CN104333555B - A kind of dynamic token method of work and system - Google Patents

Publication number
CN104333555B
Authority
CN
China
Prior art keywords
code
key
seed
signature
generation
Legal status
Active
Application number
CN201410647744.2A
Other languages
Chinese (zh)
Other versions
CN104333555A (en
Inventor
董思
廖敏飞
李文鹏
吴孟晴
刘丽娟
许腾
Current Assignee
China Construction Bank Corp
Original Assignee
China Construction Bank Corp

Abstract

The dynamic token working method and system disclosed by the invention divide a user's authentication needs into two categories in advance: a login authentication need, and a signature authentication need for signing during a transaction (after login). After the dynamic token has been activated successfully, it generates in advance a login key and a signature key, one for each category. Later, when the user has a business transaction that requires login or signature authentication, the dynamic token uses the login key or the signature key, together with the challenge code the user enters at that time, to generate the corresponding login response code or signature response code for the user. Thus the invention provides a different computation key for each of the user's authentication needs, so that the token's key is harder to crack, the working mechanism and flow of the dynamic token are more secure, dual authentication of the user's transaction is achieved, the difficulty for criminals of reverse-deriving the token's operating principle is increased, and the security of the user's account is ensured.

Description

A kind of dynamic token method of work and system
Technical field
The invention belongs to the technical field of security authentication in banking systems, and in particular to a dynamic token working method and system.
Background technology
A dynamic token is a terminal that generates dynamic passwords. A dynamic password is a safe and convenient account anti-theft technique that effectively protects the security of login authentication during transactions.
Technically, dynamic tokens fall into three types: time-synchronous, event-synchronous and challenge/response. At present, the working method of a challenge/response dynamic token is based on the OATH algorithm standard: the challenge code entered by the user is combined with the seed key built into the token to compute the corresponding response code, which is used for login authentication during a transaction. The working mechanism and flow of existing challenge/response dynamic tokens are therefore relatively simple, which makes it relatively easy for criminals to reverse-derive the token's operating principle and in turn leaves the security of the user's account relatively low.
Content of the invention
In view of this, the object of the invention is to provide a dynamic token working method and system that address the relatively simple working mechanism and flow of existing challenge/response dynamic tokens, increase the difficulty for criminals of reverse-deriving the token's operating principle, and thereby ensure the security of the user's account.
To that end, the invention discloses the following technical scheme:
A kind of dynamic token method of work, including:
receiving a login response code generation request from the user, the request including a login challenge code;
processing the login challenge code, the login key generated in advance in the dynamic token, and the current real time to obtain a login response code, where the login key is a key that the dynamic token generated at activation time from its built-in seed key, the login purpose code, and the activation code provided by the authentication server;
receiving a signature response code generation request from the user, the request including a signature challenge code;
processing the signature challenge code, the signature key generated in advance in the dynamic token, and the current real time to obtain a signature response code, where the signature key is a key that the dynamic token generated at activation time from its built-in seed key, the signature purpose code, and the activation code provided by the authentication server.
Preferably, the above method further includes the following preprocessing before the login response code generation request is received:
verifying the activation code provided by the authentication server and, if verification passes, performing the following operations:
using the national (SM) SM3 hash algorithm and the formula Work_Seed=SM3(Seed | ActiveCode) to generate the working key Work_Seed, where SM3 denotes the national SM3 hash algorithm, Seed denotes the seed key, and ActiveCode denotes the activation code;
using the SM3 hash algorithm and the formula Otp_Seed=SM3(Work_Seed | alg_type_1) to generate the login key Otp_Seed, where alg_type_1 denotes the login purpose code;
using the SM3 hash algorithm and the formula sign_Seed=SM3(Work_Seed | alg_type_2) to generate the signature key sign_Seed, where alg_type_2 denotes the signature purpose code.
Preferably, processing the login challenge code, the login key generated in advance in the dynamic token, and the current real time to obtain the login response code includes:
using the SM3 hash algorithm and the SM3 truncation algorithm, with the formula OTP=Truncate_SM3(SM3(Otp_Seed | UTC | ChallengeCode)), to generate the login response code OTP;
where Truncate_SM3 denotes the SM3 truncation algorithm, ChallengeCode denotes the login challenge code, and UTC denotes the current universal (UTC) time.
Preferably, processing the signature challenge code, the signature key generated in advance in the dynamic token, and the current real time to obtain the signature response code includes:
using the SM3 hash algorithm and the SM3 truncation algorithm, with the formula Sign_OTP=Truncate_SM3(SM3(Sign_Seed | UTC | SignCode)), to generate the signature response code Sign_OTP;
where Truncate_SM3 denotes the SM3 truncation algorithm, SignCode denotes the signature challenge code, and UTC denotes the current universal (UTC) time.
Preferably, when the activation code passes verification, the preprocessing further includes:
using the SM3 hash algorithm and the formula Puk_Seed=SM3(Work_Seed | alg_type_3) to generate the unlock key Puk_Seed, where alg_type_3 denotes the unlock purpose code.
Preferably, the above method further includes:
after the token is powered on, receiving the personal identification number (PIN) entered by the user and verifying its correctness; if the number of incorrect PIN entries reaches a set value, locking the token and displaying a token-locked prompt and an unlock request code;
receiving the unlock code entered by the user and unlocking the token, where the unlock code is generated by the authentication server according to the formula PUK=Truncate_SM3(SM3(Puk_Seed | Puk_Request)), Truncate_SM3 denotes the SM3 truncation algorithm, PUK denotes the unlock code, and Puk_Request denotes the unlock request code.
A kind of dynamic token work system, including:
a first receiving module for receiving a login response code generation request from the user, the request including a login challenge code;
a first processing module for processing the login challenge code, the login key generated in advance in the dynamic token, and the current real time to obtain a login response code, where the login key is a key that the dynamic token generated at activation time from its built-in seed key, the login purpose code, and the activation code provided by the authentication server;
a second receiving module for receiving a signature response code generation request from the user, the request including a signature challenge code;
a second processing module for processing the signature challenge code, the signature key generated in advance in the dynamic token, and the current real time to obtain a signature response code, where the signature key is a key that the dynamic token generated at activation time from its built-in seed key, the signature purpose code, and the activation code provided by the authentication server.
Preferably, the above system further includes a preprocessing module, which includes:
a verification unit for verifying the activation code provided by the authentication server and, when verification passes, triggering the working key generation unit below;
a working key generation unit for using the SM3 hash algorithm and the formula Work_Seed=SM3(Seed | ActiveCode) to generate the working key Work_Seed, where SM3 denotes the national SM3 hash algorithm, Seed denotes the seed key, and ActiveCode denotes the activation code;
a login key generation unit for using the SM3 hash algorithm and the formula Otp_Seed=SM3(Work_Seed | alg_type_1) to generate the login key Otp_Seed, where alg_type_1 denotes the login purpose code;
a signature key generation unit for using the SM3 hash algorithm and the formula sign_Seed=SM3(Work_Seed | alg_type_2) to generate the signature key sign_Seed, where alg_type_2 denotes the signature purpose code.
Preferably, the first processing module includes:
a login response code generation unit for using the SM3 hash algorithm and the SM3 truncation algorithm, with the formula OTP=Truncate_SM3(SM3(Otp_Seed | UTC | ChallengeCode)), to generate the login response code OTP;
where Truncate_SM3 denotes the SM3 truncation algorithm, ChallengeCode denotes the login challenge code, and UTC denotes the current universal (UTC) time.
Preferably, the second processing module includes:
a signature response code generation unit for using the SM3 hash algorithm and the SM3 truncation algorithm, with the formula Sign_OTP=Truncate_SM3(SM3(Sign_Seed | UTC | SignCode)), to generate the signature response code Sign_OTP;
where Truncate_SM3 denotes the SM3 truncation algorithm, SignCode denotes the signature challenge code, and UTC denotes the current universal (UTC) time.
Preferably, the preprocessing module further includes:
an unlock key generation unit for using the SM3 hash algorithm and the formula Puk_Seed=SM3(Work_Seed | alg_type_3) to generate the unlock key Puk_Seed, where alg_type_3 denotes the unlock purpose code.
Preferably, the above system further includes a security protection module, which includes:
a locking unit for receiving, after the token is powered on, the personal identification number (PIN) entered by the user and verifying its correctness, and, if the number of incorrect PIN entries reaches a set value, locking the token and displaying a token-locked prompt and an unlock request code;
an unlocking unit for receiving the unlock code entered by the user and unlocking the token, where the unlock code is generated by the authentication server according to the formula PUK=Truncate_SM3(SM3(Puk_Seed | Puk_Request)), Truncate_SM3 denotes the SM3 truncation algorithm, PUK denotes the unlock code, and Puk_Request denotes the unlock request code.
From the above scheme, the invention divides the user's authentication needs into two categories in advance: the login authentication need, and the signature authentication need for signing during a transaction (after login). After the dynamic token has been activated successfully, it generates in advance a login key and a signature key corresponding to the two categories. Later, when the user has a business transaction requiring login or signature authentication, the dynamic token uses the login key or the signature key, together with the challenge code the user enters at that time, to generate the corresponding login response code or signature response code for the user. Thus the invention sets a different computation key for each of the user's authentication needs, so the token's key is harder to crack and the token's working mechanism and flow are more secure; by providing a login response code and a signature response code for the login and signature authentication needs respectively, dual authentication of the user's transaction is achieved, the difficulty for criminals of reverse-deriving the token's operating principle is increased, and the security of the user's account is ensured.
Brief description of the drawings
To explain the embodiments of the invention or the prior-art technical schemes more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below are only embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the dynamic token working method disclosed in embodiment one of the invention;
Fig. 2 is a flow chart of dynamic token locking and unlocking disclosed in embodiment two of the invention;
Fig. 3 is a schematic diagram of dynamic token unlocking disclosed in embodiment two of the invention;
Fig. 4 is a structural diagram of a dynamic token working system disclosed in embodiment three of the invention;
Fig. 5 is another structural diagram of the dynamic token working system disclosed in embodiment three of the invention;
Fig. 6 is a further structural diagram of the dynamic token working system disclosed in embodiment three of the invention.
Embodiment
The technical schemes in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention, without creative effort, fall within the scope of protection of the invention.
Embodiment one
Embodiment one discloses a dynamic token working method. With reference to Fig. 1, the method may include the following steps:
S101: receive a login response code generation request from the user, the request including a login challenge code.
Before first use, the user must activate the dynamic token; that is, every step of the invention is built on the preprocessing step of activating the dynamic token.
When the dynamic token is activated, the authentication server produces an activation code, and the user manually enters the activation code produced by the server into the dynamic token. The activation code is generated as follows:
ActiveCode=ChallengeRand | Truncate_SM3(SM3(Seed | ChallengeRand)) (1)
In formula (1), ActiveCode denotes the 12-digit activation code; ChallengeRand denotes a 6-digit decimal random number, which is padded with zeros on the right to a length of 128 bits when it is substituted into the formula; SM3 denotes the national SM3 hash algorithm; Truncate_SM3 denotes the SM3 truncation algorithm, which outputs a 6-digit decimal number; Seed is the 32-byte seed plaintext.
The invention proposes an SM3 truncation algorithm built on the national SM3 hash algorithm. By definition, the SM3 truncation algorithm converts an SM3 hash result or HMAC result into a 6-digit dynamic password. Specifically, the invention defines it as follows:
Define S1, S2, S3, S4, S5, S6, S7, S8 as eight 4-byte integers, assigned from the bytes S[0..31] of the hash result as follows:
S1=S[0]<<24|S[1]<<16|S[2]<<8|S[3]
S2=S[4]<<24|S[5]<<16|S[6]<<8|S[7]
S3=S[8]<<24|S[9]<<16|S[10]<<8|S[11]
S4=S[12]<<24|S[13]<<16|S[14]<<8|S[15]
S5=S[16]<<24|S[17]<<16|S[18]<<8|S[19]
S6=S[20]<<24|S[21]<<16|S[22]<<8|S[23]
S7=S[24]<<24|S[25]<<16|S[26]<<8|S[27]
S8=S[28]<<24|S[29]<<16|S[30]<<8|S[31]
OD=(S1+S2+S3+S4+S5+S6+S7+S8) MOD 2^32
The password (i.e. the output of the SM3 truncation algorithm) is then obtained as: Otp=OD mod 1000000.
After the dynamic token receives the activation code entered by the user, it verifies the activation code. The verification principle is: compute an OTP (One-time Password, i.e. a dynamic password) from the ChallengeRand contained in the activation code (its first 6 digits), then compare this OTP with the last 6 digits of the activation code; if the two are identical, verification passes and activation succeeds, otherwise activation fails.
In the invention, after the dynamic token has verified the activation code and activated successfully, it proceeds to key conversion. Specifically, using the SM3 hash algorithm, it processes the original seed Seed (built into the dynamic token) and the activation code to obtain the working key, and stores the resulting working key.
The working key is generated with the following formula:
Work_Seed=SM3(Seed | ActiveCode) (2)
In formula (2), Seed denotes the seed key, 32 bytes; ActiveCode denotes the activation code, which takes part in the computation in ASCII form; for example, 123456889012 takes part in the computation in the form 0x31,0x32, ... ,0x32.
The invention divides the user's authentication needs into two classes: the login authentication need (authentication when logging in during a transaction) and the signature authentication need (authentication when signing during a transaction). Correspondingly, the invention sets a computation key for each of the two authentication needs: a login key and a signature key.
In this embodiment, the login key and the signature key are defined as follows:
char alg_1[32]; // login key Otp_Seed
char alg_2[32]; // signature key Sign_Seed
The purpose codes corresponding to the two computation keys are defined as follows:
int alg_type_1=1; // login dynamic password; int is a 4-byte integer
int alg_type_2=2; // signature dynamic password; int is a 4-byte integer
After activation succeeds and the working key has been generated, the dynamic token continues to use the SM3 hash algorithm to process the generated working key together with the computation key purpose codes defined above, and obtains the login key and the signature key accordingly. Specifically, the working key (32 bytes) + purpose code (4 bytes) form a message; the SM3 hash algorithm computes a hash value of that message, and the resulting hash value is used as the computation key of the dynamic password, supporting the subsequent generation of the user's authentication response codes.
Because generating a computation key requires the working key, the dynamic token must generate the computation keys only after the working key has been synchronized.
The login key is generated with the following formula (3):
Otp_Seed=SM3(Work_Seed | alg_type_1) (3)
In formula (3), Work_Seed denotes the working key, 32 bytes in total; alg_type_1 denotes the login purpose code, 4 bytes in total, low-order first, taking part in the computation in the form 00000001.
Correspondingly, the signature key is generated with the following formula (4):
Sign_Seed=SM3(Work_Seed | alg_type_2) (4)
In formula (4), Work_Seed denotes the working key, 32 bytes in total; alg_type_2 denotes the signature purpose code, 4 bytes in total, low-order first, taking part in the computation in the form 00000002.
The above is the work the dynamic token performs after it has been activated and verification has passed; this part can serve as the preprocessing of the method of the invention.
On that basis, when the user needs to carry out a transaction, login authentication of the user is first required to ensure the security of the user's account. The authentication server then generates a login challenge code for the user and displays it to the user on the application system web page. The user enters the login challenge code shown on the web page into the dynamic token and presses the login response code generation button (the button may also be pressed first and the challenge code entered afterwards), thereby sending a login response code generation request to the dynamic token. Once the dynamic token has received the login response code generation request triggered by the user, it generates the corresponding login response code for the user according to the processing logic of the invention.
S102: process the login challenge code, the login key generated in advance in the dynamic token, and the current real time to obtain a login response code, where the login key is a key that the dynamic token generated at activation time from its built-in seed key, the login purpose code, and the activation code provided by the authentication server.
Specifically, after receiving the login response code generation request triggered by the user, the dynamic token uses the SM3 hash algorithm and the SM3 truncation algorithm to generate the login response code with the following formula (5):
OTP=Truncate_SM3(SM3(Otp_Seed | UTC | ChallengeCode)) (5)
In formula (5), OTP (6 bytes) denotes the login password, i.e. the login response code, in decimal; Truncate_SM3 denotes the SM3 truncation algorithm; Otp_Seed denotes the login key, 32 bytes; UTC (Universal Time Coordinated) denotes the current UTC time, 8 bytes, counted in minutes, high-order first and low-order last; ChallengeCode is the 4- to 20-digit login challenge code produced by the server, high byte first, taking part in the computation as its ASCII code; for example, 123456 converts to the ASCII codes 0x31,0x32,0x33,0x34,0x35,0x36.
When UTC | ChallengeCode is substituted into formula (5), if its total length is less than 128 bits, zeros are appended so that the total length of UTC | ChallengeCode reaches 128 bits; if the total length exceeds 128 bits, it is substituted into formula (5) directly.
The user can then read the login response code produced by the dynamic token and enter it on the application system web page to complete login authentication.
S103: receive a signature response code generation request from the user, the request including a signature challenge code.
If the user needs to sign a transaction after login authentication has succeeded, the invention performs signature authentication of the user to further ensure the security of the user's account. The authentication server then generates a signature challenge code for the user. The user reads the signature challenge code produced by the server on the application system web page, enters it into the dynamic token, and presses the signature response code generation button on the dynamic token, thereby sending a signature response code generation request to the dynamic token.
S104: process the signature challenge code, the signature key generated in advance in the dynamic token, and the current real time to obtain a signature response code, where the signature key is a key that the dynamic token generated at activation time from its built-in seed key, the signature purpose code, and the activation code provided by the authentication server.
After the dynamic token receives the above request, it uses the SM3 hash algorithm and the SM3 truncation algorithm to generate the signature response code with the following formula (6):
Sign_OTP=Truncate_SM3(SM3(Sign_Seed | UTC | SignCode)) (6)
In formula (6), Sign_OTP (6 bytes) denotes the signature password, i.e. the signature response code, in decimal; Truncate_SM3 denotes the SM3 truncation algorithm; Sign_Seed denotes the signature key, 32 bytes; UTC denotes the current UTC time, 8 bytes, counted in minutes, high-order first and low-order last; SignCode denotes the 4- to 20-digit signature challenge code produced by the server, high byte first, taking part in the computation as its ASCII code.
When UTC | SignCode is substituted into formula (6), if its total length is less than 128 bits, zeros are appended so that the total length of UTC | SignCode reaches 128 bits; if its total length exceeds 128 bits, it is substituted into formula (6) directly.
The user can then read the signature response code produced by the dynamic token and enter it on the application system web page to complete signature authentication.
From the above scheme, the invention divides the user's authentication needs into two categories in advance: the login authentication need, and the authentication need for signing during a transaction (after login). After the dynamic token has been activated successfully, it generates in advance a login key and a signature key corresponding to the two categories. Later, when the user has a business transaction requiring login or signature authentication, the dynamic token uses the login key or the signature key, together with the challenge code the user enters at that time, to generate the corresponding login response code or signature response code for the user. Thus the invention sets a different computation key for each of the user's authentication needs, so the token's key is harder to crack and the token's working mechanism and flow are more secure; by providing a login response code and a signature response code for the login and signature authentication needs respectively, dual authentication of the user's transaction is achieved, the difficulty for criminals of reverse-deriving the token's operating principle is increased, and the security of the user's account is ensured.
Embodiment two
In embodiment two, with reference to Fig. 2, the method may further include the following steps:
S105: after the token is powered on, receive the personal identification number (PIN) entered by the user and verify its correctness; if the number of incorrect PIN entries reaches a set value, lock the token and display a token-locked prompt and an unlock request code;
S106: receive the unlock code entered by the user and unlock the token. The unlock code is generated by the authentication server according to the formula PUK=Truncate_SM3(SM3(Puk_Seed | Puk_Request)), where Truncate_SM3 denotes the SM3 truncation algorithm, PUK denotes the unlock code, and Puk_Request denotes the unlock request code.
Specifically, this embodiment expands the computation keys to three: the login key, the signature key and the unlock key. Thus, in addition to the login key and signature key defined above, the unlock key is defined as follows:
char alg_3[32]; // unlock key Puk_Seed
Correspondingly, the unlock key purpose code is defined as follows:
int alg_type_3=3; // unlock; int is a 4-byte integer
On that basis, in this embodiment the preprocessing further includes generating the unlock key with the SM3 hash algorithm and the following formula (7):
Puk_Seed=SM3(Work_Seed | alg_type_3) (7)
In formula (7), Work_Seed denotes the working key, 32 bytes; alg_type_3 denotes the unlock purpose code, low-order first, taking part in the computation in the form 00000003.
To further ensure the security of the user's account, this embodiment adds a PIN (Personal Identification Number) verification step when the dynamic token is powered on: every time the user powers on the dynamic token, the corresponding PIN must be entered. If the PIN is entered correctly, verification passes and the token powers on successfully; otherwise power-on fails.
If the number of incorrect PIN entries reaches the set value, the dynamic token locks; in that case the dynamic token shows the user a locked prompt and displays the corresponding unlock request code.
The user then submits the unlock request code to the authentication server, and the authentication server produces the corresponding unlock code according to the following formula (8):
PUK=Truncate_SM3(SM3(Puk_Seed | Puk_Request)) (8)
In formula (8), PUK denotes the unlock code, 6 bytes in total; Truncate_SM3 denotes the SM3 truncation algorithm; Puk_Seed denotes the unlock key, 32 bytes in total; Puk_Request denotes the 6-digit unlock request code, a decimal random number generated by the token, taking part in the computation in ASCII form, high byte first.
When Puk_Request is substituted into formula (8), zeros must be appended so that its total length reaches 128 bits.
On that basis, the user enters the unlock code produced by the server into the dynamic token, and the token is unlocked. The unlock principle of the dynamic token is shown in Fig. 3.
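The activation code (formula 1), the SM3 truncation algorithm, the key derivation (formulas 2, 3, 4, 7), the login and signature response codes (formulas 5, 6) and the unlock code (formula 8) are gathered into one runnable example below. This is an added illustration, not the patent's code: the SM3 function is a pure-Python implementation of GB/T 32905-2016, and the byte layout of the 4-byte purpose codes (00 00 00 0N) and the zero-padding to 16 bytes are assumptions where the page's wording is ambiguous.

```python
# Added example (not the patent's code): the CN104333555B token arithmetic in pure Python.
# Assumptions (not stated on the page): purpose codes are the 4 bytes 00 00 00 0N, and
# "padding to 128 bits" means appending zero bytes up to 16 bytes when the field is shorter.
import struct

MASK = 0xFFFFFFFF
IV = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
      0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]


def _rotl(x: int, n: int) -> int:
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK


def _compress(v, block: bytes):
    """One SM3 compression (GB/T 32905-2016) over a 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):                      # message expansion W[16..67]
        x = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
        w.append(x ^ _rotl(x, 15) ^ _rotl(x, 23) ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        if j < 16:
            t, ff, gg = 0x79CC4519, a ^ b ^ c, e ^ f ^ g
        else:
            t = 0x7A879D8A
            ff = (a & b) | (a & c) | (b & c)
            gg = (e & f) | ((~e & MASK) & g)
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & MASK, 7)
        ss2 = ss1 ^ _rotl(a, 12)
        tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & MASK   # W'[j] = W[j] ^ W[j+4]
        tt2 = (gg + h + ss1 + w[j]) & MASK
        a, b, c, d = tt1, a, _rotl(b, 9), c
        e, f, g, h = tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17), e, _rotl(f, 19), g
    return [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]


def sm3(msg: bytes) -> bytes:
    """SM3 digest (32 bytes); padding is 0x80, zeros, then the 64-bit big-endian bit length."""
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", len(msg) * 8)
    v = IV
    for i in range(0, len(padded), 64):
        v = _compress(v, padded[i:i + 64])
    return struct.pack(">8I", *v)


def truncate_sm3(digest: bytes) -> str:
    """Truncate_SM3 as defined on the page: S1..S8 big-endian words, OD = sum mod 2^32, Otp = OD mod 10^6."""
    od = sum(struct.unpack(">8I", digest)) & MASK
    return "%06d" % (od % 1000000)


def _pad128(field: bytes) -> bytes:
    """Append zero bytes until the field is at least 128 bits long; longer fields pass unchanged."""
    return field.ljust(16, b"\x00")


def activation_code(seed: bytes, challenge_rand: str) -> str:
    """Formula (1), server side: ActiveCode = ChallengeRand | Truncate_SM3(SM3(Seed | ChallengeRand))."""
    return challenge_rand + truncate_sm3(sm3(seed + _pad128(challenge_rand.encode())))


def verify_activation(seed: bytes, active_code: str) -> bool:
    """Token side: recompute the last 6 digits from the first 6 and compare."""
    return len(active_code) == 12 and active_code == activation_code(seed, active_code[:6])


def derive_keys(seed: bytes, active_code: str) -> dict:
    """Formulas (2), (3), (4), (7): Work_Seed, then one key per purpose code."""
    work_seed = sm3(seed + active_code.encode())          # ActiveCode takes part in ASCII form
    purposes = {"Otp_Seed": 1, "Sign_Seed": 2, "Puk_Seed": 3}
    return {name: sm3(work_seed + bytes([0, 0, 0, code])) for name, code in purposes.items()}


def response_code(key: bytes, utc_minutes: int, challenge: str) -> str:
    """Formulas (5)/(6): Truncate_SM3(SM3(key | UTC | Challenge)); UTC is an 8-byte big-endian minute count."""
    return truncate_sm3(sm3(key + _pad128(struct.pack(">Q", utc_minutes) + challenge.encode())))


def unlock_code(puk_seed: bytes, puk_request: str) -> str:
    """Formula (8): PUK = Truncate_SM3(SM3(Puk_Seed | Puk_Request)), request zero-padded to 128 bits."""
    return truncate_sm3(sm3(puk_seed + _pad128(puk_request.encode())))


if __name__ == "__main__":
    seed = bytes(range(32))                                # constructed 32-byte seed, not a real one
    code = activation_code(seed, "123456")                 # produced by the server
    assert verify_activation(seed, code)                   # checked by the token
    keys = derive_keys(seed, code)
    print("login OTP:", response_code(keys["Otp_Seed"], 28000000, "123456"))
    print("sign OTP :", response_code(keys["Sign_Seed"], 28000000, "987654"))
    print("PUK      :", unlock_code(keys["Puk_Seed"], "112233"))
```

The server verifies a response by recomputing it with the same key, the challenge it issued and its own minute count (allowing for clock drift), so a code is bound to one purpose key, one challenge and one time window.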
Embodiment three
The present embodiment three discloses a dynamic token working system, which corresponds to the dynamic token working methods disclosed in embodiment one and embodiment two.
First, corresponding to embodiment one and with reference to Fig. 4, the system comprises a first receiving module 100, a first processing module 200, a second receiving module 300 and a second processing module 400.
The first receiving module 100 is configured to receive a login response code generation request from the user, the login response code generation request including a login challenge code.
The first processing module 200 is configured to process the login challenge code, the login key previously generated in the dynamic token and the current real time, obtaining the login response code; the login key is the key generated when the dynamic token was activated, from its built-in seed key, the login purpose code and the activation code provided by the authentication server.
The first processing module 200 includes a login response code generation unit.
The login response code generation unit is configured to use the national SM3 hash algorithm and the SM3 cut-position algorithm, generating the login response code OTP by the formula OTP = Truncate_SM3(SM3(Otp_Seed | UTC | ChallengeCode));
where Truncate_SM3 denotes the SM3 cut-position algorithm, ChallengeCode denotes the login challenge code, and UTC denotes the current Coordinated Universal Time.
The second receiving module 300 is configured to receive a signature response code generation request from the user, the signature response code generation request including a signature challenge code.
The second processing module 400 is configured to process the signature challenge code, the signature key previously generated in the dynamic token and the current real time, obtaining the signature response code; the signature key is the key generated when the dynamic token was activated, from its built-in seed key, the signature purpose code and the activation code provided by the authentication server.
The second processing module 400 includes a signature response code generation unit.
The signature response code generation unit is configured to use the national SM3 hash algorithm and the SM3 cut-position algorithm, generating the signature response code Sign_OTP by the formula Sign_OTP = Truncate_SM3(SM3(Sign_Seed | UTC | SignCode));
where Truncate_SM3 denotes the SM3 cut-position algorithm, SignCode denotes the signature challenge code, and UTC denotes the current Coordinated Universal Time.
The work of each module in the system of the present invention is built on the generated calculation keys such as the login key and the signature key; therefore, with reference to Fig. 5, the system also includes a preprocessing module 500, which comprises a verification unit, a work key generation unit, a login key generation unit and a signature key generation unit.
The verification unit is configured to verify the activation code provided by the authentication server and, when verification passes, to trigger the following work key generation unit;
The work key generation unit is configured to use the national SM3 hash algorithm to generate the work key Work_Seed by the formula Work_Seed = SM3(Seed | ActiveCode), where SM3 denotes the national SM3 hash algorithm, Seed denotes the work key, and ActiveCode denotes the activation code;
The login key generation unit is configured to use the national SM3 hash algorithm to generate the login key Otp_Seed by the formula Otp_Seed = SM3(Work_Seed | alg_type_1), where alg_type_1 denotes the login purpose code;
The signature key generation unit is configured to use the national SM3 hash algorithm to generate the signature key sign_Seed by the formula sign_Seed = SM3(Work_Seed | alg_type_2), where alg_type_2 denotes the signature purpose code.
Corresponding to embodiment two and with reference to Fig. 6, the system further includes a security protection module 600, which comprises a locking unit and an unlocking unit.
The locking unit is configured to receive, after the token is powered on, the personal identification number (PIN code) entered by the user and to verify the correctness of the entered PIN code; if the number of incorrect entries reaches the set value, it locks the token and displays a token-locked prompt together with an unlocking request code;
The unlocking unit is configured to receive the PUK entered by the user and to unlock the token; the PUK is generated by the authentication server according to the formula PUK = Truncate_SM3(SM3(Puk_Seed | Puk_Request)), where Truncate_SM3 denotes the SM3 cut-position algorithm, PUK denotes the unlocking code, and Puk_Request denotes the unlocking request code.
Because the dynamic token working system disclosed in embodiment three of the present invention corresponds to the dynamic token working methods disclosed in the embodiments above, its description is relatively brief; for related details, refer to the description of the dynamic token working method in the embodiments above, which is not repeated here.
In summary, the present invention uses the more secure domestic cryptographic algorithm on a challenge/response dynamic token and combines it with a self-developed cut-position algorithm, built on the domestic cryptographic algorithm, for processing in the response code generation procedure. This makes the working mechanism and flow of the dynamic token more secure, while meeting the compliance requirement of the State Cryptography Administration that dynamic token devices support domestic cryptographic algorithms. Moreover, the present invention sets up different calculation keys for the user's different authentication needs, so that the keys of the dynamic token are not easily cracked, which increases the difficulty for criminals of reverse-deriving the working principle of the dynamic token and thereby ensures the security of the user account.
For convenience of description, the system above is described as divided into modules or units by function. Of course, when implementing the present application, the functions of the units may be realised in one or more pieces of software and/or hardware.
From the description of the embodiments above, those skilled in the art can clearly understand that the present application may be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present application in essence, or the part that contributes to the prior art, may be embodied in the form of a software product; the computer software product may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present application or in certain parts of the embodiments.
Finally, it should be noted that relational terms such as first, second, third and fourth herein are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between such entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to be non-exclusive, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Absent further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
It should be noted that the embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and for identical or similar parts the embodiments may be referred to one another.
The above are only preferred embodiments of the present invention. It should be pointed out that persons of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (12)

  1. A dynamic token working method, characterised in that it comprises:
    receiving a login response code generation request from a user, the login response code generation request including a login challenge code;
    processing the login challenge code, a login key previously generated in the dynamic token and the current real time to obtain a login response code, the login key being the key generated when the dynamic token was activated, from its built-in seed key, a login purpose code and an activation code provided by an authentication server;
    receiving a signature response code generation request from the user, the signature response code generation request including a signature challenge code;
    processing the signature challenge code, a signature key previously generated in the dynamic token and the current real time to obtain a signature response code, the signature key being the key generated when the dynamic token was activated, from its built-in seed key, a signature purpose code and the activation code provided by the authentication server.
  2. The method according to claim 1, characterised in that, before receiving the login response code generation request from the user, it further comprises the following preprocessing process:
    verifying the activation code provided by the authentication server and, if verification passes, performing the following operations:
    using the national SM3 hash algorithm to generate a work key Work_Seed by the formula Work_Seed = SM3(Seed | ActiveCode), where SM3 denotes the national SM3 hash algorithm, Seed denotes the work key, and ActiveCode denotes the activation code;
    using the national SM3 hash algorithm to generate a login key Otp_Seed by the formula Otp_Seed = SM3(Work_Seed | alg_type_1), where alg_type_1 denotes the login purpose code;
    using the national SM3 hash algorithm to generate a signature key sign_Seed by the formula sign_Seed = SM3(Work_Seed | alg_type_2), where alg_type_2 denotes the signature purpose code.
  3. The method according to claim 2, characterised in that processing the login challenge code, the login key previously generated in the dynamic token and the current real time to obtain the login response code comprises:
    using the national SM3 hash algorithm and the SM3 cut-position algorithm to generate the login response code OTP by the formula OTP = Truncate_SM3(SM3(Otp_Seed | UTC | ChallengeCode));
    where Truncate_SM3 denotes the SM3 cut-position algorithm, ChallengeCode denotes the login challenge code, and UTC denotes the current Coordinated Universal Time.
  4. The method according to claim 2, characterised in that processing the signature challenge code, the signature key previously generated in the dynamic token and the current real time to obtain the signature response code comprises:
    using the national SM3 hash algorithm and the SM3 cut-position algorithm to generate the signature response code Sign_OTP by the formula Sign_OTP = Truncate_SM3(SM3(Sign_Seed | UTC | SignCode));
    where Truncate_SM3 denotes the SM3 cut-position algorithm, SignCode denotes the signature challenge code, and UTC denotes the current Coordinated Universal Time.
  5. The method according to claim 2, characterised in that, when the activation code passes verification, the preprocessing process further comprises:
    using the national SM3 hash algorithm to generate an unlocking key Puk_Seed by the formula Puk_Seed = SM3(Work_Seed | alg_type_3), where alg_type_3 denotes the unlocking purpose code.
  6. The method according to claim 5, characterised in that it further comprises:
    after the token is powered on, receiving the personal identification number (PIN code) entered by the user and verifying the correctness of the entered PIN code; if the number of incorrect PIN code entries reaches a set value, locking the token and displaying a token-locked prompt together with an unlocking request code;
    receiving the PUK entered by the user and unlocking the token, the PUK being generated by the authentication server according to the formula PUK = Truncate_SM3(SM3(Puk_Seed | Puk_Request)), where Truncate_SM3 denotes the SM3 cut-position algorithm, PUK denotes the unlocking code, and Puk_Request denotes the unlocking request code.
  7. A dynamic token working system, characterised in that it comprises:
    a first receiving module, configured to receive a login response code generation request from a user, the login response code generation request including a login challenge code;
    a first processing module, configured to process the login challenge code, a login key previously generated in the dynamic token and the current real time to obtain a login response code, the login key being the key generated when the dynamic token was activated, from its built-in seed key, a login purpose code and an activation code provided by an authentication server;
    a second receiving module, configured to receive a signature response code generation request from the user, the signature response code generation request including a signature challenge code;
    a second processing module, configured to process the signature challenge code, a signature key previously generated in the dynamic token and the current real time to obtain a signature response code, the signature key being the key generated when the dynamic token was activated, from its built-in seed key, a signature purpose code and the activation code provided by the authentication server.
  8. The system according to claim 7, characterised in that it further comprises a preprocessing module, the preprocessing module comprising:
    a verification unit, configured to verify the activation code provided by the authentication server and, when verification passes, to trigger the following work key generation unit;
    a work key generation unit, configured to use the national SM3 hash algorithm to generate a work key Work_Seed by the formula Work_Seed = SM3(Seed | ActiveCode), where SM3 denotes the national SM3 hash algorithm, Seed denotes the work key, and ActiveCode denotes the activation code;
    a login key generation unit, configured to use the national SM3 hash algorithm to generate a login key Otp_Seed by the formula Otp_Seed = SM3(Work_Seed | alg_type_1), where alg_type_1 denotes the login purpose code;
    a signature key generation unit, configured to use the national SM3 hash algorithm to generate a signature key sign_Seed by the formula sign_Seed = SM3(Work_Seed | alg_type_2), where alg_type_2 denotes the signature purpose code.
  9. The system according to claim 8, characterised in that the first processing module comprises:
    a login response code generation unit, configured to use the national SM3 hash algorithm and the SM3 cut-position algorithm to generate the login response code OTP by the formula OTP = Truncate_SM3(SM3(Otp_Seed | UTC | ChallengeCode));
    where Truncate_SM3 denotes the SM3 cut-position algorithm, ChallengeCode denotes the login challenge code, and UTC denotes the current Coordinated Universal Time.
  10. The system according to claim 8, characterised in that the second processing module comprises:
    a signature response code generation unit, configured to use the national SM3 hash algorithm and the SM3 cut-position algorithm to generate the signature response code Sign_OTP by the formula Sign_OTP = Truncate_SM3(SM3(Sign_Seed | UTC | SignCode));
    where Truncate_SM3 denotes the SM3 cut-position algorithm, SignCode denotes the signature challenge code, and UTC denotes the current Coordinated Universal Time.
  11. The system according to claim 8, characterised in that the preprocessing module further comprises:
    an unlocking key generation unit, configured to use the national SM3 hash algorithm to generate an unlocking key Puk_Seed by the formula Puk_Seed = SM3(Work_Seed | alg_type_3), where alg_type_3 denotes the unlocking purpose code.
  12. The system according to claim 11, characterised in that it further comprises a security protection module, the security protection module comprising:
    a locking unit, configured to receive, after the token is powered on, the personal identification number (PIN code) entered by the user and to verify the correctness of the entered PIN code; if the number of incorrect PIN code entries reaches a set value, it locks the token and displays a token-locked prompt together with an unlocking request code;
    an unlocking unit, configured to receive the PUK entered by the user and to unlock the token, the PUK being generated by the authentication server according to the formula PUK = Truncate_SM3(SM3(Puk_Seed | Puk_Request)), where Truncate_SM3 denotes the SM3 cut-position algorithm, PUK denotes the unlocking code, and Puk_Request denotes the unlocking request code.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410647744.2A CN104333555B (en) 2014-11-14 A kind of dynamic token method of work and system

Publications (2)

Publication Number Publication Date
CN104333555A CN104333555A (en) 2015-02-04
CN104333555B true CN104333555B (en) 2018-02-09
