows:
1, sets up network authenticating protocol respectively at the webserver and client computer two ends, the authentication protocol of network server end leaves in the encryption device, for example: encrypted card, encryption equipment etc., or leave in the hard disk of server, the authentication protocol of client-side leaves in the authenticating device, and wherein authenticating device refers to: smart card, USB flash disk, CD, floppy disk, hard disk etc.
2, network authenticating protocol is based upon on symmetry or the rivest, shamir, adelman system, produce the dynamic password K of one time one change by the network authenticating protocol of client-side, wherein: " 0 " of K=80~2000bit position, " 1 " number, and this dynamic password and parameters for authentication thereof sent to the webserver, after network server end is received dynamic password and parameters for authentication, generate the dynamic password of equal length according to network authenticating protocol, whether the dynamic password through the contrast two ends is identical, judges client user's identity.
3, when network authenticating protocol adopts symmetric encipherment algorithm,
(1) symmetric cryptographic key adopts " key seed " technology, under the control of user's session key and timestamp, picked at random generates the encryption key N of one-time pad, wherein: " 0 " of N=80~128bit, " 1 " number, be used for user certificate is encrypted the close certificate that generates the user, and it is defined as dynamic password K, since one time one change of encryption key, then one time one change of the dynamic password K of Chan Shenging.
(2) user name or user number are made up of Y bit digital or English alphabet, wherein: Y=4~12, timestamp is 8 bit digital, represent year respectively, month, day, clock generating according to the client-side computer system, session key is made up of N1=8~16 bit digital, the N1 position random digit that produces by the network authenticating protocol of client-side, " key seed " is digital for the M1 group, M1=100~2000, the length of every group of number are M2, " 0 " of M2=4~32bit, " 1 " number, under session key and timestamp control, from user's M1 group " key seed ", choose a N1 group " key seed " and a synthetic set of encryption keys N.
(3) network authenticating protocol is the dynamic password that is at first produced one time one change by client, again this password and parameters for authentication are sent to the webserver, after network server end is received, generate encryption key according to parameters for authentication, and to the user certificate that is pre-stored in server end encrypt generate the user close certificate promptly: dynamic password, through the dynamic password at the contrast two ends identical identity of judging the user whether, wherein parameters for authentication comprises: user name or user number, session key and timestamp etc.
4, when network authenticating protocol adopts rivest, shamir, adelman,
(1) in the client-side authenticating device, deposits one group of user's private key, its length is 1024 or 2048bit, deposit one group of user's PKI in network server end, its length also is 1024 or 2048bit, set up array S1 at random, wherein: S1=100~2000, the length of every group of random number be S2=8~32bit's " 0 ", " 1 " number, and under the control of user's session key and timestamp, array is at random chosen, choose N1 group random number and synthetic one group of random number S at every turn, " 0 " of S=80~2000bit, " 1 " number in conjunction with as expressly, is encrypted one group of ciphertext of generation with user's private key to it with random number S and user's certificate again, this ciphertext is defined as dynamic password, because one time one change of choosing of random number S is then through also one time one change of encrypted ciphertext, that is: one time one change of dynamic password.
(2) dynamic password that becomes for a time by the client-side generation, again this password and parameters for authentication are sent to the webserver, after network server end is received, the PKI that takes out this user according to parameters for authentication is decrypted dynamic password and generates expressly, generate random number SF according to parameters for authentication again, simultaneously, access the user certificate that network server end prestores, certificate through the contrast two ends, and contrast random number S and the SF identical identity of judging the user whether, wherein parameters for authentication comprises: user name or user number, session key and timestamp etc.
5, in the authenticating device of client-side, set up the authentication protocol that user identity is discerned,
(1) uses symmetric encipherment algorithm, the static password that the user is provided with is as the part of encryption key, another part encryption key is produced automatically by authentication protocol, both synthesize one group of complete encryption key, user's certificate is encrypted the close certificate that generates the user, simultaneously, part or all of network authenticating protocol is encrypted the generation ciphertext, be close network authenticating protocol, and user's certificate and close certificate and close network authenticating protocol are left in the authenticating device.
