CN104333555B - A kind of dynamic token method of work and system - Google Patents
- Publication number: CN104333555B (application CN201410647744.2A)
- Authority: CN (China)
- Prior art keywords: code, key, seed, signature, generation
- Legal status: Active
Abstract
The dynamic token working method and system disclosed by the invention divide the user's authentication needs into two categories in advance: a login authentication need, and a signature authentication need that arises when signing during a transaction (after login). After the dynamic token has been activated successfully, it generates in advance a login key and a signature key, one for each category. Later, when the user has a business transaction that requires login or signature authentication, the dynamic token uses the login key or the signature key, together with the challenge code the user enters at that time, to generate the corresponding login response code or signature response code for the user. The invention thus provides a separate computation key for each of the user's authentication needs, so that the token's keys are harder to crack and the token's working mechanism and flow are more secure; it achieves double authentication during the user's transaction, increases the difficulty for criminals of reverse-deriving the token's working principle, and safeguards the security of the user's account.
Description
Technical field
The invention belongs to the technical field of security authentication in banking systems, and in particular relates to a dynamic token working method and system.
Background technology
A dynamic token is a terminal that generates dynamic passwords. A dynamic password is a safe and convenient account anti-theft technique that effectively protects the authentication of logins during transactions.
From a technical standpoint, dynamic tokens can be divided into three types: time-synchronous, event-synchronous and challenge/response.
At present, the working method of challenge/response dynamic tokens is based on the OATH algorithm standard: the challenge code entered by the user is combined with the seed key built into the token to calculate the corresponding response code, which is used for login authentication during a transaction. The working mechanism and flow of existing challenge/response dynamic tokens are therefore relatively simple, which makes it relatively easy for criminals to reverse-derive the token's working principle, and the security of the user's account is correspondingly low.
The content of the invention
In view of this, the object of the invention is to provide a dynamic token working method and system, to solve the problem that the working mechanism and flow of existing challenge/response dynamic tokens are relatively simple, to increase the difficulty for criminals of reverse-deriving the token's working principle, and thereby to ensure the security of the user's account.
Therefore, the invention discloses the following technical scheme:
A dynamic token working method, including:
receiving a login response code generation request from the user, the login response code generation request including a login challenge code;
processing the login challenge code, a login key previously generated in the dynamic token and the current real-time time to obtain a login response code, where the login key is generated when the dynamic token is activated, from the seed key built into the token, the login purpose code and the activation code provided by the authentication server;
receiving a signature response code generation request from the user, the signature response code generation request including a signature challenge code;
processing the signature challenge code, a signature key previously generated in the dynamic token and the current real-time time to obtain a signature response code, where the signature key is generated when the dynamic token is activated, from the seed key built into the token, the signature purpose code and the activation code provided by the authentication server.
In the above method, preferably, before receiving the user's login response code generation request, the following preprocessing is also performed:
verifying the activation code provided by the authentication server, and if verification succeeds, performing the following operations:
generating the working key Work_Seed using the national SM3 hash algorithm according to the formula Work_Seed = SM3(Seed | ActiveCode), where SM3 denotes the national SM3 hash algorithm, Seed denotes the seed key and ActiveCode denotes the activation code;
generating the login key Otp_Seed using the SM3 hash algorithm according to the formula Otp_Seed = SM3(Work_Seed | alg_type_1), where alg_type_1 denotes the login purpose code;
generating the signature key sign_Seed using the SM3 hash algorithm according to the formula sign_Seed = SM3(Work_Seed | alg_type_2), where alg_type_2 denotes the signature purpose code.
In the above method, preferably, processing the login challenge code, the login key previously generated in the dynamic token and the current real-time time to obtain the login response code includes:
generating the login response code OTP using the SM3 hash algorithm and the SM3 truncation algorithm according to the formula OTP = Truncate_SM3(SM3(Otp_Seed | UTC | ChallengeCode)), where Truncate_SM3 denotes the SM3 truncation algorithm, ChallengeCode denotes the login challenge code and UTC denotes the current Coordinated Universal Time.
In the above method, preferably, processing the signature challenge code, the signature key previously generated in the dynamic token and the current real-time time to obtain the signature response code includes:
generating the signature response code Sign_OTP using the SM3 hash algorithm and the SM3 truncation algorithm according to the formula Sign_OTP = Truncate_SM3(SM3(Sign_Seed | UTC | SignCode)), where Truncate_SM3 denotes the SM3 truncation algorithm, SignCode denotes the signature challenge code and UTC denotes the current Coordinated Universal Time.
In the above method, preferably, when the activation code passes verification, the preprocessing also includes:
generating the unlock key Puk_Seed using the SM3 hash algorithm according to the formula Puk_Seed = SM3(Work_Seed | alg_type_3), where alg_type_3 denotes the unlock purpose code.
In the above method, preferably, the method also includes:
after the token is powered on, receiving the personal identification number (PIN code) entered by the user and verifying its correctness; if the number of incorrect PIN entries reaches a set value, locking the token and displaying a token-locked prompt together with an unlock request code;
receiving the unlock code (PUK) entered by the user and unlocking, where the PUK is generated by the authentication server according to the formula PUK = Truncate_SM3(SM3(Puk_Seed | Puk_Request)), in which Truncate_SM3 denotes the SM3 truncation algorithm, PUK denotes the unlock code and Puk_Request denotes the unlock request code.
A dynamic token working system, including:
a first receiving module, for receiving a login response code generation request from the user, the login response code generation request including a login challenge code;
a first processing module, for processing the login challenge code, a login key previously generated in the dynamic token and the current real-time time to obtain a login response code, where the login key is generated when the dynamic token is activated, from the seed key built into the token, the login purpose code and the activation code provided by the authentication server;
a second receiving module, for receiving a signature response code generation request from the user, the signature response code generation request including a signature challenge code;
a second processing module, for processing the signature challenge code, a signature key previously generated in the dynamic token and the current real-time time to obtain a signature response code, where the signature key is generated when the dynamic token is activated, from the seed key built into the token, the signature purpose code and the activation code provided by the authentication server.
In the above system, preferably, a preprocessing module is also included, and the preprocessing module includes:
a verification unit, for verifying the activation code provided by the authentication server and, if verification succeeds, triggering the working key generation unit below;
a working key generation unit, for generating the working key Work_Seed using the national SM3 hash algorithm according to the formula Work_Seed = SM3(Seed | ActiveCode), where SM3 denotes the national SM3 hash algorithm, Seed denotes the seed key and ActiveCode denotes the activation code;
a login key generation unit, for generating the login key Otp_Seed using the SM3 hash algorithm according to the formula Otp_Seed = SM3(Work_Seed | alg_type_1), where alg_type_1 denotes the login purpose code;
a signature key generation unit, for generating the signature key sign_Seed using the SM3 hash algorithm according to the formula sign_Seed = SM3(Work_Seed | alg_type_2), where alg_type_2 denotes the signature purpose code.
In the above system, preferably, the first processing module includes:
a login response code generation unit, for generating the login response code OTP using the SM3 hash algorithm and the SM3 truncation algorithm according to the formula OTP = Truncate_SM3(SM3(Otp_Seed | UTC | ChallengeCode)), where Truncate_SM3 denotes the SM3 truncation algorithm, ChallengeCode denotes the login challenge code and UTC denotes the current Coordinated Universal Time.
In the above system, preferably, the second processing module includes:
a signature response code generation unit, for generating the signature response code Sign_OTP using the SM3 hash algorithm and the SM3 truncation algorithm according to the formula Sign_OTP = Truncate_SM3(SM3(Sign_Seed | UTC | SignCode)), where Truncate_SM3 denotes the SM3 truncation algorithm, SignCode denotes the signature challenge code and UTC denotes the current Coordinated Universal Time.
In the above system, preferably, the preprocessing module also includes:
an unlock key generation unit, for generating the unlock key Puk_Seed using the SM3 hash algorithm according to the formula Puk_Seed = SM3(Work_Seed | alg_type_3), where alg_type_3 denotes the unlock purpose code.
In the above system, preferably, a security protection module is also included, and the security protection module includes:
a locking unit, for receiving, after the token is powered on, the personal identification number (PIN code) entered by the user and verifying its correctness, and, if the number of incorrect PIN entries reaches a set value, locking the token and displaying a token-locked prompt together with an unlock request code;
an unlocking unit, for receiving the PUK entered by the user and unlocking, where the PUK is generated by the authentication server according to the formula PUK = Truncate_SM3(SM3(Puk_Seed | Puk_Request)), in which Truncate_SM3 denotes the SM3 truncation algorithm, PUK denotes the unlock code and Puk_Request denotes the unlock request code.
It can be seen from the above scheme that the invention divides the user's authentication needs into two categories in advance, the login authentication need and the signature authentication need that arises when signing during a transaction (after login), and that after the dynamic token has been activated successfully it generates in advance a login key and a signature key, one for each category. Later, when the user has a business transaction that requires login or signature authentication, the dynamic token uses the login key or the signature key, together with the challenge code the user enters at that time, to generate the corresponding login response code or signature response code for the user. The invention thus provides a separate computation key for each of the user's authentication needs, so that the token's keys are harder to crack and the token's working mechanism and flow are more secure; by providing the corresponding login and signature response codes for the login and signature authentication needs respectively, it achieves double authentication during the user's transaction, increases the difficulty for criminals of reverse-deriving the token's working principle, and safeguards the security of the user's account.
Brief description of the drawings
In order to explain the embodiments of the invention or the technical schemes of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the dynamic token working method disclosed in embodiment one of the invention;
Fig. 2 is a flow chart of dynamic token locking and unlocking disclosed in embodiment two of the invention;
Fig. 3 is a schematic diagram of dynamic token unlocking disclosed in embodiment two of the invention;
Fig. 4 is a structural diagram of a dynamic token working system disclosed in embodiment three of the invention;
Fig. 5 is another structural diagram of the dynamic token working system disclosed in embodiment three of the invention;
Fig. 6 is another structural diagram of the dynamic token working system disclosed in embodiment three of the invention.
Embodiment
The technical schemes in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments of the invention. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
Embodiment one
Embodiment one discloses a dynamic token working method; referring to Fig. 1, the method may include the following steps:
S101: receiving a login response code generation request from the user, the login response code generation request including a login challenge code.
When the user uses the dynamic token for the first time, the dynamic token must be activated; that is, every step of the invention is built on the preprocessing of activating the dynamic token.
When the dynamic token is activated, the authentication server produces an activation code, and the user enters the server-generated activation code into the dynamic token by hand. The activation code is generated as follows:
ActiveCode = ChallengeRand | Truncate_SM3(SM3(Seed | ChallengeRand))   (1)
In formula (1), ActiveCode denotes the 12-digit activation code; ChallengeRand denotes a 6-digit decimal random number, which is padded with zeros at the end to a length of 128 bits when it is substituted into the formula; SM3 denotes the national SM3 hash algorithm; Truncate_SM3 denotes the SM3 truncation algorithm, which outputs a 6-digit decimal number; Seed is the 32-byte seed in plaintext.
The invention proposes an SM3 truncation algorithm built on the national SM3 hash algorithm. By definition, the SM3 truncation algorithm converts an SM3 hash result or HMAC result into a 6-digit dynamic password. Specifically, the invention defines it as follows:
Let S be the 32-byte hash result, and define S1, S2, S3, S4, S5, S6, S7, S8 as eight 4-byte integers assigned by the following method:
S1 = S[0]<<24 | S[1]<<16 | S[2]<<8 | S[3]
S2 = S[4]<<24 | S[5]<<16 | S[6]<<8 | S[7]
S3 = S[8]<<24 | S[9]<<16 | S[10]<<8 | S[11]
S4 = S[12]<<24 | S[13]<<16 | S[14]<<8 | S[15]
S5 = S[16]<<24 | S[17]<<16 | S[18]<<8 | S[19]
S6 = S[20]<<24 | S[21]<<16 | S[22]<<8 | S[23]
S7 = S[24]<<24 | S[25]<<16 | S[26]<<8 | S[27]
S8 = S[28]<<24 | S[29]<<16 | S[30]<<8 | S[31]
OD = (S1 + S2 + S3 + S4 + S5 + S6 + S7 + S8) MOD 2^32
The password (i.e. the output of the SM3 truncation algorithm) is then obtained as Otp = OD mod 1000000.
After the dynamic token receives the activation code entered by the user, it verifies the activation code. The verification principle is: an OTP (One-time Password, i.e. dynamic password) is calculated from the ChallengeRand contained in the activation code (its first 6 digits), and this OTP is compared with the last 6 digits of the activation code; if the two are identical, verification succeeds and activation succeeds, otherwise activation fails.
In the invention, after the dynamic token has verified the activation code and activation has succeeded, it continues with key conversion: specifically, using the national SM3 hash algorithm, it processes the original seed Seed (built into the dynamic token) together with the activation code to obtain the working key, and stores the working key thus produced.
The working key is generated with the following formula:
Work_Seed = SM3(Seed | ActiveCode)   (2)
In formula (2), Seed denotes the seed key, 32 bytes; ActiveCode denotes the activation code, which takes part in the computation in ASCII form: for example, 123456889012 takes part in the computation as 0x31, 0x32, ..., 0x32.
The invention divides the user's authentication needs into two classes: the login authentication need (authentication when logging in during a transaction) and the signature authentication need (authentication when signing during a transaction). Correspondingly, the invention sets a computation key for each of the two needs: the login key and the signature key.
In this embodiment, the login key and the signature key are defined as follows:
char alg_1[32];    // login key Otp_Seed
char alg_2[32];    // signature key Sign_Seed
The purpose codes corresponding to the two computation keys are defined as:
int alg_type_1 = 1;    // login dynamic password; int is a 4-byte integer
int alg_type_2 = 2;    // signature dynamic password; int is a 4-byte integer
After activation has succeeded and the working key has been generated, the dynamic token continues to use the SM3 hash algorithm to process the generated working key and the computation-key purpose codes defined above, obtaining the login key and the signature key respectively. Specifically, a message is formed from the working key (32 bytes) + the purpose code (4 bytes), the SM3 hash algorithm is applied to this message to generate a hash value, and the generated hash value is used as the computation key of the dynamic password, which supports the subsequent generation of the user's authentication response codes.
Because producing a computation key requires the working key, the dynamic token must perform the computation-key generation only after the working key has been synchronised.
The login key is generated with the following formula (3):
Otp_Seed = SM3(Work_Seed | alg_type_1)   (3)
In formula (3), Work_Seed denotes the working key, 32 bytes in total; alg_type_1 denotes the login purpose code, 4 bytes in total, low-order byte first, taking part in the computation in the form 00000001.
Correspondingly, the signature key is generated with the following formula (4):
Sign_Seed = SM3(Work_Seed | alg_type_2)   (4)
In formula (4), Work_Seed denotes the working key, 32 bytes in total; alg_type_2 denotes the signature purpose code, 4 bytes in total, low-order byte first, taking part in the computation in the form 00000002.
The above part is the work carried out by the dynamic token after it has been activated and has passed verification, and can be regarded as the preprocessing of the method of the invention.
On this basis, when the user needs to carry out a transaction, the user must first be authenticated for login in order to ensure the security of the user's account. The authentication server generates a login challenge code for the user and displays it to the user on the application system's web page; the user then enters the login challenge code shown on the web page into the dynamic token and presses the login response code generation button (the button may also be pressed first and the challenge code entered afterwards), which sends the corresponding login response code generation request to the dynamic token. Once the dynamic token has received the user-triggered login response code generation request, it generates the corresponding login response code for the user according to the processing logic of the invention.
S102: processing the login challenge code, the login key previously generated in the dynamic token and the current real-time time to obtain a login response code, where the login key is generated when the dynamic token is activated, from the seed key built into the token, the login purpose code and the activation code provided by the authentication server.
Specifically, after receiving the user-triggered login response code generation request, the dynamic token uses the national SM3 hash algorithm and the SM3 truncation algorithm to generate the login response code with the following formula (5):
OTP = Truncate_SM3(SM3(Otp_Seed | UTC | ChallengeCode))   (5)
In formula (5), OTP (6 bytes) denotes the login password, i.e. the login response code, in decimal; Truncate_SM3 denotes the SM3 truncation algorithm; Otp_Seed denotes the login key, 32 bytes; UTC (Universal Time Coordinated) denotes the current UTC time, 8 bytes, counted in minutes, high-order byte first and low-order byte last; ChallengeCode is the login challenge code of 4 to 20 digits generated by the server, high byte first, which takes part in the computation as its ASCII codes: for example, 123456 converts to the ASCII codes 0x31, 0x32, 0x33, 0x34, 0x35, 0x36.
When UTC | ChallengeCode is substituted into formula (5), if its total length is less than 128 bits it is padded with zeros at the end so that the total length of UTC | ChallengeCode reaches 128 bits; if the total length exceeds 128 bits, it is substituted into formula (5) directly for computation.
Afterwards, the user reads the login response code produced by the dynamic token and enters it on the application system's web page to complete login authentication.
S103: receiving a signature response code generation request from the user, the signature response code generation request including a signature challenge code.
If, after login authentication has succeeded, the user needs to sign during the transaction, the invention further ensures the security of the user's account by performing signature authentication on the user. The authentication server now generates a signature challenge code for the user; the user reads the server-generated signature challenge code from the application system's web page, enters it into the dynamic token and presses the signature response code generation button on the dynamic token, which sends a signature response code generation request to the dynamic token.
S104: processing the signature challenge code, the signature key previously generated in the dynamic token and the current real-time time to obtain a signature response code, where the signature key is generated when the dynamic token is activated, from the seed key built into the token, the signature purpose code and the activation code provided by the authentication server.
After the dynamic token receives the above request, it uses the national SM3 hash algorithm and the SM3 truncation algorithm to generate the signature response code with the following formula (6):
Sign_OTP = Truncate_SM3(SM3(Sign_Seed | UTC | SignCode))   (6)
In formula (6), Sign_OTP (6 bytes) denotes the signature password, i.e. the signature response code, in decimal; Truncate_SM3 denotes the SM3 truncation algorithm; Sign_Seed denotes the signature key, 32 bytes; UTC denotes the current UTC time, 8 bytes, counted in minutes, high-order byte first and low-order byte last; SignCode denotes the signature challenge code of 4 to 20 digits generated by the server, high byte first, which takes part in the computation as its ASCII codes.
When UTC | SignCode is substituted into formula (6), if its total length is less than 128 bits it is padded with zeros at the end so that the total length of UTC | SignCode reaches 128 bits; if its total length exceeds 128 bits, it is substituted into formula (6) directly for computation.
Afterwards, the user reads the signature response code produced by the dynamic token and enters it on the application system's web page to complete signature authentication.
It can be seen from the above scheme that the invention divides the user's authentication needs into two categories in advance: the login authentication need, and the authentication need that arises when signing during a transaction (after login); and that after the dynamic token has been activated successfully it generates in advance a login key and a signature key, one for each category. Later, when the user has a business transaction that requires login or signature authentication, the dynamic token uses the login key or the signature key, together with the challenge code the user enters at that time, to generate the corresponding login response code or signature response code for the user. The invention thus provides a separate computation key for each of the user's authentication needs, so that the token's keys are harder to crack and the token's working mechanism and flow are more secure; by providing the corresponding login and signature response codes for the login and signature authentication needs respectively, it achieves double authentication during the user's transaction, increases the difficulty for criminals of reverse-deriving the token's working principle, and safeguards the security of the user's account.
Embodiment two
In embodiment two, referring to Fig. 2, the method may also include the following steps:
S105: after the token is powered on, receiving the personal identification number (PIN code) entered by the user and verifying its correctness; if the number of incorrect PIN entries reaches a set value, locking the token and displaying a token-locked prompt together with an unlock request code;
S106: receiving the unlock code (PUK) entered by the user and unlocking. The PUK is generated by the authentication server according to the formula PUK = Truncate_SM3(SM3(Puk_Seed | Puk_Request)), where Truncate_SM3 denotes the SM3 truncation algorithm, PUK denotes the unlock code and Puk_Request denotes the unlock request code.
Specifically, this embodiment expands the computation keys to three: the login key, the signature key and the unlock key. Accordingly, in addition to the login key and signature key defined above, the unlock key is defined as follows:
char alg_3[32];    // unlock key Puk_Seed
Correspondingly, the unlock key purpose code is defined as:
int alg_type_3 = 3;    // unlock; int is a 4-byte integer
On this basis, in this embodiment the preprocessing also includes generating the unlock key using the national SM3 hash algorithm with the following formula (7):
Puk_Seed = SM3(Work_Seed | alg_type_3)   (7)
In formula (7), Work_Seed denotes the working key, 32 bytes; alg_type_3 denotes the unlock purpose code, low-order byte first, taking part in the computation in the form 00000003.
In order to further ensure the security of the user's account, this embodiment adds a PIN (Personal Identification Number) code verification step when the dynamic token is powered on: every time the user powers on the dynamic token, the corresponding PIN code must be entered. If the PIN code is entered correctly, verification passes and the dynamic token powers on successfully; otherwise power-on fails.
If the number of incorrect PIN entries reaches the set value, the dynamic token locks; in that case the dynamic token shows the user a locked prompt and displays the corresponding unlock request code.
The user then submits the unlock request code to the authentication server, and the authentication server produces the corresponding unlock code (PUK) according to the following formula (8):
PUK = Truncate_SM3(SM3(Puk_Seed | Puk_Request))   (8)
In formula (8), PUK denotes the unlock code, 6 bytes in total; Truncate_SM3 denotes the SM3 truncation algorithm; Puk_Seed denotes the unlock key, 32 bytes in total; Puk_Request denotes the 6-digit unlock request code, a decimal random number generated by the token, which takes part in the computation in ASCII form, high byte first.
When Puk_Request is substituted into formula (8) for computation, it must be padded with zeros at the end so that its total length reaches 128 bits.
On this basis, the user enters the server-generated PUK into the dynamic token to unlock it. The unlocking principle of the dynamic token is shown in Fig. 3.
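The following is an added worked example, not code from the patent or its assignee. It implements the SM3 hash and the patent's Truncate_SM3 sum-then-mod truncation, and chains them through the activation code of formula (1), the working key of formula (2), the purpose keys of formulas (3), (4) and (7) from embodiments one and two, the login/signature response codes of formulas (5) and (6), and the PUK of formula (8). Two byte-layout details the text leaves open are assumptions and are marked as such in the code: the 6-digit random numbers (ChallengeRand, Puk_Request) are hashed as their ASCII digits zero-padded with 0x00 bytes to 128 bits, and the 4-byte purpose code is laid out little-endian (the page's "low-order first"). The 32-byte seed, the minute counter and the challenge strings are constructed sample values.

```python
# Added example (not the patent's own code): the SM3-based token primitives of formulas (1)-(8).
# Byte-layout choices the page leaves open are marked ASSUMPTION; seed and inputs are constructed.
import struct

_IV = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]
_M = 0xFFFFFFFF

def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _M
def _p0(x): return x ^ _rotl(x, 9) ^ _rotl(x, 17)
def _p1(x): return x ^ _rotl(x, 15) ^ _rotl(x, 23)

def _compress(v, block):
    # Message expansion W[0..67], W'[0..63], then 64 rounds (GB/T 32905-2016).
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):
        w.append(_p1(w[j-16] ^ w[j-9] ^ _rotl(w[j-3], 15)) ^ _rotl(w[j-13], 7) ^ w[j-6])
    w1 = [w[j] ^ w[j+4] for j in range(64)]
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        t = 0x79CC4519 if j < 16 else 0x7A879D8A
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & _M, 7)
        ss2 = ss1 ^ _rotl(a, 12)
        if j < 16:
            ff, gg = a ^ b ^ c, e ^ f ^ g
        else:
            ff, gg = (a & b) | (a & c) | (b & c), (e & f) | (~e & _M & g)
        tt1 = (ff + d + ss2 + w1[j]) & _M
        tt2 = (gg + h + ss1 + w[j]) & _M
        d, c, b, a = c, _rotl(b, 9), a, tt1
        h, g, f, e = g, _rotl(f, 19), e, _p0(tt2)
    return [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]

def sm3(msg: bytes) -> bytes:
    """32-byte SM3 digest: pad with 0x80, zeros to 56 mod 64, then the 64-bit big-endian bit length."""
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", len(msg) * 8)
    v = _IV
    for i in range(0, len(msg), 64):
        v = _compress(v, msg[i:i + 64])
    return struct.pack(">8I", *v)

def truncate_sm3(digest: bytes) -> int:
    """Patent's Truncate_SM3: S1..S8 = big-endian 4-byte words; OD = sum mod 2^32; Otp = OD mod 10^6."""
    return (sum(struct.unpack(">8I", digest)) & _M) % 1_000_000

def _pad128(data: bytes) -> bytes:
    # ASSUMPTION: "pad with 0 to 128 bits" = append 0x00 bytes up to 16 bytes; longer input is left as is.
    return data.ljust(16, b"\x00")

def activation_code(seed: bytes, challenge_rand: str) -> str:
    """Formula (1), server side: ActiveCode = ChallengeRand | Truncate_SM3(SM3(Seed | ChallengeRand)).
    ASSUMPTION: the 6-digit ChallengeRand enters the hash as ASCII, zero-padded to 128 bits."""
    return challenge_rand + f"{truncate_sm3(sm3(seed + _pad128(challenge_rand.encode('ascii')))):06d}"

def verify_activation(seed: bytes, active_code: str) -> bool:
    """Token side: recompute the last 6 digits from the first 6 and compare."""
    return len(active_code) == 12 and activation_code(seed, active_code[:6]) == active_code

def work_seed(seed: bytes, active_code: str) -> bytes:
    """Formula (2): Work_Seed = SM3(Seed | ActiveCode), ActiveCode as its 12 ASCII digits."""
    return sm3(seed + active_code.encode("ascii"))

ALG_TYPE_LOGIN, ALG_TYPE_SIGN, ALG_TYPE_UNLOCK = 1, 2, 3
def purpose_key(work: bytes, alg_type: int) -> bytes:
    """Formulas (3), (4), (7): SM3(Work_Seed | alg_type) with a 4-byte purpose code.
    ASSUMPTION: the page's 'low-order first' is read as little-endian byte order."""
    return sm3(work + alg_type.to_bytes(4, "little"))

def response_code(key: bytes, utc_minutes: int, challenge: str) -> str:
    """Formulas (5)/(6): Truncate_SM3(SM3(key | UTC | Challenge)); UTC is an 8-byte big-endian minute
    count, the challenge is 4-20 ASCII characters, and UTC|Challenge is zero-padded only below 128 bits."""
    if not 4 <= len(challenge) <= 20:
        raise ValueError("challenge code must be 4-20 characters")
    tail = _pad128(struct.pack(">Q", utc_minutes) + challenge.encode("ascii"))
    return f"{truncate_sm3(sm3(key + tail)):06d}"

def unlock_code(puk_seed: bytes, puk_request: str) -> str:
    """Formula (8), server side: PUK = Truncate_SM3(SM3(Puk_Seed | Puk_Request)), request zero-padded to 128 bits."""
    return f"{truncate_sm3(sm3(puk_seed + _pad128(puk_request.encode('ascii')))):06d}"

def demo(seed: bytes = bytes(range(32)), challenge_rand: str = "123456") -> dict:
    """Walk the whole flow once on a constructed seed and return the values so they can be checked."""
    ac = activation_code(seed, challenge_rand)          # issued by the server
    if not verify_activation(seed, ac):                 # checked by the token before key conversion
        raise RuntimeError("activation failed")
    ws = work_seed(seed, ac)
    otp_seed, sign_seed, puk_seed = (purpose_key(ws, t) for t in (ALG_TYPE_LOGIN, ALG_TYPE_SIGN, ALG_TYPE_UNLOCK))
    minutes = 23_000_000                                # constructed UTC minute counter
    return {"active_code": ac,
            "login_otp": response_code(otp_seed, minutes, "123456"),
            "sign_otp": response_code(sign_seed, minutes, "123456"),
            "puk": unlock_code(puk_seed, "654321")}
```

Calling demo() runs the server-side activation, the token-side activation check, the derivation of the three purpose keys and one login, signature and unlock code each. The point the page makes is visible in the output: the same challenge string "123456" yields different login and signature codes because each is computed under its own purpose key, and a single wrong digit in the activation code makes verify_activation fail, so the working key is never derived from an unverified code.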
Embodiment three
The present embodiment three discloses a dynamic token work system, which corresponds to the dynamic token working methods disclosed in embodiment one and embodiment two.
First, corresponding to embodiment one and with reference to Fig. 4, the system includes a first receiving module 100, a first processing module 200, a second receiving module 300 and a second processing module 400.
The first receiving module 100 receives the user's login response code generation request, which includes a login challenge code.
The first processing module 200 processes the login challenge code, the login key previously generated in the dynamic token and the current real time to obtain the login response code. The login key is a key generated when the dynamic token was activated, from the seed key built into the token, the login purpose code and the activation code provided by the authentication server.
The first processing module 200 includes a login response code generation unit.
The login response code generation unit uses the SM3 hash algorithm of the Chinese national (SM) cryptographic suite together with the SM3 truncation algorithm, and generates the login response code OTP by the formula OTP = Truncate_SM3(SM3(Otp_Seed | UTC | ChallengeCode));
here Truncate_SM3 denotes the SM3 truncation algorithm, ChallengeCode denotes the login challenge code and UTC denotes the current coordinated universal time.
The second receiving module 300 receives the user's signature response code generation request, which includes a signature challenge code.
The second processing module 400 processes the signature challenge code, the signature key previously generated in the dynamic token and the current real time to obtain the signature response code. The signature key is a key generated when the dynamic token was activated, from the seed key built into the token, the signature purpose code and the activation code provided by the authentication server.
The second processing module 400 includes a signature response code generation unit.
The signature response code generation unit uses the SM3 hash algorithm together with the SM3 truncation algorithm, and generates the signature response code Sign_OTP by the formula Sign_OTP = Truncate_SM3(SM3(Sign_Seed | UTC | SignCode));
here Truncate_SM3 denotes the SM3 truncation algorithm, SignCode denotes the signature challenge code and UTC denotes the current coordinated universal time.
The work of the modules in the system rests on the prior generation of the computing keys such as the login key and the signature key. Therefore, with reference to Fig. 5, the system further includes a pre-processing module 500, which comprises a verification unit, a work key generation unit, a login key generation unit and a signature key generation unit.
The verification unit verifies the activation code provided by the authentication server and, if the verification passes, triggers the following work key generation unit;
the work key generation unit uses the SM3 hash algorithm and generates the work key Work_Seed by the formula Work_Seed = SM3(Seed | ActiveCode), where SM3 denotes the SM3 hash algorithm, Seed denotes the token's seed key and ActiveCode denotes the activation code;
the login key generation unit uses the SM3 hash algorithm and generates the login key Otp_Seed by the formula Otp_Seed = SM3(Work_Seed | alg_type_1), where alg_type_1 denotes the login purpose code;
the signature key generation unit uses the SM3 hash algorithm and generates the signature key sign_Seed by the formula sign_Seed = SM3(Work_Seed | alg_type_2), where alg_type_2 denotes the signature purpose code.
Corresponding to embodiment two and with reference to Fig. 6, the system further includes a security protection module 600, which comprises a locking unit and an unlocking unit.
The locking unit receives, after the token is switched on, the personal identification number (PIN) code entered by the user and checks the correctness of the entered PIN code; if the number of incorrect entries reaches a preset value, it locks the token and displays a token-locked prompt and an unlock request code;
the unlocking unit receives the unlock code (PUK) entered by the user and unlocks the token. The PUK is generated by the authentication server according to the formula PUK = Truncate_SM3(SM3(Puk_Seed | Puk_Request)), where Truncate_SM3 denotes the SM3 truncation algorithm, PUK denotes the unlock code and Puk_Request denotes the unlock request code.
Since the dynamic token work system disclosed in embodiment three of the present invention corresponds to the dynamic token working methods disclosed in the embodiments above, its description is kept brief; for the related details, refer to the explanation of the dynamic token working method in the embodiments above, which is not repeated here.
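As an added example that is not part of the patent and not code from its applicant, the following Python sketch puts the mechanisms of this embodiment and of the PIN/PUK section above into working form: activation-time derivation of Work_Seed and the per-purpose keys, the login and signature response codes, the PUK of formula (8) with Puk_Request zero-padded to 128 bits, a constant-time server-side comparison, and the token's PIN lock-out. It includes a compact pure-Python SM3 so it runs offline. Several things are assumptions rather than the patent's own definitions: Truncate_SM3 is not specified on this page, so `truncate_stand_in` is a placeholder that reduces the digest to six decimal digits; the byte values of alg_type_1/2/3, the encoding of UTC as a 64-bit counter, and all sample seeds and codes are constructed.

```python
# Added example (not the patent's own code). ASSUMPTIONS: truncate_stand_in()
# stands in for the undefined Truncate_SM3; purpose-code byte values, the UTC
# encoding and all sample values are constructed.
import hmac
import secrets
import struct

_IV = [0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
       0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E]
_MASK = 0xFFFFFFFF


def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & _MASK


def sm3(msg: bytes) -> bytes:
    """SM3 hash (GB/T 32905-2016): 32-byte digest of msg."""
    bit_len = len(msg) * 8
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", bit_len)
    v = _IV[:]
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for j in range(16, 68):  # message expansion W[16..67]
            x = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
            w.append(x ^ _rotl(x, 15) ^ _rotl(x, 23) ^ _rotl(w[j - 13], 7) ^ w[j - 6])
        a, b, c, d, e, f, g, h = v
        for j in range(64):  # compression function
            t = 0x79CC4519 if j < 16 else 0x7A879D8A
            ss1 = _rotl((_rotl(a, 12) + e + _rotl(t, j)) & _MASK, 7)
            ss2 = ss1 ^ _rotl(a, 12)
            ff = a ^ b ^ c if j < 16 else (a & b) | (a & c) | (b & c)
            gg = e ^ f ^ g if j < 16 else (e & f) | (~e & _MASK & g)
            tt1 = (ff + d + ss2 + (w[j] ^ w[j + 4])) & _MASK
            tt2 = (gg + h + ss1 + w[j]) & _MASK
            a, b, c, d = tt1, a, _rotl(b, 9), c
            e, f, g, h = tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17), e, _rotl(f, 19), g
        v = [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]
    return struct.pack(">8I", *v)


def truncate_stand_in(digest: bytes, n_digits: int = 6) -> str:
    """ASSUMED stand-in for Truncate_SM3: reduce a digest to n decimal digits."""
    return str(int.from_bytes(digest[:4], "big") % 10 ** n_digits).zfill(n_digits)


# Purpose codes alg_type_1/2/3; the byte values are assumed, the page only names them.
ALG_LOGIN, ALG_SIGN, ALG_UNLOCK = b"\x01", b"\x02", b"\x03"


def derive_keys(seed: bytes, active_code: bytes) -> dict:
    """Activation: Work_Seed = SM3(Seed | ActiveCode), then one key per purpose."""
    work_seed = sm3(seed + active_code)
    return {"otp": sm3(work_seed + ALG_LOGIN),
            "sign": sm3(work_seed + ALG_SIGN),
            "puk": sm3(work_seed + ALG_UNLOCK)}


def response(purpose_key: bytes, utc: int, challenge: str) -> str:
    """OTP / Sign_OTP = Truncate_SM3(SM3(key | UTC | challenge)).
    UTC is assumed to be a big-endian 64-bit time-step counter."""
    return truncate_stand_in(sm3(purpose_key + struct.pack(">Q", utc) + challenge.encode("ascii")))


def puk(puk_seed: bytes, puk_request: str) -> str:
    """Formula (8): Puk_Request is 6 ASCII digits, high byte first, zero-padded
    to 128 bits before hashing; the 6-byte PUK is rendered as 6 digits here."""
    if len(puk_request) != 6 or not puk_request.isdigit():
        raise ValueError("unlock request code must be 6 decimal digits")
    return truncate_stand_in(sm3(puk_seed + puk_request.encode("ascii").ljust(16, b"\x00")), 6)


def verify(expected: str, submitted: str) -> bool:
    """Server-side comparison in constant time, so a wrong guess leaks no timing."""
    return hmac.compare_digest(expected.encode(), submitted.encode())


class PinGuard:
    """Token-side PIN lock-out: after max_failures wrong PINs the token locks and
    shows a fresh unlock request code; only the matching PUK unlocks it."""

    def __init__(self, pin: str, puk_seed: bytes, max_failures: int = 3):
        self._pin, self._puk_seed, self._max = pin, puk_seed, max_failures
        self.failures, self.locked, self.request_code = 0, False, None

    def check_pin(self, pin: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(self._pin.encode(), pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self._max:
            self.locked = True
            self.request_code = f"{secrets.randbelow(10 ** 6):06d}"  # Puk_Request
        return False

    def unlock(self, submitted_puk: str) -> bool:
        if not self.locked or not verify(puk(self._puk_seed, self.request_code), submitted_puk):
            return False
        self.locked, self.failures, self.request_code = False, 0, None
        return True


if __name__ == "__main__":
    keys = derive_keys(b"constructed-seed-key", b"ACTIVE123")  # constructed sample values
    print("login OTP:", response(keys["otp"], 1700000000 // 60, "482913"))
    print("sign OTP :", response(keys["sign"], 1700000000 // 60, "100.00"))
    guard = PinGuard("1234", keys["puk"])
    for bad in ("0000", "1111", "2222"):
        guard.check_pin(bad)
    print("locked:", guard.locked, "Puk_Request:", guard.request_code)
    print("unlocked:", guard.unlock(puk(keys["puk"], guard.request_code)))
```

The point the code makes that the prose does not: because every purpose key is a separate SM3 output of Work_Seed, the same UTC and challenge give unrelated login and signature responses, and the unlock key never leaves the token or server, so the unlock request code shown on the locked token is worthless without Puk_Seed.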
In summary, the present invention uses the more secure domestic (Chinese national) cryptographic algorithms on a challenge/response dynamic token and, combined with a self-developed truncation algorithm built on those algorithms, processes the response code generation. This makes the working mechanism and flow of the dynamic token more secure while meeting the compliance requirement of the State Cryptography Administration that dynamic token devices support the domestic cryptographic algorithms. Moreover, the present invention provides a separate computing key for each of the user's different authentication needs, so that the keys of the dynamic token are not easily cracked, the difficulty for criminals of reverse-engineering the working principle of the dynamic token is increased, and the security of the user account is ensured.
For convenience of description, the system above is described as divided into various modules or units by function. Of course, when the application is implemented, the functions of the units may be realized in one or more pieces of software and/or hardware.
From the description of the embodiments above, those skilled in the art can clearly understand that the application can be realized by software plus the necessary general hardware platform. Based on this understanding, the technical solution of the application in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in the embodiments of the application or in parts of the embodiments.
Finally, it should be noted that relational terms such as first, second, third and fourth are used herein merely to distinguish one entity or operation from another, and do not necessarily require or imply that any such actual relation or order exists between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to be non-exclusive, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to each other.
The above is only the preferred embodiment of the present invention. It should be pointed out that those of ordinary skill in the art can make some improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
Claims (12)
1. A dynamic token working method, characterized in that it comprises:
receiving a login response code generation request from a user, the login response code generation request including a login challenge code;
processing the login challenge code, a login key previously generated in the dynamic token and the current real time to obtain a login response code, wherein the login key is a key generated when the dynamic token was activated, from the seed key built into the token, a login purpose code and an activation code provided by an authentication server;
receiving a signature response code generation request from the user, the signature response code generation request including a signature challenge code;
processing the signature challenge code, a signature key previously generated in the dynamic token and the current real time to obtain a signature response code, wherein the signature key is a key generated when the dynamic token was activated, from the seed key built into the token, a signature purpose code and the activation code provided by the authentication server.
2. The method according to claim 1, characterized in that, before receiving the login response code generation request from the user, it further comprises the following pre-processing:
verifying the activation code provided by the authentication server, and performing the following operations if the verification passes:
using the SM3 hash algorithm of the Chinese national (SM) cryptographic suite, generating a work key Work_Seed by the formula Work_Seed = SM3(Seed | ActiveCode), wherein SM3 denotes the SM3 hash algorithm, Seed denotes the token's seed key and ActiveCode denotes the activation code;
using the SM3 hash algorithm, generating a login key Otp_Seed by the formula Otp_Seed = SM3(Work_Seed | alg_type_1), wherein alg_type_1 denotes the login purpose code;
using the SM3 hash algorithm, generating a signature key sign_Seed by the formula sign_Seed = SM3(Work_Seed | alg_type_2), wherein alg_type_2 denotes the signature purpose code.
3. The method according to claim 2, characterized in that processing the login challenge code, the login key previously generated in the dynamic token and the current real time to obtain the login response code comprises:
using the SM3 hash algorithm and the SM3 truncation algorithm, generating the login response code OTP by the formula OTP = Truncate_SM3(SM3(Otp_Seed | UTC | ChallengeCode));
wherein Truncate_SM3 denotes the SM3 truncation algorithm, ChallengeCode denotes the login challenge code and UTC denotes the current coordinated universal time.
4. The method according to claim 2, characterized in that processing the signature challenge code, the signature key previously generated in the dynamic token and the current real time to obtain the signature response code comprises:
using the SM3 hash algorithm and the SM3 truncation algorithm, generating the signature response code Sign_OTP by the formula Sign_OTP = Truncate_SM3(SM3(Sign_Seed | UTC | SignCode));
wherein Truncate_SM3 denotes the SM3 truncation algorithm, SignCode denotes the signature challenge code and UTC denotes the current coordinated universal time.
5. The method according to claim 2, characterized in that, when the activation code passes verification, the pre-processing further comprises:
using the SM3 hash algorithm, generating an unlock key Puk_Seed by the formula Puk_Seed = SM3(Work_Seed | alg_type_3), wherein alg_type_3 denotes the unlock purpose code.
6. The method according to claim 5, characterized in that it further comprises:
after the token is switched on, receiving the personal identification number (PIN) code entered by the user and checking the correctness of the entered PIN code; if the number of incorrect PIN entries reaches a preset value, locking the token and displaying a token-locked prompt and an unlock request code;
receiving the unlock code entered by the user and unlocking the token, wherein the unlock code is generated by the authentication server according to the formula PUK = Truncate_SM3(SM3(Puk_Seed | Puk_Request)), wherein Truncate_SM3 denotes the SM3 truncation algorithm, PUK denotes the unlock code and Puk_Request denotes the unlock request code.
7. A dynamic token work system, characterized in that it comprises:
a first receiving module for receiving a login response code generation request from a user, the login response code generation request including a login challenge code;
a first processing module for processing the login challenge code, a login key previously generated in the dynamic token and the current real time to obtain a login response code, wherein the login key is a key generated when the dynamic token was activated, from the seed key built into the token, a login purpose code and an activation code provided by an authentication server;
a second receiving module for receiving a signature response code generation request from the user, the signature response code generation request including a signature challenge code;
a second processing module for processing the signature challenge code, a signature key previously generated in the dynamic token and the current real time to obtain a signature response code, wherein the signature key is a key generated when the dynamic token was activated, from the seed key built into the token, a signature purpose code and the activation code provided by the authentication server.
8. The system according to claim 7, characterized in that it further comprises a pre-processing module, the pre-processing module comprising:
a verification unit for verifying the activation code provided by the authentication server and, if the verification passes, triggering the following work key generation unit;
a work key generation unit for using the SM3 hash algorithm and generating a work key Work_Seed by the formula Work_Seed = SM3(Seed | ActiveCode), wherein SM3 denotes the SM3 hash algorithm, Seed denotes the token's seed key and ActiveCode denotes the activation code;
a login key generation unit for using the SM3 hash algorithm and generating a login key Otp_Seed by the formula Otp_Seed = SM3(Work_Seed | alg_type_1), wherein alg_type_1 denotes the login purpose code;
a signature key generation unit for using the SM3 hash algorithm and generating a signature key sign_Seed by the formula sign_Seed = SM3(Work_Seed | alg_type_2), wherein alg_type_2 denotes the signature purpose code.
9. The system according to claim 8, characterized in that the first processing module comprises:
a login response code generation unit for using the SM3 hash algorithm and the SM3 truncation algorithm and generating the login response code OTP by the formula OTP = Truncate_SM3(SM3(Otp_Seed | UTC | ChallengeCode));
wherein Truncate_SM3 denotes the SM3 truncation algorithm, ChallengeCode denotes the login challenge code and UTC denotes the current coordinated universal time.
10. The system according to claim 8, characterized in that the second processing module comprises:
a signature response code generation unit for using the SM3 hash algorithm and the SM3 truncation algorithm and generating the signature response code Sign_OTP by the formula Sign_OTP = Truncate_SM3(SM3(Sign_Seed | UTC | SignCode));
wherein Truncate_SM3 denotes the SM3 truncation algorithm, SignCode denotes the signature challenge code and UTC denotes the current coordinated universal time.
11. The system according to claim 8, characterized in that the pre-processing module further comprises:
an unlock key generation unit for using the SM3 hash algorithm and generating an unlock key Puk_Seed by the formula Puk_Seed = SM3(Work_Seed | alg_type_3), wherein alg_type_3 denotes the unlock purpose code.
12. The system according to claim 11, characterized in that it further comprises a security protection module, the security protection module comprising:
a locking unit for receiving, after the token is switched on, the personal identification number (PIN) code entered by the user and checking the correctness of the entered PIN code, and, if the number of incorrect PIN entries reaches a preset value, locking the token and displaying a token-locked prompt and an unlock request code;
an unlocking unit for receiving the unlock code entered by the user and unlocking the token, wherein the unlock code is generated by the authentication server according to the formula PUK = Truncate_SM3(SM3(Puk_Seed | Puk_Request)), wherein Truncate_SM3 denotes the SM3 truncation algorithm, PUK denotes the unlock code and Puk_Request denotes the unlock request code.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410647744.2A CN104333555B (en) | 2014-11-14 | A kind of dynamic token method of work and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410647744.2A CN104333555B (en) | 2014-11-14 | A kind of dynamic token method of work and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104333555A CN104333555A (en) | 2015-02-04 |
CN104333555B true CN104333555B (en) | 2018-02-09 |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008004312A1 (en) * | 2006-07-07 | 2008-01-10 | Jcb Co., Ltd. | Net settlement assisting device |
CN101500011A (en) * | 2009-03-13 | 2009-08-05 | 北京华大智宝电子***有限公司 | Method and system for implementing dynamic password security protection |
CN101789864A (en) * | 2010-02-05 | 2010-07-28 | 中国工商银行股份有限公司 | On-line bank background identity identification method, device and system |
CN101800645A (en) * | 2010-02-05 | 2010-08-11 | 中国工商银行股份有限公司 | Identity authentication method, device and system |
CN102664736A (en) * | 2012-04-13 | 2012-09-12 | 天地融科技股份有限公司 | Electronic cipher generating method, device and equipment and electronic cipher authentication system |
CN103457739A (en) * | 2013-09-06 | 2013-12-18 | 北京握奇智能科技有限公司 | Method and device for acquiring dynamic token parameters |
CN103731272A (en) * | 2014-01-06 | 2014-04-16 | 飞天诚信科技股份有限公司 | Identity authentication method, system and equipment |
CN103888470A (en) * | 2014-04-02 | 2014-06-25 | 飞天诚信科技股份有限公司 | Dynamic token synchronizing method and system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Yu et al. | An efficient generic framework for three-factor authentication with provably secure instantiation | |
CN101197667B (en) | Dynamic password authentication method | |
CN102281138B (en) | Method and system for improving safety of verification code | |
CN102148685B (en) | Method and system for dynamically authenticating password by multi-password seed self-defined by user | |
CN101651675B (en) | By the method and system that authentication code is verified client | |
CN107274532A (en) | The temporary password gate control system that encryption parameter dynamically updates | |
KR20210091155A (en) | Biocrypt Digital Wallet | |
CN108711209A (en) | dynamic password generation and verification method and system | |
CN101958913B (en) | Bidirectional ID (Identity) authentication method based on dynamic password and digital certificate | |
CN103853950A (en) | Authentication method based on mobile terminal and mobile terminal | |
CN110519300A (en) | Client key method for secure storing based on password bidirectional authentication | |
CN106357679B (en) | Method, system and the client of cipher authentication, server and smart machine | |
CN105553667A (en) | Dynamic password generating method | |
KR101202245B1 (en) | System and Method For Transferring Money Using OTP Generated From Account Number | |
CN109285256A (en) | Computer room based on block chain authentication enter permission give method | |
CN114758433A (en) | Cloud-based dynamic password generation method and system and intelligent lock | |
CN112529573A (en) | Combined block chain threshold signature method and system | |
CN106452845B (en) | A kind of implementation method unlocked online and device | |
CN104135371B (en) | A kind of password store method and device | |
CN104333555B (en) | A kind of dynamic token method of work and system | |
US10990978B2 (en) | Method of transaction without physical support of a security identifier and without token, secured by the structural decoupling of the personal and service identifiers | |
CN102164036B (en) | Dynamic token as well as two-way authentication method and two-way authentication system with dynamic token | |
Yang et al. | A Hybrid Blockchain-Based Authentication Scheme for Smart Home | |
CN110084031B (en) | Method for security authentication of information system account with customizable authentication logic | |
Prinslin et al. | Secure online transaction with user authentication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |