CN103701787A - User name password authentication method implemented on basis of public key algorithm - Google Patents

Publication number: CN103701787A
Application number: CN201310704208.7A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 吴一博, 杨文山, 任伟, 许俊
Current assignee: GEER SOFTWARE CO Ltd SHANGHAI
Original assignee: GEER SOFTWARE CO Ltd SHANGHAI
Prior art keywords: user, password, client, private key, public key
Landscapes: Storage Device Security (AREA)

Abstract

The invention discloses a username-password authentication method implemented on the basis of a public key algorithm. The method introduces a public key algorithm into the authentication process and uses it to perform authentication; the user password is not used directly for authentication but to protect the user's private key. Without making authentication any harder for the user, the invention improves the security of username-password authentication and can effectively resist rainbow table attacks.

Description

A username-password authentication method implemented on the basis of a public key algorithm
Technical field
The present invention relates to the field of information security, and more specifically to an identity authentication method based on a user name and password.
Background
On the Internet, websites of all kinds very commonly authenticate their users by user name and password. Password-based authentication is usually implemented in one of the following ways:
The first: the original password is recorded directly in the system database. When the user initiates authentication, the plaintext password is submitted to the server, which compares it with the password recorded in the database; if they match, authentication passes. The security of this approach is extremely low, because the original password is stored and transmitted in plaintext. An attacker can obtain users' passwords by means such as network eavesdropping or attacking the database.
The second: the password is processed with a hash algorithm. The system does not store the original password but its hash value. During authentication, the client computes the hash of the password the user enters and submits this hash value (rather than the original password) to the server. The server decides the authentication result by checking whether the hash submitted by the client matches the hash in the database. This approach solves the eavesdropping problem of the first approach, but it cannot resist rainbow table attacks. Incidents in which large numbers of website user names and passwords were leaked have already occurred on the Internet.
The simplicity of password-based authentication is why it is so widely used on the Internet, but its security has significant problems. Improving the security of user password authentication is therefore a problem that urgently needs solving in this field.
Summary of the invention
In view of the security problems of existing password authentication, the object of the present invention is to provide a username-password authentication method that improves security while retaining the simplicity of password authentication.
To achieve this object, the present invention adopts the following technical solution:
A username-password authentication method implemented on the basis of a public key algorithm: the method introduces a public key algorithm into the authentication process and uses it to perform authentication; the user password is not used directly for authentication but to protect the user's private key.
In a preferred embodiment, the method generates a key pair for the user in the user registration phase and uses the password supplied by the user as the passphrase to encrypt the user private key. The user name, the user public key of the key pair and the encrypted user private key are stored, associated with one another, on the authentication server. This stored information is used as the authentication credential in the authentication phase.
Further, the user authentication phase of the method comprises the following steps:
(1) the client submits the user name to the authentication server to initiate an authentication request;
(2) the authentication server uses the user name submitted by the client to look up the corresponding user public key and encrypted user private key in the database;
(3) the authentication server generates a random number, encrypts it with the corresponding user public key, and returns the encrypted user private key and the encrypted random number to the client;
(4) the client decrypts the encrypted private key data with the user password to obtain the user private key;
(5) the client uses the decrypted user private key to decrypt the encrypted random number data returned by the authentication server in step (3), obtaining the corresponding random number;
(6) the client submits the data produced in step (5) to the authentication server;
(7) the authentication server compares the data submitted in step (6) with the random number generated in step (3); if they match, authentication passes.
Further, in the user registration phase a symmetric algorithm is used to encrypt the user private key with the user password as the passphrase.
Authentication implemented through the above steps improves the security of user password authentication without making authentication harder for the user (more complex interaction, additional authentication devices, and so on).
With this scheme, from the authenticated user's point of view only the user name and user password still need to be provided as credentials; from the authentication server's point of view, the password or its hash value no longer needs to be stored or transmitted. This effectively prevents rainbow table attacks while retaining the simplicity of password authentication, ensuring the security of user password authentication.
Brief description of the drawings
The invention is further described below with reference to the drawings and specific embodiments.
Fig. 1 is the user registration flowchart in the example of the present invention;
Fig. 2 is the flowchart of data processing during user registration in the example of the present invention;
Fig. 3 is the flowchart of user password authentication in the example of the present invention;
Fig. 4 is the flowchart of data processing during user password authentication in the example of the present invention.
Detailed description
To make the technical means, inventive features, objectives and effects of the invention easy to understand, the invention is further explained below with reference to the figures.
The invention addresses the security problems that arise when software platforms such as websites and information systems authenticate user passwords with existing password authentication methods, by introducing a public key (asymmetric) cryptographic algorithm into password authentication. The distinguishing feature of a public key encryption algorithm is that encryption involves a pair of keys: a public key and a private key. Data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key.
The scheme provided by the invention is based on this property: authentication is performed by encrypting with the public key and decrypting with the private key, and the password the user supplies is not used directly for authentication but to encrypt and protect the user's private key. Only someone who knows the correct user password can obtain the private key and complete authentication. Introducing a public key algorithm therefore improves the security of password authentication without making authentication harder for the user (more complex interaction, additional authentication devices, and so on).
The implementation of the invention is described below through a concrete application example. Note that the example only explains how the invention works and is not intended to limit it.
Take a mobile phone application as an example. The application has a client/server architecture. The user uses the functions the system provides through client software installed on the phone. The application uses the method of the invention to authenticate users.
The whole authentication process involves two phases: user registration and user authentication.
Fig. 1 shows the user registration flow in this example. The process is as follows:
1. When the user enters the registration flow, the client prompts for a user name, a user password and a confirmation of the password. After the user enters this information, the client validates it. The user name must be unique within the system; that is, no duplicate user names may exist in the system.
2. The client uses the SM2 algorithm to generate a key pair for this user name, and uses the SM1 algorithm, with the user password entered in step 1 as the passphrase, to encrypt the private key of the key pair (as shown in Fig. 2).
In this step, both the key pair generation and the encryption of the private key with the user's password must be done on the client. This is mainly to ensure that the user private key is never transmitted in plaintext and that the user password does not need to be transmitted at all.
Also, the algorithm used to generate the key pair in this step is not limited to SM2; asymmetric algorithms such as RSA or DSA may be adopted according to system requirements. Likewise, the algorithm used to encrypt the private key with the user password as the passphrase is not limited to SM1; another symmetric algorithm may be adopted according to system requirements.
3. The client uploads only the user name, the user public key and the encrypted user private key to the server (that is, the authentication server); the user password is not transmitted, as shown in Fig. 2.
4. The server records the user name, user public key, encrypted user private key and related information submitted by the client, associated with one another, in the server-side database.
At this point, user registration is complete.
After registration is complete, the user authentication phase begins. Fig. 3 shows the flow of user password authentication in this example; the details are as follows (see Fig. 3 and Fig. 4):
1. The user runs the client and enters the login screen, which requires the user to enter a user name and user password.
2. The client sends an authentication request to the server, carrying the user name in the request.
3. The server uses the user name submitted by the client to look up the corresponding user public key and encrypted user private key in the database. If no record is found for the submitted user name, an error is returned to the client; if a record is found, the flow proceeds to the next step.
4. The server generates a random number and encrypts it with the SM2 algorithm, using the user public key found in step 3 as the key.
5. The server returns the encrypted user private key found in step 3 and the random number encrypted in step 4 to the client.
6. The client uses the user password entered in step 1 as the key and decrypts the private key data with the SM1 algorithm, obtaining the user private key. The algorithm used in this step must be the same as the one used in step 2 of the registration flow. If the password the user entered cannot decrypt the private key, the client reports a wrong user password and ends the authentication flow.
7. The client uses the user private key obtained in step 6 to decrypt the encrypted random number data returned by the server in step 5, obtaining the corresponding random data. If decryption fails, the private key obtained in step 6 is incorrect; the client reports a wrong user password and ends the authentication flow.
8. The client submits the data decrypted in step 7 to the server.
9. The server compares the data submitted in step 8 with the random number generated in step 4; if they match, authentication passes, otherwise authentication fails.
As the example shows, the application system (the server in particular) does not need to store the user's password or its hash value; instead it stores a key pair with very strong randomness. The private key is encrypted with the user password, and neither the plaintext private key nor the password is transmitted over the network at any point in the authentication process. The invention can therefore effectively resist rainbow table attacks.
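The registration and authentication flows above, as an added Python example that is not part of the patent text. Assumptions: X25519 with a hashed shared secret stands in for SM2 public-key encryption, a salted PBKDF2 pad with an HMAC tag stands in for SM1, and all names (`AuthServer`, `client_register`, `client_login`, and the helpers) are hypothetical.

```python
import hashlib, hmac, secrets
# Stand-ins (assumptions): X25519+SHA-256 for SM2 encryption, PBKDF2 pad+HMAC for SM1.
P, A24, BASE = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:  # RFC 7748 ladder; readable, not constant-time
    n = (int.from_bytes(k, "little") & ((1 << 255) - 8)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(a, b))

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, "sha256").digest()

def _kdf(password: str, salt: bytes):     # 32-byte pad + 32-byte MAC key
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000, 64)
    return okm[:32], okm[32:]

def wrap_private_key(password: str, sk: bytes) -> bytes:
    salt = secrets.token_bytes(16)
    pad, mac_key = _kdf(password, salt)
    body = salt + xor(sk, pad)
    return body + _mac(mac_key, body)

def unwrap_private_key(password: str, blob: bytes) -> bytes:
    body, tag = blob[:48], blob[48:]
    pad, mac_key = _kdf(password, body[:16])
    if not hmac.compare_digest(tag, _mac(mac_key, body)):
        raise ValueError("wrong password")            # authentication step 6 failure
    return xor(body[16:], pad)

class AuthServer:
    def __init__(self):
        self.db = {}        # user -> (public key, wrapped private key)
        self.pending = {}   # user -> outstanding random number

    def register(self, user, pk, wrapped):            # registration step 4
        if user in self.db:
            raise ValueError("user name already exists")
        self.db[user] = (pk, wrapped)

    def challenge(self, user):                        # authentication steps 3-5
        pk, wrapped = self.db[user]                   # KeyError: unknown user
        r, eph = secrets.token_bytes(32), secrets.token_bytes(32)
        self.pending[user] = r
        pad = hashlib.sha256(x25519(eph, pk)).digest()
        return wrapped, x25519(eph, BASE), xor(r, pad)

    def verify(self, user, answer):                   # authentication step 9
        r = self.pending.pop(user, None)              # each challenge is single-use
        return r is not None and hmac.compare_digest(r, answer)

def client_register(server, user, password):          # registration steps 2-3
    sk = secrets.token_bytes(32)                      # generated on the client only
    server.register(user, x25519(sk, BASE), wrap_private_key(password, sk))

def client_login(server, user, password):             # authentication steps 2, 6-8
    wrapped, c1, c2 = server.challenge(user)
    try:
        sk = unwrap_private_key(password, wrapped)
    except ValueError:
        return False
    r = xor(c2, hashlib.sha256(x25519(sk, c1)).digest())
    return server.verify(user, r)
```

Because `challenge` returns the wrapped private key to any caller who names a user, the salt and work factor of the wrapping KDF are what limit offline password guessing against that blob. The patent text describes using the password as the symmetric key and mentions no salt or key-stretching step.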
The above shows and describes the basic principles, main features and advantages of the invention. Those skilled in the art should understand that the invention is not limited to the embodiments above; the embodiments and the description merely illustrate its principles. Various changes and improvements may be made without departing from the spirit and scope of the invention, and all of them fall within the claimed scope of the invention. The scope of protection claimed is defined by the appended claims and their equivalents.

Claims (4)

1. A username-password authentication method implemented on the basis of a public key algorithm, characterized in that the method introduces a public key algorithm into the authentication process and uses it to perform authentication, and the user password is not used directly for authentication but to protect the user's private key.
2. The username-password authentication method implemented on the basis of a public key algorithm according to claim 1, characterized in that, in the user registration phase, the method generates a key pair for the user and uses the user password supplied by the user as the passphrase to encrypt the user private key; the user name, the user public key of the key pair and the encrypted user private key are stored, associated with one another, on the authentication server used for authentication, to serve as the authentication credential in the authentication phase.
3. The username-password authentication method implemented on the basis of a public key algorithm according to claim 1 or 2, characterized in that the user authentication phase of the method comprises the following steps:
(1) the client submits the user name to the authentication server to initiate an authentication request;
(2) the authentication server uses the user name submitted by the client to look up the corresponding user public key and encrypted user private key in the database;
(3) the authentication server generates a random number, encrypts it with the corresponding user public key, and returns the encrypted user private key and the encrypted random number to the client;
(4) the client decrypts the encrypted private key data with the user password to obtain the user private key;
(5) the client uses the decrypted user private key to decrypt the encrypted random number data returned by the authentication server in step (3), obtaining the corresponding random number;
(6) the client submits the data produced in step (5) to the authentication server;
(7) the authentication server compares the data submitted in step (6) with the random number generated in step (3); if they match, authentication passes.
4. The username-password authentication method implemented on the basis of a public key algorithm according to claim 2, characterized in that in the user registration phase a symmetric algorithm is used to encrypt the user private key with the user password as the passphrase.
Application number: CN201310704208.7A
Priority date: 2013-12-19
Filing date: 2013-12-19
Title: User name password authentication method implemented on basis of public key algorithm
Status: Pending
Publication: CN103701787A (en), published 2014-04-02
Family ID: 50363184
Country: CN

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 200436 Room 601, Lane 299, Lane 299, JIANGCHANG West Road, Jingan District, Shanghai

Applicant after: Geer software Limited by Share Ltd

Address before: 200070 B, 501E, 199 JIANGCHANG West Road, Zhabei District, Shanghai.

Applicant before: Geer Software Co., Ltd., Shanghai

RJ01 Rejection of invention patent application after publication

Application publication date: 20140402