(2) in the authentication protocol in authenticating device, static password is made as K1, K1 is made up of the English alphabet between numeral or the A~F, and length is L1, L1=8~32, and after authentication protocol becomes 4 with L1 position password through 1 again, L1=32~128bit.
(3) another part encryption key that is produced automatically by authentication protocol is made as K2, its length is L2=80~128, K2 is under the control of timestamp and session key, from user " key seed ", choose N1 group " key seed " and merge and form, with K1 and K2 two parts encryption key in conjunction with generating a set of encryption keys K3, be used for to the user certificate encryption with to the network authenticating protocol encryption and decryption, wherein: the mode of K1 and K2 combination is: the same or logical difference of logic, simultaneously, the position of both combinations is by the regulation of the authentication protocol in the authenticating device, and the encryption key K3 length of generation is L2.
(4) user's close certificate is defined as the authentication code of authentication protocol in the authenticating device, the reduced parameter of using static password K1 that authenticating device is authenticated as the user, that is: static password K1 and the automatic another part encryption key K2 that produces of authentication protocol with the user synthesizes a set of encryption keys K3 together, with K3 user's certificate is encrypted, generate user's close certificate authentication authorization and accounting sign indicating number, with leave that user's close certificate authentication authorization and accounting sign indicating number compares in the authenticating device in, realize that the user discerns authenticating device.
(5) user's static password is by after the authentication of authenticating device, and the encryption key K3 that generates with this static password is decrypted into close network authenticating protocol expressly, and promptly network authenticating protocol calls the identification that it carries out the network user again; If user's static password is failed by the authentication of authenticating device, close network authenticating protocol can not be decrypted into correct plaintext with the encryption key K3 of its generation, then can not call the identification that network authenticating protocol carries out the network user.
6, user's static password a part encryption key as authentication protocol in the authenticating device, and not as the authentication reduced parameter in two groups of authentication protocols, user's static password is that memory is in user's brain, the user can make amendment at any time to its static password, user's static password does not leave in authenticating device and the client computer, do not leave in the webserver yet, simultaneously, also not in transmission over networks.
7, two kinds of authentication protocols that leave in the client-side authenticating device comprise: the authentication protocol of authenticating device and close network authenticating protocol, simultaneously, also deposit user name or user number, user's certificate, user's close certificate, " key seed ", and data such as the timestamp of control generation encryption key K2 and session key.
Description of drawings:
Fig. 1: the authentication protocol flow chart of authenticating device
Fig. 2: user's static password modification process figure in the authentication protocol
Embodiment:
Prevent the performing step of user's pin from illegal use method below in conjunction with description of drawings:
Fig. 1: the authentication protocol flow process that authenticating device is described, at first, the user imports its static password to behind the authenticating device, in authenticating device, generate encryption key, and encryption key imported in the symmetric encipherment algorithm, user's certificate is encrypted the close certificate of generation promptly: authentication code, the one group of authentication code that prestores in this group authentication code and the authenticating device is compared? if it is correct, then the user passes through the authentication of authenticating device, next with the encryption key that has generated the close network authenticating protocol in the authenticating device is decrypted into expressly, that is: network authenticating protocol calls existing network network user identity identification in fact again, and can repeat to call it, shut down afterwards; As if incorrect, then point out user's static password mistake, please re-enter static password or shutdown.
Fig. 2: the static password process that user in the user's modification authentication protocol is described, at first, the user imports its existing static password and gives authenticating device, also import simultaneously user's new static password, and repeat to import new static password once, whether the new static password of user of twice input of contrast identical in authenticating device? if inequality, then re-enter new static password twice or shutdown; If it is identical; then use existing static password to generate encryption key; call cryptographic algorithm user certificate is encrypted the close certificate of generation; the authentication authorization and accounting sign indicating number; another group authentication code in the authenticating device is left in taking-up in; whether identical through contrasting two groups of authentication codes? if it is inequality; then the existing static password mistake of prompting input is re-entered existing static password or shutdown, if identical; then call the encryption key that existing static password generates; close network authenticating protocol deciphering is generated expressly, and promptly network authenticating protocol generates new encryption key with new static password again; part or all of network authenticating protocol is encrypted the generation ciphertext; that is: new close network authenticating protocol, and replace former close network authenticating protocol, leave in the authenticating device; the encryption key that generates with new static password is encrypted user certificate and is generated new close certificate again; be new authentication code, new authentication code is replaced former authentication code, leave in the authenticating device; so far, can repeat the modification or the shutdown of user's static password.
