KR101600474B1 - Authentication method by salted password - Google Patents

Authentication method by salted password

Info

Publication number
KR101600474B1
Authority
KR
South Korea
Prior art keywords
password
salt
variable
user
rule
Prior art date
Application number
KR1020150122084A
Other languages
Korean (ko)
Inventor
김동현
Original Assignee
주식회사 엔터소프트
Application filed by 주식회사 엔터소프트
Priority to KR1020150122084A
Application granted
Publication of KR101600474B1
Priority claimed by PCT/KR2016/008316 (WO2017039156A1)

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45Structures or tools for the administration of authentication
    • G06F21/46Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention is a salted-password authentication method in which a user inputs into a server a salted password, generated by mixing the user's password, according to a pre-agreed salt rule, with a variable taken from an OTP (salt variable string) provided by the server, and the server decides whether to authenticate the user using the extracted password obtained by applying the salt rule in reverse to the received salted password. The salted-password authentication method according to the present invention comprises a member registration step, in which the user connects to the server and registers, and an authentication step, in which the user connects to the server and performs the authentication procedure.

Description

Authentication method by salted password

[0001] The present invention relates to a password authentication method, and more particularly to a password authentication method in which a server (hereinafter "server") of a client-server system provides a user with an OTP (One Time Password); the user inserts a variable taken from the OTP (a salt variable) at the position specified by the salt rule among the plurality of variables constituting the password and inputs the resulting password into the server; and the server determines whether to authenticate the user by judging whether the user selected the correct salt variable from the OTP, selected the agreed number of salt variables, inserted the salt variable at the correct position in the password, and entered a password matching the encrypted password registered in advance.

User authentication is a procedure for verifying eligibility to access certain information. It is introduced to prevent unauthorized access to confidential information that must be protected, whether that of a state, a company or an individual. User authentication methods fall into knowledge-based authentication, which uses passwords and pre-established questions and answers; token-based authentication, which uses something the user holds, such as a public certificate or an OTP (One-Time Password); and biometric authentication, which uses the fingerprint or iris of the user being authenticated.

Token-based authentication methods using public certificates or one-time passwords (OTP) are used for online banking, online games, portal sites and corporate networks because they can maintain a high level of security. Authentication methods using OTP include the S/KEY method, the time-synchronization method, the challenge/response method and the event-synchronization method, but they have the disadvantage of being vulnerable when the OTP list is leaked or synchronization fails.

In biometric authentication, the recognition rate of fingerprints is not high, so repeated attempts are often required, and in the case of iris recognition the installation cost is considerable.

The knowledge-based authentication described above is used as the basic authentication method for client/server user authentication, and financial institutions and public institutions use the token-based authentication described above when enhanced authentication is required. Attacks on user accounts are mainly directed at knowledge-based authentication and are based on brute-force attacks.

To prevent hacking, KISA recommends passwords of 8 or more characters drawn from three or more character types, or passwords of 10 or more characters drawn from two or more character types. However, knowledge-based authentication has the disadvantage that a user easily forgets a password with a complicated structure, because the password conditions differ from site to site.

SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and it is an object of the present invention to provide a salted-password authentication method using a variable password, generated by applying a variable OTP, in order to defeat attacks such as brute-force attacks that exploit the weakness of a fixed password.

According to another aspect of the present invention, there is provided a method of authenticating a password in a server, comprising an authentication step in which the user, using arbitrary connection means, selects from N (N being a natural number of 2 or more) variables generated and provided by the server the variable specified by the salt rule agreed in advance, and transmits to the server an ID and a salted password obtained by mixing the selected variable with the password according to the salt rule; the server applies the salt rule in reverse to the received salted password to obtain the extracted password and compares it, together with the received ID, with the ID and password stored in the database to confirm the suitability of the ID and salted password inputted by the user.

In the password authentication method according to the present invention, the password transmitted to the server for authentication changes every time the user attempts authentication, so that the user accounts of states, enterprises and individuals can be protected from attacks such as brute-force attacks and from attacks that exploit network loopholes, such as sniffing.

In addition, the user need only memorize the salt rule agreed with the server and a relatively simple password. This removes the inconvenience of carrying an OTP token to enhance security, of memorizing a complicated password, and of having to change the password periodically.

FIG. 1 shows the member registration step of the salted-password authentication method according to the present invention.
FIG. 2 shows the authentication step of the salted-password authentication method according to the present invention.
FIG. 3 shows the step of generating a salt variable string during the authentication step shown in FIG. 2.
FIG. 4 illustrates a method for generating a salted password using a salt variable string, a salt rule and a password.
FIG. 5 illustrates the effect of using a salt rule according to the present invention.
FIG. 6 shows an initial screen provided by the server.
FIG. 7 shows the cracking time for a password that does not use the salted-password authentication method according to the present invention.
FIG. 8 shows the cracking time for a salted password generated using the salted-password authentication method according to the present invention.

In order to fully understand the present invention and the operational advantages of the present invention and the objects achieved by the practice of the present invention, reference should be made to the accompanying drawings, which are provided for explaining exemplary embodiments of the present invention, and the contents of the accompanying drawings.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. Like reference symbols in the drawings denote like elements.

FIG. 1 shows a member registration step of the SOLID password authentication method according to the present invention.

Referring to FIG. 1, the member registration step 110 of the salted-password authentication method according to the present invention comprises a setting information input step 120 (111, 112, 113) and an information storage step 130 (114, 115, 116). In the setting information input step 120 (111, 112, 113), a user who wishes to register uses first connection means, such as a computer, to input an ID, a password and a salt rule according to the input method provided by the server. In the information storage step 130 (114, 115, 116), performed by the server, the ID, salt rule and password input by the user in the setting information input step 120 are registered through a predetermined deliberation procedure, and the encrypted password obtained by encrypting the registered password, the registered ID and the registered salt rule are stored in the database.

Here, the client-server system is a concept that includes a web system, and the server of a client-server system, and "server" used as a substitute term for it, are concepts that include a web server.

The first connection means, by which a user connects to the server for member registration, and the second connection means, by which the user connects for authentication after registration and which is used in the following description, may be various, for example a computer or a smartphone. Therefore, the first connection means and the second connection means used in the following description each denote one of the various means that can connect to the server by wire or wirelessly, such as a computer or a smartphone.

When the user connects (111) to the server for member registration, the server requests the user to input the ID, password and salt rule to be used in the future (112), and the user inputs the ID, password and salt rule (113) to the server.

The server judges whether the ID and password received from the user are duplicates. If the ID and password are found to be usable, the server registers (114) the ID, password and salt rule, encrypts the password (115), and stores the ID, encrypted password and salt rule together in the database (116).

The above description covers the case in which the user accesses the server and performs the member registration step 110 directly. However, any method in which the user, or someone acting for the user, accesses the server and agrees and registers the salt rule before the user actually communicates with the server is included in the member registration step. For example, in an intranet system an administrator may perform the member registration step on behalf of the user, and this registration method is also included in the member registration step of the present invention.

The salt rule proposed in the present invention will be described later in detail together with the salt variable string to be described later.

After the above process, the user's ID, password, and salt rule are registered, the member registration step 110 is completed, and the user who has completed registration of the member can access the server through the authentication step described below.

FIG. 2 shows an authentication step of the SOLID password authentication method according to the present invention.

Referring to FIG. 2, the authentication step 210 of the salted-password authentication method according to the present invention comprises a connection step 211, a salt variable string generation step 212, an input window providing step 214, an authentication information input step 215, an ID suitability determination step 217, a salted password suitability determination step 219, an extracted password encryption step 220 and a password determination step 222.

In the connection step 211, the user accesses the server for authentication using the first connection means or the second connection means.

In the salt variable string generation step 212, performed by the server, a salt variable string is generated, and the generated salt variable string 213 is stored in the database or in a session variable (not shown). The salt variable string used in the present invention corresponds to an OTP. The plurality of variables used for the salt variable string can be obtained by calling a plurality of variables stored, for example, in the server's own memory or in the database; a string of N (N being a natural number of 2 or more) of these variables is the salt variable string, described later.

A session is a technique for maintaining the identity of a user on a client-server system until communication stops for a certain time-out period after it starts, or until the browser in use is closed. When the salt variable string 213 is stored in the database, the server must connect to the database every time it refers to the salt variable string 213, which may place an excessive load on data processing; a session variable, which can be stored temporarily in the server's memory, can be used instead so that no large processing load is generated.

In the input window providing step 214, the server provides an ID input window, a password input window and a salt variable string window to the user through the first connection means or the second connection means. The ID input window and the password input window are empty so that the user can type into them, while the salt variable string window displays the salt variable string generated in the salt variable string generation step 212.

In the authentication information input step 215, the user inputs the ID and the salted password into the input windows provided by the server. The process of generating the salted password will be described later.

In the ID suitability determination step 217, the server calls the IDs stored in the database (216) and determines whether the ID input by the user is the same as an ID stored in the database.

If, in the ID suitability determination step 217, the ID input by the user is found in the database (Yes), then in the salted password suitability determination step 219 the salt variable string stored in the database or session variable and the salt rule stored in the database are referred to (218) to determine whether the salted password entered by the user was created according to the salt rule. The salted password suitability determination step 219 determines both whether the user selected the legitimate variable from the salt variable string and whether that variable was inserted at the correct position. If either the selection of the variable or the position of its insertion is wrong, the salted password suitability determination step 219 is not passed.

In the extracted password encryption step 220, performed when step 219 determines that the salted password entered by the user was created according to the salt rule (Yes), the server applies the salt rule in reverse to the salted password to obtain the extracted password, and generates an encrypted extracted password by encrypting it in the same manner as the password registered in the information storage step 130 of the member registration step 110.

In the password determination step 222, the server calls the encrypted password stored in the database (221) and determines whether the encrypted extracted password is the same as it. As described above, the encrypted password is the encryption of the password that the user and the server agreed in the member registration step 110, so if the pre-registered encrypted password matches the encrypted extracted password derived during authentication, the user is recognized as having entered the correct password in the correct way.

If the ID suitability determination step 217 determines that the ID input by the user is not in the database (No), if the salted password suitability determination step 219 determines that the salted password was not created according to the salt rule (No), or if the password determination step 222 finds that the encrypted extracted password does not match the encrypted password stored in the database (No), the salt variable string generation step 212 is performed again. When step 212 is re-executed, the existing salt variable string stored in the database or session variable is replaced with the newly created one.

Thus, in the authentication process of the present invention, whenever wrong information is entered, whether by a mistake of a legitimate user or by an illegitimate user, a new salt variable string is generated and a new salted password must be generated from it, so that the possibility of hacking is minimized.

If it is determined in the password determination step 222 that the encrypted extracted password is the same as the encrypted password stored in the database (Yes), the user is authenticated (223).

In the above description, the salted password suitability determination step 219 can be used selectively according to the embodiment.

FIG. 3 shows the step of generating a salt variable string during the authentication step shown in FIG.

Referring to FIG. 3, the salt variable string generation step 212 comprises a variable selection step 311 of randomly selecting N (N being a natural number of 2 or more) variables from among a plurality of letters, a plurality of numbers and a plurality of symbols; a salt variable string storage step 312 of storing the selected N variables in the database or a session variable; a variable image transformation step 313 of generating and storing the selected N variables as image-form variables using the CAPTCHA technique; and a variable string generation step 314 of arranging the N image-form variables in a line to generate the salt variable string.

The salt variable string displayed in the salt variable string window in the input window providing step 214 is the string of distorted image-form variables generated in the variable string generation step 314.

The salt variable string proposed in the present invention is a string of N variables randomly selected from at least one of a plurality of letters, a plurality of numbers (0 to 9) and a plurality of symbols. The greater N is, the more effective the method will be. Here, it is preferable to use at least one of uppercase letters (A to Z) and lowercase letters (a to z).

The salt rule comprises a first selection rule, which selects at least one variable (the salt variable) among the plurality of variables constituting the salt variable string, and a second selection rule, which determines after which of the variables constituting the password the salt variable selected by the first selection rule is to be inserted. Accordingly, the salted password is obtained by inserting the salt variable selected according to the first selection rule at the position selected according to the second selection rule among the plurality of variables constituting the password.

For example, if the first selection rule is set to 4, it indicates that the fourth variable from the left among the variables constituting the salt variable string is to be selected. If the second selection rule is set to 3, it indicates that the variable selected by the first selection rule is to be inserted after the third variable of the password.

FIG. 4 illustrates a method for generating a salted password using a salt variable string, a salt rule and a password.

Referring to FIG. 4, if the password is preset to "entersoft", the first selection rule is 4, the second selection rule is 3, and the salt variable string provided by the server (N = 10) is "MK6QY92C4H", the user must input the salted password "entQersoft", obtained by inserting "Q", the fourth character of the salt variable string that serves as an OTP that need not be carried, after the third character of the password.

It can be seen that the ten variables constituting the salt variable string shown in FIG. 4 are not plain letters and numbers but images of those letters and numbers distorted by the CAPTCHA method.

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) presents an image in which the objects have been intentionally distorted or overlaid so that they can be distinguished by a human but not by a computer, so that a hacking program cannot read the OTP string and attempt to log in automatically.

In FIG. 4, the number 4 is selected by the first selection rule. If two variables are set in the first selection rule, for example 4 and 6, then "9", the sixth character of the salt variable string, is also included as a salt variable inserted into the password. In this case the second selection rule may keep the existing "3", or, for example, "4" may be added.

When the second selection rule is 3 only, "Q" and "9" should be inserted consecutively after the third character of the password; when the second selection rule is 3 and 4, "Q" is inserted after the third character and "9" after the fourth character of the password. The method of insertion can be set in various ways by the program in advance, and the above description takes one of them as an example.
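The salt rule of FIGS. 2 to 4, with both the client side (building the salted password) and the server side (steps 217 to 223, including the reverse application of the rule), as an added Python example; it is not code from the patent or its assignee. It assumes a 10-variable salt string of letters and digits, rules expressed as lists of 1-based positions so that the one- and two-variable cases above are both covered, and PBKDF2-HMAC-SHA256 with a per-user random salt as the "encryption" of the stored password; that hashing salt is a separate thing from the patent's salt rule. The names apply_salt_rule, reverse_salt_rule, register and authenticate are this example's own.

```python
import hashlib
import hmac
import secrets
import string

# Assumptions for this example (not stated in the patent): a 10-variable salt string
# drawn from letters and digits, and PBKDF2-HMAC-SHA256 with a per-user random salt
# as the stored "encrypted password". The hashing salt is unrelated to the salt rule.
SALT_STRING_LENGTH = 10
SALT_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits
PBKDF2_ROUNDS = 200_000


def generate_salt_variable_string(n=SALT_STRING_LENGTH):
    """Step 212 (311/312): N variables chosen with a CSPRNG. The CAPTCHA rendering
    of step 313 is a presentation concern and is not modelled here."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(n))


def apply_salt_rule(password, salt_string, first_rule, second_rule):
    """Client side (FIG. 4): first_rule[i] is the 1-based position in the salt string
    of the i-th salt variable; second_rule[i] is the 1-based password position after
    which it is inserted (0 = before the first character). Variables that share a
    position are inserted consecutively in rule order, as in the "Q" then "9" case."""
    if len(first_rule) != len(second_rule):
        raise ValueError("first and second selection rules must have the same length")
    inserts = {}
    for src, dst in zip(first_rule, second_rule):
        if not (1 <= src <= len(salt_string)) or not (0 <= dst <= len(password)):
            raise ValueError("selection rule points outside the salt string or password")
        inserts.setdefault(dst, []).append(salt_string[src - 1])
    out = []
    for pos in range(len(password) + 1):
        if pos > 0:
            out.append(password[pos - 1])
        out.extend(inserts.get(pos, []))
    return "".join(out)


def reverse_salt_rule(salted, salt_string, first_rule, second_rule):
    """Server side (steps 219 and 220): verify every inserted variable and strip it.
    Returns the extracted password, or None if a variable is not the one the first
    rule points at or is not where the second rule puts it. The password length is
    not needed: the k-th inserted variable (ordered by insertion position, ties in
    rule order) sits at 0-based index second_rule + k of the salted string."""
    order = sorted(range(len(second_rule)), key=lambda i: (second_rule[i], i))
    strip = set()
    for k, i in enumerate(order):
        idx = second_rule[i] + k
        if idx >= len(salted) or salted[idx] != salt_string[first_rule[i] - 1]:
            return None
        strip.add(idx)
    return "".join(c for j, c in enumerate(salted) if j not in strip)


def _hash(password, kdf_salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), kdf_salt, PBKDF2_ROUNDS)


def register(db, user_id, password, first_rule, second_rule):
    """Steps 114 to 116: refuse a duplicate ID, then store the password hash and the
    agreed salt rule. The plain password is never kept."""
    if user_id in db:
        raise ValueError("duplicate ID")
    if any(not (1 <= src <= SALT_STRING_LENGTH) for src in first_rule):
        raise ValueError("first selection rule points outside the salt string")
    kdf_salt = secrets.token_bytes(16)
    db[user_id] = {
        "kdf_salt": kdf_salt,
        "hash": _hash(password, kdf_salt),
        "first_rule": list(first_rule),
        "second_rule": list(second_rule),
    }


def authenticate(db, session, user_id, salted_password):
    """Steps 217 to 223. session["salt_string"] is what the user was shown (step 214).
    Whatever the outcome the shown string is replaced, so a sniffed salted password
    cannot be replayed and a failed attempt gets a fresh string (step 212 re-run)."""
    ok = False
    rec = db.get(user_id)
    if rec is not None:
        extracted = reverse_salt_rule(
            salted_password, session["salt_string"], rec["first_rule"], rec["second_rule"]
        )
        if extracted is not None:
            ok = hmac.compare_digest(_hash(extracted, rec["kdf_salt"]), rec["hash"])
    session["salt_string"] = generate_salt_variable_string()
    return ok


if __name__ == "__main__":
    db = {}
    register(db, "user1", "entersoft", first_rule=[4], second_rule=[3])
    session = {"salt_string": "MK6QY92C4H"}  # the FIG. 4 string, constructed for the demo
    print(apply_salt_rule("entersoft", session["salt_string"], [4], [3]))  # entQersoft
    print(authenticate(db, session, "user1", "entQersoft"))                # True
```

A mismatch at any checked index is the step 219 failure and the hash comparison is step 222; reverse_salt_rule never learns the password length, which is why the server can work from the stored hash alone. Note that the value on the wire is still the fixed password with one or two characters inserted, so its protection against a sniffer rests on the salt rule staying secret, not on the OTP string.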

Figure 5 illustrates the effect of using a salt rule according to the present invention.

Referring to FIG. 5, which compares using the password alone (no Salt), inserting one salt variable into the password (1 Salt) and inserting two salt variables into the password (2 Salts): for a one-character password the number of possible cases for no Salt, 1 Salt and 2 Salts is 62, 1240 and 5580 respectively, and for a two-character password it is 3844, 115320 and 1037880. For an eight-character password, using two salt variables (2 Salts) gives 3240 times as many cases as using no salt (no Salt).

FIG. 6 shows an initial screen provided by the server.

Referring to FIG. 6, the user inputs his or her ID into the ID input window (ID *) at the top, selects the variable specified by the agreed salt rule from the variables shown in the salt variable string window, and inputs into the password input window (password *) in the middle the password generated by inserting the selected variable at the position of the password agreed in the salt rule. The form and position of the ID input window, the password input window and the salt variable string window may differ according to the embodiment.
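The counting model behind the FIG. 5 figures, as an added Python example that is not part of the patent. It assumes a 62-symbol password alphabet (upper case, lower case and digits), a 10-variable salt string, and that each inserted variable occupies its own gap between password characters; under those assumptions the counts are C(L+1, k) × P(10, k) × 62^L for an L-character password with k salt variables, which reproduces 1240, 5580, 115320, 1037880 and the 3240-fold gain quoted above. The function names are this example's own.

```python
from math import comb, perm

# Assumptions (not stated in the patent): 62-symbol password alphabet, a 10-variable
# salt string, and each salt variable inserted into its own gap between characters.
PASSWORD_ALPHABET = 62
SALT_STRING_LENGTH = 10


def candidate_count(password_len, salts, alphabet=PASSWORD_ALPHABET, n=SALT_STRING_LENGTH):
    """Strings an attacker must cover to hit every password of the given length with
    `salts` salt variables inserted. There are password_len + 1 gaps; choose which
    `salts` of them are used, then an ordered choice of the variables taken from the
    N-variable salt string, then the password itself."""
    if salts < 0 or salts > password_len + 1 or salts > n:
        return 0
    return comb(password_len + 1, salts) * perm(n, salts) * alphabet ** password_len


def salt_gain(password_len, salts, **kw):
    """How many times larger the candidate space is than with no salt inserted."""
    return candidate_count(password_len, salts, **kw) // candidate_count(password_len, 0, **kw)


def fig5_table(max_len=8):
    """Rows of (length, no Salt, 1 Salt, 2 Salts), the layout of FIG. 5."""
    return [
        (L, candidate_count(L, 0), candidate_count(L, 1), candidate_count(L, 2))
        for L in range(1, max_len + 1)
    ]


if __name__ == "__main__":
    for row in fig5_table():
        print("len=%d  no Salt=%d  1 Salt=%d  2 Salts=%d" % row)
    print("gain for 8 chars, 2 Salts:", salt_gain(8, 2))  # 3240
```

The gain C(L+1, k) × P(N, k) does not depend on the alphabet, so it is the same for any password of the stated length; it counts an attacker who must guess both the positions and the inserted variables, which is the situation the page describes once the salt string changes on every attempt.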

The effect of the solved password authentication method according to the present invention can be confirmed on an internet site (https://howsecureismypassword.net/) which indicates the possibility of password hacking.

FIG. 7 shows a hacking time for a password that does not use the SOLID password authentication method according to the present invention.

Referring to FIG. 7, the hacking-possibility check provided by that Internet site showed that the time taken to crack the password "entersoft" is 22 minutes.

FIG. 8 shows the cracking time for a salted password generated using the salted-password authentication method according to the present invention.

Referring to FIG. 8, it can be seen that cracking takes one year if one variable is inserted into the password.

Comparing FIG. 7 and FIG. 8, when one variable "Y" is added to the password, cracking requires 23891 times as long as when no variable is inserted.

The description of FIG. 7 and FIG. 8 is for the case where the added variable is fixed to "Y"; in reality the added variable changes on every attempt, so brute-force cracking becomes impossible.

As described above, the salted-password authentication method according to the present invention, which combines token-based authentication using an OTP with knowledge-based authentication using a password, removes the need to carry an OTP token, which is one of the disadvantages of OTP, and renders ineffective hacking methods such as dictionary attacks, which try words usable as passwords one by one, and brute-force attacks, which try every string that can be created within a given range. By applying CAPTCHA to the variables constituting the OTP, automated attacks are blocked at the source.

While the present invention has been described in connection with what is presently considered to be the most practical and preferred embodiment, it is to be understood that the invention is not limited to the disclosed embodiments. It will be apparent to those skilled in the art that various modifications and variations can be made in the present invention without departing from the scope of the present invention.

110: Member registration step
120: setting information input step 130: information storing step
210: authentication step
211: connection step
212: Steps for creating a salt variable string
214: Input window provisioning step
215: Step of inputting authentication information
217: Identity suitability determination step
219: salted password suitability determination step
220: extracted password encryption step
222: password determination step

Claims (10)

The user selects and stores N (N is a natural number of 2 or more) variables provided by a server (hereinafter, referred to as a server) of the client server system using arbitrary connection means, The server sends a signed password and an ID, which is obtained by mixing the selected variable with the password according to the salt rule, to the corresponding server, And an authentication step of verifying the conformity of the ID and the secret password inputted by the user by comparing the extracted password obtained by applying the rule in reverse and the ID and the ID stored in the database,
In the authentication step, it is confirmed whether or not the variable inserted into the solicit password by the user has been selected from the salt variable string according to the salt rule and whether the selected variable is inserted at the position of the solicit password according to the salt rule A solved password authentication method characterized by.
The method of authenticating a soluted password according to claim 1,
A user or an administrator of the server promises and registers a salt rule applied to a process of inputting an ID, a password and a password required for user authentication when a user accesses the server by using arbitrary connection means, and the server registers A member registration step of storing a registered ID, a registered password, and a registered salt rule in a database;
The method of claim 1, further comprising:
The salt variable string according to claim 2, wherein N variables randomly selected from at least one of a plurality of characters, a plurality of numbers, and a plurality of symbols are arranged in a line,
Wherein the salt rule includes a first selection rule for selecting at least one variable in a predetermined position among a plurality of variables constituting the salt variable string and a second selection rule for selecting a variable selected in accordance with the first selection rule, And a second selection rule for determining which one of the variables is to be inserted next,
The above-
Wherein a variable selected according to the first selection rule is inserted between a plurality of variables constituting the password at a selected position according to the second selection rule.
The character described in claim 3,
Wherein the password is at least one of an uppercase alphabet, a lowercase alphabet, and a special character.
Each variable constituting the salt variable string according to claim 4,
Wherein the image is an image modified by using a CAPTCHA method.
The method according to claim 2, wherein the member registration step comprises:
A setting information input step in which a user wishing to register as a member inputs an ID, a password, and a salt rule, using the arbitrary connection means, according to an input method provided by the server to which the user is connected; and
A registration step in which the server registers the ID, the salt rule, and the password input in the setting information input step after a predetermined review procedure, encrypts the password, and stores the encrypted password, the registered ID, and the registered salt rule in the database.
7. The method according to claim 6, wherein the authentication step comprises:
A connection step in which a user accesses the server using the arbitrary connection means;
A salt variable string generating step of generating the salt variable string in the server and storing the generated salt variable string in the database or in a session variable;
An input window providing step in which the server provides an ID input window, a password input window, and a salt variable string window to the user through the arbitrary connection means;
An authentication information input step in which the user generates a salted password using the salt rule and the salt variable string provided in the salt variable string window, and inputs the user ID and the salted password into the input windows;
An ID suitability determination step of determining whether the ID input by the user is among the IDs stored in the database;
An extracted password encryption step, performed when the ID input by the user is included in the database, of obtaining an extracted password by applying the salt rule to the salted password in reverse, and encrypting the extracted password in the same manner as the registered password was encrypted, to generate an encrypted extracted password; and
A password determination step of determining whether the encrypted extracted password is the same as the encrypted password stored in the database;
Wherein, if the ID suitability determination step determines that the ID input by the user is not included in the database, or if the password determination step determines that the encrypted extracted password does not match the encrypted password stored in the database, the salt variable string generating step is re-executed;
And the user is authenticated when the password determination step determines that the encrypted extracted password is the same as the encrypted password stored in the database.
8. The method according to claim 7, further comprising:
A salted password conformity determination step, performed when the ID suitability determination step determines that the ID input by the user is included in the database, of judging whether the salted password input by the user was created according to the salt rule, by comparing the salt variable string stored in the database or the session variable with the salt rule stored in the database;
Wherein the extracted password encryption step is performed when the salted password conformity determination step determines that the salted password input by the user was created according to the salt rule,
And the salt variable string generating step is re-executed when the salted password conformity determination step determines that the salted password input by the user was not created according to the salt rule.
The method according to claim 7 or 8, wherein the salt variable string generating step comprises:
A variable selecting step of randomly selecting N variables from among a plurality of characters, a plurality of numbers, and a plurality of symbols;
A salt variable string storing step of storing the N variables selected in the variable selecting step in the database or the session variable;
A variable image transforming step of converting the N variables selected in the variable selecting step into image form using a CAPTCHA technique and storing them; and
A variable string generating step of arranging the N image-form variables in a line to generate the salt variable string.
The method according to claim 9,
Wherein the extracted password is generated by removing, from the variables constituting the salted password, the variables that were added to the password, using the salt rule stored in the database and the salt variable string stored in the database or the session variable; a salted password authentication method characterized thereby.
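The procedure the claims describe (a per-login salt variable string issued by the server, a pre-registered salt rule that picks variables from that string and inserts them into the password, and server-side reversal of the rule before hashing and comparing) is shown below as an added example. It is not the patent's or the applicant's code; the class and function names, the salt-string alphabet, N = 6, and the choice of PBKDF2 as the "encryption" of the stored password are all assumptions made for illustration, and the salt variable string is kept as plain text rather than rendered as a CAPTCHA image as in claims 5 and 9.

```python
"""Added example (not the patent's own code): a minimal salted-password
login in the style of claims 3 and 7 to 10.  Names, the salt-string
alphabet, N, and the password-hashing parameters are assumptions."""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field

SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # assumed
N_SALT_VARIABLES = 6          # length N of the per-login salt variable string (assumed)
PBKDF2_ITERATIONS = 200_000   # assumed; the claims only say the password is "encrypted"


@dataclass(frozen=True)
class SaltRule:
    """The user's pre-registered secret salt rule.

    pick_positions:   indices into the salt variable string (first selection rule).
    insert_positions: index in the growing salted password at which the picked
                      variable is inserted (second selection rule), applied in order.
    """
    pick_positions: tuple
    insert_positions: tuple

    def __post_init__(self):
        if len(self.pick_positions) != len(self.insert_positions):
            raise ValueError("each picked variable needs an insertion position")

    def apply(self, password: str, salt_string: str) -> str:
        """Client side: build the salted password for this login's salt string."""
        out = password
        for pick, ins in zip(self.pick_positions, self.insert_positions):
            if not (0 <= pick < len(salt_string)) or not (0 <= ins <= len(out)):
                raise ValueError("salt rule does not fit this password/salt string")
            out = out[:ins] + salt_string[pick] + out[ins:]
        return out

    def strip(self, salted: str, salt_string: str):
        """Server side: reverse the rule (claim 10).  Returns the extracted
        password, or None when the characters at the rule's positions are not
        the ones the rule selects from the salt string (the claim-8 check)."""
        out = salted
        for pick, ins in reversed(list(zip(self.pick_positions, self.insert_positions))):
            if not (0 <= pick < len(salt_string)) or not (0 <= ins < len(out)):
                return None
            if out[ins] != salt_string[pick]:
                return None
            out = out[:ins] + out[ins + 1:]
        return out


def hash_password(password: str, storage_salt: bytes) -> bytes:
    """Storage hash of the *extracted* password.  The per-user random storage
    salt is separate from the patent's per-login salt variable string."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               storage_salt, PBKDF2_ITERATIONS)


def generate_salt_string(n: int = N_SALT_VARIABLES) -> str:
    """Salt variable string generating step: N random variables in a line."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(n))


@dataclass
class UserRecord:
    rule: SaltRule
    storage_salt: bytes
    password_hash: bytes


@dataclass
class Server:
    users: dict = field(default_factory=dict)     # registered ID -> UserRecord
    sessions: dict = field(default_factory=dict)  # session id -> current salt string

    def register(self, user_id: str, password: str, rule: SaltRule) -> None:
        """Member registration step: store ID, salt rule and hashed password."""
        storage_salt = os.urandom(16)
        self.users[user_id] = UserRecord(rule, storage_salt,
                                         hash_password(password, storage_salt))

    def start_login(self, session_id: str) -> str:
        """Connection, salt variable string generating and input window steps."""
        self.sessions[session_id] = generate_salt_string()
        return self.sessions[session_id]

    def finish_login(self, session_id: str, user_id: str, salted_password: str) -> bool:
        """ID suitability, conformity, extracted-password hashing and comparison.
        The salt string is consumed on every attempt, so any failure forces a
        fresh one (the claims' "re-execute the generating step")."""
        salt_string = self.sessions.pop(session_id, None)
        record = self.users.get(user_id)
        if salt_string is None or record is None:
            return False
        extracted = record.rule.strip(salted_password, salt_string)
        if extracted is None:
            return False
        candidate = hash_password(extracted, record.storage_salt)
        return hmac.compare_digest(candidate, record.password_hash)


if __name__ == "__main__":
    rule = SaltRule(pick_positions=(0, 4), insert_positions=(0, 4))
    server = Server()
    server.register("alice", "hunter2", rule)        # constructed sample user
    challenge = server.start_login("sess-1")
    salted = rule.apply("hunter2", challenge)
    print("salt variable string shown to user:", challenge)
    print("salted password typed by user:     ", salted)
    print("accepted:", server.finish_login("sess-1", "alice", salted))
```

Two points worth keeping in mind when reading the claims against this code. The patent's "salt variable string" is a per-login challenge that changes what the user types each time, so a captured salted password is not directly reusable; it is not the storage salt of the password hash, which the example keeps as a separate random per-user value. And the salt rule is a second secret that the server must hold in clear to reverse it (claims 2, 6 and 10), so the database row protecting it deserves the same care as the password hash itself.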
KR1020150122084A 2015-08-28 2015-08-28 Authentication method by salted password KR101600474B1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
KR1020150122084A KR101600474B1 (en) 2015-08-28 2015-08-28 Authentication method by salted password
PCT/KR2016/008316 WO2017039156A1 (en) 2015-08-28 2016-07-28 Salted password authentication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150122084A KR101600474B1 (en) 2015-08-28 2015-08-28 Authentication method by salted password

Publications (1)

Publication Number Publication Date
KR101600474B1 true KR101600474B1 (en) 2016-03-07

Family

ID=55540381

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150122084A KR101600474B1 (en) 2015-08-28 2015-08-28 Authentication method by salted password

Country Status (2)

Country Link
KR (1) KR101600474B1 (en)
WO (1) WO2017039156A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10320774B2 (en) * 2016-08-05 2019-06-11 Route1 Inc. Method and system for issuing and using derived credentials
CN113078999A (en) * 2021-04-13 2021-07-06 傲普(上海)新能源有限公司 Password security encryption storage mode

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005044054A (en) * 2003-07-25 2005-02-17 Base Technology Inc Processing system for code string
JP2007310819A (en) * 2006-05-22 2007-11-29 Sharp Corp Password generation method with improved resistance to password analysis, and authentication apparatus using this password
KR101221955B1 (en) * 2010-11-02 2013-01-15 한국과학기술정보연구원 Method for certificating one time password and apparatus thereof
JP2014029650A (en) * 2012-07-31 2014-02-13 Kyocera Document Solutions Inc Password generation device and electronic apparatus

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101467247B1 (en) * 2014-01-20 2014-12-02 성균관대학교산학협력단 System and method for verifying one-time password based on graphical images

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112636910A (en) * 2020-12-29 2021-04-09 北京深思数盾科技股份有限公司 Method, device and system for generating and verifying temporary password
CN112636910B (en) * 2020-12-29 2021-08-24 北京深思数盾科技股份有限公司 Method, device and system for generating and verifying temporary password

Also Published As

Publication number Publication date
WO2017039156A1 (en) 2017-03-09

Similar Documents

Publication Publication Date Title
US8041954B2 (en) Method and system for providing a secure login solution using one-time passwords
US9684780B2 (en) Dynamic interactive identity authentication method and system
US9117065B2 (en) Dynamic interactive identity authentication method and system
US10848304B2 (en) Public-private key pair protected password manager
US8407762B2 (en) System for three level authentication of a user
US10909230B2 (en) Methods for user authentication
CZ2015473A3 (en) The method of authentication security in electronic communication
KR101600474B1 (en) Authentication method by salted password
RU2730386C2 (en) Authentication and encryption system and method with interception protection
Hossain et al. Implementing Biometric or Graphical Password Authentication in a Universal Three-Factor Authentication System
KR100927280B1 (en) How to prevent secure string exposure using fake rounds
US11347831B2 (en) System and method for user recognition based on cognitive interactions
Kenneth et al. Web application authentication using visual cryptography and cued clicked point recall-based graphical password
Kansuwan et al. Authentication model using the bundled CAPTCHA OTP instead of traditional password
CA2611549C (en) Method and system for providing a secure login solution using one-time passwords
Nasiri et al. Using Combined One-Time Password for Prevention of Phishing Attacks.
US20160021102A1 (en) Method and device for authenticating persons
Edwards et al. FFDA: A novel four-factor distributed authentication mechanism
Shah et al. New factor of authentication: Something you process
KR101632582B1 (en) Method and system for user authentication using password included random key
Majdalawieh et al. Assessing the Attacks Against the Online Authentication Methods Using a Comparison Matrix: A Case of Online Banking
US20230057862A1 (en) Fraud resistant passcode entry system
Παπασπύρου A novel two-factor honey token authentication mechanism
KR20210141438A (en) Secure user authentication system and method
JP2008512765A (en) Authentication system and method based on random partial digital path recognition

Legal Events

Date Code Title Description
E902 Notification of reason for refusal
E701 Decision to grant or registration of patent right
GRNT Written decision to grant
LAPS Lapse due to unpaid annual fee