CN101931530B - Generation method, authentication method and device for dynamic password and network system - Google Patents


Info

Publication number
CN101931530B
Authority
CN
China
Prior art keywords
dynamic password
authentication
user
server
indication
Prior art date
Legal status
Expired - Fee Related
Application number
CN200910242477XA
Other languages
Chinese (zh)
Other versions
CN101931530A (en)
Inventor
魏中华
孙江涛
Current Assignee
Beijing Bao Bao Network Technology Co ltd
Beijing Shenzhoufu Software Technology Co ltd
Original Assignee
BEIJING SHENZHOUFU E-PAY TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Application filed by BEIJING SHENZHOUFU E-PAY TECHNOLOGY Co Ltd
Priority to CN200910242477XA
Publication of CN101931530A
Application granted
Publication of CN101931530B
Current status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a generation method, an authentication method and a device for a dynamic password, and a network system. The generation method for the dynamic password comprises the following steps: performing an encryption computation on stored personal authentication information of the user with a preset encryption algorithm, according to a stored first encryption count, to generate a corresponding first dynamic password; returning the first dynamic password to a mobile terminal, so that the user can request identity authentication from a server with the first dynamic password; and updating the first encryption count. The method is suitable for submitting the dynamic password used for identity authentication to the server when a person logs on to or accesses the server through a client browser or client software, or performs an electronic transaction.

Description

Dynamic password generation method, authentication method and device, and network system
Technical field
The present invention relates to the field of communication technology, and in particular to a dynamic password generation method, a dynamic password authentication method, a dynamic password generating apparatus, a server and a network system.
Background technology
With the rapid development of communication technology, electronic transactions over the Internet and mobile networks have become an important form of banking business. For example, a user can log on to a WAP site from a mobile terminal that supports the Wireless Application Protocol (WAP) and carry out Internet banking transactions. To guarantee the reliability and security of e-banking transactions, authentication of the user's identity information has become the key problem in the Internet banking business. At present, the large commercial banks mainly use dynamic password cards and U shields as the e-banking security media for authenticating user identity information.
A dynamic password card is a card similar in size and shape to a bank card, commonly called a scratch card, with a number of different passwords printed on each card. When using e-banking, the user first submits a client certificate to the server; after the server has verified the client certificate, it prompts the user to enter a transaction password, and the user enters the passwords printed on the scratch card in order; each password can be used only once. The dynamic password works in a one-time-pad mode: the client need not set or remember anything, and a new password is used every time. This overcomes the shortcomings of static passwords and effectively solves the problem of criminals using "Trojan horse" viruses to steal Internet banking passwords.
The U shield is a USB (Universal Serial Bus) device based on the "USB Key" identity authentication mode, with a built-in single-chip microcomputer or smart chip, and is similar in shape to a USB flash drive. The single-chip microcomputer or smart chip has storage space and is used to store the user's key or personal digital certificate. When the user transacts online, the user first submits a client certificate to the server; after the server has verified the client certificate, it prompts the user to insert the U shield. The user inserts the U shield into the USB interface of a personal computer, and the 1024-bit asymmetric-key algorithm built into the U shield encrypts, decrypts and digitally signs data, thereby ensuring the security of user authentication.
However, dynamic password cards and U shields have the following defects: to use a dynamic password card or U shield, the user must carry it when performing electronic transactions, and the dynamic password card or U shield must also be used together with the client certificate, otherwise no electronic transaction can be performed. Thus the user cannot perform electronic transactions anytime and anywhere, which limits the environments in which the user can transact electronically.
Summary of the invention
The purpose of this invention is to provide a dynamic password generation method, authentication method, apparatus and network system, so that a user can obtain, anytime and anywhere, a dynamic password for identity authentication in order to perform secure electronic transactions and securely log on to or access a server.
To achieve this purpose, the invention provides a dynamic password generation method, comprising:
receiving request information sent by a mobile terminal, requesting a dynamic password for authenticating the user;
according to a stored first encryption count, using a preset encryption algorithm, performing an encryption computation on the stored personal authentication information of the user to generate a corresponding first dynamic password;
returning the first dynamic password to the mobile terminal, for the user to request identity authentication from the server with the first dynamic password;
updating the first encryption count.
The present invention also provides a dynamic password generating apparatus, comprising:
a receiving module, for receiving request information sent by a mobile terminal, requesting a dynamic password for authenticating the user;
a first dynamic password generation module, for, according to a stored first encryption count, using a preset encryption algorithm, performing an encryption computation on the stored personal authentication information of the user to generate a corresponding first dynamic password;
a sending module, for returning the first dynamic password to the mobile terminal, for the user to request identity authentication from the server with the first dynamic password;
a first encryption count update module, for updating the first encryption count.
In the dynamic password generation method and dynamic password generating apparatus of the embodiments of the invention, when the server prompts the user to obtain a dynamic password for authentication, the mobile terminal sends request information for generating the dynamic password to the dynamic password generating apparatus. The dynamic password generating apparatus generates a dynamic password for the user in good time, according to its built-in encryption algorithm, the user's personal authentication information and the continually updated encryption count, and provides it to the user through the mobile terminal. A user carrying a mobile terminal can therefore obtain a dynamic password for authentication anytime and anywhere, and use it to request authentication from the server in order to perform secure electronic transactions and securely log on to or access the server. Thus the user's need to perform secure electronic transactions and securely log on to or access the server anytime and anywhere is satisfied.
The invention provides a dynamic password authentication method, comprising:
after receiving a first dynamic password that the user generated with a dynamic password generating apparatus and submits to request identity authentication, using the preset encryption algorithm to perform an encryption computation on the first dynamic password according to a stored second encryption count, generating a second dynamic password;
authenticating the second dynamic password according to a stored third dynamic password;
if the authentication passes, updating the third dynamic password to the first dynamic password;
determining and updating the second encryption count with which, at the next authentication of the user, the first dynamic password generated by the dynamic password generating apparatus will be encryption-computed.
The present invention also provides a server, comprising:
a second dynamic password generation module, for, after receiving a first dynamic password with which the user requests identity authentication, using the preset encryption algorithm and performing an encryption computation on the first dynamic password according to a stored second encryption count, generating a second dynamic password;
an authentication module, for authenticating the second dynamic password according to a stored third dynamic password;
a second update module, for, if the authentication passes, updating the third dynamic password to the first dynamic password, and determining and updating the second encryption count with which, at the next authentication of the user, the first dynamic password generated by the dynamic password generating apparatus will be encryption-computed.
The present invention also provides a network system, comprising:
a mobile terminal provided with the dynamic password generating apparatus, and the server.
In the dynamic password authentication method, server and system of the embodiments of the invention, after the server prompts the user to obtain a dynamic password for authentication, it receives the dynamic password submitted by the user. According to the preset encryption algorithm and the encryption count, it first performs an encryption computation on the dynamic password submitted by the user to generate a third dynamic password. It then authenticates the third dynamic password according to the stored second dynamic password that passed authentication last time. After each authentication passes, the first dynamic password that passed authentication is saved, and at the same time the encryption count for the next authentication is determined anew and the dynamic password generating apparatus is notified of it, so that the first dynamic password generated next time by the dynamic password generating apparatus can be authenticated. Thus the dynamic password generating apparatus can generate a different first dynamic password each time, and the server side is guaranteed to be able to authenticate each different first dynamic password through a different second dynamic password each time. This guarantees that the user performs secure electronic transactions and securely logs on to or accesses the server.
Description of drawings
Fig. 1 is a flow chart of embodiment one of the dynamic password generation method of the present invention;
Fig. 2 is a schematic diagram of the short message submission mode of the dynamic password in embodiment two of the dynamic password generation method of the present invention;
Fig. 3 is a schematic diagram of the client submission mode of the dynamic password in embodiment three of the dynamic password generation method of the present invention;
Fig. 4 is a flow chart of the embodiment of the dynamic password authentication method of the present invention;
Fig. 5 is a structural diagram of embodiment one of the dynamic password generating apparatus of the present invention;
Fig. 6 is a structural diagram of embodiment two of the dynamic password generating apparatus of the present invention;
Fig. 7 is a structural diagram of embodiment one of the server of the present invention;
Fig. 8 is a structural diagram of embodiment two of the server of the present invention;
Fig. 9 is a structural diagram of the embodiment of the network system of the present invention.
Embodiment
The technical scheme of the present invention is described in further detail below with reference to the drawings and embodiments.
At present, mobile terminals (for example, mobile phones) have become a portable means of communication in general use by all kinds of people. The data card arranged in a mobile terminal, for example the subscriber identity module (SIM) or a SIM expansion card, is a smart chip with storage, programming and processing functions. The SIM expansion card, also called a sticker, is a contact-conversion sheet whose outer shape is designed to fit the SIM slots of different mobile terminals. In use, the contacts on the sticker are aligned with the contacts of the SIM chip and the two are bonded together; the bonded assembly is then inserted directly into the SIM slot of the mobile terminal. The present invention therefore uses the advantages of the mobile terminal and the data card to provide a scheme that solves the defects of the prior art described above: without affecting the normal communication of the mobile terminal, a dynamic password generation module that can generate a dynamic password for the user at any time is built into the data card.
Fig. 1 is a flow chart of embodiment one of the dynamic password generation method of the present invention. The executing entity in this embodiment is the data card arranged in the mobile terminal, which may specifically be a SIM or a SIM expansion card. This embodiment describes the technical scheme of the dynamic password generation method of the present invention, taking a data card arranged in a mobile terminal as an example. As shown in Fig. 1, this embodiment comprises:
Step 11: receiving request information sent by the mobile terminal, requesting a dynamic password for authenticating the user.
When the user performs an operation such as online payment or online login through a client browser (for example Internet Explorer, or a mobile terminal browser such as MP, Gorilla or UCWEB) or client software (for example, stock trading software), or logs on to or accesses a server through the client browser or client software, the server can prompt the user to provide a dynamic password, with which the user's identity is then authenticated. At this point the user opens the mobile terminal he or she carries (for example, a mobile phone) and, by operating the password menu item of the SIM Tool Kit (STK) on the mobile terminal, sends request information to the data card to obtain a dynamic password.
To guarantee the security of the dynamic password, when the user starts the password menu item of the STK, the personal identification number (PIN code) of the data card must be entered; only after the PIN code has been verified does the mobile terminal send the data card, through an Application Protocol Data Unit (APDU) instruction, the request information for generating the dynamic password.
The STK comprises a set of instructions for interaction between the mobile terminal and the data card; through the STK, the add-on applications on the data card can be operated. Communication between the mobile terminal and the data card is realized specifically through the APDU instructions specified by the GSM 11.11 and GSM 11.14 protocols. The STK program can reside in the data card and provides the user with a text menu operation interface on the mobile terminal, the STK menu; the user can click a menu item in it to invoke a particular application. In addition, if the service provider's services are expanded or changed, a message can be sent to the user's mobile terminal; this message can be forwarded to the data card, and the application program in the data card can modify the existing STK menu according to the message, thereby providing the new service to the user.
Step 12: according to the stored first encryption count, using the preset encryption algorithm, performing an encryption computation on the stored personal authentication information of the user to generate the corresponding first dynamic password.
After the data card receives the request information sent by the mobile terminal, it uses the preset encryption algorithm and, according to the stored first encryption count, performs an encryption computation on the user's personal authentication information, generating the corresponding dynamic password for the user.
Here, the personal authentication information is information generated by the server for the user after the user has registered personal information on the server, and it uniquely identifies the user's identity. The user's personal authentication information, the encryption algorithm and the first encryption count can be built directly into the data card used by the user after the user has successfully registered on the server. When the personal authentication information or the encryption algorithm is updated, the server can deliver it to the mobile terminal used by the user through an Over the Air (OTA) channel, that is, by sending an OTA short message to the mobile terminal, and the mobile terminal then passes it on to the data card.
The encryption algorithm can be a one-way hash algorithm, and correspondingly the first encryption count can be a first hash count. In this embodiment, the encryption algorithm and the first encryption count of the dynamic password generation method of the present invention are described taking a one-way hash algorithm and a first hash count as examples.
For example, the data card stores a one-way hash algorithm H, a first hash count A and the user's personal authentication information PW, where A is a preset value at initialization. Correspondingly, the server also stores the one-way hash algorithm H, a second hash count X, the user's personal authentication information PW and a third dynamic password Y. Here H and PW are kept consistent with the one-way hash algorithm and personal authentication information stored in the data card; X and Y are preset values at initialization and are determined anew after each authentication passes. The initial value of Y is H^(N)(PW), where N is the total hash count and N = X + A (A being the first hash count preset at initialization of the data card). The preset value of A can be set to N-1, and the preset value of X can be set to 1.
After the data card receives the request information, it computes the value Y' = H^(A)(PW), where H^(A) denotes applying the hash operation A times to PW. After receiving the first dynamic password Y' from the data card, the server computes the value Z = H^(X)(Y') of the second dynamic password. If H^(X)(Y') is identical to the third dynamic password H^(N)(PW) preset on the server side, the authentication passes.
When the initial value of A is N-1, the data card computes the value Y' = H^(N-1)(PW) and sends it to the server as the first dynamic password. The server computes the value Z = H^(1)(Y') of the second dynamic password, that is, it applies the hash operation to Y' only once. If Z is identical to the H^(N)(PW) stored on the server side, the authentication passes.
Step 13: returning the first dynamic password to the mobile terminal, for the user to request identity authentication from the server with the first dynamic password.
After generating the dynamic password, the data card returns the first dynamic password to the mobile terminal, for the user to submit this first dynamic password to the server so that the server can authenticate the user.
Step 14: updating the first encryption count.
After the data card generates the first dynamic password, the first encryption count must be updated. One update mode is: after generating the first dynamic password, the data card updates the first encryption count automatically according to a mode agreed in advance with the server, that is, a mode negotiated with the server at registration. Continuing the example above, after each dynamic password is generated the data card can automatically decrement the first hash count A by 1; meanwhile, after verifying the first dynamic password each time, the server replaces the original verification data with the first dynamic password as the basis for the next authentication and does not change the second hash count X. Thus, each subsequent time the server authenticates a first dynamic password sent by the data card, it applies the hash operation to this first dynamic password only once.
Furthermore, a preferred way of updating the first encryption count can be: after the authentication passes, when the server side dynamically determines the second encryption count for the next authentication, it sends the data card an update-encryption-count indication derived from this second encryption count, so that the data card updates the first encryption count according to this indication. Specifically, this update mode is: when the authentication passes, receiving the update-hash-count indication from the server, forwarded by the mobile terminal, and updating the first hash count according to the update-hash-count indication.
For example, if the second hash count X determined by the server for the next authentication is X', then correspondingly the data card is instructed to update its stored first hash count to A', where X' and A' satisfy the formula X' + A' = A. That is, when a first dynamic password other than the very first one is received from the data card, the server first applies X' hash operations to H^(A')(PW), obtaining H^(A'+X')(PW), and then compares H^(A'+X')(PW) with H^(A)(PW) in order to authenticate H^(A'+X')(PW). If they are identical, the authentication passes and the third dynamic password Y is updated to H^(A')(PW). Then the second hash count X'' for the next authentication is determined again, and X'' is used to determine and update the first hash count A'' with which the data card generates the first dynamic password next time. Likewise, X'' and A'' satisfy the formula X'' + A'' = A'.
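The hash-chain computation of Steps 12 to 14 above, as an added Python example that is not part of the patent: the data card holds PW and the first hash count A, the server holds Y = H^(N)(PW) and the second hash count X, and the server-directed update keeps X' + A' = A. SHA-256 standing in for H, the values N = 10 and X' = 1, 2, 1, the sample PW and all class and function names are assumptions for illustration; the patent names none of them.

```python
import hashlib
from dataclasses import dataclass


def hash_times(value: bytes, times: int) -> bytes:
    """H^(times)(value): apply the one-way hash H `times` times.
    SHA-256 stands in for H (an assumption; the patent names no algorithm)."""
    for _ in range(times):
        value = hashlib.sha256(value).digest()
    return value


@dataclass
class DataCard:
    """Data card side: stores PW and the first hash count A."""
    pw: bytes   # personal authentication information PW
    a: int      # first hash count A

    def generate(self) -> bytes:
        """Step 12: first dynamic password Y' = H^(A)(PW)."""
        return hash_times(self.pw, self.a)


@dataclass
class Server:
    """Server side: stores the third dynamic password Y and the second hash count X."""
    y: bytes    # third dynamic password Y, initially H^(N)(PW)
    x: int      # second hash count X

    def authenticate(self, first_dp: bytes) -> bool:
        """Steps 42-44: Z = H^(X)(Y'); pass iff Z == Y, then store Y' as the new Y."""
        z = hash_times(first_dp, self.x)
        if z != self.y:
            return False
        self.y = first_dp    # Step 44: third dynamic password := first dynamic password
        return True


def directed_update(card: DataCard, server: Server, x_next: int) -> None:
    """Step 45 / Step 14 (server-directed mode): the server picks X' for the next
    authentication and instructs the card to set A' so that X' + A' = A."""
    server.x = x_next
    card.a = card.a - x_next


def demo(n: int = 10) -> dict:
    """Run three authentications with server-chosen X' of 1, 2 and 1, then
    replay the last password to show that an already-used password is rejected."""
    pw = b"PW-constructed-sample"               # constructed sample PW
    card = DataCard(pw=pw, a=n - 1)              # preset A = N - 1
    server = Server(y=hash_times(pw, n), x=1)    # preset Y = H^(N)(PW), X = 1
    results = []
    last = b""
    for x_next in (1, 2, 1):
        last = card.generate()
        results.append(server.authenticate(last))
        if results[-1]:
            directed_update(card, server, x_next)
    replay_accepted = server.authenticate(last)  # H^(X)(Y') can never equal Y' itself
    return {"results": results, "replay_accepted": replay_accepted,
            "card_a": card.a, "server_x": server.x}


if __name__ == "__main__":
    print(demo())
```

The server only ever stores a hash image Y and compares it against H^(X) of what the card sends, so a copy of the server's verification data does not let anyone compute the next first dynamic password; the root secret PW lives only in the data card, which is why the PIN check of Step 11 gates access to it.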
In the dynamic password generation method of the embodiments of the invention, when the server prompts the user to obtain a dynamic password for authentication, the mobile terminal sends request information for generating the dynamic password to the dynamic password generating apparatus. The dynamic password generating apparatus generates a dynamic password for the user in good time, according to its built-in encryption algorithm, the user's personal authentication information and the continually updated encryption count, and provides it to the user through the mobile terminal. A user carrying a mobile terminal can therefore obtain a dynamic password for authentication anytime and anywhere, and use it to request authentication from the server in order to perform secure electronic transactions and securely log on to or access the server. Thus the user's need to perform secure electronic transactions and securely log on to or access the server anytime and anywhere is satisfied.
In the scheme shown in Fig. 1, the way the user submits the first dynamic password to the server is: the user enters the first dynamic password directly in the client browser or client transaction software, which sends it to the server. Fig. 2 is a schematic diagram of the short message submission mode of the dynamic password in embodiment two of the dynamic password generation method of the present invention. As shown in Fig. 2, when the server prompts the user through the client browser or client transaction software interface to submit the first dynamic password, it can also prompt the user "please enter the dynamic password" and provide a dynamic password input box. After the mobile terminal has provided the first dynamic password to the user, the user enters it in this input box, and the first dynamic password is sent to the server through the client browser or client transaction software. After the server receives this dynamic password, it authenticates the user according to this first dynamic password; if verification passes, the user is allowed to proceed to the specific business.
In addition, the way the user submits the first dynamic password to the server can also be: the user submits it to the server in short message mode using the mobile terminal. Fig. 3 is a schematic diagram of the client submission mode of the dynamic password in embodiment three of the dynamic password generation method of the present invention. As shown in Fig. 3, when the server prompts the user through the client browser or client transaction software interface to submit the first dynamic password, it can also prompt the user "please submit the dynamic password by short message". After the user operates the mobile terminal to send the first dynamic password to the server in short message mode, the server authenticates the user according to this first dynamic password; if verification passes, the user is allowed to proceed to the specific business.
In the above schemes, if the server updates the dynamic password generation algorithm, the dynamic password generation parameters and the user's personal authentication information, the updated dynamic password generation algorithm and the user's personal authentication information are delivered by OTA short message to the mobile terminal used by the user, and the mobile terminal sends them on to the SIM or SIM expansion card arranged in it.
Fig. 4 is a flow chart of the embodiment of the dynamic password authentication method of the present invention; the executing entity in this embodiment is the server that authenticates the dynamic password described above. As shown in Fig. 4, this embodiment comprises:
Step 41: receiving the first dynamic password that the user generated with the dynamic password generating apparatus and submits to request identity authentication.
The dynamic password generating apparatus in this embodiment can be the data card described above.
Step 42: using the preset encryption algorithm, performing an encryption computation on the first dynamic password according to the stored second encryption count to generate a second dynamic password.
Here, the encryption algorithm can be a one-way hash algorithm, and correspondingly the second encryption count can be a second hash count. In this embodiment, the encryption algorithm and the second encryption count of the dynamic password generation method of the present invention are described taking a one-way hash algorithm and a hash count as examples.
For example, the server stores the one-way hash algorithm H, the second hash count X, the user's personal authentication information PW and the third dynamic password Y. Here H and PW are kept consistent with the one-way hash algorithm and personal authentication information stored in the data card; X and Y are preset values at initialization and are determined anew after each authentication passes. The initial value of Y is H^(N)(PW), where N is the total hash count and N = X + A (A being the first hash count preset at initialization of the data card).
After the user registers on the server, the initial value of the first hash count preset in the data card is A. When the data card receives request information for the first time, it computes the value Y' = H^(A)(PW) of the first dynamic password and sends it to the server. After receiving the first dynamic password Y' from the data card for the first time, the server computes the value H^(X)(Y') of the second dynamic password.
Step 43: authenticating the second dynamic password according to the stored third dynamic password.
After the server receives the first dynamic password Y' from the data card for the first time, if H^(X)(Y') is identical to the third dynamic password H^(N)(PW) preset on the server side, the authentication passes.
Step 44: if the authentication passes, updating the third dynamic password to the first dynamic password.
If the authentication passes for the first time, the third dynamic password Y preset at initialization is updated to the value Y' of the current first dynamic password H^(A)(PW). If it is not the first authentication to pass, the third dynamic password Y stored last time is updated to the value Y' of the current first dynamic password H^(A)(PW); that is, Y = Y' = H^(A)(PW).
Step 45: determining and updating the second encryption count with which, at the next authentication, the first dynamic password generated by the dynamic password generating apparatus will be encryption-computed.
The second encryption count for the next authentication can be determined according to the specific situation. One update mode is to update the second encryption count in a mode agreed in advance with the data card. Continuing the example above, the preset value of the second hash count X is 1; if the server does not modify the preset value 1 of the second hash count X, the data card is directed to decrement the first hash count A by 1 automatically, that is, A is updated to A-1; if the server updates the second hash count X to 2, that is, X = 2, the data card is directed to update the first hash count A automatically to A-2.
The above update mode may give rise to the following situation: the user uses the mobile terminal to trigger the data card to generate a first dynamic password but does not submit the first dynamic password to the server. According to the prior agreement with the server, the data card automatically updates the first encryption count each time it generates a first dynamic password. This can cause the first encryption count used in the data card to become unsynchronized with the second encryption count stored by the server. For example, the data card has generated the value Y' of the first dynamic password H^(A-1)(PW), but Y' is not submitted to the server for authentication; at this time the first hash count A-1 stored in the data card has already been updated to A-2, while the second hash count X stored in the server is still 1. When the value Y1' of the first dynamic password H^(A-2)(PW) generated by the data card next time is sent to the server for authentication, the server hashes Y1' only once, that is, H^(1)(Y1') = H^(A-1)(PW). Clearly H^(A-1)(PW) is inconsistent with the third dynamic password H^(A)(PW) saved by the server.
Under above-mentioned update mode; For avoiding first dynamic password that data card generates not being sent to server because of reasons such as misoperations; The intransitable situation of first dynamic password authentication that causes server that next data card is generated, server can change the authentication mode of first dynamic password to some extent.For example, when server to the first dynamic password H (A-2)(PW) carry out hash after, with the H of self storage (A)When (PW) inconsistent, can be again to H (A-2)(PW) carry out (B is a preset value, for example five times) hash operations B time.Obtaining among B the result of B hash operations, if one and H are arranged (A)(PW) unanimity thinks that then server end passes through the first dynamic password H (A)(PW) authentication.Thereby when user misoperation caused that the encryption number of times of data card and server is asynchronous, present embodiment can avoid first dynamic password of its follow-up generation that causes can not be through the phenomenon of server authentication.
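The pre-agreed update mode and the B-hash resynchronization just described, as an added worked example (code written for this edit, not the patent's own implementation). SHA-256 stands in for the unnamed preset encryption algorithm, and the PW value, A = 100 and B = 5 are constructed assumptions. The walk-through covers a normal authentication, one password generated but never submitted, a replay of that stale password, and the boundary of the B-hash window.

```python
import hashlib


def H(value: bytes) -> bytes:
    """One application of the preset one-way function.
    Assumption: SHA-256; the patent does not name the algorithm."""
    return hashlib.sha256(value).digest()


def hash_n(value: bytes, n: int) -> bytes:
    """H^(n)(value): apply H n times (n = 0 returns the input unchanged)."""
    for _ in range(n):
        value = H(value)
    return value


class DataCard:
    """Dynamic password generating apparatus in the pre-agreed update mode.

    The card stores PW and the first hash count A. Each generation returns
    H^(A-1)(PW) and the card automatically updates A to A-1 (the agreed step
    when the server leaves the preset second hash count X = 1 unchanged)."""

    def __init__(self, pw: bytes, a: int):
        self.pw = pw  # personal authentication information PW
        self.a = a    # first hash count A

    def generate(self) -> bytes:
        self.a -= 1                      # A := A-1, whether or not the value is ever submitted
        return hash_n(self.pw, self.a)   # first dynamic password H^(A-1)(PW)


class Server:
    """Authentication side: stores the third dynamic password Y = H^(A)(PW),
    the preset second hash count X = 1 and the resync window B."""

    def __init__(self, y: bytes, x: int = 1, b: int = 5):
        self.y = y
        self.x = x
        self.b = b

    def authenticate(self, first: bytes) -> bool:
        # Second dynamic password: hash the submitted value X times and compare
        # with the stored third dynamic password.
        candidate = hash_n(first, self.x)
        if candidate == self.y:
            self.y = first               # third dynamic password := first dynamic password
            return True
        # Out of step: hash up to B more times. A match after k extra hashes
        # means the card generated k passwords that never reached the server.
        for _ in range(self.b):
            candidate = H(candidate)
            if candidate == self.y:
                self.y = first           # storing the new value re-synchronizes the chain
                return True
        return False


def demo() -> dict:
    """Normal use, one skipped password, a replay, and the window boundary.
    Returns the outcomes so they can be checked."""
    pw = b"constructed personal authentication information"  # constructed sample
    card = DataCard(pw, a=100)
    server = Server(hash_n(pw, 100))                 # Y = H^(100)(PW) at registration

    normal = server.authenticate(card.generate())    # H^(99): one hash gives H^(100) == Y
    skipped = card.generate()                        # H^(98) generated but never submitted
    resynced = server.authenticate(card.generate())  # H^(97): window reaches H^(99) after 2 hashes
    replay = server.authenticate(skipped)            # old H^(98) no longer chains to Y = H^(97)

    for _ in range(5):                               # exactly B passwords lost
        card.generate()
    within_window = server.authenticate(card.generate())
    for _ in range(6):                               # B+1 passwords lost
        card.generate()
    beyond_window = server.authenticate(card.generate())

    return {
        "normal": normal,
        "resynced": resynced,
        "replay": replay,
        "within_window": within_window,
        "beyond_window": beyond_window,
        "card_count": card.a,
    }


if __name__ == "__main__":
    print(demo())
```

Two properties worth noting from the run: a password that was generated and skipped can no longer be replayed once a later one has been accepted, because the stored Y has moved down the chain and hashing only ever moves up it; and once more than B passwords are lost the server and card stay out of step, so B bounds both the tolerated misoperation and the number of extra hashes an attacker could make the server perform per attempt.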
Another preferred update mode is for the server to determine the second encryption count dynamically. That is, the server and the data card do not agree in advance on the specific updated values of the second encryption count and the first encryption count; instead, after each authentication passes, the server determines the second encryption count and, according to it, generates an update-encryption-count indication for the data card. When the server returns the update-encryption-count indication to the data card, it can send the indication by short message to the mobile terminal in which the data card is installed, and the mobile terminal passes the indication on to the data card.
For example, the server updates the second hash count X to X', and the first hash count stored by the data card is correspondingly updated to A', where X' and A' satisfy the formula X' + A' = A. Because the third dynamic password has been updated to the previously authenticated first dynamic password, H^(A)(PW) is used to authenticate the next first dynamic password H^(A')(PW) generated by the data card, and before authentication the first dynamic password H^(A')(PW) must be hashed X' times.
That is, when a first dynamic password other than the very first is received from the data card, the server first hashes the second dynamic password H^(A')(PW) X' times to obtain H^(A'+X')(PW), and compares H^(A'+X')(PW) with H^(A)(PW) in order to authenticate H^(A'+X')(PW). If they are identical, authentication passes, and the third dynamic password Y is updated to H^(A')(PW). The server then determines again the second hash count X'' for the next authentication and, through X'', specifies and updates the first hash count A'' in the data card; likewise X'' and A'' satisfy the formula X'' + A'' = A'.
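The dynamically determined second encryption count, as an added example (written for this edit, not the patent's code). The server chooses X' after each successful authentication, tracks the exponent of the stored third dynamic password so that X' + A' = A holds, and returns A' as the update-encryption-count indication that the patent delivers by short message; here the SMS hop is modelled as a direct call. SHA-256, the PW value, A = 50 and the sequence of chosen X values are constructed assumptions. After three rounds a password accepted in an earlier round is replayed to show it is rejected.

```python
import hashlib
from typing import Callable, Optional, Tuple


def H(value: bytes) -> bytes:
    """One application of the preset one-way function (assumed SHA-256)."""
    return hashlib.sha256(value).digest()


def hash_n(value: bytes, n: int) -> bytes:
    """H^(n)(value): apply H n times."""
    for _ in range(n):
        value = H(value)
    return value


class DataCard:
    """Card in the dynamically updated mode: it does not decrement on its own
    but sets its first hash count to whatever the server's indication says."""

    def __init__(self, pw: bytes, count: int):
        self.pw = pw
        self.count = count  # first hash count (A, then A', A'', ...)

    def generate(self) -> bytes:
        return hash_n(self.pw, self.count)  # first dynamic password H^(count)(PW)

    def apply_indication(self, new_count: int) -> None:
        self.count = new_count  # update-encryption-count indication received via the terminal


class Server:
    """Server in the dynamically updated mode. Besides the third dynamic
    password Y and the second hash count X it tracks the exponent of Y
    (the A in Y = H^(A)(PW)) so that it can pick A' with X' + A' = A."""

    def __init__(self, y: bytes, position: int, choose_x: Callable[[], int], x: int = 1):
        self.y = y
        self.position = position
        self.x = x                  # preset X = 1 for the very first authentication
        self.choose_x = choose_x    # policy supplying the next X' (assumed: any positive int)

    def authenticate(self, first: bytes) -> Tuple[bool, Optional[int]]:
        """Returns (passed, indication). The indication is the new first hash
        count the card must adopt, or None when authentication failed."""
        if hash_n(first, self.x) != self.y:    # H^(A'+X')(PW) must equal stored H^(A)(PW)
            return False, None
        self.y = first                          # Y := the password just accepted
        self.position -= self.x                 # its exponent: A' = A - X'
        self.x = self.choose_x()                # X'' for the next authentication
        new_count = self.position - self.x      # A'' with X'' + A'' = A'
        return True, new_count


def demo() -> dict:
    """Three authentications with server-chosen X values, then a replay."""
    pw = b"constructed personal authentication information"  # constructed sample
    A = 50
    xs = iter([3, 2, 4, 5])                         # constructed choices for X', X'', ...
    card = DataCard(pw, count=A - 1)                # registration: card holds A-1, server X = 1
    server = Server(hash_n(pw, A), position=A, choose_x=lambda: next(xs))

    rounds = []
    for _ in range(3):
        passed, indication = server.authenticate(card.generate())
        rounds.append(passed)
        if passed:
            card.apply_indication(indication)       # the SMS hop, modelled as a direct call
        # Invariant from the text: card count + server X == exponent of stored Y.
        assert card.count + server.x == server.position

    stale = hash_n(pw, 46)                          # the password accepted in round 2
    replay, _ = server.authenticate(stale)

    return {"rounds": rounds, "replay": replay,
            "card_count": card.count, "server_x": server.x}


if __name__ == "__main__":
    print(demo())
```

The example assumes every indication arrives intact. If the short message is lost or altered, the card's count no longer satisfies X' + A' = A and the next authentication fails; unlike the pre-agreed mode, nothing in this mode lets the server search for the card's position, so the integrity and delivery of the indication are what keep the two sides synchronized.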
After each authentication passes, steps 44 and 45 continually update the third dynamic password and the second hash count held by the server, which improves the security and reliability of the authentication basis stored by the server.
In the dynamic password authentication method of the embodiment of the invention, after the server prompts the user to obtain a dynamic password for authentication, it receives the dynamic password submitted by the user. According to the preset encryption algorithm and the encryption count, it first performs the cryptographic operation on the dynamic password submitted by the user to generate the third dynamic password. It then authenticates the third dynamic password according to the stored second dynamic password, the one that passed authentication last time. After each authentication passes, the first dynamic password that passed authentication is saved. At the same time the encryption count for the next authentication can be determined again and notified to the dynamic password generating apparatus, so that the first dynamic password generated next time by the dynamic password generating apparatus can be authenticated. As a result, the dynamic password generating apparatus can generate a different first dynamic password every time, and it is guaranteed that the server end can authenticate each different first dynamic password through the corresponding second dynamic password. The user is therefore guaranteed secure electronic transactions through the server, and secure login to or access of the server.
Fig. 5 is a schematic structural diagram of embodiment one of the dynamic password generating apparatus of the invention. In this embodiment the dynamic password generating apparatus may specifically be a data card installed in a mobile terminal, and may specifically be a SIM card or a SIM expansion card. This embodiment takes the data card as an example to describe the technical solution of the dynamic password generating apparatus of the invention. As shown in Fig. 5, this embodiment comprises: a receiver module 51, a first dynamic password generation module 52, a sending module 53 and a first encryption count update module 54.
The receiver module 51 receives request information sent by the mobile terminal, requesting a dynamic password for authenticating the user; the first dynamic password generation module 52 generates the corresponding first dynamic password by applying the preset encryption algorithm, according to the stored first encryption count, to the stored personal authentication information of the user; the sending module 53 returns the first dynamic password to the mobile terminal, so that the user can request authentication from the server using the first dynamic password; the first encryption count update module 54 updates the first encryption count.
There are two ways in which the first encryption count update module 54 updates the first encryption count. One update mode is: after a first dynamic password is generated, the first encryption count update module 54 automatically updates the first encryption count in the manner agreed in advance with the server, i.e. the manner negotiated with the server at registration. Another, preferred, mode is: after authentication passes, when the server end dynamically determines the second encryption count for the next authentication, it sends an update-encryption-count indication to the data card according to that second encryption count, and the first encryption count update module 54 updates the first encryption count according to this indication.
There are two ways in which the user submits the dynamic password to the server: first, the user enters the dynamic password directly in a client browser or client transaction software, which sends it to the server; second, the user submits it to the server by short message using the mobile terminal.
For the working mechanism of the dynamic password apparatus in this embodiment, refer to the description of the embodiments corresponding to Fig. 1 to Fig. 3; it is not repeated here.
In the dynamic password generating apparatus of the embodiment of the invention, when the server prompts the user to obtain a dynamic password for authentication, the mobile terminal sends request information for generating a dynamic password to the receiver module 51. The first dynamic password generation module 52 generates a dynamic password for the user in good time, according to the built-in encryption algorithm, the user's personal authentication information and the encryption count continually updated by the first encryption count update module 54, and provides it to the mobile terminal through the sending module 53. A user carrying the mobile terminal can therefore obtain a dynamic password for authentication anytime and anywhere, and use it to request authentication from the server in order to carry out secure electronic transactions and securely log in to or access the server. This satisfies the user's need to carry out secure electronic transactions and secure login or server access anytime and anywhere.
Fig. 6 is a schematic structural diagram of embodiment two of the dynamic password generating apparatus of the invention. To keep the first encryption count stored in the dynamic password generating apparatus synchronized with the second encryption count used by the server end, the apparatus can receive an update-encryption-count indication sent by the server after server-side authentication passes. As shown in Fig. 6, on the basis of Fig. 5, the solution further comprises an update indication receiver module 55. The update indication receiver module 55 receives, when authentication passes, the update-encryption-count indication from the server as forwarded by the mobile terminal. This update-encryption-count indication instructs the data card to update the first encryption count according to it.
As shown in Fig. 6, on the basis of Fig. 5, the solution further comprises a first memory module 56. The first memory module 56 stores the encryption algorithm, the user's personal authentication information and the first encryption count. The first encryption count update module 54 described above updates the first encryption count stored in the first memory module according to the update-encryption-count indication.
Fig. 7 is a schematic structural diagram of embodiment one of the server of the invention. As shown in Fig. 7, this embodiment comprises: a second dynamic password generation module 71, an authentication module 72 and a second update module 73.
The second dynamic password generation module 71, after receiving the first dynamic password generated by the user through the dynamic password generating apparatus and submitted for authentication, applies the preset encryption algorithm to the first dynamic password according to the stored second encryption count to generate the second dynamic password; the authentication module 72 authenticates the second dynamic password according to the stored third dynamic password; the second update module 73, when authentication passes, updates the third dynamic password to the first dynamic password, and determines and updates the second encryption count that will be used, at the next authentication of the user, to perform the cryptographic operation on the first dynamic password generated by the dynamic password generating apparatus.
After the server of the embodiment of the invention prompts the user to obtain a dynamic password for authentication, it receives the dynamic password submitted by the user. The second dynamic password generation module 71 performs the cryptographic operation on the dynamic password submitted by the user according to the preset encryption algorithm and the encryption count, generating the third dynamic password. The authentication module 72 then authenticates the third dynamic password according to the stored second dynamic password, the one that passed authentication last time. After each authentication passes, the second update module 73 saves the first dynamic password that passed authentication, and at the same time determines again the encryption count for the next authentication and notifies the dynamic password generating apparatus, so that the first dynamic password generated next time by the dynamic password generating apparatus can be authenticated. As a result, the dynamic password generating apparatus can generate a different first dynamic password every time, and it is guaranteed that the server end can authenticate each different first dynamic password through the corresponding second dynamic password. The user is therefore guaranteed secure electronic transactions through the server, and secure login to or access of the server.
Fig. 8 is a schematic structural diagram of embodiment two of the server of the invention. To keep the first encryption count stored in the dynamic password generating apparatus synchronized with the second encryption count used by the server end, after the server has authenticated the first dynamic password submitted by the dynamic password apparatus, it instructs the dynamic password generating apparatus to update the first encryption count it stores. As shown in Fig. 8, on the basis of the embodiment shown in Fig. 7, this embodiment further comprises an update indicating module 74.
The update indicating module 74 generates the update-encryption-count indication according to the second encryption count and sends it to the mobile terminal in which the dynamic password generating apparatus is installed, so that the dynamic password generating apparatus receives the update-encryption-count indication through the mobile terminal.
As shown in Fig. 8, on the basis of the embodiment shown in Fig. 7, this embodiment further comprises a second memory module 75. The second memory module 75 stores the encryption algorithm, the third dynamic password and the second encryption count. After the second update module 73 described above determines the second encryption count that will be used at the next authentication of the user to perform the cryptographic operation on the first dynamic password generated by the dynamic password generating apparatus, it updates the second encryption count stored in the second memory module 75.
Fig. 9 is a schematic structural diagram of the network system embodiment of the invention. As shown in Fig. 9, this embodiment comprises a mobile terminal 91 in which a dynamic password generating apparatus 90 is installed, and a server 92. For the working mechanism of the dynamic password generating apparatus 90, refer to the description of the embodiments corresponding to Fig. 5 and Fig. 6, and for the server 92 refer to the description of the embodiments corresponding to Fig. 7 and Fig. 8; they are not repeated here.
In the network system of the embodiment of the invention, after the server prompts the user to obtain a dynamic password for authentication, it receives the dynamic password submitted by the user. According to the preset encryption algorithm and the encryption count, it first performs the cryptographic operation on the dynamic password submitted by the user to generate the third dynamic password. It then authenticates the third dynamic password according to the stored second dynamic password, the one that passed authentication last time. After each authentication passes, the first dynamic password that passed authentication is saved, and at the same time the encryption count for the next authentication is determined again and notified to the dynamic password generating apparatus, so that the first dynamic password generated next time by the dynamic password generating apparatus can be authenticated. As a result, the dynamic password generating apparatus can generate a different first dynamic password every time, and it is guaranteed that the server end can authenticate each different first dynamic password through a different second dynamic password. The user is thereby guaranteed secure electronic transactions, and secure login to or access of the server.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention and not to limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the invention may still be modified or equivalently replaced, and that such modifications or equivalent replacements do not make the modified technical solution depart from the spirit and scope of the technical solution of the invention.

Claims (8)

1. A dynamic password generation method, characterized in that it comprises:
receiving request information sent by a mobile terminal, requesting a dynamic password for authenticating a user;
according to a stored first encryption count, applying a preset encryption algorithm to perform a cryptographic operation on stored personal authentication information of said user, and generating a corresponding first dynamic password;
returning said first dynamic password to said mobile terminal, for said user to request authentication from said server using said first dynamic password;
updating said first encryption count;
wherein updating said first encryption count comprises:
when said authentication passes, receiving an update-encryption-count indication from said server, sent by said mobile terminal;
updating said first encryption count according to said update-encryption-count indication.
2. The dynamic password generation method according to claim 1, characterized in that said user requesting authentication from said server using said first dynamic password comprises:
said user sending said first dynamic password to said server by short message using said mobile terminal; or
said user submitting said first dynamic password to said server through a client browser or client transaction software.
3. A dynamic password authentication method, characterized in that it comprises:
after receiving a first dynamic password generated by a user through a dynamic password generating apparatus and submitted for authentication, applying a preset encryption algorithm to perform a cryptographic operation on said first dynamic password according to a stored second encryption count, and generating a second dynamic password;
authenticating said second dynamic password according to a stored third dynamic password;
when said authentication passes, updating said third dynamic password to said first dynamic password;
determining and updating the second encryption count that will be used, at the next authentication of said user, to perform the cryptographic operation on the first dynamic password generated by said dynamic password generating apparatus.
4. The dynamic password authentication method according to claim 3, characterized in that, after said determining and updating the second encryption count that will be used, at the next authentication of said user, to perform the cryptographic operation on the first dynamic password generated by said dynamic password generating apparatus, the method further comprises:
generating an update-encryption-count indication according to said second encryption count;
sending said update-encryption-count indication to the mobile terminal in which said dynamic password generating apparatus is installed, so that said dynamic password generating apparatus receives said update-encryption-count indication through said mobile terminal.
5. A dynamic password generating apparatus, characterized in that it comprises:
a receiver module, for receiving request information sent by a mobile terminal, requesting a dynamic password for authenticating a user;
a first dynamic password generation module, for applying a preset encryption algorithm, according to a stored first encryption count, to perform a cryptographic operation on stored personal authentication information of said user, and generating a corresponding first dynamic password;
a sending module, for returning said first dynamic password to said mobile terminal, for said user to request authentication from said server using said first dynamic password;
a first encryption count update module, for updating said first encryption count; and further comprising:
an update indication receiver module, for receiving, when said authentication passes, an update-encryption-count indication from said server, sent by said mobile terminal, so that said first encryption count update module updates said first encryption count according to said update-encryption-count indication;
wherein said update-encryption-count indication instructs that said first encryption count be updated according to said update-encryption-count indication.
6. A server, characterized in that it comprises:
a second dynamic password generation module, for applying, after receiving a first dynamic password generated by a user through a dynamic password generating apparatus and submitted for authentication, a preset encryption algorithm to perform a cryptographic operation on said first dynamic password according to a stored second encryption count, and generating a second dynamic password;
an authentication module, for authenticating said second dynamic password according to a stored third dynamic password;
a second update module, for updating, when said authentication passes, said third dynamic password to said first dynamic password, and for determining and updating the second encryption count that will be used, at the next authentication of said user, to perform the cryptographic operation on the first dynamic password generated by said dynamic password generating apparatus.
7. The server according to claim 6, characterized in that it further comprises:
an update indicating module, for generating an update-encryption-count indication according to said second encryption count, and sending said update-encryption-count indication to the mobile terminal in which said dynamic password generating apparatus is installed, so that said dynamic password generating apparatus receives said update-encryption-count indication through said mobile terminal.
8. A network system, characterized in that it comprises: a mobile terminal in which the dynamic password generating apparatus according to claim 5 is installed, and the server according to any one of claims 6 to 7.
CN200910242477XA 2009-12-14 2009-12-14 Generation method, authentication method and device for dynamic password and network system Expired - Fee Related CN101931530B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910242477XA CN101931530B (en) 2009-12-14 2009-12-14 Generation method, authentication method and device for dynamic password and network system

Publications (2)

Publication Number Publication Date
CN101931530A CN101931530A (en) 2010-12-29
CN101931530B true CN101931530B (en) 2012-11-28

Family

ID=43370467

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: SHENZHOU PAYMENT (BEIJING) SOFTWARE TECHNOLOGY CO.

Free format text: FORMER OWNER: BEIJING QIANDAIBAO NETWORK TECHNOLOGY CO., LTD.

Effective date: 20140818

C41 Transfer of patent application or patent right or utility model
C56 Change in the name or address of the patentee

Owner name: BEIJING QIANDAIBAO NETWORK TECHNOLOGY CO., LTD.

Free format text: FORMER NAME: BEIJING SHENZHOUFU E-PAY TECHNOLOGY CO., LTD.

CP01 Change in the name or title of a patent holder

Address after: 100088 Beijing City, Haidian District Zhichun Road No. 6 (Jinqiu International Building) No. B03 15

Patentee after: Beijing Bao Bao Network Technology Co.,Ltd.

Address before: 100088 Beijing City, Haidian District Zhichun Road No. 6 (Jinqiu International Building) No. B03 15

Patentee before: Beijing Shenzhoufu E-pay Technology Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20140818

Address after: 100088 Beijing City, Haidian District Zhichun Road No. 6 (Jinqiu International Building) 15 B01 room

Patentee after: BEIJING SHENZHOUFU SOFTWARE TECHNOLOGY Co.,Ltd.

Address before: 100088 Beijing City, Haidian District Zhichun Road No. 6 (Jinqiu International Building) No. B03 15

Patentee before: Beijing Bao Bao Network Technology Co.,Ltd.

EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20101229

Assignee: BEIJING SANKUAI ONLINE TECHNOLOGY Co.,Ltd.

Assignor: BEIJING SHENZHOUFU SOFTWARE TECHNOLOGY Co.,Ltd.

Contract record no.: 2016990000444

Denomination of invention: Generation method, authentication method and device for dynamic password and network system

Granted publication date: 20121128

License type: Common License

Record date: 20161024

LICC Enforcement, change and cancellation of record of contracts on the licence for exploitation of a patent or utility model
CP02 Change in the address of a patent holder

Address after: 100088, 3 floor, building 1, Tai Yue garden, 3005, Beijing, Haidian District

Patentee after: BEIJING SHENZHOUFU SOFTWARE TECHNOLOGY Co.,Ltd.

Address before: 100088 Beijing City, Haidian District Zhichun Road No. 6 (Jinqiu International Building) 15 B01 room

Patentee before: BEIJING SHENZHOUFU SOFTWARE TECHNOLOGY Co.,Ltd.

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121128