Claims (6)
1, adopting double verification protocol to prevent the method for user's pin from illegal use, is that utilization computer, network and cryptographic technique realize that implementation step is as follows:
In the authenticating device of client, deposit two groups of authentication protocols, one group is network authenticating protocol, one group is the authentication protocol of authenticating device, with static password as the part key, another part key is produced automatically by the authentication protocol of authenticating device, both are combined into the encryption key of symmetric encipherment algorithm, user certificate and network authenticating protocol are added, deciphering, reach to the identification of authenticating device with to the regulation and control of network authenticating protocol, simultaneously, also set up network authenticating protocol in network server end, corresponding with the network authenticating protocol of client, and adopt symmetry or rivest, shamir, adelman, generate the dynamic password of one time one change, realization is to the network user's identification, thereby, prevent user's pin from illegal use.
2, require described employing double verification protocol to prevent the method for user's pin from illegal use according to right 1, it is characterized in that:
(1) according to network authenticating protocol, the dynamic password that is generated one time one change by client-side automatically sends to the webserver, realizes network ID authentication;
(2), directly import static password by the user and realize identification authenticating device according to the authentication protocol of authenticating device.
3, require described employing double verification protocol to prevent the method for user's pin from illegal use according to right 1, it is characterized in that:
In the authentication protocol of authenticating device, user's static password is the part as key, a part of in addition key is produced automatically by the authentication protocol in the authenticating device, the encryption key of both synthetic symmetric encipherment algorithms, with this encryption key and symmetric encipherment algorithm, respectively user's certificate and part or all of network authenticating protocol are encrypted the generation ciphertext, prevent that user's static password is decrypted, prevent that also network authenticating protocol is stolen.
4, require described employing double verification protocol to prevent the method for user's pin from illegal use according to right 3, it is characterized in that:
Close certificate authentication authorization and accounting sign indicating number with the user, the reduced parameter of using static password that authenticating device is authenticated as the user, that is: another part encryption key that produces automatically with static password and authentication protocol synthesizes a set of encryption keys together, certificate to the user is encrypted, generate user's close certificate authentication authorization and accounting sign indicating number, with leave that user's close certificate authentication authorization and accounting sign indicating number compares in the authenticating device in, realize that the user discerns authenticating device.
5, require described employing double verification protocol to prevent the method for user's pin from illegal use according to right 3, it is characterized in that:
(1) fails authentication by authenticating device when user's static password, then can not call network authenticating protocol by force, because the network authenticating protocol that leaves in the authenticating device is a ciphertext;
(2) have only user's static password to pass through the authentication of authenticating device after, close network authenticating protocol could be decrypted into expressly, and call the identification that it carries out the network user.
