CN100431297C - Method for preventing user passwords from being stolen by adopting two-factor authentication protocol - Google Patents
- Publication number
- CN100431297C
- Authority
- CN
- China
- Prior art keywords
- user
- authentication
- protocol
- network
- authenticating
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Computer And Data Communications (AREA)
- Storage Device Security (AREA)
Abstract
A method for preventing user passwords from being stolen by adopting a dual authentication protocol, using computer, network and cryptographic technology. Two sets of authentication protocols are stored in the client-side authentication device: a network authentication protocol and an authentication protocol for the authentication device itself. The static password serves as one part of the key, and the other part is generated automatically by the authentication device's authentication protocol; the two are combined into the encryption key of a symmetric encryption algorithm, which encrypts and decrypts the user certificate and the network authentication protocol, so as to achieve authentication against the authentication device and control over the network authentication protocol. A corresponding network authentication protocol is also established on the network server side, and a symmetric or asymmetric encryption algorithm is used to generate a dynamic password that changes on every use, identifying the network user and thereby preventing the user's password from being stolen.
Description
Technical field:
The present invention relates to the field of information security. It uses computer, network and cryptographic technology to solve the problem of network users' passwords being stolen. The method strictly protects the user's password, achieves authentication against the authentication device and secure network login, and at the same time puts an end to "account theft" in sectors such as e-government, e-commerce, online banking and online games. The invention is applicable to any networked system that requires identity verification.
Background art:
At present, neither in China nor abroad is there a technical method or product that completely solves the problem of online "account theft". Some vendors' anti-"account theft" products use smart cards and encryption technology to generate a dynamic password that changes on every use in order to perform network identity authentication; however, if the user loses the smart card, it is easily misused. Other vendors use two-factor network identity authentication, in which the user's static password and a dynamic password generated by an authentication protocol are used together. Such products are also easy to break: an "account thief" can use Trojan horse malware and analysis of the user's authentication protocol to steal the user's static password and the dynamic password the protocol generates. In short, existing methods and products for preventing online "account theft" cannot meet market demand.
Summary of the invention:
This method for preventing user passwords from being stolen uses computer, network and cryptographic technology to build a secure network identity authentication system. A pair of identical encryption devices is set up, one on the network server side and one on each client side, whose encryption algorithm is a symmetric or an asymmetric cryptographic algorithm. The server and the client each hold a network authentication protocol, which generates a dynamic password that changes on every use and performs identity authentication between the client and the network server. A second authentication protocol is established in the client-side authentication device and is used for authentication against that device. It is implemented with a symmetric encryption algorithm whose encryption key consists of two parts: one part is the user's static password, and the other is generated automatically by the authentication protocol in the authentication device. The two are combined into the encryption key, which encrypts and decrypts the user certificate and part or all of the network authentication protocol, so as to achieve authentication against the authentication device and control over the network authentication protocol. Once the user's static password has been verified by the client-side authentication device, the network authentication protocol is decrypted into plaintext and is then invoked to complete identity authentication with the network server, thereby preventing the user's password from being stolen. The whole process is implemented purely in software or in a combination of software and hardware. The specific method is as follows:
1. A network authentication protocol is established on both the network server and the client. The server-side authentication protocol is stored in an encryption device, for example an encryption card or encryption machine, or on the server's hard disk. The client-side authentication protocol is stored in an authentication device, where "authentication device" means a smart card, USB flash drive, optical disc, floppy disk, hard disk, and so on.
2. The network authentication protocol is built on a symmetric or asymmetric encryption algorithm. The client-side network authentication protocol generates a dynamic password K that changes on every use, where K is 80 to 2000 bits of "0"/"1" digits, and sends this dynamic password together with its authentication parameters to the network server. On receiving them, the network server generates a dynamic password of the same length according to the network authentication protocol, and determines the client user's identity by comparing whether the dynamic passwords at the two ends are identical.
3. When the network authentication protocol uses a symmetric encryption algorithm:
(1) The symmetric encryption key uses a "key seed" technique. Under the control of the user's session key and a timestamp, a one-time encryption key N is randomly selected and generated, where N is 80 to 128 bits of "0"/"1" digits. N is used to encrypt the user certificate, producing the user's encrypted certificate, which is defined as the dynamic password K. Because the encryption key changes on every use, the resulting dynamic password K changes on every use.
(2) The user name or user number consists of Y digits or English letters, where Y = 4 to 12. The timestamp is 8 digits representing year, month and day, generated from the clock of the client computer system. The session key consists of N1 = 8 to 16 digits, which are N1 random digits generated by the client-side network authentication protocol. The "key seed" is M1 groups of digits, M1 = 100 to 2000, each group of length M2, M2 = 4 to 32 bits of "0"/"1" digits. Under the control of the session key and timestamp, N1 groups are selected from the user's M1 groups of "key seeds" and combined into one encryption key N.
(3) In the network authentication protocol, the client first generates a dynamic password that changes on every use and then sends it with the authentication parameters to the network server. On receipt, the network server generates the encryption key from the authentication parameters and encrypts the user certificate pre-stored on the server to produce the user's encrypted certificate, i.e. the dynamic password. The user's identity is determined by comparing whether the dynamic passwords at the two ends are identical. The authentication parameters include the user name or user number, the session key, the timestamp, and so on.
4. When the network authentication protocol uses an asymmetric encryption algorithm:
(1) A user private key of 1024 or 2048 bits is stored in the client-side authentication device, and a user public key, also of 1024 or 2048 bits, is stored on the network server. A random-number array S1 is established, where S1 = 100 to 2000, and each group of random numbers has length S2 = 8 to 32 bits of "0"/"1" digits. The array is sampled under the control of the user's session key and timestamp: each time, N1 groups of random numbers are selected and combined into one random number S, S = 80 to 2000 bits of "0"/"1" digits. The random number S and the user's certificate are combined as plaintext and encrypted with the user's private key to produce a ciphertext, which is defined as the dynamic password. Because the selected random number S changes on every use, the ciphertext, i.e. the dynamic password, also changes on every use.
(2) The client generates a dynamic password that changes on every use and sends it with the authentication parameters to the network server. On receipt, the network server uses the authentication parameters to retrieve the user's public key, decrypts the dynamic password into plaintext, and generates a random number SF from the authentication parameters. It also retrieves the user certificate pre-stored on the server. The user's identity is determined by comparing the certificates at the two ends and checking whether the random numbers S and SF are exactly identical. The authentication parameters include the user name or user number, the session key, the timestamp, and so on.
5. An authentication protocol that verifies the user's identity is established in the client-side authentication device:
(1) Using a symmetric encryption algorithm, the static password set by the user serves as one part of the encryption key, and the other part is generated automatically by the authentication protocol. The two are combined into a complete encryption key, which encrypts the user's certificate to produce the user's encrypted certificate. It also encrypts part or all of the network authentication protocol to produce ciphertext, i.e. the encrypted network authentication protocol. The user's certificate, the encrypted certificate and the encrypted network authentication protocol are stored in the authentication device.
(2) In the authentication device's authentication protocol, the static password is denoted K1. K1 consists of digits or the English letters A to F and has length L1, L1 = 8 to 32 characters. The authentication protocol then expands each character into 4 bits ("1 to 4"), after which L1 = 32 to 128 bits.
(3) The other part of the encryption key, generated automatically by the authentication protocol, is denoted K2 and has length L2 = 80 to 128. Under the control of the timestamp and session key, K2 is formed by selecting N1 groups from the user's "key seeds" and combining them. The two partial keys K1 and K2 are combined into one encryption key K3, which is used to encrypt the user certificate and to encrypt and decrypt the network authentication protocol. K1 and K2 are combined by logical XNOR or logical XOR; the position at which they are combined is specified by the authentication protocol in the authentication device, and the resulting encryption key K3 has length L2.
(4) The user's encrypted certificate is defined as the authentication code of the authentication device's authentication protocol and serves as the comparison value when the user authenticates against the device with the static password K1. That is, the user's static password K1 and the partial key K2 generated automatically by the authentication protocol are combined into the encryption key K3; K3 encrypts the user's certificate to produce the encrypted certificate, i.e. the authentication code, which is compared with the encrypted certificate (authentication code) stored in the authentication device. This comparison is how the user is authenticated against the device.
(5) After the user's static password has been verified by the authentication device, the encryption key K3 derived from it decrypts the encrypted network authentication protocol into plaintext, i.e. the network authentication protocol, which is then invoked to authenticate the network user. If the user's static password fails verification by the authentication device, the K3 derived from it cannot decrypt the encrypted network authentication protocol into the correct plaintext, so the network authentication protocol cannot be invoked to authenticate the network user.
6. The user's static password serves only as part of the encryption key of the authentication device's authentication protocol, not as a comparison value in either of the two authentication protocols. The static password is memorized by the user, who can change it at any time. It is not stored in the authentication device or the client, nor on the network server, and it is not transmitted over the network.
7. The two authentication protocols stored in the client-side authentication device are the authentication device's authentication protocol and the encrypted network authentication protocol. The device also stores the user name or user number, the user's certificate, the user's encrypted certificate, the "key seeds", and data such as the timestamp and session key that control generation of the encryption key K2.
Description of drawings:
Figure 1: Flowchart of the authentication device's authentication protocol
Figure 2: Flowchart for changing the user's static password in the authentication protocol
Detailed description:
The implementation steps of the method for preventing user passwords from being stolen are described below with reference to the drawings:
Figure 1 illustrates the flow of the authentication device's authentication protocol. First, the user enters the static password into the authentication device, which generates the encryption key and feeds it to the symmetric encryption algorithm to encrypt the user's certificate, producing the encrypted certificate, i.e. the authentication code. This authentication code is compared with the authentication code pre-stored in the authentication device. If they match, the user's authentication against the device succeeds; the generated encryption key then decrypts the encrypted network authentication protocol in the device into plaintext, i.e. the network authentication protocol, which is invoked to authenticate the network user and may be invoked repeatedly, after which the process stops. If they do not match, the user is told that the static password is wrong and may re-enter it or stop.
Figure 2 illustrates how the user changes the static password in the authentication protocol. First, the user enters the current static password into the authentication device, together with the new static password, and enters the new static password a second time. The device compares the two entries of the new static password. If they differ, the user re-enters the new static password twice or stops. If they match, the current static password is used to generate the encryption key, the encryption algorithm encrypts the user certificate to produce the encrypted certificate, i.e. the authentication code, and the authentication code stored in the authentication device is retrieved and compared with it. If the two differ, the user is told that the current static password is wrong and may re-enter it or stop. If they match, the encryption key generated from the current static password decrypts the encrypted network authentication protocol into plaintext, i.e. the network authentication protocol. A new encryption key is then generated from the new static password and encrypts part or all of the network authentication protocol into ciphertext, i.e. the new encrypted network authentication protocol, which replaces the original one in the authentication device. The key generated from the new static password also encrypts the user certificate to produce a new encrypted certificate, i.e. the new authentication code, which replaces the original authentication code in the authentication device. At this point the user may change the static password again or stop.
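The device-side check of item 5 with the flows of Figures 1 and 2, plus the symmetric dynamic password of item 3, as an added example that is not code from the patent. The seed-selection rule, the placement of K1 inside K2 (rotation, XOR variant only), the SHAKE-256 keystream standing in for the unspecified symmetric algorithm, all function names and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets

L2_BITS = 128             # length of K2, K3 and N (page: L2 = 80-128; bits assumed)
N1 = 16                   # seed groups picked per key (page: 8-16)
M2_BITS = L2_BITS // N1   # bits per seed group (page: 4-32)
HEX = set("0123456789ABCDEF")

def select_key(seeds, session_key, timestamp):
    """Pick N1 seed groups under control of session key and timestamp; join them."""
    key = 0
    for i in range(N1):
        # Assumed selection rule: the page does not say how indices are chosen.
        digest = hashlib.sha256(f"{session_key}|{timestamp}|{i}".encode()).digest()
        index = int.from_bytes(digest[:4], "big") % len(seeds)
        key = (key << M2_BITS) | seeds[index]
    return key

def combine_k3(password, k2, offset_bits):
    """K3 = K2 XOR K1, with K1 placed at the protocol-defined bit offset."""
    if not 8 <= len(password) <= 32 or not set(password) <= HEX:
        raise ValueError("K1 must be 8-32 characters from 0-9 and A-F")
    k1 = int(password, 16)    # "1 to 4": each character becomes 4 bits
    # Assumed placement: rotate K1 left inside an L2-bit word so it may wrap.
    mask = (1 << L2_BITS) - 1
    placed = ((k1 << offset_bits) | (k1 >> (L2_BITS - offset_bits))) & mask
    return (k2 ^ placed).to_bytes(L2_BITS // 8, "big")

def sym_crypt(key, label, data):
    """Stand-in cipher (assumption): XOR with a SHAKE-256 keystream of label and key."""
    stream = hashlib.shake_256(label + key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(device, password, protocol):
    """Store the authentication code and the encrypted protocol under K3."""
    k2 = select_key(device["seeds"], device["session_key"], device["timestamp"])
    k3 = combine_k3(password, k2, device["offset_bits"])
    device["auth_code"] = sym_crypt(k3, b"cert", device["cert"])
    device["enc_protocol"] = sym_crypt(k3, b"proto", protocol)
    return device

def provision(password, cert, protocol, session_key, timestamp, offset_bits=32):
    """Build the record kept on the authentication device; K1 is never stored."""
    seeds = [secrets.randbits(M2_BITS) for _ in range(200)]   # M1 = 200 groups
    device = {"seeds": seeds, "session_key": session_key, "timestamp": timestamp,
              "offset_bits": offset_bits, "cert": cert}
    return seal(device, password, protocol)

def unlock(device, password):
    """Figure 1: check K1 against the stored code; return the protocol or None."""
    k2 = select_key(device["seeds"], device["session_key"], device["timestamp"])
    k3 = combine_k3(password, k2, device["offset_bits"])
    candidate = sym_crypt(k3, b"cert", device["cert"])
    if not hmac.compare_digest(candidate, device["auth_code"]):
        return None
    return sym_crypt(k3, b"proto", device["enc_protocol"])

def change_password(device, current, new, new_again):
    """Figure 2: verify the current K1, then re-encrypt everything under the new K3."""
    if new != new_again:
        return False
    protocol = unlock(device, current)
    if protocol is None:
        return False
    seal(device, new, protocol)
    return True

def dynamic_password(seeds, cert, session_key, timestamp):
    """Network side, symmetric case: K is the certificate encrypted under key N."""
    n = select_key(seeds, session_key, timestamp).to_bytes(L2_BITS // 8, "big")
    return sym_crypt(n, b"otp", cert)

def server_verify(seeds, cert, session_key, timestamp, received):
    """The server rebuilds K from the authentication parameters and compares."""
    expected = dynamic_password(seeds, cert, session_key, timestamp)
    return hmac.compare_digest(expected, received)

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    dev = provision("1A2B3C4D5E6F7081", b"constructed-user-certificate",
                    b"constructed network-protocol blob", "4815162342108642", "20240101")
    print(unlock(dev, "1A2B3C4D5E6F7081"), unlock(dev, "1A2B3C4D5E6F7080"))
```

Everything that feeds K2 is stored on the device (item 7), so the device check is only as strong as K1, which is 32 bits at the 8-character minimum.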
Claims (6)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005100089815A CN100431297C (en) | 2005-02-28 | 2005-02-28 | Method for preventing user passwords from being stolen by adopting two-factor authentication protocol |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005100089815A CN100431297C (en) | 2005-02-28 | 2005-02-28 | Method for preventing user passwords from being stolen by adopting two-factor authentication protocol |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1645796A (en) | 2005-07-27 |
CN100431297C (en) | 2008-11-05 |
Family
ID=34875369
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2005100089815A Expired - Fee Related CN100431297C (en) | 2005-02-28 | 2005-02-28 | Method for preventing user passwords from being stolen by adopting two-factor authentication protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100431297C (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101364872B (en) * | 2007-08-08 | 2011-09-21 | 精品科技股份有限公司 | A way to execute instructions through validation |
FR2951343A1 (en) * | 2009-10-14 | 2011-04-15 | Alcatel Lucent | COMMUNICATION DEVICE MANAGEMENT THROUGH A TELECOMMUNICATIONS NETWORK |
CN102012993B (en) * | 2010-11-29 | 2012-07-11 | 北京卓微天成科技咨询有限公司 | Methods and devices for selectively encrypting and decrypting data |
CN102064936B (en) * | 2010-11-29 | 2012-08-22 | 北京卓微天成科技咨询有限公司 | Data encryption and decryption methods and devices |
CN101984574B (en) * | 2010-11-29 | 2012-09-05 | 北京卓微天成科技咨询有限公司 | Data encryption and decryption method and device |
KR101944741B1 (en) * | 2016-10-28 | 2019-02-01 | 삼성에스디에스 주식회사 | Apparatus and method for encryption |
CN108632296B (en) * | 2018-05-17 | 2021-08-13 | 中体彩科技发展有限公司 | Dynamic encryption and decryption method for network communication |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2004059415A2 (en) * | 2002-12-31 | 2004-07-15 | International Business Machines Corporation | Method and system for authentification in a heterogeneous federated environment, i.e. single sign on in federated domains |
CN1549482A (en) * | 2003-05-16 | 2004-11-24 | 华为技术有限公司 | Method for realizing high rate group data service identification |
Also Published As
Publication number | Publication date |
---|---|
CN1645796A (en) | 2005-07-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C56 | Change in the name or address of the patentee | ||
CP02 | Change in the address of a patent holder |
Address after: 100091 No. 4, building 22, West 1, Hongqi hospital, Beijing, Haidian District Patentee after: Hu Xiangyi Address before: 100044 Beijing city Xicheng District Xizhimen Street No. 138 room 620 Beijing Planetarium Patentee before: Hu Xiangyi |
|
CF01 | Termination of patent right due to non-payment of annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20081105 |