
CN103888470B - Dynamic token synchronizing method and system - Google Patents


Info

Publication number: CN103888470B
Authority: CN (China)
Prior art keywords: dynamic token, synchronization, factor, time, authentication server
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion)
Application number: CN201410131504.7A
Other languages: Chinese (zh)
Other versions: CN103888470A (en)
Inventors: 陆舟, 于华章
Current Assignee: Feitian Technologies Co Ltd (the listed assignees may be inaccurate)
Original Assignee: Feitian Technologies Co Ltd

Landscapes

  • Synchronisation In Digital Transmission Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a dynamic token synchronization method and system, applied in a system comprising a dynamic token, a host and an authentication server. The authentication server generates a random number and saves it as the challenge code corresponding to the dynamic token. The dynamic token obtains the random number generated by the authentication server and generates a synchronization code from it. The authentication server uses its stored challenge code for that dynamic token to verify the synchronization code generated by the token and, once verification passes, updates its stored token offset. This improves the success rate of synchronization and prevents malicious synchronization caused by wrong or delayed synchronization codes.

Description

Synchronization method and system for a dynamic token

Technical field

The invention relates to the field of information security, and in particular to a synchronization method and system for a dynamic token.

Background

A dynamic token is a device that generates dynamic passwords. It is widely used in fields such as online banking, telecom operators and e-government. The dynamic passwords it generates can be used for identity authentication and effectively improve its security.

The dynamic token generates a dynamic password from the dynamic factor it stores, and the authentication server authenticates that password using the dynamic factor it stores itself. When the difference between the dynamic factor stored in the token and the one stored in the authentication server exceeds the authentication window, the token's dynamic password can no longer pass authentication, and the two dynamic factors need to be synchronized.

In the prior art, the dynamic token generates a synchronization code from its own dynamic factor, and the authentication server, after obtaining the synchronization code, synchronizes according to it.

In the course of realizing the present invention, the inventors found that the prior art has at least the following defect:

In the existing synchronization procedure, the dynamic token has to generate two synchronization codes and the user has to enter both of them. This is prone to input errors and time delays, which push the synchronization code outside the synchronization window and cause synchronization to fail.

Summary of the invention

The invention provides a synchronization method and system for a dynamic token, to overcome the synchronization failures of the prior art.

The invention provides a synchronization method for a dynamic token, comprising the following steps:

S1. The authentication server receives a synchronization request from the host, obtains the serial number of the dynamic token from the synchronization request, generates a random number, saves the random number as the challenge code corresponding to the serial number of the dynamic token, and returns the random number to the host for display;

S2. The dynamic token obtains the random number, generates a response code from the random number and the dynamic factor and seed key in the dynamic token, and generates synchronization information from the response code and the dynamic factor;

S3. The dynamic token combines the synchronization information and the response code into a synchronization code and displays the synchronization code;

S4. The authentication server obtains the synchronization code and the serial number of the dynamic token;

S5. The authentication server extracts the response code and the synchronization information from the synchronization code, and looks up the seed key and challenge code corresponding to the dynamic token by its serial number;

S6. The authentication server uses the seed key and challenge code it looked up, together with the synchronization information extracted from the synchronization code, to verify the response code extracted from the synchronization code. If verification passes, step S8 is executed; otherwise, step S7 is executed;

S7. The authentication server sends a synchronization failure message to the host;

S8. The authentication server updates the token offset corresponding to the dynamic token in the authentication server according to the synchronization information extracted from the synchronization code and the dynamic factor in the authentication server.

The invention also provides a synchronization system for a dynamic token, comprising a dynamic token, a host and an authentication server.

The dynamic token includes:

A first obtaining module, configured to obtain the random number generated by the authentication server;

A first generating module, configured to generate a response code from the random number obtained by the first obtaining module and the dynamic factor and seed key in the dynamic token;

A second generating module, configured to generate synchronization information from the response code generated by the first generating module and the dynamic factor;

A combination module, configured to combine the synchronization information generated by the second generating module and the response code generated by the first generating module into a synchronization code;

A display module, configured to display the synchronization code produced by the combination module.

The authentication server includes:

A receiving module, configured to receive a synchronization request from the host;

A second obtaining module, configured to obtain the serial number of the dynamic token from the synchronization request received by the receiving module;

A third generating module, configured to generate a random number after the receiving module receives the synchronization request, and to save the random number as the challenge code corresponding to the serial number of the dynamic token obtained by the second obtaining module;

A third obtaining module, configured to obtain the synchronization code generated by the dynamic token and the serial number of the dynamic token;

A fourth obtaining module, configured to extract the response code and the synchronization information from the synchronization code obtained by the third obtaining module;

A query module, configured to look up the seed key and challenge code corresponding to the dynamic token by the serial number obtained by the third obtaining module;

A verification module, configured to use the seed key and challenge code found by the query module, together with the synchronization information extracted from the synchronization code by the fourth obtaining module, to verify the response code extracted from the synchronization code;

An update module, configured to update, when the verification module has verified the response code successfully, the token offset corresponding to the dynamic token in the authentication server according to the synchronization information extracted from the synchronization code by the fourth obtaining module and the dynamic factor in the authentication server;

A sending module, configured to return the random number generated by the third generating module to the host for display, and to send a synchronization failure message to the host when the verification module fails to verify the response code.

Beneficial effects of the invention: the authentication server generates a random number and saves it as the challenge code corresponding to the dynamic token; the dynamic token obtains the random number generated by the authentication server and generates a synchronization code from it; the authentication server uses its stored challenge code for that dynamic token to verify the synchronization code generated by the token and, once verification passes, updates its stored token offset. This improves the success rate of synchronization and prevents malicious synchronization caused by wrong or delayed synchronization codes.

Description of drawings

Fig. 1 is a flowchart of a synchronization method for a dynamic token in an embodiment of the present invention;

Fig. 2 is a flowchart of a method for updating the token offset time in an embodiment of the present invention;

Fig. 3 is a flowchart of a method for updating the token offset count in an embodiment of the present invention;

Fig. 4 is a schematic structural diagram of a synchronization system for a dynamic token in an embodiment of the present invention;

Fig. 5 is a schematic structural diagram of an update module in an embodiment of the present invention;

Fig. 6 is a schematic structural diagram of another update module in an embodiment of the present invention.

Detailed description

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently only some, not all, of the embodiments of the present invention. All other embodiments obtained by persons of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.

Fig. 1 is a flowchart of a synchronization method for a dynamic token in an embodiment of the present invention, applied in a system comprising an authentication server, a host and a dynamic token. The method includes the following steps:

Step 101: the host obtains the serial number of the dynamic token entered by the user, generates a synchronization request from the serial number, and sends the synchronization request to the authentication server.

The synchronization request may contain the serial number of the dynamic token.

For example, the host obtains the serial number “5740000006” entered by the user and generates a synchronization request from the serial number “5740000006”.

Step 102: the authentication server obtains the serial number of the dynamic token from the received synchronization request, generates a random number, saves the random number as the challenge code corresponding to that serial number, records the generation time of the random number, saves that time as the generation time of the challenge code corresponding to that serial number, and returns the random number to the host.

For example, the authentication server obtains the serial number “5740000006”, generates the random number “1234”, saves “1234” as the challenge code corresponding to “5740000006”, records the generation time of “1234” as “1390445039” (corresponding to 2:43:59 on January 23, 2014), saves “1390445039” as the generation time of the challenge code corresponding to “5740000006”, and returns “1234” to the host.

Step 103: the host displays the received random number.

For example, the host displays the random number “1234”.

Step 104: the dynamic token obtains the random number entered by the user and generates a response code from that random number and the dynamic factor and seed key in the dynamic token.

The dynamic factor in the dynamic token may be a time factor. In that case the dynamic token may use its stored seed key to process the time factor in the token and the random number entered by the user, obtaining the response code.

The dynamic factor in the dynamic token may also be an event factor. In that case the dynamic token may use its stored seed key to process the event factor in the token and the random number entered by the user, obtaining the response code.

In this embodiment, the random number entered by the user may be the random number generated by the authentication server in step 102.

For example, the random number entered by the user and obtained by the dynamic token is “1234”, and the dynamic factor in the token is the time factor “1390445154” (corresponding to 2:45:54 on January 23, 2014). From the random number “1234”, the time factor “1390445154” and the seed key “65201D80CB58ADE3DD236CAEF6925010” stored in the token, the dynamic token generates the response code “4534”.

Step 105: the dynamic token generates synchronization information from the response code and the dynamic factor.

Specifically, the dynamic token may XOR the response code with the dynamic factor and XOR the result with preset key information to obtain the synchronization information. It may also generate key information from preset data and the seed key in the token, XOR the response code with the dynamic factor, and XOR the result with that key information to obtain the synchronization information. It may also select data of a preset length starting from the lowest digit of the dynamic factor, XOR the selected data with the response code, and XOR the result with preset key information to obtain the synchronization information. Finally, it may generate key information from preset data and the seed key in the token, select data of a preset length starting from the lowest digit of the dynamic factor, XOR the selected data with the response code, and XOR the result with that key information to obtain the synchronization information.

For example, when the preset length is 4 digits, the dynamic factor is the time factor “1390445154”, the response code is “4534” and the preset key information is “9453”, the dynamic token selects the 4-digit data “5154” from the time factor “1390445154”, XORs the selected data “5154” with the response code “4534”, and XORs the result “6542” with the key information “9453” to obtain the synchronization information “3564”.

Step 106: the dynamic token combines the synchronization information and the response code into a synchronization code and displays the synchronization code.

In the combined synchronization code, the response code may be located at a first preset position and the synchronization information at a second preset position.

For example, the dynamic token combines the response code “4534” and the synchronization information “3564” into the synchronization code “45343564” and displays the synchronization code “45343564”.

Step 107: the host obtains the synchronization code entered by the user, generates a synchronization execution request from the synchronization code and the serial number of the dynamic token, and sends the synchronization execution request to the authentication server.

The synchronization execution request contains the synchronization code entered by the user and the serial number of the dynamic token. The synchronization code entered by the user may be the synchronization code generated and displayed by the dynamic token in step 106.

For example, the host obtains the synchronization code “45343564” entered by the user, generates a synchronization execution request from the synchronization code “45343564” and the serial number “5740000006”, and sends the synchronization execution request to the authentication server.

Step 108: the authentication server obtains the synchronization code and the serial number of the dynamic token from the received synchronization execution request, records the time at which the synchronization code was obtained, and looks up the generation time of the corresponding challenge code by the serial number of the dynamic token.

For example, the authentication server obtains the synchronization code “45343564” and the serial number “5740000006”, records the acquisition time of the synchronization code “45343564” as “1390445090” (corresponding to 2:44:50 on January 23, 2014), and, using the serial number “5740000006”, finds that the generation time of the corresponding challenge code “1234” is “1390445039” (corresponding to 2:43:59 on January 23, 2014).

Step 109: the authentication server determines whether the acquisition time of the synchronization code falls within a first preset duration after the generation time of the challenge code. If so, step 112 is executed; otherwise, step 110 is executed.

For example, when the first preset duration is 60 seconds, the acquisition time of the synchronization code is “1390445090” (corresponding to 2:44:50 on January 23, 2014) and the generation time of the challenge code is “1390445039” (corresponding to 2:43:59 on January 23, 2014), the authentication server finds that the interval between the acquisition time of the synchronization code and the generation time of the challenge code is 51 seconds. This is less than the first preset duration, so the server determines that the acquisition time of the synchronization code falls within the first preset duration after the generation time of the challenge code.

Step 110: the authentication server sends a synchronization failure message to the host.

Step 111: the host displays a synchronization failure message, and the procedure ends.

Step 112: the authentication server extracts the response code and the synchronization information from the synchronization code, and looks up the seed key and challenge code corresponding to the dynamic token by its serial number.

Specifically, the authentication server may take the response code from the first preset position of the synchronization code and the synchronization information from the second preset position. The seed key that the authentication server finds by the serial number of the dynamic token may be the same as the seed key stored in the dynamic token.

For example, the authentication server extracts the response code “4534” and the synchronization information “3564” from the synchronization code “45343564”, and, using the serial number “5740000006”, finds the corresponding seed key “65201D80CB58ADE3DD236CAEF6925010” and challenge code “1234”.

Step 113: the authentication server uses the seed key and challenge code it looked up, together with the synchronization information extracted from the synchronization code, to verify the response code extracted from the synchronization code. If verification passes, step 114 is executed; otherwise, the procedure returns to step 110.

Specifically, the authentication server may XOR the seed key it looked up with preset data, XOR the resulting key information with the synchronization information extracted from the synchronization code, and use the result as the dynamic factor. Using the seed key and challenge code it looked up, it generates a response code by the same method the dynamic token uses, and checks whether the generated response code is the same as the response code extracted from the synchronization code. If so, the extracted response code passes verification; otherwise, it fails verification.

The authentication server may also XOR the seed key it looked up with preset data, XOR the resulting key information with the synchronization information extracted from the synchronization code, replace the lowest digits, of the preset length, of the dynamic factor in the authentication server with the result, and use the data obtained after replacement as the dynamic factor. Using the seed key and challenge code it looked up, it generates a response code by the same method the dynamic token uses, and checks whether the generated response code is the same as the response code extracted from the synchronization code. If so, the extracted response code passes verification; otherwise, it fails verification.

The authentication server may also XOR preset key information with the synchronization information extracted from the synchronization code and use the result as the dynamic factor. Using the seed key and challenge code it looked up, it generates a response code by the same method the dynamic token uses, and checks whether the generated response code is the same as the response code extracted from the synchronization code. If so, the extracted response code passes verification; otherwise, it fails verification.

The authentication server may also XOR preset key information with the synchronization information extracted from the synchronization code, replace the lowest digits, of the preset length, of the dynamic factor in the authentication server with the result, and use the data obtained after replacement as the dynamic factor. Using the seed key and challenge code it looked up, it generates a response code by the same method the dynamic token uses, and checks whether the generated response code is the same as the response code extracted from the synchronization code. If so, the extracted response code passes verification; otherwise, it fails verification. The dynamic factor in the authentication server may be a time factor or an event factor.

For example, suppose the preset length is 4 digits, the seed key found by the authentication server is “65201D80CB58ADE3DD236CAEF6925010”, the challenge code is “1234”, the key information is “9453”, the authentication server has extracted the response code “4534” and the synchronization information “3564” from the synchronization code “45343564”, and the dynamic factor in the authentication server is the time factor “1390445090” (corresponding to 2:44:50 on January 23, 2014). The authentication server XORs the preset key information “9453” with the synchronization information “3564”, replaces the lowest 4 digits of its dynamic factor “1390445090” with the result “5154”, and uses the resulting data “1390445154” as the dynamic factor. Using the seed key “65201D80CB58ADE3DD236CAEF6925010” and the challenge code “1234”, it generates multiple response codes within the preset authentication window by the same method the dynamic token uses, finds that the generated response codes include one identical to the response code “4534” extracted from the synchronization code, and determines that the extracted response code “4534” passes verification.

Step 114: the authentication server updates the token offset corresponding to the dynamic token in the authentication server according to the synchronization information extracted from the synchronization code and the dynamic factor in the authentication server, and sends a synchronization success message to the host. The host displays a synchronization success message, and the procedure ends.
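The complete exchange of steps 101 to 114 for a time-based token, as an added example (not code from the patent or from its assignee). Assumptions: the response code is a truncated HMAC-SHA256, since the page does not name the algorithm; fields are 13-bit values shown as four digits; `KEY_INFO` is a constructed value; the server removes both the key information and the received response code to recover the token's low-order time bits; and, going beyond the text, the challenge is consumed on first use and the recovered time is resolved to the candidate nearest the server clock.

```python
import hashlib
import hmac
import secrets

# Values quoted from the page's worked example.
SERIAL = "5740000006"
SEED = bytes.fromhex("65201D80CB58ADE3DD236CAEF6925010")
FRESHNESS_SECONDS = 60        # "first preset duration" in the step 109 example

# Assumptions of this sketch (not from the page).
LOW_BITS = 13                 # low-order time bits carried in the sync info
MASK = (1 << LOW_BITS) - 1    # 8191, so each field fits in 4 decimal digits
KEY_INFO = 0x04ED             # constructed "preset key information"


def response_code(seed: bytes, challenge: str, time_factor: int) -> int:
    """Assumed response algorithm: truncated HMAC-SHA256(seed, challenge || time)."""
    msg = challenge.encode("ascii") + time_factor.to_bytes(8, "big")
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big") & MASK


def token_sync_code(seed: bytes, key_info: int, challenge: str, token_time: int) -> str:
    """Token side, steps 104-106: response code followed by sync info."""
    resp = response_code(seed, challenge, token_time)
    sync_info = (token_time & MASK) ^ resp ^ key_info
    return f"{resp:04d}{sync_info:04d}"


def recover_time(server_now: int, low: int) -> int:
    """Rebuild the token time from its low bits, handling wrap-around.

    Replacing the server's low bits alone is wrong near a block boundary, so
    the candidate closest to the server clock is chosen (added behaviour).
    """
    span = MASK + 1
    base = (server_now & ~MASK) | low
    return min((base - span, base, base + span), key=lambda t: abs(t - server_now))


class AuthServer:
    def __init__(self, seeds: dict, key_info: int):
        self.seeds = seeds            # serial -> seed key
        self.key_info = key_info
        self.challenges = {}          # serial -> (challenge, issued_at)
        self.offsets = {}             # serial -> token offset time in seconds

    def start_sync(self, serial: str, now: int) -> str:
        """Step 102: issue and store a random challenge with its generation time."""
        if serial not in self.seeds:
            raise KeyError("unknown token serial")
        challenge = f"{secrets.randbelow(10_000):04d}"
        self.challenges[serial] = (challenge, now)
        return challenge

    def finish_sync(self, serial: str, sync_code: str, now: int) -> bool:
        """Steps 108-114: freshness check, verification, offset update."""
        # Consume the challenge on every attempt so a code cannot be replayed.
        pending = self.challenges.pop(serial, None)
        if pending is None:
            return False
        challenge, issued_at = pending
        if not 0 <= now - issued_at <= FRESHNESS_SECONDS:      # step 109
            return False
        if len(sync_code) != 8 or not (sync_code.isascii() and sync_code.isdigit()):
            return False
        resp, sync_info = int(sync_code[:4]), int(sync_code[4:])  # step 112
        if resp > MASK or sync_info > MASK:
            return False
        low = sync_info ^ self.key_info ^ resp
        token_time = recover_time(now, low)
        expected = response_code(self.seeds[serial], challenge, token_time)
        # Constant-time comparison of the response code (step 113).
        if not hmac.compare_digest(f"{expected:04d}", sync_code[:4]):
            return False
        self.offsets[serial] = token_time - now                # step 114
        return True


if __name__ == "__main__":
    server = AuthServer({SERIAL: SEED}, KEY_INFO)
    ch = server.start_sync(SERIAL, 1390445039)
    code = token_sync_code(SEED, KEY_INFO, ch, 1390445154)
    print(ch, code, server.finish_sync(SERIAL, code, 1390445090), server.offsets)
```

Because the server derives the time factor from the submitted code, a guessed code passes with probability of about 1 in 2^13 per attempt here, so per-serial attempt limits matter as much as the freshness check.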

Specifically, when the dynamic token is a time-based dynamic token, the dynamic factor is a time factor and the token offset in the authentication server is a token offset time. The authentication server authenticates the dynamic password generated by the dynamic token according to the token offset time and, after successful authentication, saves the value of the time factor that matched the dynamic password as the authentication success time corresponding to the dynamic token.

Correspondingly, in step 114 above, the operation in which the authentication server updates the token offset is specifically the operation of updating the token offset time, which, as shown in Figure 2, includes the following steps:

Step 201, the authentication server judges whether the time factor in the dynamic token is greater than the most recent authentication success time corresponding to the dynamic token; if so, step 204 is executed; otherwise, step 202 is executed.

Specifically, the authentication server may derive the time factor in the dynamic token in any of four ways before judging whether it is greater than the most recent authentication success time corresponding to the dynamic token. It may XOR the queried seed key with preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code, and use the XOR result as the time factor in the dynamic token. It may also XOR the queried seed key with preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code, replace the lowest-order data of the preset length in the authentication server's time factor with the XOR result, and use the data obtained after replacement as the time factor in the dynamic token. It may also XOR the preset key information with the synchronization information obtained from the synchronization code and use the XOR result as the time factor in the dynamic token. Finally, it may XOR the preset key information with the synchronization information obtained from the synchronization code, replace the lowest-order data of the preset length in the authentication server's time factor with the XOR result, and use the data obtained after replacement as the time factor in the dynamic token.

For example, suppose the most recent authentication success time corresponding to the dynamic token is "1390440765" (equivalent to natural time 1:32:45 on January 23, 2014), the authentication server has obtained the response code "4534" and the synchronization information "3564" from the synchronization code "45343564", and the time factor in the authentication server is "1390445090" (equivalent to natural time 2:44:50 on January 23, 2014). The authentication server XORs the preset key information "9453" with the synchronization information "3564", replaces the lowest 4 digits of its time factor "1390445090" with the XOR result "5154", uses the resulting data "1390445154" as the time factor in the dynamic token, and determines that the time factor in the dynamic token is greater than the most recent authentication success time corresponding to the dynamic token.

Step 202, the authentication server sends a synchronization failure message to the host.

Step 203, the host displays synchronization failure information, and the process ends.

Step 204, the authentication server obtains the difference between the current system time and the most recent synchronization time that it has saved for the dynamic token, and calculates a first offset threshold from that difference and a first preset step size.

Specifically, the authentication server may obtain the difference between the current system time and the most recent synchronization time corresponding to the dynamic token, and use the product of that difference and the first preset step size as the first offset threshold.

For example, when the current system time is "1390445090" (equivalent to natural time 2:44:50 on January 23, 2014), the first preset step size is 0.00001, and the most recent synchronization time saved by the authentication server for the dynamic token is "1380445090" (equivalent to natural time 16:58:10 on September 29, 2013), the authentication server obtains the difference between the current system time and the most recent synchronization time corresponding to the dynamic token as 1390445090-1380445090=10000000. The first offset threshold is the product of that difference and the first preset step size, that is, 10000000*0.00001=100.

Step 205, the authentication server judges whether the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold; if so, step 207 is executed; otherwise, step 206 is executed.

Specifically, the authentication server may derive the time factor in the dynamic token in any of four ways before judging whether the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold. It may XOR the queried seed key with preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code, and use the XOR result as the time factor in the dynamic token. It may also XOR the queried seed key with preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code, replace the lowest-order data of the preset length in the authentication server's time factor with the XOR result, and use the data obtained after replacement as the time factor in the dynamic token. It may also XOR the preset key information with the synchronization information obtained from the synchronization code and use the XOR result as the time factor in the dynamic token. Finally, it may XOR the preset key information with the synchronization information obtained from the synchronization code, replace the lowest-order data of the preset length in the authentication server's time factor with the XOR result, and use the data obtained after replacement as the time factor in the dynamic token.

For example, when the preset length is 4 digits, the key information is "9453", the synchronization information obtained by the authentication server from the synchronization code "45343564" is "3564", the time factor in the authentication server is "1390445090", and the first offset threshold is "100", the authentication server XORs the key information "9453" with the synchronization information "3564", replaces the lowest 4 digits of its time factor "1390445090" with the XOR result "5154", and uses the resulting data "1390445154" as the time factor in the dynamic token. It then determines that the time difference "64" between the time factor "1390445154" in the dynamic token and the time factor "1390445090" in the authentication server is less than the first offset threshold "100".

Step 206, the authentication server updates the token offset time that it has saved for the dynamic token according to the time difference, saves the current system time as the synchronization time corresponding to the dynamic token, and the process ends.

For example, when the current system time is "1390445090" (equivalent to natural time 2:44:50 on January 23, 2014) and the time difference is "64", the authentication server updates the token offset time that it has saved for the dynamic token to "64" and saves "1390445090" (equivalent to natural time 2:44:50 on January 23, 2014) as the synchronization time corresponding to the dynamic token.

Step 207, the authentication server judges whether the difference between the current system time and the most recent synchronization time corresponding to the dynamic token is greater than a second preset duration; if so, the process returns to step 206; otherwise, it returns to step 202.

For example, when the second preset duration is "20000000", the current system time is "1390445090" (equivalent to natural time 2:44:50 on January 23, 2014), and the most recent synchronization time saved by the authentication server for the dynamic token is "1380445090" (equivalent to natural time 16:58:10 on September 29, 2013), the authentication server calculates the difference between the current system time and the most recent synchronization time corresponding to the dynamic token as 1390445090-1380445090=10000000, and then determines that the calculated difference "10000000" is less than the second preset duration "20000000".

It should be noted that when the dynamic token in the embodiment of the present invention is an event-based dynamic token, the dynamic factor is an event factor and the token offset is a token offset count. The authentication server authenticates the dynamic password generated by the dynamic token according to the token offset count and, after successful authentication, saves the value of the event factor that matched the dynamic password as the authentication success count corresponding to the dynamic token.

Correspondingly, in step 114 of the above embodiment, the operation in which the authentication server updates the token offset is specifically the operation of updating the token offset count, which, as shown in Figure 3, includes the following steps:

Step 301, the authentication server judges whether the event factor in the dynamic token is greater than the most recent authentication success count corresponding to the dynamic token; if so, step 304 is executed; otherwise, step 302 is executed.

Specifically, the authentication server may derive the event factor in the dynamic token in any of four ways before judging whether it is greater than the most recent authentication success count corresponding to the dynamic token. It may XOR the queried seed key with preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code, and use the XOR result as the event factor in the dynamic token. It may also XOR the queried seed key with preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code, replace the lowest-order data of the preset length in the event factor corresponding to the dynamic token in the authentication server with the XOR result, and use the data obtained after replacement as the event factor in the dynamic token. It may also XOR the preset key information with the synchronization information obtained from the synchronization code and use the XOR result as the event factor in the dynamic token. Finally, it may XOR the preset key information with the synchronization information obtained from the synchronization code, replace the lowest-order data of the preset length in the event factor corresponding to the dynamic token in the authentication server with the XOR result, and use the data obtained after replacement as the event factor in the dynamic token.

For example, suppose the most recent authentication success count corresponding to the dynamic token is "440765", the authentication server has obtained the response code "4534" and the synchronization information "3564" from the synchronization code "45343564", and the event factor corresponding to the dynamic token in the authentication server is "445090". The authentication server XORs the preset key information "9453" with the synchronization information "3564", replaces the lowest 4 digits of the event factor "445090" corresponding to the dynamic token in the authentication server with the XOR result "5154", uses the resulting data "445154" as the event factor in the dynamic token, and determines that the event factor in the dynamic token is greater than the most recent authentication success count corresponding to the dynamic token.

Step 302, the authentication server sends a synchronization failure message to the host.

Step 303, the host displays synchronization failure information, and the process ends.

Step 304, the authentication server obtains the difference between the current system time and the most recent synchronization time that it has saved for the dynamic token, and calculates a second offset threshold from that difference and a second preset step size.

Specifically, the authentication server may obtain the difference between the current system time and the most recent synchronization time corresponding to the dynamic token, and use the product of that difference and the second preset step size as the second offset threshold.

For example, when the current system time is "1390445090" (equivalent to natural time 2:44:50 on January 23, 2014), the second preset step size is 0.00001, and the most recent synchronization time saved by the authentication server for the dynamic token is "1380445090" (equivalent to natural time 16:58:10 on September 29, 2013), the authentication server obtains the difference between the current system time and the most recent synchronization time corresponding to the dynamic token as 1390445090-1380445090=10000000. The second offset threshold is the product of that difference and the second preset step size, that is, 10000000*0.00001=100.

Step 305, the authentication server judges whether the count difference between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than the second offset threshold; if so, step 307 is executed; otherwise, step 306 is executed.

Specifically, the authentication server may derive the event factor in the dynamic token in any of four ways before judging whether the count difference between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than the second offset threshold. It may XOR the queried seed key with preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code, and use the XOR result as the event factor in the dynamic token. It may also XOR the queried seed key with preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code, replace the lowest-order data of the preset length in the event factor corresponding to the dynamic token in the authentication server with the XOR result, and use the data obtained after replacement as the event factor in the dynamic token. It may also XOR the preset key information with the synchronization information obtained from the synchronization code and use the XOR result as the event factor in the dynamic token. Finally, it may XOR the preset key information with the synchronization information obtained from the synchronization code, replace the lowest-order data of the preset length in the event factor corresponding to the dynamic token in the authentication server with the XOR result, and use the data obtained after replacement as the event factor in the dynamic token.

For example, when the key information is "9453", the synchronization information obtained by the authentication server from the synchronization code "45343564" is "3564", the event factor corresponding to the dynamic token in the authentication server is "445090", and the second offset threshold is "100", the authentication server XORs the key information "9453" with the synchronization information "3564", replaces the lowest 4 digits of the event factor "445090" corresponding to the dynamic token in the authentication server with the XOR result "5154", and uses the resulting data "445154" as the event factor in the dynamic token. It then determines that the count difference "64" between the event factor "445154" in the dynamic token and the event factor "445090" corresponding to the dynamic token in the authentication server is less than the second offset threshold "100".

Step 306, the authentication server updates the token offset count that it has saved for the dynamic token according to the count difference, saves the current system time as the synchronization time corresponding to the dynamic token, and the process ends.

For example, when the current system time is "1390445090" (equivalent to natural time 2:44:50 on January 23, 2014) and the count difference is "64", the authentication server updates the token offset count that it has saved for the dynamic token to "64" and saves "1390445090" (equivalent to natural time 2:44:50 on January 23, 2014) as the synchronization time corresponding to the dynamic token.

Step 307, the authentication server judges whether the difference between the current system time and the most recent synchronization time corresponding to the dynamic token is greater than a third preset duration; if so, the process returns to step 306; otherwise, it returns to step 302.

For example, when the third preset duration is "20000000", the current system time is "1390445090" (equivalent to natural time 2:44:50 on January 23, 2014), and the most recent synchronization time saved by the authentication server for the dynamic token is "1380445090" (equivalent to natural time 16:58:10 on September 29, 2013), the authentication server calculates the difference between the current system time and the most recent synchronization time corresponding to the dynamic token as 1390445090-1380445090=10000000, and then determines that the calculated difference "10000000" is less than the third preset duration "20000000".
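Steps 201 to 207 (time-based tokens) and steps 301 to 307 (event-based tokens) follow the same decision flow, so one routine can serve both. The following Python code is an added example, not code from the patent: the names `TokenRecord`, `rebuild_token_factor` and `update_offset` are hypothetical, the recovered low-order digits are passed in directly rather than derived by XOR, and it assumes that the "difference" compared in steps 205/305 is an absolute value while the signed difference is stored as the offset.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class TokenRecord:
    """Server-side state kept per token serial number (field names are assumptions)."""
    last_auth_factor: int  # factor value matched at the last successful authentication
    last_sync_time: int    # system time of the last successful synchronization
    offset: int = 0        # token offset time (time type) or offset count (event type)


def rebuild_token_factor(server_factor: int, low_digits: str) -> int:
    """Replace the lowest len(low_digits) decimal digits of the server's factor."""
    if not low_digits.isdigit():
        raise ValueError("recovered digits must be decimal")
    modulus = 10 ** len(low_digits)
    return server_factor - server_factor % modulus + int(low_digits)


def update_offset(rec, token_factor, server_factor, now, step, max_age):
    """Apply steps 201-207 / 301-307; returns 'updated' or a 'failed: ...' reason.

    step is the preset step size as a decimal string or Fraction (exact arithmetic),
    max_age is the second/third preset duration.
    """
    # Step 201/301: a factor not newer than the last authenticated one is refused,
    # which rejects synchronization codes built from old token state.
    if token_factor <= rec.last_auth_factor:
        return "failed: factor not newer than last authentication"

    # Step 204/304: the allowed drift grows with the time since the last sync.
    elapsed = now - rec.last_sync_time
    threshold = elapsed * Fraction(step)

    # Step 205/305: compare the drift with the threshold.
    diff = token_factor - server_factor
    if abs(diff) > threshold:
        # Step 207/307: a large drift is accepted only if the last sync is old enough.
        if elapsed <= max_age:
            return "failed: drift exceeds threshold"

    # Step 206/306: store the new offset and the synchronization time.
    rec.offset = diff
    rec.last_sync_time = now
    return "updated"


if __name__ == "__main__":
    # Constructed run using the values of the worked examples above.
    rec = TokenRecord(last_auth_factor=1390440765, last_sync_time=1380445090)
    factor = rebuild_token_factor(1390445090, "5154")
    print(factor, update_offset(rec, factor, 1390445090, 1390445090, "0.00001", 20000000))
    print(rec)
```

Because only the low-order digits travel in the synchronization code, a token whose factor lies in a different block of 10^n values than the server's factor is reconstructed incorrectly; the steps above do not describe any handling for that case.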

In the embodiment of the present invention, the authentication server generates a random number and saves it as the challenge code corresponding to the dynamic token; the dynamic token obtains the random number generated by the authentication server and generates a synchronization code from it. The authentication server judges the validity of the synchronization code generated by the dynamic token by comparing the generation time of the challenge code corresponding to the dynamic token with the acquisition time of the synchronization code, verifies the synchronization code using the challenge code it generated itself, and updates the token offset it has saved once verification passes. This improves the success rate of synchronization and prevents malicious synchronization caused by the use of an incorrect or delayed synchronization code.

It should be noted that, in other embodiments of the present invention, the first offset threshold may instead be a first preset value and the second offset threshold may instead be a second preset value; the object of the present invention can likewise be achieved.

Figure 4 is a schematic structural diagram of a dynamic token synchronization system in an embodiment of the present invention, which includes a dynamic token 400, a host 600 and an authentication server 500;

wherein the dynamic token 400 includes:

a first acquisition module 410, configured to acquire the random number generated by the authentication server 500;

a first generation module 420, configured to generate a response code according to the random number acquired by the first acquisition module 410 and the dynamic factor and seed key in the dynamic token 400;

a second generation module 430, configured to generate synchronization information according to the response code generated by the first generation module 420 and the dynamic factor in the dynamic token 400;

a combination module 440, configured to combine the synchronization information generated by the second generation module 430 and the response code generated by the first generation module 420 into a synchronization code;

a display module 450, configured to display the synchronization code produced by the combination module 440;

the authentication server 500 includes:

a receiving module 510, configured to receive a synchronization request from the host 600;

a second acquisition module 520, configured to acquire the serial number of the dynamic token 400 from the synchronization request received by the receiving module 510;

a third generation module 530, configured to generate a random number after the receiving module 510 receives the synchronization request, and to save the random number as the challenge code corresponding to the serial number of the dynamic token 400 acquired by the second acquisition module 520;

a third acquisition module 540, configured to acquire the synchronization code generated by the dynamic token 400 and the serial number of the dynamic token 400;

a fourth acquisition module 550, configured to obtain the response code and the synchronization information from the synchronization code acquired by the third acquisition module 540;

a query module 560, configured to query the seed key and challenge code corresponding to the dynamic token 400 according to the serial number of the dynamic token 400 acquired by the third acquisition module 540;

a verification module 570, configured to verify the response code obtained from the synchronization code, using the seed key and challenge code queried by the query module 560 and the synchronization information obtained from the synchronization code by the fourth acquisition module 550;

an update module 580, configured to update, when the verification module 570 has verified the response code successfully, the token offset corresponding to the dynamic token 400 in the authentication server 500 according to the synchronization information obtained from the synchronization code by the fourth acquisition module 550 and the dynamic factor in the authentication server 500;

a sending module 590, configured to return the random number generated by the third generation module 530 to the host 600 for display, and to send a synchronization failure message to the host 600 when the verification module 570 fails to verify the response code.

Further, the authentication server 500 also includes:

a recording module 710, configured to record the generation time of the random number after the third generation module 530 generates it and to save that time as the generation time of the challenge code corresponding to the serial number of the dynamic token 400; and, after the third acquisition module 540 acquires the synchronization code, to record the acquisition time of the synchronization code;

the query module 560 is further configured to query the generation time of the corresponding challenge code according to the serial number of the dynamic token 400 acquired by the third acquisition module 540;

相应地,上述认证服务器500,还包括:Correspondingly, the above authentication server 500 also includes:

判断模块720,用于判断记录模块710记录的同步码的获取时间是否在查询模块560查询到的挑战码的生成时间之后的第一预设时长内;Judging module 720, used to judge whether the acquisition time of the synchronization code recorded by the recording module 710 is within the first preset time period after the generation time of the challenge code queried by the query module 560;

发送模块590,还用于在判断模块720判断出同步码的获取时间不在挑战码的生成时间之后的第一预设时长内时,向主机600发送同步失败消息;The sending module 590 is further configured to send a synchronization failure message to the host 600 when the judging module 720 judges that the acquisition time of the synchronization code is not within the first preset time period after the generation time of the challenge code;

第四获取模块550,具体用于在判断模块720判断出同步码的获取时间在挑战码的生成时间之后的第一预设时长内时,从第三获取模块540获取到的同步码中获取应答码和同步信息。The fourth obtaining module 550 is specifically configured to obtain a response from the synchronization code obtained by the third obtaining module 540 when the judging module 720 judges that the time for obtaining the synchronization code is within the first preset time period after the generation time of the challenge code. code and synchronization information.

Further, the second generation module 430 may be specifically configured to XOR the response code generated by the first generation module 420 with the dynamic factor in the dynamic token 400, and to XOR the result with preset key information to obtain the synchronization information;

Correspondingly, the verification module 570 is specifically configured to XOR the preset key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, take the XOR result as the dynamic factor, generate a response code from the seed key and the challenge code found by the query module 560 using the same method by which the dynamic token 400 generates its response code, and judge whether the generated response code is identical to the response code obtained from the synchronization code; if so, the obtained response code is determined to have passed verification; otherwise, it is determined to have failed verification.

The second generation module 430 may also be specifically configured to generate key information from preset data and the seed key in the dynamic token 400, XOR the response code generated by the first generation module 420 with the dynamic factor in the dynamic token 400, and XOR the result with the key information to obtain the synchronization information;

Correspondingly, the verification module 570 is specifically configured to XOR the seed key found by the query module 560 with the preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, take the XOR result as the dynamic factor, generate a response code from the seed key and the challenge code found by the query module 560 using the same method by which the dynamic token 400 generates its response code, and judge whether the generated response code is identical to the response code obtained from the synchronization code; if so, the obtained response code is determined to have passed verification; otherwise, it is determined to have failed verification.

The second generation module 430 may also be specifically configured to select data of a preset length starting from the lowest bit of the dynamic factor in the dynamic token 400, XOR the selected data with the response code generated by the first generation module 420, and XOR the result with preset key information to obtain the synchronization information;

Correspondingly, the verification module 570 is specifically configured to XOR the preset key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, replace the lowest-order data of the preset length in the dynamic factor in the authentication server 500 with the XOR result, take the data obtained after replacement as the dynamic factor, generate a response code from the seed key and the challenge code found by the query module 560 using the same method by which the dynamic token 400 generates its response code, and judge whether the generated response code is identical to the response code obtained from the synchronization code; if so, the obtained response code is determined to have passed verification; otherwise, it is determined to have failed verification.

The second generation module 430 may also be specifically configured to generate key information from preset data and the seed key in the dynamic token 400, select data of a preset length starting from the lowest bit of the dynamic factor in the dynamic token 400, XOR the selected data with the response code generated by the first generation module 420, and XOR the result with the key information to obtain the synchronization information;

Correspondingly, the verification module 570 is specifically configured to XOR the seed key found by the query module 560 with the preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, replace the lowest-order data of the preset length in the dynamic factor in the authentication server 500 with the XOR result, take the data obtained after replacement as the dynamic factor, generate a response code from the seed key and the challenge code that were found using the same method by which the dynamic token 400 generates its response code, and judge whether the generated response code is identical to the response code obtained from the synchronization code; if so, the obtained response code is determined to have passed verification; otherwise, it is determined to have failed verification.

In this embodiment of the invention, when the dynamic token 400 is a time-type dynamic token, the dynamic factor is a time factor and the token offset in the authentication server 500 is a token offset time;

Correspondingly, the update module 580, as shown in Figure 5, specifically includes:

The first calculation submodule 581, configured to obtain the difference between the current system time and the most recent synchronization time that it has saved for the dynamic token 400, and to calculate a first offset threshold from that difference and a first preset step;

The first judging submodule 582, configured to judge whether the time difference between the time factor in the dynamic token 400 and the time factor in the authentication server 500 is greater than the first offset threshold calculated by the first calculation submodule 581;

The first sending submodule 583, configured to send a synchronization failure message to the host 600 when the first judging submodule 582 judges that the time difference between the time factor in the dynamic token 400 and the time factor in the authentication server 500 is greater than the first offset threshold, and to send a synchronization success message to the host 600 when the first judging submodule 582 judges that this time difference is not greater than the first offset threshold;

The first updating submodule 584, configured to, when the first judging submodule 582 judges that the time difference between the time factor in the dynamic token 400 and the time factor in the authentication server 500 is not greater than the first offset threshold, update the token offset time that it has saved for the dynamic token 400 according to that time difference, and save the current system time as the synchronization time corresponding to the dynamic token 400.

Further, the update module 580 also includes:

The second judging submodule 585, configured to, after the first judging submodule 582 judges that the time difference between the time factor in the dynamic token 400 and the time factor in the authentication server 500 is greater than the first offset threshold, judge whether the difference between the current system time and the most recent synchronization time corresponding to the dynamic token 400 is greater than a second preset duration;

Correspondingly, the first sending submodule 583 is specifically configured to send a synchronization failure message to the host 600 when the second judging submodule 585 judges that the difference between the current system time and the most recent synchronization time corresponding to the dynamic token 400 is not greater than the second preset duration;

and to send a synchronization success message to the host 600 when the second judging submodule 585 judges that the difference between the current system time and the most recent synchronization time corresponding to the dynamic token 400 is greater than the second preset duration, and also when the first judging submodule 582 judges that the time difference between the time factor in the dynamic token 400 and the time factor in the authentication server 500 is not greater than the first offset threshold;

The first updating submodule 584 is further configured to, when the second judging submodule 585 judges that the difference between the current system time and the most recent synchronization time corresponding to the dynamic token 400 is greater than the second preset duration, update the token offset time that it has saved for the dynamic token 400 according to the time difference between the time factor in the dynamic token 400 and the time factor in the authentication server 500, and save the current system time as the synchronization time corresponding to the dynamic token 400.

Further, the update module 580 also includes:

The third judging submodule 586, configured to judge whether the time factor in the dynamic token 400 is greater than the most recent successful authentication time corresponding to the dynamic token 400;

Correspondingly, the first calculation submodule 581 is specifically configured to, when the third judging submodule 586 judges that the time factor in the dynamic token 400 is greater than the most recent successful authentication time corresponding to the dynamic token 400, obtain the difference between the current system time and the most recent synchronization time that it has saved for the dynamic token 400, and calculate the first offset threshold from that difference and the first preset step;

The first sending submodule 583 is further configured to send a synchronization failure message to the host 600 when the third judging submodule 586 judges that the time factor in the dynamic token 400 is not greater than the most recent successful authentication time corresponding to the dynamic token 400.

Specifically, the first judging submodule 582 may be specifically configured to XOR the seed key found by the query module 560 with the preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, take the XOR result as the time factor in the dynamic token 400, and judge whether the time difference between the time factor in the dynamic token 400 and the time factor in the authentication server 500 is greater than the first offset threshold;

Correspondingly, the third judging submodule 586 is specifically configured to XOR the seed key found by the query module 560 with the preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, take the XOR result as the time factor in the dynamic token 400, and judge whether the time factor in the dynamic token 400 is greater than the most recent successful authentication time corresponding to the dynamic token 400.

The first judging submodule 582 may also be specifically configured to XOR the seed key found by the query module 560 with the preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, replace the lowest-order data of the preset length in the time factor in the authentication server 500 with the XOR result, take the data obtained after replacement as the time factor in the dynamic token 400, and judge whether the time difference between the time factor in the dynamic token 400 and the time factor in the authentication server 500 is greater than the first offset threshold;

Correspondingly, the third judging submodule 586 is specifically configured to XOR the seed key found by the query module 560 with the preset data, XOR the resulting key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, replace the lowest-order data of the preset length in the time factor in the authentication server 500 with the XOR result, take the data obtained after replacement as the time factor in the dynamic token 400, and judge whether the time factor in the dynamic token 400 is greater than the most recent successful authentication time corresponding to the dynamic token 400.

The first judging submodule 582 may also be specifically configured to XOR the preset key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, take the XOR result as the time factor in the dynamic token 400, and judge whether the time difference between the time factor in the dynamic token 400 and the time factor in the authentication server 500 is greater than the first offset threshold;

Correspondingly, the third judging submodule 586 is specifically configured to XOR the preset key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, take the XOR result as the time factor in the dynamic token 400, and judge whether the time factor in the dynamic token 400 is greater than the most recent successful authentication time corresponding to the dynamic token 400.

The first judging submodule 582 may also be specifically configured to XOR the preset key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, replace the lowest-order data of the preset length in the time factor in the authentication server 500 with the XOR result, take the data obtained after replacement as the time factor in the dynamic token 400, and judge whether the time difference between the time factor in the dynamic token 400 and the time factor in the authentication server 500 is greater than the first offset threshold;

Correspondingly, the third judging submodule 586 is specifically configured to XOR the preset key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, replace the lowest-order data of the preset length in the time factor in the authentication server 500 with the XOR result, take the data obtained after replacement as the time factor in the dynamic token 400, and judge whether the time factor in the dynamic token 400 is greater than the most recent successful authentication time corresponding to the dynamic token 400.
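The time-type flow described above (challenge window of judging module 720, factor recovery and response check of verification module 570, threshold logic of update module 580), as an added Python example that is not code from the patent. The HMAC-SHA1 response function, every constant, the threshold formula, the record layout, and XORing out the received response code when recovering the low factor bits are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Every constant below is an assumed value chosen for this example.
TIME_STEP = 60                        # seconds per time-factor tick
MASK = (1 << 16) - 1                  # "preset length": low 16 bits of the factor
FIRST_PRESET_DURATION = 60            # seconds a challenge stays usable
FIRST_PRESET_STEP = 86400             # one tick of tolerated drift per day unsynced
SECOND_PRESET_DURATION = 180 * 86400  # after this long unsynced, accept any drift


def key_info(seed: bytes, preset: bytes) -> int:
    """Key information = seed XOR preset data (low 32 bits kept, an assumption)."""
    mixed = bytes(s ^ p for s, p in zip(seed, preset))
    return int.from_bytes(mixed[-4:], "big")


def response_code(seed: bytes, challenge: bytes, factor: int) -> int:
    """Assumed response function: HMAC-SHA1(seed, challenge || factor), 31 bits."""
    mac = hmac.new(seed, challenge + struct.pack(">Q", factor), hashlib.sha1).digest()
    return int.from_bytes(mac[:4], "big") & 0x7FFFFFFF


def token_sync_code(seed, preset, challenge, token_factor):
    """Token side: response code plus sync info (response ^ low factor bits ^ key)."""
    resp = response_code(seed, challenge, token_factor)
    sync = resp ^ (token_factor & MASK) ^ key_info(seed, preset)
    return resp, sync


def server_sync(rec: dict, preset: bytes, resp: int, sync: int, now: int) -> str:
    """Server side: returns "ok" and updates rec, or a "fail: ..." reason."""
    # Judging module 720: the sync code must arrive within the window that
    # opens when the stored challenge was generated.
    if not 0 <= now - rec["challenge_time"] <= FIRST_PRESET_DURATION:
        return "fail: challenge expired"
    if not 0 <= resp <= 0x7FFFFFFF:
        return "fail: malformed sync code"

    # Verification module 570: strip the key information (and, as this example
    # assumes, the received response code) to get the token's low factor bits,
    # then substitute them into the server's own factor.
    server_factor = now // TIME_STEP + rec["offset"]
    low = sync ^ key_info(rec["seed"], preset) ^ resp
    if not 0 <= low <= MASK:
        return "fail: malformed sync code"
    token_factor = (server_factor & ~MASK) | low
    expected = response_code(rec["seed"], rec["challenge"], token_factor)
    if not hmac.compare_digest(struct.pack(">I", expected), struct.pack(">I", resp)):
        return "fail: bad response code"

    # Third judging submodule 586: the token's factor must be newer than the
    # factor of the last successful authentication.
    if token_factor <= rec["last_auth_factor"]:
        return "fail: factor not newer than last authentication"

    # Submodules 581/582/585: the tolerated drift grows with the time since the
    # last sync (assumed formula); larger drift passes only after a long gap.
    elapsed = now - rec["last_sync_time"]
    threshold = max(1, elapsed // FIRST_PRESET_STEP)
    diff = token_factor - server_factor
    if abs(diff) > threshold and elapsed <= SECOND_PRESET_DURATION:
        return "fail: drift exceeds threshold"

    # First updating submodule 584: store the new offset and the sync time.
    rec["offset"] += diff
    rec["last_sync_time"] = now
    return "ok"


def new_record(now: int) -> dict:
    """Constructed sample server record for one token (all values made up)."""
    return {"seed": bytes(range(20)), "challenge": b"483920",
            "challenge_time": now - 20, "offset": 0,
            "last_sync_time": now - 5 * 86400,
            "last_auth_factor": now // TIME_STEP - 1000}


if __name__ == "__main__":
    NOW, PRESET = 1_700_000_000, b"\x5a" * 20   # constructed inputs
    rec = new_record(NOW)
    code = token_sync_code(rec["seed"], PRESET, rec["challenge"], NOW // TIME_STEP + 3)
    print(server_sync(rec, PRESET, *code, NOW), rec["offset"])
```

Because only the low bits of the factor travel in the sync information, a token whose factor lies across a 2^16 boundary from the server's factor fails the response check in this example rather than being accepted with a wrong offset.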

In this embodiment of the invention, when the dynamic token 400 is an event-type dynamic token, the dynamic factor is an event factor and the token offset in the authentication server 500 is a token offset count;

Correspondingly, the update module 580, as shown in Figure 6, specifically includes:

The second calculation submodule 621, configured to obtain the difference between the current system time and the most recent synchronization time that it has saved for the dynamic token 400, and to calculate a second offset threshold from that difference and a second preset step;

The fourth judging submodule 622, configured to judge whether the count difference between the event factor in the dynamic token 400 and the event factor corresponding to the dynamic token 400 in the authentication server 500 is greater than the second offset threshold calculated by the second calculation submodule 621;

The second sending submodule 623, configured to send a synchronization failure message to the host 600 when the fourth judging submodule 622 judges that the count difference between the event factor in the dynamic token 400 and the event factor corresponding to the dynamic token 400 in the authentication server 500 is greater than the second offset threshold calculated by the second calculation submodule 621, and to send a synchronization success message to the host 600 when the fourth judging submodule 622 judges that this count difference is not greater than the second offset threshold calculated by the second calculation submodule 621;

The second updating submodule 624, configured to, when the fourth judging submodule 622 judges that the count difference between the event factor in the dynamic token 400 and the event factor corresponding to the dynamic token 400 in the authentication server 500 is not greater than the second offset threshold calculated by the second calculation submodule 621, update the token offset count that it has saved for the dynamic token 400 according to that count difference, and save the current system time as the synchronization time corresponding to the dynamic token 400.

Further, the update module 580 also includes:

The fifth judging submodule 625, configured to, after the fourth judging submodule 622 judges that the count difference between the event factor in the dynamic token 400 and the event factor corresponding to the dynamic token 400 in the authentication server 500 is greater than the second offset threshold, judge whether the difference between the current system time and the most recent synchronization time corresponding to the dynamic token 400 is greater than a third preset duration;

Correspondingly, the second sending submodule 623 is specifically configured to send a synchronization failure message to the host 600 when the fifth judging submodule 625 judges that the difference between the current system time and the most recent synchronization time corresponding to the dynamic token 400 is not greater than the third preset duration;

and to send a synchronization success message to the host 600 when the fifth judging submodule 625 judges that the difference between the current system time and the most recent synchronization time corresponding to the dynamic token 400 is greater than the third preset duration, and also when the fourth judging submodule 622 judges that the count difference between the event factor in the dynamic token 400 and the event factor corresponding to the dynamic token 400 in the authentication server 500 is not greater than the second offset threshold;

The second updating submodule 624 is further configured to, when the fifth judging submodule 625 judges that the difference between the current system time and the most recent synchronization time corresponding to the dynamic token 400 is greater than the third preset duration, update the token offset count that it has saved for the dynamic token 400 according to the count difference between the event factor in the dynamic token 400 and the event factor corresponding to the dynamic token 400 in the authentication server 500, and save the current system time as the synchronization time corresponding to the dynamic token.

Further, the update module 580 also includes:

The sixth judging submodule 626, configured to judge whether the event factor in the dynamic token 400 is greater than the most recent successful authentication count corresponding to the dynamic token 400;

Correspondingly, the second calculation submodule 621 is specifically configured to, when the sixth judging submodule 626 judges that the event factor in the dynamic token 400 is greater than the most recent successful authentication count corresponding to the dynamic token 400, obtain the difference between the current system time and the most recent synchronization time that it has saved for the dynamic token 400, and calculate the second offset threshold from that difference and the second preset step;

The second sending submodule 623 is further configured to send a synchronization failure message to the host 600 when the sixth judging submodule 626 judges that the event factor in the dynamic token 400 is not greater than the most recent successful authentication count corresponding to the dynamic token 400.

具体地,上述第四判断子模块622,可以具体用于将查询模块560查询到的种子密钥与预设数据进行异或,将得到的密钥信息与第四获取模块550从同步码中获取的同步信息进行异或,将得到的异或结果作为动态令牌400中的事件因子,判断动态令牌400中的事件因子与认证服务器500中与动态令牌400对应的事件因子之间的次数差值是否大于第二偏移阈值;Specifically, the above-mentioned fourth judging sub-module 622 can be specifically used to XOR the seed key queried by the query module 560 with the preset data, and obtain the obtained key information and the fourth obtaining module 550 from the synchronization code. The synchronous information is XORed, and the XOR result obtained is used as the event factor in the dynamic token 400, and the number of times between the event factor in the dynamic token 400 and the event factor corresponding to the dynamic token 400 in the authentication server 500 is judged Whether the difference is greater than a second offset threshold;

相应地,上述第六判断子模块626,具体用于将查询模块560查询到的种子密钥与预设数据进行异或,将得到的密钥信息与第四获取模块550从同步码中获取的同步信息进行异或,将得到的异或结果作为动态令牌400中的事件因子,判断动态令牌400中的事件因子是否大于与动态令牌400对应的、最近一次的认证成功次数。Correspondingly, the above sixth judging submodule 626 is specifically used to XOR the seed key queried by the query module 560 with the preset data, and combine the obtained key information with the key information obtained by the fourth acquisition module 550 from the synchronization code. The synchronization information is XORed, and the obtained XOR result is used as the event factor in the dynamic token 400 to determine whether the event factor in the dynamic token 400 is greater than the latest number of successful authentications corresponding to the dynamic token 400 .

上述第四判断子模块622,还可以具体用于将查询模块560查询到的种子密钥与预设数据进行异或,将得到的密钥信息与第四获取模块550从同步码中获取的同步信息进行异或,将得到的异或结果替换认证服务器500中与动态令牌400对应的事件因子中最低位的预设长度的数据,将替换后得到的数据作为动态令牌400中的事件因子,判断动态令牌400中的事件因子与认证服务器500中与动态令牌400对应的事件因子之间的次数差值是否大于第二偏移阈值;The above fourth judging sub-module 622 can also be specifically used to XOR the seed key queried by the query module 560 with the preset data, and synchronize the obtained key information with the obtained key information from the synchronization code by the fourth acquisition module 550. The information is XORed, and the obtained XOR result is replaced with the data of the lowest bit preset length in the event factor corresponding to the dynamic token 400 in the authentication server 500, and the data obtained after the replacement is used as the event factor in the dynamic token 400 , judging whether the number of times difference between the event factor in the dynamic token 400 and the event factor corresponding to the dynamic token 400 in the authentication server 500 is greater than a second offset threshold;

相应地,上述第六判断子模块626,具体用于将查询模块560查询到的种子密钥与预设数据进行异或,将得到的密钥信息与第四获取模块550从同步码中获取的同步信息进行异或,将得到的异或结果替换认证服务器500中与动态令牌400对应的事件因子中最低位的预设长度的数据,将替换后得到的数据作为动态令牌400中的事件因子,判断动态令牌400中的事件因子是否大于与动态令牌400对应的、最近一次的认证成功次数。Correspondingly, the above sixth judging submodule 626 is specifically used to XOR the seed key queried by the query module 560 with the preset data, and combine the obtained key information with the key information obtained by the fourth acquisition module 550 from the synchronization code. The synchronization information is XORed, and the obtained XOR result is replaced with the data of the lowest bit preset length in the event factor corresponding to the dynamic token 400 in the authentication server 500, and the data obtained after the replacement is used as an event in the dynamic token 400 Factor, to determine whether the event factor in the dynamic token 400 is greater than the latest number of successful authentications corresponding to the dynamic token 400 .

上述第四判断子模块622,还可以具体用于将预设的密钥信息与第四获取模块550从同步码中获取的同步信息进行异或,将得到的异或结果作为动态令牌400中的事件因子,判断动态令牌400中的事件因子与认证服务器500中与认证服务器500中与动态令牌400对应的事件因子之间的次数差值是否大于第二偏移阈值;The above fourth judging sub-module 622 can also be specifically used to XOR the preset key information and the synchronization information obtained from the synchronization code by the fourth obtaining module 550, and use the obtained XOR result as the dynamic token 400 The event factor of judging whether the number of times difference between the event factor in the dynamic token 400 and the event factor corresponding to the dynamic token 400 in the authentication server 500 and the authentication server 500 is greater than the second offset threshold;

相应地,上述第六判断子模块626,具体用于将预设的密钥信息与第四获取模块550从同步码中获取的同步信息进行异或,将得到的异或结果作为动态令牌400中的事件因子,判断动态令牌400中的事件因子是否大于与动态令牌400对应的、最近一次的认证成功次数。Correspondingly, the above-mentioned sixth judging sub-module 626 is specifically used to XOR the preset key information and the synchronization information obtained from the synchronization code by the fourth obtaining module 550, and use the obtained XOR result as the dynamic token 400 The event factor in the dynamic token 400 is used to determine whether the event factor in the dynamic token 400 is greater than the latest number of successful authentications corresponding to the dynamic token 400 .

上述第四判断子模块622,还可以具体用于将预设的密钥信息与第四获取模块550从同步码中获取的同步信息进行异或,将得到的异或结果替换认证服务器500中与动态令牌400对应的事件因子中最低位的预设长度的数据,将替换后得到的数据作为动态令牌400中的事件因子,判断动态令牌400中的事件因子与认证服务器500中与动态令牌400对应的事件因子之间的次数差值是否大于第二偏移阈值;The above-mentioned fourth judging sub-module 622 can also be specifically configured to XOR the preset key information with the synchronization information obtained from the synchronization code by the fourth obtaining module 550, and replace the obtained XOR result with the one in the authentication server 500. The data of the preset length of the lowest bit in the event factor corresponding to the dynamic token 400, the data obtained after the replacement is used as the event factor in the dynamic token 400, and the event factor in the dynamic token 400 is judged to be the same as that in the authentication server 500. Whether the number of times difference between the event factors corresponding to the token 400 is greater than the second offset threshold;

Correspondingly, the sixth judging sub-module 626 is specifically configured to XOR the preset key information with the synchronization information that the fourth obtaining module 550 obtained from the synchronization code, replace the lowest-order data of a preset length in the event factor corresponding to the dynamic token 400 in the authentication server 500 with the XOR result, take the data obtained after the replacement as the event factor in the dynamic token 400, and judge whether the event factor in the dynamic token 400 is greater than the latest successful authentication count corresponding to the dynamic token 400.

In the embodiment of the present invention, the authentication server 500 generates a random number and saves it as the challenge code corresponding to the dynamic token 400. The dynamic token 400 obtains the random number generated by the authentication server 500 and generates a synchronization code from it. The authentication server 500 judges the validity of the synchronization code generated by the dynamic token 400 by comparing the generation time of the challenge code corresponding to the dynamic token 400 with the acquisition time of the synchronization code, verifies the synchronization code using the challenge code it generated itself, and updates the token offset it stores after the verification passes. This improves the success rate of synchronization and prevents malicious synchronization caused by the use of wrong or delayed synchronization codes.
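The exchange summarized above, as an added Python example (not code from the patent): it follows the low-order-bits variant of the synchronization information (claim 5) and the time-type offset update (claims 7 and 9). The response-code construction (truncated HMAC-SHA256), the 24-bit hexadecimal fields, every constant, the threshold formula, and the step where the server XORs out the received response code together with the key information are assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets
import struct

# All constants are assumed values; the patent only names them abstractly.
BITS = 24                 # "preset length" of low-order factor data
MASK = (1 << BITS) - 1
STEP = 60                 # seconds per time-factor unit
CHALLENGE_TTL = 60        # "first preset duration", seconds
BASE_WINDOW = 5           # minimum tolerated drift, in steps
DRIFT_PER_DAY = 2         # "first preset step": extra steps tolerated per day since last sync


def response_code(seed: bytes, challenge: str, factor: int) -> int:
    """Assumed construction: first 24 bits of HMAC-SHA256(seed, challenge || factor)."""
    msg = challenge.encode() + struct.pack(">Q", factor)
    return int.from_bytes(hmac.new(seed, msg, hashlib.sha256).digest()[:3], "big")


class Token:
    def __init__(self, seed: bytes, key_info: int, skew: int = 0):
        self.seed, self.key_info, self.skew = seed, key_info, skew

    def sync_code(self, challenge: str, now: int) -> str:
        factor = (now + self.skew) // STEP                    # token's own (drifted) time factor
        resp = response_code(self.seed, challenge, factor)    # S2
        info = (factor & MASK) ^ resp ^ self.key_info         # sync info from low-order bits
        return f"{info:06x}{resp:06x}"                        # S3: sync info || response code


class AuthServer:
    def __init__(self):
        self.tokens = {}

    def enroll(self, serial: str, seed: bytes, key_info: int, now: int) -> None:
        self.tokens[serial] = {"seed": seed, "key_info": key_info, "offset": 0,
                               "last_sync": now, "last_auth": 0, "challenge": None}

    def begin_sync(self, serial: str, now: int) -> str:
        challenge = f"{secrets.randbelow(10 ** 6):06d}"       # S1: random number
        self.tokens[serial]["challenge"] = (challenge, now)   # kept with its generation time
        return challenge

    def finish_sync(self, serial: str, code: str, now: int) -> str:
        rec = self.tokens[serial]
        pending, rec["challenge"] = rec["challenge"], None    # a challenge is consumed by one attempt
        if pending is None or not 0 <= now - pending[1] <= CHALLENGE_TTL:
            return "fail: no fresh challenge"                 # timing check of claim 2
        if not re.fullmatch(r"[0-9a-f]{12}", code):
            return "fail: malformed sync code"
        info, resp = int(code[:6], 16), int(code[6:], 16)     # S5
        server_factor = now // STEP
        # Assumption: the received response code is XORed out together with the key info.
        low = info ^ rec["key_info"] ^ resp
        token_factor = (server_factor & ~MASK) | low          # replace the low-order bits
        expected = response_code(rec["seed"], pending[0], token_factor)
        if not hmac.compare_digest(f"{expected:06x}", code[6:]):
            return "fail: response code mismatch"             # S6 -> S7
        if token_factor <= rec["last_auth"]:                  # A0
            return "fail: factor not after last authentication"
        days = (now - rec["last_sync"]) // 86400
        threshold = BASE_WINDOW + days * DRIFT_PER_DAY        # A1 (assumed formula)
        diff = token_factor - server_factor
        if abs(diff) > threshold:                             # A2 -> A3
            return "fail: offset beyond threshold"
        rec["offset"], rec["last_sync"] = diff, now           # A4
        return "ok"


def demo() -> dict:
    t0 = 1_700_000_000                                        # constructed timestamps and secrets
    seed, key_info = b"constructed-seed-0001", 0x5A5A5A
    server = AuthServer()
    server.enroll("SN001", seed, key_info, t0)
    token, now, out = Token(seed, key_info, skew=120), t0 + 86400, {}
    code = token.sync_code(server.begin_sync("SN001", now), now + 10)
    out["sync"] = server.finish_sync("SN001", code, now + 20)
    out["replay"] = server.finish_sync("SN001", code, now + 25)          # challenge already used
    late = token.sync_code(server.begin_sync("SN001", now + 100), now + 100)
    out["late"] = server.finish_sync("SN001", late, now + 100 + CHALLENGE_TTL + 1)
    good = token.sync_code(server.begin_sync("SN001", now + 300), now + 300)
    tampered = f"{int(good[:6], 16) ^ 1:06x}" + good[6:]
    out["tampered"] = server.finish_sync("SN001", tampered, now + 310)
    far = Token(seed, key_info, skew=3600)
    code = far.sync_code(server.begin_sync("SN001", now + 400), now + 400)
    out["far"] = server.finish_sync("SN001", code, now + 400)
    out["offset"] = server.tokens["SN001"]["offset"]
    return out


if __name__ == "__main__":
    print(demo())
```

Because the challenge is stored per serial number and cleared on the first attempt, a captured synchronization code cannot be replayed, and a code submitted after the freshness window is rejected before any offset is touched.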

The steps of the methods described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), internal memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.

The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (40)

1. A method for synchronizing a dynamic token, characterized by comprising the following steps:
S1. An authentication server receives a synchronization request from a host, obtains the serial number of a dynamic token from the synchronization request, generates a random number, saves the random number as the challenge code corresponding to the serial number of the dynamic token, and returns the random number to the host for display;
S2. The dynamic token obtains the random number, generates a response code according to the random number and the dynamic factor and seed key in the dynamic token, and generates synchronization information according to the response code and the dynamic factor;
S3. The dynamic token combines the synchronization information and the response code into a synchronization code, and displays the synchronization code;
S4. The authentication server obtains the synchronization code and the serial number of the dynamic token;
S5. The authentication server obtains the response code and the synchronization information from the synchronization code, and queries the seed key and challenge code corresponding to the dynamic token according to the serial number of the dynamic token;
S6. The authentication server uses the queried seed key and challenge code, together with the synchronization information obtained from the synchronization code, to verify the response code obtained from the synchronization code; if the verification passes, step S8 is executed; otherwise, step S7 is executed;
S7. The authentication server sends a synchronization failure message to the host;
S8. The authentication server updates the token offset corresponding to the dynamic token in the authentication server according to the synchronization information obtained from the synchronization code and the dynamic factor in the authentication server.

2. The method according to claim 1, characterized in that, after the authentication server generates the random number, the method further comprises:
the authentication server records the generation time of the random number;
and after step S4, the method further comprises:
the authentication server records the acquisition time of the synchronization code, queries the generation time of the corresponding challenge code according to the serial number of the dynamic token, and judges whether the acquisition time of the synchronization code is within a first preset duration after the generation time of the challenge code; if so, step S5 is executed; otherwise, a synchronization failure message is sent to the host.

3. The method according to claim 1, characterized in that the dynamic token generating synchronization information according to the response code and the dynamic factor is specifically:
the dynamic token XORs the response code with the dynamic factor, and XORs the result with preset key information to obtain the synchronization information;
and step S6 is specifically:
the authentication server XORs the preset key information with the synchronization information obtained from the synchronization code, takes the XOR result as the dynamic factor, generates a response code from the queried seed key and challenge code by the same method the dynamic token uses to generate its response code, and judges whether the generated response code is the same as the response code obtained from the synchronization code; if so, it determines that the obtained response code passes verification; otherwise, it determines that the obtained response code fails verification.

4. The method according to claim 1, characterized in that the dynamic token generating synchronization information according to the response code and the dynamic factor is specifically:
the dynamic token generates key information according to preset data and the seed key in the dynamic token, XORs the response code with the dynamic factor, and XORs the result with the key information to obtain the synchronization information;
and step S6 is specifically:
the authentication server XORs the queried seed key with the preset data, XORs the resulting key information with the synchronization information obtained from the synchronization code, takes the XOR result as the dynamic factor, generates a response code from the queried seed key and challenge code by the same method the dynamic token uses to generate its response code, and judges whether the generated response code is the same as the response code obtained from the synchronization code; if so, it determines that the obtained response code passes verification; otherwise, it determines that the obtained response code fails verification.

5. The method according to claim 1, characterized in that the dynamic token generating synchronization information according to the response code and the dynamic factor is specifically:
the dynamic token selects data of a preset length starting from the lowest-order bit of the dynamic factor, XORs the selected data with the response code, and XORs the result with preset key information to obtain the synchronization information;
and step S6 is specifically:
the authentication server XORs the preset key information with the synchronization information obtained from the synchronization code, replaces the lowest-order data of the preset length in the dynamic factor in the authentication server with the XOR result, takes the data obtained after the replacement as the dynamic factor, generates a response code from the queried seed key and challenge code by the same method the dynamic token uses to generate its response code, and judges whether the generated response code is the same as the response code obtained from the synchronization code; if so, it determines that the obtained response code passes verification; otherwise, it determines that the obtained response code fails verification.

6. The method according to claim 1, characterized in that the dynamic token generating synchronization information according to the response code and the dynamic factor is specifically:
the dynamic token generates key information according to preset data and the seed key in the dynamic token, selects data of a preset length starting from the lowest-order bit of the dynamic factor, XORs the selected data with the response code, and XORs the result with the key information to obtain the synchronization information;
and step S6 is specifically:
the authentication server XORs the queried seed key with the preset data, XORs the resulting key information with the synchronization information obtained from the synchronization code, replaces the lowest-order data of the preset length in the dynamic factor in the authentication server with the XOR result, takes the data obtained after the replacement as the dynamic factor, generates a response code from the queried seed key and challenge code by the same method the dynamic token uses to generate its response code, and judges whether the generated response code is the same as the response code obtained from the synchronization code; if so, it determines that the obtained response code passes verification; otherwise, it determines that the obtained response code fails verification.

7. The method according to claim 1, characterized in that, when the dynamic token is a time-type dynamic token, the dynamic factor is a time factor and the token offset in the authentication server is a token offset time;
and step S8 is specifically:
A1. The authentication server obtains the difference between the current system time and the latest synchronization time that it stores for the dynamic token, and calculates a first offset threshold according to the difference and a first preset step;
A2. The authentication server judges whether the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold; if so, step A3 is executed; otherwise, step A4 is executed;
A3. The authentication server sends a synchronization failure message to the host;
A4. The authentication server updates the token offset time that it stores for the dynamic token according to the time difference, saves the current system time as the synchronization time corresponding to the dynamic token, and sends a synchronization success message to the host.

8. The method according to claim 7, characterized in that, after the authentication server judges that the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold, the method further comprises:
the authentication server judges whether the difference between the current system time and the latest synchronization time corresponding to the dynamic token is greater than a second preset duration; if so, step A4 is executed; otherwise, step A3 is executed.

9. The method according to claim 7, characterized in that, before step A1, the method further comprises:
A0. The authentication server judges whether the time factor in the dynamic token is greater than the latest successful authentication time corresponding to the dynamic token; if so, step A1 is executed; otherwise, step A3 is executed.

10. The method according to claim 9, characterized in that step A2 is specifically:
the authentication server XORs the queried seed key with preset data, XORs the resulting key information with the synchronization information obtained from the synchronization code, takes the XOR result as the time factor in the dynamic token, and judges whether the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold; if so, step A3 is executed; otherwise, step A4 is executed;
and step A0 is specifically:
the authentication server XORs the queried seed key with the preset data, XORs the resulting key information with the synchronization information obtained from the synchronization code, takes the XOR result as the time factor in the dynamic token, and judges whether the time factor in the dynamic token is greater than the latest successful authentication time corresponding to the dynamic token; if so, step A1 is executed; otherwise, step A3 is executed.

11. The method according to claim 9, characterized in that step A2 is specifically:
the authentication server XORs the queried seed key with preset data, XORs the resulting key information with the synchronization information obtained from the synchronization code, replaces the lowest-order data of a preset length in the time factor in the authentication server with the XOR result, takes the data obtained after the replacement as the time factor in the dynamic token, and judges whether the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold; if so, step A3 is executed; otherwise, step A4 is executed;
and step A0 is specifically:
the authentication server XORs the queried seed key with the preset data, XORs the resulting key information with the synchronization information obtained from the synchronization code, replaces the lowest-order data of the preset length in the time factor in the authentication server with the XOR result, takes the data obtained after the replacement as the time factor in the dynamic token, and judges whether the time factor in the dynamic token is greater than the latest successful authentication time corresponding to the dynamic token; if so, step A1 is executed; otherwise, step A3 is executed.

12. The method according to claim 9, characterized in that step A2 is specifically:
the authentication server XORs preset key information with the synchronization information obtained from the synchronization code, takes the XOR result as the time factor in the dynamic token, and judges whether the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold; if so, step A3 is executed; otherwise, step A4 is executed;
and step A0 is specifically:
the authentication server XORs the preset key information with the synchronization information obtained from the synchronization code, takes the XOR result as the time factor in the dynamic token, and judges whether the time factor in the dynamic token is greater than the latest successful authentication time corresponding to the dynamic token; if so, step A1 is executed; otherwise, step A3 is executed.

13. The method according to claim 9, characterized in that step A2 is specifically:
the authentication server XORs preset key information with the synchronization information obtained from the synchronization code, replaces the lowest-order data of a preset length in the time factor in the authentication server with the XOR result, takes the data obtained after the replacement as the time factor in the dynamic token, and judges whether the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold; if so, step A3 is executed; otherwise, step A4 is executed;
and step A0 is specifically:
the authentication server XORs the preset key information with the synchronization information obtained from the synchronization code, replaces the lowest-order data of the preset length in the time factor in the authentication server with the XOR result, takes the data obtained after the replacement as the time factor in the dynamic token, and judges whether the time factor in the dynamic token is greater than the latest successful authentication time corresponding to the dynamic token; if so, step A1 is executed; otherwise, step A3 is executed.

14. The method according to claim 1, characterized in that, when the dynamic token is an event-type dynamic token, the dynamic factor is an event factor and the token offset in the authentication server is a token offset count;
and step S8 is specifically:
B1. The authentication server obtains the difference between the current system time and the latest synchronization time that it stores for the dynamic token, and calculates a second offset threshold according to the difference and a second preset step;
B2. The authentication server judges whether the count difference between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than the second offset threshold; if so, step B3 is executed; otherwise, step B4 is executed;
B3. The authentication server sends a synchronization failure message to the host;
B4. The authentication server updates the token offset count that it stores for the dynamic token according to the count difference, saves the current system time as the synchronization time corresponding to the dynamic token, and sends a synchronization success message to the host.

15. The method according to claim 14, characterized in that, after the authentication server judges that the count difference between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than the second offset threshold, the method further comprises:
the authentication server judges whether the difference between the current system time and the latest synchronization time corresponding to the dynamic token is greater than a third preset duration; if so, step B4 is executed; otherwise, step B3 is executed.

16. The method according to claim 14, characterized in that, before step B1, the method further comprises:
B0. The authentication server judges whether the event factor in the dynamic token is greater than the latest successful authentication count corresponding to the dynamic token; if so, step B1 is executed; otherwise, step B3 is executed.

17. The method according to claim 16, characterized in that step B2 is specifically:
the authentication server XORs the queried seed key with preset data, XORs the resulting key information with the synchronization information obtained from the synchronization code, takes the XOR result as the event factor in the dynamic token, and judges whether the count difference between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than the second offset threshold; if so, step B3 is executed; otherwise, step B4 is executed;
and step B0 is specifically:
the authentication server XORs the queried seed key with the preset data, XORs the resulting key information with the synchronization information obtained from the synchronization code, takes the XOR result as the event factor in the dynamic token, and judges whether the event factor in the dynamic token is greater than the latest successful authentication count corresponding to the dynamic token; if so, step B1 is executed; otherwise, step B3 is executed.

18. The method according to claim 16, characterized in that step B2 is specifically:
the authentication server XORs the queried seed key with preset data, XORs the resulting key information with the synchronization information obtained from the synchronization code, replaces the lowest-order data of a preset length in the event factor corresponding to the dynamic token in the authentication server with the XOR result, takes the data obtained after the replacement as the event factor in the dynamic token, and judges whether the count difference between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than the second offset threshold; if so, step B3 is executed; otherwise, step B4 is executed;
and step B0 is specifically:
the authentication server XORs the queried seed key with the preset data, XORs the resulting key information with the synchronization information obtained from the synchronization code, replaces the lowest-order data of the preset length in the event factor corresponding to the dynamic token in the authentication server with the XOR result, takes the data obtained after the replacement as the event factor in the dynamic token, and judges whether the event factor in the dynamic token is greater than the latest successful authentication count corresponding to the dynamic token; if so, step B1 is executed; otherwise, step B3 is executed.
19. The method according to claim 16, characterized in that step B2 is specifically:
the authentication server XORs preset key information with the synchronization information obtained from the synchronization code, takes the XOR result as the event factor in the dynamic token, and judges whether the count difference between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than the second offset threshold; if so, step B3 is executed; otherwise, step B4 is executed;
and step B0 is specifically:
the authentication server XORs the preset key information with the synchronization information obtained from the synchronization code, takes the XOR result as the event factor in the dynamic token, and judges whether the event factor in the dynamic token is greater than the latest successful authentication count corresponding to the dynamic token; if so, step B1 is executed; otherwise, step B3 is executed.

20. The method according to claim 16, characterized in that step B2 is specifically:
the authentication server XORs preset key information with the synchronization information obtained from the synchronization code, replaces the lowest-order data of a preset length in the event factor corresponding to the dynamic token in the authentication server with the XOR result, takes the data obtained after the replacement as the event factor in the dynamic token, and judges whether the count difference between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than the second offset threshold; if so, step B3 is executed; otherwise, step B4 is executed;
and step B0 is specifically:
the authentication server XORs the preset key information with the synchronization information obtained from the synchronization code, replaces the lowest-order data of the preset length in the event factor corresponding to the dynamic token in the authentication server with the XOR result, takes the data obtained after the replacement as the event factor in the dynamic token, and judges whether the event factor in the dynamic token is greater than the latest successful authentication count corresponding to the dynamic token; if so, step B1 is executed; otherwise, step B3 is executed.

21. A synchronization system for a dynamic token, characterized by comprising a dynamic token, a host and an authentication server;
wherein the dynamic token comprises:
a first obtaining module, configured to obtain the random number generated by the authentication server;
a first generating module, configured to generate a response code according to the random number obtained by the first obtaining module and the dynamic factor and seed key in the dynamic token;
a second generating module, configured to generate synchronization information according to the response code generated by the first generating module and the dynamic factor;
a combination module, configured to combine the synchronization information generated by the second generating module and the response code generated by the first generating module into a synchronization code;
a display module, configured to display the synchronization code obtained by the combination module;
and the authentication server comprises:
a receiving module, configured to receive a synchronization request from the host;
a second obtaining module, configured to obtain the serial number of the dynamic token from the synchronization request received by the receiving module;
a third generating module, configured to generate a random number after the receiving module receives the synchronization request, and to save the random number as the challenge code corresponding to the serial number of the dynamic token obtained by the second obtaining module;
a third obtaining module, configured to obtain the synchronization code generated by the dynamic token and the serial number of the dynamic token;
a fourth obtaining module, configured to obtain the response code and the synchronization information from the synchronization code obtained by the third obtaining module;
a query module, configured to query the seed key and challenge code corresponding to the dynamic token according to the serial number of the dynamic token obtained by the third obtaining module;
a verification module, configured to verify the response code obtained from the synchronization code, using the seed key and challenge code queried by the query module and the synchronization information obtained from the synchronization code by the fourth obtaining module;
an update module, configured to update the token offset corresponding to the dynamic token in the authentication server, when the verification module's verification of the response code passes, according to the synchronization information obtained from the synchronization code by the fourth obtaining module and the dynamic factor in the authentication server;
a sending module, configured to return the random number generated by the third generating module to the host for display, and to send a synchronization failure message to the host when the verification module's verification of the response code fails.

22. The system according to claim 21, characterized in that the authentication server further comprises:
a recording module, configured to record the generation time of the random number after the third generating module generates the random number, and to save the generation time of the random number as the generation time of the challenge code corresponding to the serial number of the dynamic token; and, after the third obtaining module obtains the synchronization code, to record the acquisition time of the synchronization code;
the query module is further configured to query the generation time of the corresponding challenge code according to the serial number of the dynamic token obtained by the third obtaining module;
the authentication server further comprises:
a judging module, configured to judge whether the acquisition time of the synchronization code recorded by the recording module is within a first preset duration after the generation time of the challenge code queried by the query module;
the sending module is further configured to send a synchronization failure message to the host when the judging module judges that the acquisition time of the synchronization code is not within the first preset duration after the generation time of the challenge code;
the fourth obtaining module is specifically configured to obtain the response code and the synchronization information from the synchronization code obtained by the third obtaining module when the judging module judges that the acquisition time of the synchronization code is within the first preset duration after the generation time of the challenge code.
Obtain the response code and the synchronization information from the received synchronization code. 23.如权利要求21所述的系统,其特征在于,23. The system of claim 21, wherein: 所述第二生成模块,具体用于对所述第一生成模块生成的所述应答码和所述动态因子进行异或,将得到的异或结果与预设的密钥信息进行异或,得到所述同步信息;The second generating module is specifically configured to XOR the response code generated by the first generating module and the dynamic factor, and XOR the obtained XOR result with preset key information to obtain said synchronization information; 所述验证模块,具体用于将所述预设的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果作为动态因子,根据所述查询模块查询到的种子密钥和挑战码,按照与所述动态令牌生成应答码相同的方法,生成应答码,并判断生成的应答码是否与从所述同步码中获取的应答码相同,如果是,则确认所述获取的应答码验证通过;否则,确定所述获取的应答码验证未通过。The verification module is specifically configured to XOR the preset key information and the synchronization information acquired by the fourth acquisition module from the synchronization code, and use the obtained XOR result as a dynamic factor, according to the The seed key and the challenge code inquired by the query module, according to the same method as the dynamic token generation response code, generate a response code, and judge whether the generated response code is the same as the response code obtained from the synchronization code , if yes, confirm that the obtained response code has passed the verification; otherwise, determine that the obtained response code has not passed the verification. 24.如权利要求21所述的系统,其特征在于,24. The system of claim 21, wherein: 所述第二生成模块,具体用于根据预设数据和所述动态令牌中的种子密钥生成密钥信息,对所述第一生成模块生成的所述应答码和所述动态因子进行异或,将得到的异或结果与所述密钥信息进行异或,得到所述同步信息;The second generation module is specifically configured to generate key information according to the preset data and the seed key in the dynamic token, and compare the response code and the dynamic factor generated by the first generation module. 
Or, XORing the obtained XOR result with the key information to obtain the synchronization information; 所述验证模块,具体用于将所述查询模块查询到的种子密钥与所述预设数据进行异或,将得到的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果作为动态因子,根据所述查询模块查询到的种子密钥和挑战码,按照与所述动态令牌生成应答码相同的方法,生成应答码,并判断生成的应答码是否与从所述同步码中获取的应答码相同,如果是,则确认所述获取的应答码验证通过;否则,确定所述获取的应答码验证未通过。The verification module is specifically configured to XOR the seed key queried by the query module with the preset data, and combine the obtained key information with the key information obtained by the fourth acquisition module from the synchronization code. XOR the synchronous information, and use the obtained XOR result as a dynamic factor, according to the seed key and challenge code inquired by the query module, generate a response code in the same way as the response code generated by the dynamic token, and Judging whether the generated response code is the same as the response code obtained from the synchronization code, if yes, confirming that the obtained response code has passed the verification; otherwise, determining that the obtained response code has not passed the verification. 25.如权利要求21所述的系统,其特征在于,25. 
The system of claim 21, wherein: 所述第二生成模块,具体用于从所述动态因子的最低位开始,选取预设长度的数据,将选取的数据与所述第一生成模块生成的所述应答码进行异或,将得到的异或结果与预设的密钥信息进行异或,得到同步信息;The second generation module is specifically used to select data of a preset length starting from the lowest bit of the dynamic factor, and XOR the selected data with the response code generated by the first generation module to obtain The XOR result of XOR is XORed with the preset key information to obtain synchronization information; 所述验证模块,具体用于将所述预设的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果替换所述认证服务器中的动态因子中最低位的预设长度的数据,将替换后得到的数据作为动态因子,根据所述查询模块查询到的种子密钥和挑战码,按照与所述动态令牌生成应答码相同的方法,生成应答码,并判断生成的应答码是否与从所述同步码中获取的应答码相同,如果是,则确认所述获取的应答码验证通过;否则,确定所述获取的应答码验证未通过。The verification module is specifically configured to XOR the preset key information and the synchronization information acquired by the fourth acquisition module from the synchronization code, and replace the obtained XOR result in the authentication server The data of the preset length of the lowest bit in the dynamic factor, the data obtained after replacement is used as the dynamic factor, according to the seed key and challenge code queried by the query module, according to the same method as the response code generated by the dynamic token The method is to generate a response code, and judge whether the generated response code is the same as the response code obtained from the synchronization code, if yes, then confirm that the obtained response code is verified; otherwise, determine that the obtained response code is verified Did not pass. 26.如权利要求21所述的系统,其特征在于,26. 
The system of claim 21, wherein: 所述第二生成模块,具体用于根据预设数据和所述动态令牌中的种子密钥生成密钥信息,从所述动态因子的最低位开始,选取预设长度的数据,将选取的数据与所述第一生成模块生成的所述应答码进行异或,将得到的异或结果与所述密钥信息进行异或,得到所述同步信息;The second generating module is specifically configured to generate key information according to the preset data and the seed key in the dynamic token, select data of a preset length from the lowest bit of the dynamic factor, and select the selected XORing the data with the response code generated by the first generation module, and XORing the obtained XOR result with the key information to obtain the synchronization information; 所述验证模块,具体用于将所述查询模块查询到的种子密钥与所述预设数据进行异或,将得到的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果替换所述认证服务器中的动态因子中最低位的预设长度的数据,将替换后得到的数据作为动态因子,根据所述查询到的种子密钥和挑战码,按照与所述动态令牌生成应答码相同的方法,生成应答码,并判断生成的应答码是否与从所述同步码中获取的应答码相同,如果是,则确认所述获取的应答码验证通过;否则,确定所述获取的应答码验证未通过。The verification module is specifically configured to XOR the seed key queried by the query module with the preset data, and combine the obtained key information with the key information obtained by the fourth acquisition module from the synchronization code. XOR the synchronization information, replace the obtained XOR result with the data of the lowest bit preset length in the dynamic factor in the authentication server, and use the replaced data as the dynamic factor, according to the queried seed key and challenge code, according to the same method as the dynamic token generation response code, generate a response code, and judge whether the generated response code is the same as the response code obtained from the synchronization code, if yes, then confirm the acquisition The verification of the response code passed; otherwise, it is determined that the obtained response code has not passed the verification. 27.如权利要求21所述的系统,其特征在于,所述动态令牌为时间型动态令牌时,所述动态因子为时间因子,所述认证服务器中的令牌偏移量为令牌偏移时间;27. 
The system according to claim 21, wherein when the dynamic token is a time-type dynamic token, the dynamic factor is a time factor, and the token offset in the authentication server is token offset time; 所述更新模块,具体包括:The update module specifically includes: 第一计算子模块,用于获取当前系统时间与自身保存的、与所述动态令牌对应的最近一次的同步时间之间的差值,根据所述差值和第一预设步长计算第一偏移阈值;The first calculation sub-module is used to obtain the difference between the current system time and the latest synchronization time stored by itself and corresponding to the dynamic token, and calculate the first step according to the difference and the first preset step an offset threshold; 第一判断子模块,用于判断所述动态令牌中的时间因子与所述认证服务器中的时间因子之间的时间差值是否大于所述第一计算子模块计算出的所述第一偏移阈值;The first judgment submodule is used to judge whether the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset calculated by the first calculation submodule shift threshold; 第一发送子模块,用于在所述第一判断子模块判断出所述动态令牌中的时间因子与所述认证服务器中的时间因子之间的时间差值大于所述第一偏移阈值时,向所述主机发送同步失败消息;在所述第一判断子模块判断出所述动态令牌中的时间因子与所述认证服务器中的时间因子之间的时间差值不大于所述第一偏移阈值时,向所述主机发送同步成功消息;The first sending submodule is configured to determine that the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold when the first judging submodule judges , send a synchronization failure message to the host; when the first judging submodule judges that the time difference between the time factor in the dynamic token and the time factor in the authentication server is not greater than the first When a threshold is deviated, send a synchronization success message to the host; 第一更新子模块,用于在所述第一判断子模块判断出所述动态令牌中的时间因子与所述认证服务器中的时间因子之间的时间差值不大于所述第一偏移阈值时,根据所述时间差值更新自身保存的、与所述动态令牌对应的令牌偏移时间,并将所述当前系统时间保存为与所述动态令牌对应的同步时间。A first updating submodule, configured to determine that the time difference between the time factor in the dynamic token and the time factor in the authentication server is 
not greater than the first offset when the first judging submodule judges When the threshold is reached, update the token offset time stored by itself and corresponding to the dynamic token according to the time difference, and save the current system time as the synchronization time corresponding to the dynamic token. 28.如权利要求27所述的系统,其特征在于,所述更新模块,还包括:28. The system according to claim 27, wherein the updating module further comprises: 第二判断子模块,用于在所述第一判断子模块判断出所述动态令牌中的时间因子与所述认证服务器中的时间因子之间的时间差值大于所述第一偏移阈值之后,判断所述当前系统时间与所述动态令牌对应的最近一次的同步时间之间的差值,是否大于第二预设时长;The second judging submodule is used for judging by the first judging submodule that the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold Afterwards, it is judged whether the difference between the current system time and the latest synchronization time corresponding to the dynamic token is greater than the second preset duration; 所述第一发送子模块,具体用于在所述第二判断子模块判断出所述当前系统时间与所述动态令牌对应的最近一次的同步时间之间的差值不大于第二预设时长时,向所述主机发送同步失败消息;The first sending submodule is specifically used to determine that the difference between the current system time and the latest synchronization time corresponding to the dynamic token is not greater than the second preset when the second judging submodule judges When the time is long, send a synchronization failure message to the host; 在所述第二判断子模块判断出所述当前系统时间与所述动态令牌对应的最近一次的同步时间之间的差值大于第二预设时长时,以及,在所述第一判断子模块判断出所述动态令牌中的时间因子与所述认证服务器中的时间因子之间的时间差值不大于所述第一偏移阈值时,向所述主机发送同步成功消息;When the second judging submodule judges that the difference between the current system time and the latest synchronization time corresponding to the dynamic token is greater than a second preset duration, and, in the first judging submodule When the module determines that the time difference between the time factor in the dynamic token and the time factor in the authentication server is not greater than the first offset threshold, it sends a 
synchronization success message to the host; 所述第一更新子模块,还用于在所述第二判断子模块判断出所述当前系统时间与所述动态令牌对应的最近一次的同步时间之间的差值大于第二预设时长时,根据所述时间差值更新自身保存的、与所述动态令牌对应的令牌偏移时间,并将所述当前系统时间保存为与所述动态令牌对应的同步时间。The first updating submodule is further configured to determine that the difference between the current system time and the latest synchronization time corresponding to the dynamic token is greater than a second preset duration when the second judging submodule judges , update the token offset time stored by itself and corresponding to the dynamic token according to the time difference, and save the current system time as the synchronization time corresponding to the dynamic token. 29.如权利要求27所述的系统,其特征在于,所述更新模块,还包括:29. The system according to claim 27, wherein the updating module further comprises: 第三判断子模块,用于判断所述动态令牌中的时间因子是否大于与所述动态令牌对应的、最近一次的认证成功时间;The third judging submodule is used to judge whether the time factor in the dynamic token is greater than the latest authentication success time corresponding to the dynamic token; 所述第一计算子模块,具体用于在所述第三判断子模块判断出所述动态令牌中的时间因子大于与所述动态令牌对应的、最近一次的认证成功时间时,获取当前系统时间与自身保存的、与所述动态令牌对应的最近一次的同步时间之间的差值,根据所述差值和第一预设步长计算第一偏移阈值;The first calculating submodule is specifically used to acquire the current The difference between the system time and the latest synchronization time stored by itself and corresponding to the dynamic token, and calculate the first offset threshold according to the difference and the first preset step; 所述第一发送子模块,还用于在所述第三判断子模块判断出所述动态令牌中的时间因子不大于与所述动态令牌对应的、最近一次的认证成功时间时,向所述主机发送同步失败消息。The first sending submodule is further configured to, when the third judging submodule judges that the time factor in the dynamic token is not greater than the latest authentication success time corresponding to the dynamic token, send The host sends a synchronization failure message. 30.如权利要求29所述的系统,其特征在于,30. 
The system of claim 29, wherein: 所述第一判断子模块,具体用于将所述查询模块查询到的种子密钥与预设数据进行异或,将得到的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果作为所述动态令牌中的时间因子,判断所述动态令牌中的时间因子与所述认证服务器中的时间因子之间的时间差值是否大于所述第一偏移阈值;The first judging sub-module is specifically configured to XOR the seed key queried by the query module with preset data, and obtain the obtained key information from the synchronization code with the fourth obtaining module XOR the synchronization information, use the obtained XOR result as the time factor in the dynamic token, and judge whether the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold; 所述第三判断子模块,具体用于将所述查询模块查询到的种子密钥与所述预设数据进行异或,将得到的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果作为所述动态令牌中的时间因子,判断所述动态令牌中的时间因子是否大于与所述动态令牌对应的、最近一次的认证成功时间。The third judging submodule is specifically used to XOR the seed key queried by the query module with the preset data, and combine the obtained key information with the synchronization code obtained from the fourth acquisition module. XOR the synchronous information acquired in, use the obtained XOR result as the time factor in the dynamic token, and judge whether the time factor in the dynamic token is greater than the last time factor corresponding to the dynamic token Authentication success time. 31.如权利要求29所述的系统,其特征在于,31. 
The system of claim 29, wherein: 所述第一判断子模块,具体用于将所述查询模块查询到的种子密钥与预设数据进行异或,将得到的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果替换所述认证服务器中的时间因子中最低位的预设长度的数据,将替换后得到的数据作为所述动态令牌中的时间因子,判断所述动态令牌中的时间因子与所述认证服务器中的时间因子之间的时间差值是否大于所述第一偏移阈值;The first judging sub-module is specifically configured to XOR the seed key queried by the query module with preset data, and obtain the obtained key information from the synchronization code with the fourth obtaining module XOR the synchronous information, replace the obtained XOR result with the data of the lowest bit preset length in the time factor in the authentication server, use the replaced data as the time factor in the dynamic token, and judge Whether the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold; 所述第三判断子模块,具体用于将所述查询模块查询到的种子密钥与所述预设数据进行异或,将得到的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果替换所述认证服务器中的时间因子中最低位的预设长度的数据,将替换后得到的数据作为所述动态令牌中的时间因子,判断所述动态令牌中的时间因子是否大于与所述动态令牌对应的、最近一次的认证成功时间。The third judging submodule is specifically used to XOR the seed key queried by the query module with the preset data, and combine the obtained key information with the synchronization code obtained from the fourth acquisition module. XOR the synchronization information acquired in the authentication server, replace the obtained XOR result with the data of the lowest bit preset length in the time factor in the authentication server, and use the replaced data as the time factor in the dynamic token , judging whether the time factor in the dynamic token is greater than the latest successful authentication time corresponding to the dynamic token. 32.如权利要求29所述的系统,其特征在于,32. 
The system of claim 29, wherein 所述第一判断子模块,具体用于将预设的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果作为所述动态令牌中的时间因子,判断所述动态令牌中的时间因子与所述认证服务器中的时间因子之间的时间差值是否大于所述第一偏移阈值;The first judging submodule is specifically configured to XOR the preset key information with the synchronization information acquired by the fourth acquisition module from the synchronization code, and use the obtained XOR result as the dynamic order The time factor in the card, judging whether the time difference between the time factor in the dynamic token and the time factor in the authentication server is greater than the first offset threshold; 所述第三判断子模块,具体用于将所述预设的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果作为所述动态令牌中的时间因子,判断所述动态令牌中的时间因子是否大于与所述动态令牌对应的、最近一次的认证成功时间。The third judging submodule is specifically configured to XOR the preset key information and the synchronization information obtained by the fourth obtaining module from the synchronization code, and use the obtained XOR result as the A time factor in the dynamic token, judging whether the time factor in the dynamic token is greater than the latest successful authentication time corresponding to the dynamic token. 33.如权利要求29所述的系统,其特征在于,33. 
The system of claim 29, wherein: 所述第一判断子模块,具体用于将预设的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果替换所述认证服务器中的时间因子中最低位的预设长度的数据,将替换后得到的数据作为所述动态令牌中的时间因子,判断所述动态令牌中的时间因子与所述认证服务器中的时间因子之间的时间差值是否大于所述第一偏移阈值;The first judging submodule is specifically configured to XOR the preset key information with the synchronization information acquired by the fourth acquisition module from the synchronization code, and replace the authentication server with the obtained XOR result The data of the preset length of the lowest bit in the time factor in the time factor, use the data obtained after replacement as the time factor in the dynamic token, and judge the time factor in the dynamic token and the time factor in the authentication server Whether the time difference between is greater than the first offset threshold; 所述第三判断子模块,具体用于将所述预设的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果替换所述认证服务器中的时间因子中最低位的预设长度的数据,将替换后得到的数据作为所述动态令牌中的时间因子,判断所述动态令牌中的时间因子是否大于与所述动态令牌对应的、最近一次的认证成功时间。The third judging submodule is specifically configured to XOR the preset key information and the synchronization information obtained by the fourth obtaining module from the synchronization code, and replace the obtained XOR result with the The data of the preset length of the lowest bit in the time factor in the authentication server, the data obtained after replacement is used as the time factor in the dynamic token, and it is judged whether the time factor in the dynamic token is greater than that of the dynamic token. The latest authentication success time corresponding to the card. 34.如权利要求21所述的系统,其特征在于,所述动态令牌为事件型动态令牌时,所述动态因子为事件因子,所述认证服务器中的令牌偏移量为令牌偏移次数;34. 
The system according to claim 21, wherein when the dynamic token is an event-type dynamic token, the dynamic factor is an event factor, and the token offset in the authentication server is token Offset times; 所述更新模块,具体包括:The update module specifically includes: 第二计算子模块,用于获取当前系统时间与自身保存的、与所述动态令牌对应的最近一次的同步时间之间的差值,根据所述差值和第二预设步长计算第二偏移阈值;The second calculation sub-module is used to obtain the difference between the current system time and the latest synchronization time stored by itself and corresponding to the dynamic token, and calculate the first step according to the difference and the second preset step Two offset thresholds; 第四判断子模块,用于判断所述动态令牌中的事件因子与所述认证服务器中与所述动态令牌对应的事件因子之间的次数差值是否大于所述第二计算子模块计算出的所述第二偏移阈值;The fourth judging submodule is used to judge whether the difference in the number of times between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than that calculated by the second calculation submodule The second offset threshold value obtained; 第二发送子模块,用于在所述第四判断子模块判断出所述动态令牌中的事件因子与所述认证服务器中与所述动态令牌对应的事件因子之间的次数差值大于所述第二计算子模块计算出的所述第二偏移阈值时,向所述主机发送同步失败消息;在所述第四判断子模块判断出所述动态令牌中的事件因子与所述认证服务器中与所述动态令牌对应的事件因子之间的次数差值不大于所述第二计算子模块计算出的所述第二偏移阈值时,向所述主机发送同步成功消息;The second sending submodule is used to determine that the difference in the number of times between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than or equal to When the second offset threshold calculated by the second calculating submodule, send a synchronization failure message to the host; when the fourth judging submodule judges that the event factor in the dynamic token is different from the When the number of times difference between the event factors corresponding to the dynamic token in the authentication server is not greater than the second offset threshold calculated by the second calculation submodule, send a synchronization success message 
to the host; 第二更新子模块,用于在所述第四判断子模块判断出所述动态令牌中的事件因子与所述认证服务器中与所述动态令牌对应的事件因子之间的次数差值不大于所述第二计算子模块计算出的所述第二偏移阈值时,根据所述次数差值更新自身保存的、与所述动态令牌对应的令牌偏移次数,并将所述当前系统时间保存为与所述动态令牌对应的同步时间。The second updating submodule is used to determine that the difference in the number of times between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is not the same in the fourth judging submodule When it is greater than the second offset threshold calculated by the second calculation submodule, update the number of token offsets stored by itself and corresponding to the dynamic token according to the number of times difference, and set the current The system time is saved as the synchronization time corresponding to the dynamic token. 35.如权利要求34所述的系统,其特征在于,所述更新模块,还包括:35. The system according to claim 34, wherein the updating module further comprises: 第五判断子模块,用于在所述第四判断子模块判断出所述动态令牌中的事件因子与所述认证服务器中与所述动态令牌对应的事件因子之间的次数差值大于所述第二偏移阈值之后,判断所述当前系统时间与所述动态令牌对应的最近一次的同步时间之间的差值,是否大于第三预设时长;The fifth judging submodule is used for judging in the fourth judging submodule that the difference in the number of times between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than After the second offset threshold, determine whether the difference between the current system time and the latest synchronization time corresponding to the dynamic token is greater than a third preset duration; 所述第二发送子模块,具体用于在所述第五判断子模块判断出所述当前系统时间与所述动态令牌对应的最近一次的同步时间之间的差值不大于第三预设时长时,向所述主机发送同步失败消息;The second sending submodule is specifically used to determine that the difference between the current system time and the latest synchronization time corresponding to the dynamic token is not greater than the third preset when the fifth judging submodule judges When the time is long, send a synchronization failure message to the host; 
在所述第五判断子模块判断出所述当前系统时间与所述动态令牌对应的最近一次的同步时间之间的差值大于第三预设时长时,以及,在所述第四判断子模块判断出所述动态令牌中的事件因子与所述认证服务器中与所述动态令牌对应的事件因子之间的次数差值不大于所述第二偏移阈值时,向所述主机发送同步成功消息;When the fifth judging submodule judges that the difference between the current system time and the latest synchronization time corresponding to the dynamic token is greater than the third preset duration, and, in the fourth judging submodule When the module judges that the difference in the number of times between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is not greater than the second offset threshold, it sends Sync success message; 所述第二更新子模块,还用于在所述第五判断子模块判断出所述当前系统时间与所述动态令牌对应的最近一次的同步时间之间的差值大于第三预设时长时,根据所述次数差值更新自身保存的、与所述动态令牌对应的令牌偏移次数,并将所述当前系统时间保存为与所述动态令牌对应的同步时间。The second updating submodule is further configured to determine that the difference between the current system time and the latest synchronization time corresponding to the dynamic token is greater than a third preset duration when the fifth judging submodule judges , update the token offset times stored by itself and corresponding to the dynamic token according to the difference in times, and save the current system time as the synchronization time corresponding to the dynamic token. 36.如权利要求34所述的系统,其特征在于,所述更新模块,还包括:36. 
The system according to claim 34, wherein the updating module further comprises: 第六判断子模块,用于判断所述动态令牌中的事件因子是否大于与所述动态令牌对应的、最近一次的认证成功次数;The sixth judging submodule is used to judge whether the event factor in the dynamic token is greater than the latest number of successful authentications corresponding to the dynamic token; 所述第二计算子模块,具体用于在所述第六判断子模块判断出所述动态令牌中的事件因子大于与所述动态令牌对应的、最近一次的认证成功次数时,获取当前系统时间与自身保存的、与所述动态令牌对应的最近一次的同步时间之间的差值,根据所述差值和第二预设步长计算第二偏移阈值;The second calculation submodule is specifically used to acquire the current The difference between the system time and the latest synchronization time stored by itself and corresponding to the dynamic token, and calculate the second offset threshold according to the difference and the second preset step; 所述第二发送子模块,还用于在所述第六判断子模块判断出所述动态令牌中的事件因子不大于与所述动态令牌对应的、最近一次的认证成功次数时,向所述主机发送同步失败消息。The second sending submodule is further configured to, when the sixth judging submodule judges that the event factor in the dynamic token is not greater than the latest number of successful authentications corresponding to the dynamic token, send The host sends a synchronization failure message. 37.如权利要求36所述的系统,其特征在于,37. 
The system of claim 36, wherein: 所述第四判断子模块,具体用于将所述查询模块查询到的种子密钥与预设数据进行异或,将得到的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果作为所述动态令牌中的事件因子,判断所述动态令牌中的事件因子与所述认证服务器中与所述动态令牌对应的事件因子之间的次数差值是否大于所述第二偏移阈值;The fourth judging submodule is specifically used to XOR the seed key queried by the query module with the preset data, and obtain the obtained key information and the fourth obtaining module from the synchronization code Synchronization information XOR, the XOR result obtained as the event factor in the dynamic token, judge the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server Whether the difference between the number of times is greater than the second offset threshold; 所述第六判断子模块,具体用于将所述查询模块查询到的种子密钥与所述预设数据进行异或,将得到的密钥信息与所述第四获取模块从所述同步码中获取的同步信息进行异或,将得到的异或结果作为所述动态令牌中的事件因子,判断所述动态令牌中的事件因子是否大于与所述动态令牌对应的、最近一次的认证成功次数。The sixth judging submodule is specifically used to XOR the seed key queried by the query module with the preset data, and combine the obtained key information with the synchronization code from the synchronization code obtained by the fourth acquisition module. XOR the synchronous information obtained in , use the obtained XOR result as the event factor in the dynamic token, and judge whether the event factor in the dynamic token is greater than the latest corresponding to the dynamic token The number of successful authentications. 38.如权利要求36所述的系统,其特征在于,38. 
The system of claim 36, wherein:

the fourth judging submodule is specifically configured to XOR the seed key queried by the query module with preset data, XOR the resulting key information with the synchronization information obtained by the fourth obtaining module from the synchronization code, replace the lowest-order data of preset length in the event factor corresponding to the dynamic token in the authentication server with the resulting XOR result, take the data obtained after the replacement as the event factor in the dynamic token, and judge whether the count difference between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than the second offset threshold;

the sixth judging submodule is specifically configured to XOR the seed key queried by the query module with the preset data, XOR the resulting key information with the synchronization information obtained by the fourth obtaining module from the synchronization code, replace the lowest-order data of preset length in the event factor corresponding to the dynamic token in the authentication server with the resulting XOR result, take the data obtained after the replacement as the event factor in the dynamic token, and judge whether the event factor in the dynamic token is greater than the most recent successful authentication count corresponding to the dynamic token.

39. The system of claim 36, wherein:

the fourth judging submodule is specifically configured to XOR preset key information with the synchronization information obtained by the fourth obtaining module from the synchronization code, take the resulting XOR result as the event factor in the dynamic token, and judge whether the count difference between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than the second offset threshold;

the sixth judging submodule is specifically configured to XOR the preset key information with the synchronization information obtained by the fourth obtaining module from the synchronization code, take the resulting XOR result as the event factor in the dynamic token, and judge whether the event factor in the dynamic token is greater than the most recent successful authentication count corresponding to the dynamic token.

40. The system of claim 36, wherein:

the fourth judging submodule is specifically configured to XOR preset key information with the synchronization information obtained by the fourth obtaining module from the synchronization code, replace the lowest-order data of preset length in the event factor corresponding to the dynamic token in the authentication server with the resulting XOR result, take the data obtained after the replacement as the event factor in the dynamic token, and judge whether the count difference between the event factor in the dynamic token and the event factor corresponding to the dynamic token in the authentication server is greater than the second offset threshold;

the sixth judging submodule is specifically configured to XOR the preset key information with the synchronization information obtained by the fourth obtaining module from the synchronization code, replace the lowest-order data of preset length in the event factor corresponding to the dynamic token in the authentication server with the resulting XOR result, take the data obtained after the replacement as the event factor in the dynamic token, and judge whether the event factor in the dynamic token is greater than the most recent successful authentication count corresponding to the dynamic token.
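The event-factor recovery recited in claims 38 and 40, as an added example that is not code from the patent: the server unmasks the synchronization information, splices it over the low-order bits of its own event factor, and makes the two judgments. The 16-bit preset length, truncating the key information to that width, the absolute-value difference, the token-side helper `token_sync_info` and all sample values are assumptions of this example.

```python
# Added example, not code from the patent: server-side recovery of the
# token's event factor as recited in claims 38 and 40.
LOW_BITS = 16                 # assumption: the "preset length" is 16 bits
MASK = (1 << LOW_BITS) - 1


def derive_key_info(seed_key: bytes, preset_data: bytes) -> int:
    """Claim 38: key information = seed key XOR preset data.
    Keeping only the low LOW_BITS bits is an assumption of this example."""
    mixed = bytes(a ^ b for a, b in zip(seed_key, preset_data))
    return int.from_bytes(mixed, "big") & MASK


def token_sync_info(token_counter: int, key_info: int) -> int:
    """Assumed token side: mask the low bits of its event factor."""
    return (token_counter & MASK) ^ key_info


def recover_token_counter(server_counter: int, sync_info: int, key_info: int) -> int:
    """Unmask the sync info and splice it over the server counter's low bits."""
    low = (sync_info ^ key_info) & MASK
    return (server_counter & ~MASK) | low


def judge(server_counter, sync_info, key_info, offset_threshold, last_success):
    """Return (recovered, fourth-submodule result, sixth-submodule result)."""
    recovered = recover_token_counter(server_counter, sync_info, key_info)
    # Assumption: the "count difference" is taken as an absolute value.
    exceeds_offset = abs(recovered - server_counter) > offset_threshold
    newer_than_last = recovered > last_success
    return recovered, exceeds_offset, newer_than_last


# Constructed sample values (not from the patent).
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
PRESET = bytes([0x5A]) * 16
KEY_INFO = derive_key_info(SEED, PRESET)

if __name__ == "__main__":
    # Token slightly ahead of the server, same high-order bits.
    print(judge(0x12340, token_sync_info(0x12345, KEY_INFO), KEY_INFO, 10, 0x1233F))
    # Token's low bits have rolled over: the splice lands below the server value.
    print(judge(0x1FFFE, token_sync_info(0x20003, KEY_INFO), KEY_INFO, 10, 0x1FFFD))
```

In the second case the token's low-order bits have rolled over, so the spliced value falls below the server's event factor: the difference exceeds the threshold and the value is not greater than the last successful count.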
CN201410131504.7A 2014-04-02 2014-04-02 Dynamic token synchronizing method and system Expired - Fee Related CN103888470B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410131504.7A CN103888470B (en) 2014-04-02 2014-04-02 Dynamic token synchronizing method and system

Publications (2)

Publication Number Publication Date
CN103888470A CN103888470A (en) 2014-06-25
CN103888470B true CN103888470B (en) 2017-01-25

Family

ID=50957190

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410131504.7A Expired - Fee Related CN103888470B (en) 2014-04-02 2014-04-02 Dynamic token synchronizing method and system

Country Status (1)

Country Link
CN (1) CN103888470B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104104687B (en) * 2014-07-28 2017-02-22 飞天诚信科技股份有限公司 Safe login method and system
CN104184590B (en) * 2014-09-01 2017-06-06 飞天诚信科技股份有限公司 A kind of method and apparatus for activating dynamic token
CN104980449B (en) * 2015-08-03 2018-05-08 上海携程商务有限公司 The safety certifying method and system of network request
CN107770126A (en) * 2016-08-16 2018-03-06 国民技术股份有限公司 Personal identification method, system and dynamic token, mobile terminal, gateway device
CN109120396B (en) * 2018-07-10 2021-11-26 成都安恒信息技术有限公司 Use method of data encryption and decryption system based on challenge response code
CN113132113B (en) * 2021-04-06 2022-07-01 鼎铉商用密码测评技术(深圳)有限公司 Method, system and equipment for verifying correctness of dynamic token

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4885778A (en) * 1984-11-30 1989-12-05 Weiss Kenneth P Method and apparatus for synchronizing generation of separate, free running, time dependent equipment
KR100187445B1 (en) * 1996-06-05 1999-04-15 김광호 Method and apparatus of rinsing wafer
CN101783731B (en) * 2009-12-28 2012-05-23 飞天诚信科技股份有限公司 Display method of dynamic password and dynamic token
CN102594803B (en) * 2012-01-18 2016-03-23 深圳市文鼎创数据科技有限公司 Information safety devices and server time synchronous method
CN102684881B (en) * 2012-05-03 2016-05-25 飞天诚信科技股份有限公司 A kind of authentication method of dynamic password and device
CN103441856A (en) * 2013-09-06 2013-12-11 北京握奇智能科技有限公司 Dynamic password authentication method and device

Also Published As

Publication number Publication date
CN103888470A (en) 2014-06-25

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170125