6, require described employing double verification protocol to prevent the method for user's pin from illegal use according to right 3 and 4, it is characterized in that:
User's static password is not as the authentication reduced parameter in two groups of authentication protocols, user's static password is that memory is in user's brain, the user can make amendment at any time to its static password, user's static password does not leave in authenticating device and the client computer, do not leave in the webserver yet, simultaneously, also not in transmission over networks.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005100089815A CN100431297C (en) | 2005-02-28 | 2005-02-28 | Method for preventing user's pin from illegal use by double verification protocol |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005100089815A CN100431297C (en) | 2005-02-28 | 2005-02-28 | Method for preventing user's pin from illegal use by double verification protocol |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1645796A CN1645796A (en) | 2005-07-27 |
| CN100431297C true CN100431297C (en) | 2008-11-05 |
Family
ID=34875369
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2005100089815A Active CN100431297C (en) | 2005-02-28 | 2005-02-28 | Method for preventing user's pin from illegal use by double verification protocol |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100431297C (en) |
Families Citing this family (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101364872B (en) * | 2007-08-08 | 2011-09-21 | 精品科技股份有限公司 | Method for instruction execution through verification |
| FR2951343A1 (en) * | 2009-10-14 | 2011-04-15 | Alcatel Lucent | COMMUNICATION DEVICE MANAGEMENT THROUGH A TELECOMMUNICATIONS NETWORK |
| CN101984574B (en) * | 2010-11-29 | 2012-09-05 | 北京卓微天成科技咨询有限公司 | Data encryption and decryption method and device |
| CN102012993B (en) * | 2010-11-29 | 2012-07-11 | 北京卓微天成科技咨询有限公司 | Methods and devices for selectively encrypting and decrypting data |
| CN102064936B (en) * | 2010-11-29 | 2012-08-22 | 北京卓微天成科技咨询有限公司 | Data encryption and decryption methods and devices |
| KR101944741B1 (en) * | 2016-10-28 | 2019-02-01 | 삼성에스디에스 주식회사 | Apparatus and method for encryption |
| CN108632296B (en) * | 2018-05-17 | 2021-08-13 | 中体彩科技发展有限公司 | Dynamic encryption and decryption method for network communication |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2004059415A2 (en) * | 2002-12-31 | 2004-07-15 | International Business Machines Corporation | Method and system for authentification in a heterogeneous federated environment, i.e. single sign on in federated domains |
| CN1549482A (en) * | 2003-05-16 | 2004-11-24 | 华为技术有限公司 | Method for realizing high rate group data service identification |
-
2005
- 2005-02-28 CN CNB2005100089815A patent/CN100431297C/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2004059415A2 (en) * | 2002-12-31 | 2004-07-15 | International Business Machines Corporation | Method and system for authentification in a heterogeneous federated environment, i.e. single sign on in federated domains |
| CN1549482A (en) * | 2003-05-16 | 2004-11-24 | 华为技术有限公司 | Method for realizing high rate group data service identification |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1645796A (en) | 2005-07-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3289723B1 (en) | Encryption system, encryption key wallet and method | |
| CN101828357B (en) | Credential provisioning method and device | |
| US7571320B2 (en) | Circuit and method for providing secure communications between devices | |
| US6985583B1 (en) | System and method for authentication seed distribution | |
| CN100468438C (en) | Encryption and decryption method for realizing hardware and software binding | |
| CN101282222B (en) | Digital signature method based on CSK | |
| US20060034456A1 (en) | Method and system for performing perfectly secure key exchange and authenticated messaging | |
| CN109728909A (en) | Identity identifying method and system based on USBKey | |
| CN102664739A (en) | PKI (Public Key Infrastructure) implementation method based on safety certificate | |
| CN100431297C (en) | Method for preventing user's pin from illegal use by double verification protocol | |
| US8230218B2 (en) | Mobile station authentication in tetra networks | |
| US20130097427A1 (en) | Soft-Token Authentication System | |
| US6640303B1 (en) | System and method for encryption using transparent keys | |
| CN111526007B (en) | Random number generation method and system | |
| CN102833075A (en) | Identity authentication and digital signature method based on three-layered overlapping type key management technology | |
| CN103378971A (en) | Data encryption system and method | |
| CN108199847A (en) | Security processing method, computer equipment and storage medium | |
| CN107707562A (en) | A kind of method, apparatus of asymmetric dynamic token Encrypt and Decrypt algorithm | |
| CN109218251B (en) | Anti-replay authentication method and system | |
| CN101867471A (en) | Irrational number based DES authentication encryption algorithm | |
| CN115276978A (en) | Data processing method and related device | |
| CN1980127A (en) | Command identifying method and command identifying method | |
| CN104079577A (en) | Authentication method and authentication device | |
| CN107463977B (en) | Circuit and method for authenticating a card by contactless reading | |
| CN115632797A (en) | Safety identity verification method based on zero-knowledge proof |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C56 | Change in the name or address of the patentee | ||
| CP02 | Change in the address of a patent holder |
Address after: 100091 No. 4, building 22, West 1, Hongqi hospital, Beijing, Haidian District Patentee after: Hu Xiangyi Address before: 100044 Beijing city Xicheng District Xizhimen Street No. 138 room 620 Beijing Planetarium Patentee before: Hu Xiangyi |