Summary of the invention
The present invention provides a bidirectional identity authentication method and system based on dynamic passwords, which can authenticate the application unit and thereby improve the security of the application system.
In one aspect, the present invention provides a bidirectional identity authentication method based on dynamic passwords, including:
S1: The application unit receives an externally input user identifier and a first dynamic password;
S2: The application unit sends the user identifier, the first dynamic password, and pre-stored verification information used to verify the application unit to the authentication unit;
S3: The authentication unit receives the user identifier, the first dynamic password, and the verification information;
S4: The authentication unit verifies the first dynamic password according to the user identifier;
S5: After the first dynamic password passes verification, the authentication unit authenticates the application unit according to the verification information. If the authentication passes, the authentication unit generates a second dynamic password according to the user identifier and sends the second dynamic password to the application unit, and S6 and S7 are executed in turn; otherwise, the authentication unit does not generate the second dynamic password;
S6: The application unit receives the second dynamic password;
S7: The application unit outputs the second dynamic password.
Further, S4 includes:
S41: The authentication unit determines the seed of a first verification dynamic password according to the user identifier and a preset correspondence between user identifiers and seeds of the first verification dynamic password;
S42: The authentication unit generates the first verification dynamic password by a hash algorithm according to the seed of the first verification dynamic password and the time;
S43: The authentication unit judges whether the first verification dynamic password and the first dynamic password are identical. If so, verification passes and step S5 is executed; otherwise, verification fails, and the authentication unit sends verification failure information to the application unit so that the application unit outputs the verification failure message.
Further, the authentication unit generating the second dynamic password according to the user identifier includes:
S51: The authentication unit determines the second seed of the second dynamic password according to the user identifier and a preset correspondence between user identifiers and seeds of the second dynamic password;
S52: The authentication unit generates the second dynamic password by a hash algorithm according to the second seed and the time.
Further, S7 includes:
The application unit outputs the second dynamic password, so that the second dynamic password can be verified externally against a second verification dynamic password in a dynamic password terminal, wherein the first dynamic password and the second verification dynamic password are both in that dynamic password terminal.
Further, S5 also includes: if the authentication passes, the authentication unit sends verification additional information to the application unit so that the application unit outputs the verification additional information, wherein the verification additional information includes the identification information of the application unit.
In another aspect, the present invention provides a bidirectional identity authentication system based on dynamic passwords, including: an application unit and an authentication unit;
The application unit is configured to receive an externally input user identifier and a first dynamic password, send the user identifier, the first dynamic password, and pre-stored verification information used to verify the application unit to the authentication unit, receive the second dynamic password sent by the authentication unit, and output the second dynamic password;
The authentication unit is configured to receive the user identifier, the first dynamic password, and the verification information, verify the first dynamic password according to the user identifier and, after the first dynamic password passes verification, authenticate the application unit according to the verification information. If the authentication of the application unit passes, the authentication unit generates a second dynamic password according to the user identifier and sends the second dynamic password to the application unit; otherwise, the authentication unit does not generate the second dynamic password.
Further, the authentication unit includes:
A first determination subunit, configured to determine the seed of the first verification dynamic password according to the user identifier and a preset correspondence between user identifiers and seeds of the first verification dynamic password;
A first generation subunit, configured to generate the first verification dynamic password by a hash algorithm according to the seed of the first verification dynamic password and the time;
A judgment subunit, configured to judge whether the first verification dynamic password and the first dynamic password are identical. If so, it determines that verification passes and authenticates the application unit according to the verification information; otherwise, it determines that verification fails and sends verification failure information to the application unit so that the application unit outputs the verification failure message.
Further, the authentication unit includes:
A second determination subunit, configured to determine the second seed of the second dynamic password according to the user identifier and a preset correspondence between user identifiers and seeds of the second dynamic password;
A second generation subunit, configured to generate the second dynamic password by a hash algorithm according to the second seed and the time.
Further, the application unit is specifically configured to output the second dynamic password, so that the second dynamic password can be verified externally against the second verification dynamic password in a dynamic password terminal, wherein the first dynamic password and the second verification dynamic password are both in that dynamic password terminal.
Further, the authentication unit is also configured to send verification additional information to the application unit if the authentication of the application unit passes, so that the application unit outputs the verification additional information, wherein the verification additional information includes the identification information of the application unit.
With the bidirectional identity authentication method and system based on dynamic passwords provided by the present invention, after the authentication unit's authentication of the application unit passes, a second dynamic password can be generated and output to the user, so that the user can verify the application unit, which improves the security of the application system.
Specific embodiment
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative work shall fall within the protection scope of the present invention.
An embodiment of the present invention provides a bidirectional identity authentication method based on dynamic passwords. Referring to Fig. 1, the method includes:
Step 101: The application unit receives an externally input user identifier and a first dynamic password;
Step 102: The application unit sends the user identifier, the first dynamic password, and pre-stored verification information used to verify the application unit to the authentication unit;
Step 103: The authentication unit receives the user identifier, the first dynamic password, and the verification information;
Step 104: The authentication unit verifies the first dynamic password according to the user identifier;
Step 105: After the first dynamic password passes verification, the authentication unit authenticates the application unit according to the verification information. If the authentication passes, steps 106, 107, 108 and 109 are executed in turn; if the authentication does not pass, step 110 is executed;
Step 106: The authentication unit generates a second dynamic password according to the user identifier;
Step 107: The authentication unit sends the second dynamic password to the application unit;
Step 108: The application unit receives the second dynamic password;
Step 109: The application unit outputs the second dynamic password;
Step 110: The authentication unit does not generate the second dynamic password.
With the method provided by the above embodiment, after the authentication unit's authentication of the application unit passes, a second dynamic password can be generated and output to the user, so that the user can verify the application unit, which improves the security of the application system.
The application unit in this embodiment may be a website, application software, an application server, etc.; the authentication unit in this embodiment may be an authentication server, authentication software, an authentication module, etc.
In step 109, the application unit may display the second dynamic password, or may output it as a voice signal. After the user learns the second dynamic password, the user compares it with the verification dynamic password, in the user's own dynamic password terminal, that is used to verify the second dynamic password. If the two are identical, this proves that the application unit has passed the verification of the authentication unit and that the application unit is safe, which avoids unsafe networks such as phishing websites. The first dynamic password and the verification dynamic password used to verify the second dynamic password are in the same dynamic password terminal. The user's dynamic password terminal may take the form of hardware, an APP (Application, application software), etc.
In the above embodiment, the authentication unit informs the user that the application unit has been verified by means of a dynamic password, which prevents an unverified application unit from outputting a false verification message to the user. For example, if the authentication unit informed the user that verification passed by means of a text message, an unverified application unit could easily forge a text message informing the user that verification passed; if a dynamic password is used to inform the user, it is difficult for an unverified application unit to forge, which improves the security of the application system.
In one possible implementation, step 104 includes step 1041, step 1042 and step 1043, which are not shown in the figure:
Step 1041: The authentication unit determines the seed of the first verification dynamic password according to the user identifier and a preset correspondence between user identifiers and seeds of the first verification dynamic password;
Step 1042: The authentication unit generates the first verification dynamic password by a hash algorithm according to the seed of the first verification dynamic password and the time;
Step 1043: The authentication unit judges whether the first verification dynamic password and the first dynamic password are identical. If so, verification passes and step 105 is executed; otherwise, verification fails, and the authentication unit sends verification failure information to the application unit so that the application unit outputs the verification failure message.
In step 106, the authentication unit generating the second dynamic password according to the user identifier includes step 1061 and step 1062, which are not shown in the figure:
Step 1061: The authentication unit determines the second seed of the second dynamic password according to the user identifier and a preset correspondence between user identifiers and seeds of the second dynamic password;
Step 1062: The authentication unit generates the second dynamic password by a hash algorithm according to the second seed and the time.
S7 includes:
The application unit outputs the second dynamic password, so that the second dynamic password can be verified externally against the second verification dynamic password in a dynamic password terminal, wherein the first dynamic password and the second verification dynamic password are both in that dynamic password terminal.
For example, verifying the second dynamic password externally against the second verification dynamic password in the dynamic password terminal specifically includes: obtaining the second dynamic password output by the application terminal and the second verification dynamic password in the dynamic password terminal; and comparing the second dynamic password with the second verification dynamic password. If they are identical, verification passes; otherwise, verification fails.
In addition, step 105 also includes: if the authentication passes, the authentication unit sends verification additional information to the application unit so that the application unit outputs the verification additional information, wherein the verification additional information includes the identification information of the application unit.
The identification information of the application unit includes: the DNS (Domain Name System) address, IP (Internet Protocol) address, MAC (Media Access Control) address, etc. of the application unit. The second dynamic password may consist of digits, letters, symbols, or a combination of digits, letters and symbols. The returned second dynamic password and verification additional information may be represented as text, an image, a two-dimensional code, etc.
The verification additional information may also include a verification URL (Uniform Resource Locator) that points to the authentication unit. When the user clicks the verification URL, the user can view the identification information of the application unit at the authentication unit, and can view the number of times the verification has been clicked, etc.
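The exchange in steps 101 to 110, including sub-steps 1041 to 1043 and 1061 to 1062, as an added example that is not part of the patent text. HMAC-SHA256 over a 30-second time step, the six-digit length, the shared-secret form of the verification information, and all names and sample values are assumptions; the text only specifies a seed, the time and a hash algorithm.

```python
import hashlib
import hmac
import struct

STEP = 30  # assumed time-step in seconds; the page only says "time"

def dynamic_password(seed: bytes, now: int, digits: int = 6) -> str:
    """Seed and time through a hash algorithm (HMAC-SHA256 is an assumption)."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)

def same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

class AuthenticationUnit:
    def __init__(self, user_seeds, app_secrets):
        self.user_seeds = user_seeds    # user id -> (first seed, second seed)
        self.app_secrets = app_secrets  # app id -> verification information

    def authenticate(self, user_id, first_pw, app_id, app_info, now):
        seeds = self.user_seeds.get(user_id)
        # Steps 1041-1043: look up the seed, regenerate, compare.
        if seeds is None or not same(dynamic_password(seeds[0], now), first_pw):
            return {"ok": False, "reason": "first dynamic password rejected"}
        # Step 105: authenticate the application unit (a shared secret here).
        known = self.app_secrets.get(app_id)
        if known is None or not hmac.compare_digest(known, app_info):
            return {"ok": False, "reason": "application unit rejected"}  # step 110
        # Steps 1061-1062: the second seed must differ from the first, or the
        # application unit could simply echo the password the user typed.
        return {"ok": True, "second_pw": dynamic_password(seeds[1], now),
                "app_identity": app_id}

class Terminal:
    """The user's dynamic password terminal, holding both seeds."""
    def __init__(self, first_seed, second_seed):
        self.first_seed, self.second_seed = first_seed, second_seed

    def first_password(self, now):
        return dynamic_password(self.first_seed, now)

    def verify_second(self, shown, now):
        return same(dynamic_password(self.second_seed, now), shown)

def run_demo(now=1_700_000_000):
    # Constructed sample data, not values from the page.
    s1, s2 = b"constructed-first-seed", b"constructed-second-seed"
    auth = AuthenticationUnit({"alice": (s1, s2)}, {"shop.example": b"app-secret"})
    term = Terminal(s1, s2)
    pw1 = term.first_password(now)
    genuine = auth.authenticate("alice", pw1, "shop.example", b"app-secret", now)
    phish = auth.authenticate("alice", pw1, "shop.example", b"guess", now)
    return term, genuine, phish, now

if __name__ == "__main__":
    term, genuine, phish, now = run_demo()
    print("genuine:", genuine, term.verify_second(genuine["second_pw"], now))
    print("phishing:", phish)
```

Both sides are given the same `now` here; a deployment would also have to decide how much clock drift between the terminal and the authentication unit to tolerate.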
Fig. 2 shows a bidirectional identity authentication system based on dynamic passwords. The system includes: an application unit 201 and an authentication unit 202;
The application unit 201 is configured to receive an externally input user identifier and a first dynamic password, send the user identifier, the first dynamic password, and pre-stored verification information used to verify the application unit to the authentication unit, receive the second dynamic password sent by the authentication unit, and output the second dynamic password;
The authentication unit 202 is configured to receive the user identifier, the first dynamic password, and the verification information, verify the first dynamic password according to the user identifier and, after the first dynamic password passes verification, authenticate the application unit according to the verification information. If the authentication of the application unit passes, the authentication unit generates a second dynamic password according to the user identifier and sends the second dynamic password to the application unit; otherwise, the authentication unit does not generate the second dynamic password.
In one possible implementation, the authentication unit includes the following, which are not shown in the figure:
A first determination subunit, configured to determine the seed of the first verification dynamic password according to the user identifier and a preset correspondence between user identifiers and seeds of the first verification dynamic password;
A first generation subunit, configured to generate the first verification dynamic password by a hash algorithm according to the seed of the first verification dynamic password and the time;
A judgment subunit, configured to judge whether the first verification dynamic password and the first dynamic password are identical. If so, it determines that verification passes and authenticates the application unit according to the verification information; otherwise, it determines that verification fails and sends verification failure information to the application unit so that the application unit outputs the verification failure message.
In another possible implementation, the authentication unit includes the following, which are not shown in the figure:
A second determination subunit, configured to determine the second seed of the second dynamic password according to the user identifier and a preset correspondence between user identifiers and seeds of the second dynamic password;
A second generation subunit, configured to generate the second dynamic password by a hash algorithm according to the second seed and the time.
The second generation subunit is specifically configured to generate the second dynamic password by a hash algorithm according to the second seed.
The application unit is specifically configured to output the second dynamic password, so that the second dynamic password can be verified externally against the second verification dynamic password in a dynamic password terminal, wherein the first dynamic password and the second verification dynamic password are both in that dynamic password terminal.
In addition, the authentication unit is also configured to send verification additional information to the application unit if the authentication of the application unit passes, so that the application unit outputs the verification additional information, wherein the verification additional information includes the identification information of the application unit.
The information exchange between the units and subunits of the above device, their execution process, and similar content are based on the same concept as the method embodiment of the present invention. For details, refer to the description in the method embodiment of the present invention, which is not repeated here.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiment may be completed by hardware related to program instructions. The aforementioned program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiment. The aforementioned storage medium includes various media that can store program code, such as ROM, RAM, magnetic disks, or optical disks.
Finally, it should be noted that the above are only preferred embodiments of the present invention, used merely to illustrate the technical solutions of the present invention, and are not intended to limit the protection scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.