
CN107911343A - Secure password storage and verification method and device - Google Patents

Info

Publication number: CN107911343A
Authority: CN (China)
Prior art keywords: password, client, server end, hash value, user
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201711031339.8A
Other languages: Chinese (zh)
Other versions: CN107911343B (en)
Inventor: 高安存
Current Assignee: Shenzhen Infinova Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Shenzhen Infinova Ltd
Application filed by Shenzhen Infinova Ltd; priority to CN201711031339.8A; published as CN107911343A; application granted and published as CN107911343B. Current legal status: Active.

Classifications

    • H04L63/06 Network architectures or network communication protocols for network security, for supporting key management in a packet data network
    • H04L9/0643 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols: hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/0894 Key distribution or management: escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/3213 Means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L9/3236 Means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a secure password storage and verification method and device. For password storage, a Salt is added to the password, the salted password is hashed with a hash algorithm, and the resulting hash value is stored at the server end. When a user logs in to the server for password verification, the server end generates a token and, using the token as a key, applies a second (keyed) hash both to the hash value stored at the server end and to the hash value computed by the user at login; the two results are then compared. The invention improves the security of user passwords during storage and verification.

Description

Secure password storage and verification method and device
Technical field
The present invention relates to the field of network security, and in particular to a secure password storage and verification method and device.
Background technology
The password attacks commonly seen today in password storage and login verification scenarios are mainly the following.
Dictionary and brute force attacks (Dictionary and Brute Force Attacks):
The most common way to crack a hash is to guess the password: each candidate password is hashed and the result is compared with the hash to be cracked; if the two values are equal, the guessed password is the plaintext password. The two usual ways of guessing are the dictionary attack and the brute force attack. A dictionary attack puts common passwords, words, phrases and other strings likely to be used as passwords into a file, hashes each entry, and compares the hashes with the password hash to be cracked. Its success rate depends on the size of the dictionary and on how well it fits the target. This attack is useless against random, complex passwords.
Lookup tables (Lookup Tables):
For a specific hash type, lookup tables are a very efficient and fast way to crack a large number of hashes. The idea is to pre-compute the hash of every password in a password dictionary and store each hash together with its password in a table. This attack is useless against random, complex passwords.
Reverse lookup tables (Reverse Lookup Tables):
This method lets an attacker run a dictionary or brute force attack against a large number of hashes at the same time without pre-computing a lookup table. First, from the database data obtained, the attacker builds a table of user names and their corresponding hashes. Then each common dictionary password is hashed and compared with the hashes in this table, which reveals which users have used that password. This attack is very effective because, under normal conditions, many users share the same password. It is useless against random, complex passwords.
Rainbow tables (Rainbow Tables):
A rainbow table stores "hash chains".
Suppose we have a hash function H and a password P. The traditional approach exhausts the outputs H(X) and searches for H(X[y]) == H(P), which gives P == X[y].
The "hash chains" in a rainbow table exist to reduce the space the traditional method requires. First a reduction function R is defined, which transforms a hash value into another character string. By alternately applying H and R, a chain of alternating passwords and hash values is formed. For example, assuming that passwords are 6 lowercase letters and that hash values are 32 bits long, a chain might look like this:
aaaaaa-H->281DAF40-R->sgfnyd-H->920ECF10-R->kiebgt
To generate a table, a set of random initial passwords is chosen, a chain of fixed length K is computed from each, and only the first and last password of each chain are stored. The first password is called the start point and the last the end point. In the chain above, "aaaaaa" is the start point and "kiebgt" is the end point; the other passwords (and hash values) are not saved.
Given a hash value h that we want to invert (find the corresponding password), we compute a chain starting from h: apply R, then H, then R, and so on. If at any point in this computation (after each application of R) the value matches an end point in the generated table, we retrieve the corresponding start point and recompute the chain from it. With high probability this chain contains the value h, and if it does, the value immediately preceding h in the chain is the password p we are looking for.
For example, given the hash value 920ECF10, we start computing the chain by applying R:
920ECF10-R->kiebgt
Since kiebgt is one of our end points, we look up its start point aaaaaa and recompute the chain from it until 920ECF10 is found:
aaaaaa-H->281DAF40-R->sgfnyd-H->920ECF10
Therefore the password is "sgfnyd".
Note that the recomputed chain need not contain the hash value h, because the chain started from h may merge with the chain of some start point. For example, for the hash value FB107E70, computing its chain downward also reaches kiebgt, although the chain from aaaaaa never contains FB107E70:
FB107E70-R->bvtdll-H->0EE80890-R->kiebgt
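The following Python is an added illustration of the chain construction and lookup just described; it is not code from the patent. It builds a small table of hash chains over a toy password space and inverts a hash by walking R, H, R, ... until a stored end point appears, then replaying that chain. Assumptions chosen so that it runs in a few seconds: passwords are 3 lowercase letters, H is the first 32 bits of SHA-256, R is a modular reduction of the hash value into the password space, and K is 50. The table uses a single reduction function R for every column, exactly as the chain shown above does; a hit on an end point can therefore be a false alarm of the FB107E70 kind, which lookup() handles by continuing the walk when the replayed chain does not contain h.

```python
import hashlib
import random
import string

# Toy parameters (assumptions for this example): 3-letter lowercase passwords and a
# 32-bit hash keep the table small enough to build in a few seconds.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN   # 17,576 possible passwords
CHAIN_LEN = 50                    # K: number of H/R steps per chain


def H(password: str) -> int:
    """Hash function H: first 32 bits of SHA-256, as an integer."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest()[:4], "big")


def R(h: int) -> str:
    """Reduction function R: map a hash value to *some* password in the space.
    It is not an inverse of H; it only has to land inside the password space."""
    n = h % SPACE
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def build_table(n_chains: int, seed: int = 0) -> dict:
    """Compute n_chains chains of length CHAIN_LEN from random start points and keep
    only end point -> start point. Chains that merge share an end point; the first
    chain to reach it is the one kept."""
    rng = random.Random(seed)
    table = {}
    for _ in range(n_chains):
        start = "".join(rng.choice(ALPHABET) for _ in range(PW_LEN))
        p = start
        for _ in range(CHAIN_LEN):
            p = R(H(p))
        table.setdefault(p, start)
    return table


def replay(start: str, h: int):
    """Walk the chain from start and return the password whose hash is h, if any."""
    q = start
    for _ in range(CHAIN_LEN):
        if H(q) == h:
            return q
        q = R(H(q))
    return None


def lookup(table: dict, h: int):
    """Invert h: apply R, then H, R, ... until a stored end point appears, then replay
    that chain from its start point. The end-point hit can be a false alarm (the walk
    from h merged into a chain that never contained h), so the walk continues when
    the replay does not find h."""
    p = R(h)
    for _ in range(CHAIN_LEN):
        if p in table:
            found = replay(table[p], h)
            if found is not None:
                return found
        p = R(H(p))
    return None


def demo(seed: int = 0):
    """Build a table, pick the password 10 steps into a stored chain, and recover a
    preimage of its hash using only the (end, start) pairs."""
    table = build_table(2000, seed)
    start = next(iter(table.values()))   # start point of the first stored chain
    p = start
    for _ in range(10):
        p = R(H(p))
    h = H(p)
    return p, h, lookup(table, h), len(table)


if __name__ == "__main__":
    p, h, found, size = demo()
    print(f"table stores {size} (end, start) pairs covering up to {size * CHAIN_LEN} passwords")
    print(f"target {p} with hash {h:08X} -> recovered {found}")
```

The table holds at most 2000 pairs yet can answer for up to 2000 x 50 passwords, which is the space-for-time trade the text describes; the price is the extra hashing done during lookup and the merges that make some hits false alarms.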
Network monitoring:
This is not an attack on password storage, but it is the most effective means of obtaining user passwords. If a network card is set to "promiscuous" mode it can receive the messages sent and received by all hosts on the local network, and once control of a router has been obtained, all data passing through that router can be captured. If the user's password is sent to the server end in plaintext for verification, the real password is obtained very easily. Even if the client sends only the HASH of the user's password to the server end for verification, that hash value can still be captured; the attacker then only needs to imitate the client's behaviour and send it in a request to the server to obtain all of the user's permissions.
At present, the existing password storage and verification scheme computes an MD5 digest of the user's password and stores the resulting "digest information" in a database. When logging in, each user sends the user name and password to the server end in plaintext; the server end queries the database by user name for the password's "digest information", computes MD5 of the plaintext password and compares it with the stored "digest information". If they match, login succeeds; if not, the user is told that the password is wrong.
Using a rainbow table, the above scheme is easily cracked, and the plaintext password is easily obtained by network monitoring; the existing password storage and verification scheme cannot resist common password attacks. A more secure scheme that is also easy to implement is therefore needed.
Summary of the invention
The technical problem to be solved by the present invention is to provide a more secure password storage and verification method that resists common password attacks.
To solve the above technical problem, the technical solution adopted by the present invention is a secure password storage and verification method comprising a password storage flow and a password verification flow, the password storage flow comprising:
S10) the client obtains the user name and password of the user;
S11) the client obtains a Salt from the server end;
S12) the client adds the Salt to the user's password;
S13) the client computes the hash value password of the salted password with a hash algorithm;
S14) the client stores the user name, the Salt and the hash value password to the server end;
The password verification flow comprises:
S20) the client obtains the session token of the server end and the Salt stored for the user's user name, computes the hash value password from the password with the Salt added, then, using the token as the key, computes the secondary hash value password with hmac_sha256_hex and sends the secondary hash value password to the server end;
S30) the server end receives the user name and the secondary hash value password sent by the client; using the token of the session with the client as the key, the server end computes its own secondary hash value password with hmac_sha256_hex from the hash value password stored at the server end for the user name sent by the client; the server end then compares the client's secondary hash value password with the server end's secondary hash value password and feeds the verification result back to the client.
Preferably, step S20 specifically comprises:
S21) the client obtains the user name and password of the user;
S22) the client sends the user's user name to the server end;
S23) the server end generates a unique token for this session;
S24) the server end sends the token, together with the Salt stored at the server end for the user's user name, to the client;
S25) the client computes the hash value password from the user's password with the Salt added;
S26) the client concatenates the hash value password and the user name;
S27) the client, using the token as the key, computes the secondary hash value password with hmac_sha256_hex;
S28) the client sends the secondary hash value password to the server end.
Preferably, step S30 specifically comprises:
S31) the server end receives the user name and the secondary hash value password sent by the client;
S32) the server end queries, by user name, the hash value password stored at the server end for that user name;
S33) the server end concatenates the hash value password and the user name;
S34) the server end, using the unique token generated for this session with the client as the key, computes the secondary hash value password from the hash value password stored at the server end with hmac_sha256_hex;
S35) the server end compares the client's secondary hash value password with the server end's secondary hash value password;
S36) the server end sends the verification result to the client:
if the passwords match, verification passes;
if the passwords do not match, verification fails.
Preferably, the secure password storage and verification method further comprises a password modification flow, comprising:
S41) the client obtains the user name and new password of the user;
S42) the client obtains a new Salt from the server end;
S43) the client adds the new Salt to the user's new password;
S44) the client computes the new hash value password with the hash algorithm;
S45) the client stores the user name, the new Salt and the new hash value password to the server end.
A secure password storage and verification device, characterised in that it comprises a password storage module and a password verification module, wherein the password storage module comprises:
a login information acquiring unit, for the client to obtain the user name and password of the user, then passing to the Salt acquiring unit;
a Salt acquiring unit, for the client to obtain a Salt from the server end, then passing to the Salt adding unit;
a Salt adding unit, for the client to add the Salt to the user's password, then passing to the client encryption unit;
a client encryption unit, for the client to compute the hash value password of the salted password with a hash algorithm, then passing to the storage unit;
a storage unit, for the client to store the user name, the Salt and the hash value password to the server end;
The password verification module comprises:
a client encryption submodule, for the client to obtain the session token of the server end and the Salt stored for the user's user name, compute the hash value password from the password with the Salt added, then, using the token as the key, compute the secondary hash value password with hmac_sha256_hex and send it to the server end, then passing to the server end encryption and verification submodule;
a server end encryption and verification submodule, for the server end to receive the user name and secondary hash value password sent by the client, compute, using the token of the session with the client as the key, a secondary hash value password with hmac_sha256_hex from the hash value password stored at the server end for that user name, compare the client's secondary hash value password with the server end's secondary hash value password, and feed the verification result back to the client.
Preferably, the client encryption submodule comprises:
a login information acquiring unit, for the client to obtain the user name and password of the user, then passing to the information sending unit;
an information sending unit, for the client to send the user's user name to the server end, then passing to the token generation unit;
a token generation unit, for the server end to generate a unique token for this session, then passing to the server end sending unit;
a server end sending unit, for the server end to send the token, together with the Salt stored at the server end for the user's user name, to the client, then passing to the verification encryption unit;
a verification encryption unit, for the client to compute the hash value password from the user's password with the Salt added, then passing to the client concatenation unit;
a client concatenation unit, for the client to concatenate the hash value password and the user name, then passing to the client secondary encryption unit;
a client secondary encryption unit, for the client, using the token as the key, to compute the secondary hash value password with hmac_sha256_hex, then passing to the password sending unit;
a password sending unit, for the client to send the secondary hash value password to the server end.
Preferably, the server end encryption and verification submodule comprises:
a server end receiving unit, for the server end to receive the user name and secondary hash value password sent by the client, then passing to the query unit;
a query unit, for the server end to query, by user name, the hash value password stored at the server end for that user name, then passing to the server end concatenation unit;
a server end concatenation unit, for the server end to concatenate the hash value password and the user name, then passing to the server end secondary encryption unit;
a server end secondary encryption unit, for the server end, using the unique token generated for this session with the client as the key, to compute the secondary hash value password from the hash value password stored at the server end with hmac_sha256_hex, then passing to the verification unit;
a verification unit, for the server end to compare the client's secondary hash value password with the server end's secondary hash value password, then passing to the verification result feedback unit;
a verification result feedback unit, for the server end to send the verification result to the client:
if the passwords match, verification passes;
if the passwords do not match, verification fails.
Preferably, the secure password storage and verification device further comprises a password modification module, comprising:
a new information acquiring unit, for the client to obtain the user name and new password of the user, then passing to the new Salt acquiring unit;
a new Salt acquiring unit, for the client to obtain a new Salt from the server end, then passing to the new Salt adding unit;
a new Salt adding unit, for the client to add the new Salt to the user's new password, then passing to the new encryption unit;
a new encryption unit, for the client to compute the new hash value password with the hash algorithm, then passing to the new storage unit;
a new storage unit, for the client to store the user name, the new Salt and the new hash value password to the server end.
In the secure password storage and verification method and device of the present invention, during password storage a Salt is added to the password, the salted password is hashed with a hash algorithm, and the hash value is stored to the server end, which increases the difficulty of cracking the password. When the user logs in to the server for password verification, the server generates a token and, using the token as the key, applies a second keyed hash both to the hash value stored at the server end and to the hash value computed by the user at login, and then compares the two, which further increases the security of the password. The scheme makes user passwords safer during storage and verification.
Brief description of the drawings
The specific structure of the present invention is described in detail below with reference to the accompanying drawings.
Fig. 1 is the password storage diagram of the present invention;
Fig. 2 is the user verification diagram of the present invention;
Fig. 3 is the password modification diagram of the present invention.
Detailed description of the embodiments
In order to describe the technical content, structural features, objects and effects of the present invention in detail, the following explanation is given with reference to embodiments and the accompanying drawings.
A secure password storage and verification method comprises a password storage flow and a password verification flow, the password storage flow comprising:
S10) the client obtains the user name and password of the user;
S11) the client obtains a Salt from the server end;
S12) the client adds the Salt to the user's password;
S13) the client computes the hash value password of the salted password with a hash algorithm;
S14) the client stores the user name, the Salt and the hash value password to the server end;
The password verification flow comprises:
S20) the client obtains the session token of the server end and the Salt stored for the user's user name, computes the hash value password from the password with the Salt added, then, using the token as the key, computes the secondary hash value password with hmac_sha256_hex and sends the secondary hash value password to the server end;
S30) the server end receives the user name and the secondary hash value password sent by the client; using the token of the session with the client as the key, the server end computes its own secondary hash value password with hmac_sha256_hex from the hash value password stored at the server end for the user name sent by the client; the server end then compares the client's secondary hash value password with the server end's secondary hash value password and feeds the verification result back to the client.
The present invention provides a secure password storage and verification method. During password storage a Salt is added to the user's password, the salted password is hashed with a hash algorithm, and the hash value is stored to the server end; the value stored at the server end is therefore a hash of the password with a random string added, which increases the difficulty of cracking the password. When the user logs in to the server for password verification, the server generates a token and, using the token as the key, applies a second keyed hash both to the hash value stored at the server end and to the hash value computed by the user at login, and then compares the two, which further increases the security of the password. The scheme makes user passwords safer during storage and verification.
Embodiment one:
Preferably, step S20 specifically comprises:
S21) the client obtains the user name and password of the user;
S22) the client sends the user's user name to the server end;
S23) the server end generates a unique token for this session;
S24) the server end sends the token, together with the Salt stored at the server end for the user's user name, to the client;
S25) the client computes the hash value password from the user's password with the Salt added;
S26) the client concatenates the hash value password and the user name;
S27) the client, using the token as the key, computes the secondary hash value password with hmac_sha256_hex;
S28) the client sends the secondary hash value password to the server end.
In this embodiment, the client obtains the user name and password and sends the user name to the server end; the server end generates a token and sends it to the client. The token is valid only for the current dialogue and becomes invalid as soon as the dialogue between the client and the server end ends. The client concatenates the user name to the hashed user password and performs a second keyed hash with the token as a parameter; the doubly hashed password is harder to crack, which ensures the security of the password.
Embodiment two:
Preferably, step S30 specifically comprises:
S31) the server end receives the user name and the secondary hash value password sent by the client;
S32) the server end queries, by user name, the hash value password stored at the server end for that user name;
S33) the server end concatenates the hash value password and the user name;
S34) the server end, using the unique token generated for this session with the client as the key, computes the secondary hash value password from the hash value password stored at the server end with hmac_sha256_hex;
S35) the server end compares the client's secondary hash value password with the server end's secondary hash value password;
S36) the server end sends the verification result to the client:
if the passwords match, verification passes;
if the passwords do not match, verification fails.
In this embodiment, the server end receives the client's doubly hashed hash value password, applies the second keyed hash to the user password hash stored at the server, and compares the result with the client's doubly hashed password. Because hashed passwords are compared only after a second keyed hash, the security of the password is effectively ensured; the second hash uses the session token as its key and is valid only for this verification, which improves the security of the password verification process.
Embodiment three:
Preferably, the secure password storage and verification method further comprises a password modification flow, comprising:
S41) the client obtains the user name and new password of the user;
S42) the client obtains a new Salt from the server end;
S43) the client adds the new Salt to the user's new password;
S44) the client computes the new hash value password with the hash algorithm;
S45) the client stores the user name, the new Salt and the new hash value password to the server end.
In this embodiment, when the password is modified the client obtains a new Salt. Since the Salt is generated randomly by the server end, it is not easily leaked. The new password with the Salt added is hashed with the hash algorithm and stored to the server end, which updates the user's password; the old password stored at the server end is overwritten and becomes invalid.
Embodiment four:
With reference to Fig. 1, when a user registers an account and enters the user name and password, the server end first randomly generates a Salt; the salt is added to the password psw to obtain psw_salt, the hash value password p_hash is computed with the hash algorithm sha256, and the user name name, the salt and the hash value password p_hash are stored to the server end.
With reference to Fig. 2, when the user logs in, the client sends the current user name to the server end to query its salt value; the server end generates a token and sends it back to the client together with the salt found for the queried user name. The client adds the salt to the user password psw to obtain psw_salt and computes the hash value password p_hash with the hash algorithm sha256; the client then computes hmac_sha256 over p_hash with the token as the key to obtain the secondary encrypted password password, and sends the user name name and password to the server end. The server end queries its stored p_hash value by name, computes hmac_sha256 over that p_hash with the token as the key to obtain the secondary encrypted password password_, and compares password with password_ to obtain the verification result.
With reference to Fig. 3, when the password is modified the client obtains a new salt from the server end, adds the new salt to the new password psw to obtain psw_salt, computes sha256 over psw_salt to obtain p_hash, and sends name, the new salt and p_hash together to the server end; the server updates the salt and p_hash of the current user.
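The following Python is an added, runnable model of the storage flow (S10-S14), the verification flow (S21-S36) and the modification flow (S41-S45) as described above and in Figs. 1-3; it is not code from the patent. The client and server are in-process objects that exchange the same values the flows name (name, salt, token, p_hash, password, password_). Assumptions made here because the description does not fix them: "adding the Salt" is the concatenation psw + salt; "concatenating the hash value password and the user name" is p_hash + name; hmac_sha256_hex is HMAC-SHA256 keyed with the token with hexadecimal output; salt and token are random hex strings from the secrets module; and the server discards a token after one verification, which is what makes the token "valid only for this verification" and stops a captured secondary hash value from being replayed. One point a practitioner should keep in view follows directly from the flows: the client proves knowledge of p_hash, not of psw, so the stored p_hash must be protected as a credential in its own right.

```python
import hashlib
import hmac
import secrets


def hash_password(psw: str, salt: str) -> str:
    """S12/S13: p_hash = sha256(psw_salt) with psw_salt = psw + salt.
    Concatenation is an assumption; the description only says the Salt is 'added'."""
    return hashlib.sha256((psw + salt).encode()).hexdigest()


def hmac_sha256_hex(key: str, msg: str) -> str:
    """hmac_sha256_hex as named in the steps: HMAC-SHA256 keyed with the session token, hex output."""
    return hmac.new(key.encode(), msg.encode(), hashlib.sha256).hexdigest()


class Server:
    """Server end: stores name -> (salt, p_hash) and issues one token per login session."""

    def __init__(self):
        self.users = {}     # name -> {"salt": str, "p_hash": str}
        self.sessions = {}  # name -> token of the verification in progress

    def new_salt(self) -> str:
        """S11/S42: the Salt is generated randomly at the server end."""
        return secrets.token_hex(16)

    def store(self, name: str, salt: str, p_hash: str) -> None:
        """S14/S45: store name, salt and p_hash; an existing record is overwritten (Embodiment three)."""
        self.users[name] = {"salt": salt, "p_hash": p_hash}

    def begin_login(self, name: str):
        """S22-S24: on receiving the user name, generate a unique token for this session
        and return it together with the salt stored for that user."""
        if name not in self.users:
            return None
        token = secrets.token_hex(32)
        self.sessions[name] = token
        return token, self.users[name]["salt"]

    def verify(self, name: str, password: str) -> bool:
        """S31-S36: recompute the secondary hash over the stored p_hash with the session
        token as key and compare. The token is consumed here, so it serves this
        verification only (assumption): a captured `password` cannot be replayed."""
        token = self.sessions.pop(name, None)
        if token is None or name not in self.users:
            return False
        p_hash = self.users[name]["p_hash"]
        password_ = hmac_sha256_hex(token, p_hash + name)      # S33/S34
        # constant-time comparison (added practice, not stated in the description)
        return hmac.compare_digest(password_.encode(), password.encode())


class Client:
    """Client: never sends psw; sends p_hash at registration and HMAC(token, p_hash + name) at login."""

    def __init__(self, server: Server):
        self.server = server

    def register(self, name: str, psw: str) -> None:
        """S10-S14: obtain a Salt from the server, salt and hash the password, store the result."""
        salt = self.server.new_salt()
        self.server.store(name, salt, hash_password(psw, salt))

    def login(self, name: str, psw: str) -> bool:
        """S21-S28: obtain token and salt, recompute p_hash, send the secondary hash value password."""
        resp = self.server.begin_login(name)
        if resp is None:
            return False
        token, salt = resp
        p_hash = hash_password(psw, salt)
        password = hmac_sha256_hex(token, p_hash + name)       # S26/S27
        return self.server.verify(name, password)

    def change_password(self, name: str, new_psw: str) -> None:
        """S41-S45: new Salt, new p_hash, overwrite the stored record."""
        new_salt = self.server.new_salt()
        self.server.store(name, new_salt, hash_password(new_psw, new_salt))


if __name__ == "__main__":
    server = Server()
    client = Client(server)
    client.register("name", "psw")           # constructed sample user
    print("correct password:", client.login("name", "psw"))
    print("wrong password:  ", client.login("name", "not psw"))
    client.change_password("name", "psw2")
    print("old password:    ", client.login("name", "psw"))
    print("new password:    ", client.login("name", "psw2"))
```

Run as a script, the model prints True, False, False, True for the four logins. Because the server pops the token before comparing, a second verify() call with the same name and the same captured secondary hash value returns False, which is the property Embodiment two relies on when it says the second hash is valid for this verification only.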
A secure password storage and verification device, characterised in that it includes a password storage module and a password verification module, wherein the password storage module includes:
a login information acquisition unit, for the client to obtain the user's user name and password, then proceed to the Salt acquisition unit;
a Salt acquisition unit, for the client to obtain a Salt from the server, then proceed to the Salt adding unit;
a Salt adding unit, for the client to add the Salt to the user's password, then proceed to the client encryption unit;
a client encryption unit, for the client to compute the hash value password from the salted password with a hash algorithm, then proceed to the storage unit;
a storage unit, for the client to store the user name, Salt and hash value password to the server;
The password verification module includes:
a client encryption submodule, for the client to obtain the server's session token and the Salt stored for the user's user name, add the Salt to the user's password and compute the hash value password, then compute the secondary hash value password with hmac_sha256_hex using the token as key, send the secondary hash value password to the server, and proceed to the server encryption verification submodule;
a server encryption verification submodule, for the server to receive the user name and secondary hash value password sent from the client, compute the secondary hash value password with hmac_sha256_hex over the hash value password stored at the server for that user name using the token of the session with the client as key, compare the client's secondary hash value password with the server's, and feed the verification result back to the client.
During password storage, the Salt adding unit adds a Salt to the user password, the encryption unit hashes the salted password, and the storage unit stores the hash value to the server. Compared with storing the password itself, this reduces the risk of the password being stolen. When the user logs in to the server for password verification, the server generates a token and, using the token as key, both the hash value stored at the server and the hash value computed by the user at login are encrypted a second time before they are compared. Since the token is valid only for this one verification, the security of the verification process is further increased. This scheme makes the user password safer both in storage and in verification.
Embodiment five:
Preferably, the client encryption submodule includes:
a login information acquisition unit, for the client to obtain the user's user name and password, then proceed to the information sending unit;
an information sending unit, for the client to send the user's user name to the server, then proceed to the token generation unit;
a token generation unit, for the server to generate a token unique to this session, then proceed to the server sending unit;
a server sending unit, for the server to send the token, together with the Salt stored at the server for the user's user name, to the client, then proceed to the verification encryption unit;
a verification encryption unit, for the client to add the Salt to the user's password and compute the hash value password, then proceed to the client concatenation unit;
a client concatenation unit, for the client to concatenate the hash value password and the user name, then proceed to the client secondary encryption unit;
a client secondary encryption unit, for the client to compute the secondary hash value password with hmac_sha256_hex using the token as key, then proceed to the password sending unit;
a password sending unit, for the client to send the secondary hash value password to the server.
In the present embodiment, the client sends the obtained user name to the server, the server's token generation unit generates a token, and the server sending unit sends the token to the client; the client secondary encryption unit encrypts the user password a second time, and the secondary encrypted password is harder to crack, which ensures the security of the password.
Embodiment six:
Preferably, the server encryption verification submodule includes:
a server receiving unit, for the server to receive the user name and secondary hash value password sent by the client, then proceed to the query unit;
a query unit, for the server to look up, by user name, the hash value password stored at the server for that user name, then proceed to the server concatenation unit;
a server concatenation unit, for the server to concatenate the hash value password and the user name, then proceed to the server secondary encryption unit;
a server secondary encryption unit, for the server to compute the secondary hash value password with hmac_sha256_hex over the hash value password stored at the server, using the unique token generated for this session with the client as key, then proceed to the verification unit;
a verification unit, for the server to compare the client's secondary hash value password with the server's secondary hash value password, then proceed to the verification result feedback unit;
a verification result feedback unit, for the server to send the verification result to the client;
if the passwords are consistent, verification passes;
if the passwords are inconsistent, verification fails.
In the present embodiment, the server secondary encryption unit encrypts the hash value password stored at the server a second time, and the verification unit compares the client's secondary encrypted hash value password with the server's secondary encrypted hash value password and feeds the verification result back to the client. Encrypting the password a second time during verification protects the password and can resist the usual attacks on password verification.
Embodiment seven:
Preferably, the secure password storage and verification device further includes a password modification module, including:
a new information acquisition unit, for the client to obtain the user's user name and new password, then proceed to the new Salt acquisition unit;
a new Salt acquisition unit, for the client to obtain a new Salt from the server, then proceed to the new Salt adding unit;
a new Salt adding unit, for the client to add the new Salt to the user's new password, then proceed to the new encryption unit;
a new encryption unit, for the client to compute the new hash value password with the hash algorithm, then proceed to the new storage unit;
a new storage unit, for the client to store the user name, new Salt and new hash value password to the server.
In the present embodiment, when the password is changed, the client's information acquisition unit obtains a new Salt; the Salt is generated randomly at the server and is not easily leaked. The new Salt is added to the new password, the encryption unit encrypts it, and the result is stored to the server, which updates the user's password; the old Salt and password stored at the server become invalid.
In summary: the present invention provides a secure password storage and verification method and device. During password storage, a Salt is added to the user password, the password is encrypted with a hash algorithm, and the hash value is stored to the server. The Salt is generated randomly and is not easily leaked, which increases the difficulty of cracking the password. When the user logs in to the server for password verification, the server generates a token and, using the token as key, both the hash value stored at the server and the hash value computed by the user at login are encrypted a second time before being compared; after each verification completes, the token becomes invalid, which improves the security of the verification process. When the password is changed, the server regenerates a new Salt, the new password is encrypted with it, and the old Salt becomes invalid; this ensures the security of the password and makes it safer in storage and verification.
The foregoing is merely an embodiment of the present invention and is not intended to limit the scope of the invention; any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, used directly or indirectly in other related technical fields, falls within the scope of protection of the present invention.
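The storage flow (S10 to S14), the login verification flow of figure 2 and embodiments five and six, and the password modification flow of figure 3 and embodiment seven, worked end to end as one runnable Python module. This is an added example and not the patent's own code. Details the text leaves open are chosen here and labelled as assumptions in the comments: the Salt is appended after the password (psw || salt), the hash value password and user name are concatenated as p_hash || name before the HMAC (the concatenation of claims 2 and 3), the Salt and the token are 16 random bytes rendered as hex, the server discards a token as soon as one verification has consumed it, and in-memory dictionaries stand in for the server's storage. The user names and passwords in the demo are constructed sample data.

```python
"""Salted SHA-256 storage with token-keyed HMAC-SHA256 verification, as described above.

Added example, not the patent's own code.  Assumptions not fixed by the text:
the Salt is appended after the password, p_hash and the user name are
concatenated as p_hash || name before the HMAC, Salt and token are 16 random
bytes rendered as hex, and a token is discarded after one verification.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


def sha256_hex(data: str) -> str:
    """Hash algorithm of S13: SHA-256, hex encoded."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def hmac_sha256_hex(key: str, data: str) -> str:
    """hmac_sha256_hex of S20 / S30: HMAC-SHA256 keyed with the token, hex encoded."""
    return hmac.new(key.encode("utf-8"), data.encode("utf-8"), hashlib.sha256).hexdigest()


class Server:
    """Server end: holds (Salt, p_hash) per user name and one outstanding token per login."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[str, str]] = {}   # name -> (salt, p_hash)
        self.tokens: dict[str, str] = {}               # name -> token of the current session

    def new_salt(self) -> str:
        """S11 / S42: the Salt is generated randomly at the server (assumed 16 bytes)."""
        return secrets.token_hex(16)

    def store(self, name: str, salt: str, p_hash: str) -> None:
        """S14 / S45: only the client-computed hash value password is stored.
        On a password change the old Salt and p_hash are overwritten and so become invalid."""
        self.users[name] = (salt, p_hash)

    def begin_login(self, name: str) -> tuple[str, str] | None:
        """S23 / S24: generate a token unique to this session and return it with the user's Salt."""
        if name not in self.users:
            return None
        token = secrets.token_hex(16)
        self.tokens[name] = token
        return token, self.users[name][0]

    def verify(self, name: str, client_secondary: str) -> bool:
        """S31 to S36: recompute the secondary hash over the stored p_hash with this
        session's token and compare.  The token is removed first, so a captured
        secondary hash cannot be replayed once the verification has completed."""
        token = self.tokens.pop(name, None)
        if token is None:
            return False
        _, p_hash = self.users[name]
        server_secondary = hmac_sha256_hex(token, p_hash + name)       # S33 / S34
        return hmac.compare_digest(client_secondary, server_secondary)  # S35


def client_p_hash(password: str, salt: str) -> str:
    """S12 / S13: psw_salt = psw || salt (order assumed), p_hash = sha256(psw_salt)."""
    return sha256_hex(password + salt)


def client_register(server: Server, name: str, password: str) -> None:
    """Password storage flow S10 to S14."""
    salt = server.new_salt()                                           # S11
    server.store(name, salt, client_p_hash(password, salt))            # S14


def client_login(server: Server, name: str, password: str) -> bool:
    """Password verification flow S21 to S28, followed by the server's S30."""
    issued = server.begin_login(name)                                  # S22 to S24
    if issued is None:
        return False
    token, salt = issued
    p_hash = client_p_hash(password, salt)                             # S25
    secondary = hmac_sha256_hex(token, p_hash + name)                  # S26 / S27
    return server.verify(name, secondary)                              # S28 -> S30


def client_change_password(server: Server, name: str, new_password: str) -> None:
    """Password modification flow S41 to S45.  The description does not say how this
    request is itself authorised; a deployment would require a verified session first."""
    new_salt = server.new_salt()                                       # S42
    server.store(name, new_salt, client_p_hash(new_password, new_salt))  # S43 to S45


if __name__ == "__main__":
    # Constructed sample data, not from the patent.
    srv = Server()
    client_register(srv, "alice", "correct horse battery staple")
    print("login ok:", client_login(srv, "alice", "correct horse battery staple"))          # True
    print("wrong password:", client_login(srv, "alice", "Tr0ub4dor&3"))                     # False
    client_change_password(srv, "alice", "new passphrase")
    print("old password after change:", client_login(srv, "alice", "correct horse battery staple"))  # False
    print("new password after change:", client_login(srv, "alice", "new passphrase"))       # True
```

The example uses SHA-256 because that is the hash algorithm the description names; the page says nothing about iteration counts or memory-hard functions, so none are added here. Two points the text does not fix, and which the example therefore only assumes, are the byte order of the two concatenations and how a password-change request is authorised before the server overwrites the stored Salt and hash.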

Claims (8)

  1. A secure password storage and verification method, characterised in that it includes a password storage flow and a password verification flow, the password storage flow including:
    S10) the client obtains the user's user name and password;
    S11) the client obtains a Salt from the server;
    S12) the client adds the Salt to the user's password;
    S13) the client computes the hash value password from the salted password with a hash algorithm;
    S14) the client stores the user name, Salt and hash value password to the server;
    the password verification flow including:
    S20) the client obtains the server's session token and the Salt stored for the user's user name, adds the Salt to the user's password and computes the hash value password, then computes the secondary hash value password with hmac_sha256_hex using the token as key, and sends the secondary hash value password to the server;
    S30) the server receives the user name and secondary hash value password sent from the client, computes the secondary hash value password with hmac_sha256_hex, using the token of the session with the client as key, over the hash value password stored at the server corresponding to the user name sent by the user terminal, compares the client's secondary hash value password with the server's secondary hash value password, and feeds the verification result back to the client.
  2. The secure password storage and verification method as claimed in claim 1, characterised in that step S20 specifically includes:
    S21) the client obtains the user's user name and password;
    S22) the client sends the user's user name to the server;
    S23) the server generates a token unique to this session;
    S24) the server sends the token, together with the Salt stored at the server for the user's user name, to the client;
    S25) the client adds the Salt to the user's password and computes the hash value password;
    S26) the client concatenates the hash value password and the user name;
    S27) the client computes the secondary hash value password with hmac_sha256_hex using the token as key;
    S28) the client sends the secondary hash value password to the server.
  3. The secure password storage and verification method as claimed in claim 2, characterised in that step S30 specifically includes:
    S31) the server receives the user name and secondary hash value password sent by the client;
    S32) the server looks up, by user name, the hash value password stored at the server for that user name;
    S33) the server concatenates the hash value password and the user name;
    S34) the server computes the secondary hash value password with hmac_sha256_hex over the hash value password stored at the server, using the unique token generated for this session with the client as key;
    S35) the server compares the client's secondary hash value password with the server's secondary hash value password;
    S36) the server sends the verification result to the client;
    if the passwords are consistent, verification passes;
    if the passwords are inconsistent, verification fails.
  4. The secure password storage and verification method as claimed in claim 1, characterised in that it further includes a password modification flow, including:
    S41) the client obtains the user's user name and new password;
    S42) the client obtains a new Salt from the server;
    S43) the client adds the new Salt to the user's new password;
    S44) the client computes the new hash value password with the hash algorithm;
    S45) the client stores the user name, new Salt and new hash value password to the server.
  5. A secure password storage and verification device, characterised in that it includes a password storage module and a password verification module, wherein the password storage module includes:
    a login information acquisition unit, for the client to obtain the user's user name and password, then proceed to the Salt acquisition unit;
    a Salt acquisition unit, for the client to obtain a Salt from the server, then proceed to the Salt adding unit;
    a Salt adding unit, for the client to add the Salt to the user's password, then proceed to the client encryption unit;
    a client encryption unit, for the client to compute the hash value password from the salted password with a hash algorithm, then proceed to the storage unit;
    a storage unit, for the client to store the user name, Salt and hash value password to the server;
    the password verification module includes:
    a client encryption submodule, for the client to obtain the server's session token and the Salt stored for the user's user name, add the Salt to the user's password and compute the hash value password, then compute the secondary hash value password with hmac_sha256_hex using the token as key, send the secondary hash value password to the server, and proceed to the server encryption verification submodule;
    a server encryption verification submodule, for the server to receive the user name and secondary hash value password sent from the client, compute the secondary hash value password with hmac_sha256_hex over the hash value password stored at the server for that user name, using the token of the session with the client as key, compare the client's secondary hash value password with the server's secondary hash value password, and feed the verification result back to the client.
  6. The secure password storage and verification device as claimed in claim 5, characterised in that the client encryption submodule includes:
    a login information acquisition unit, for the client to obtain the user's user name and password, then proceed to the information sending unit;
    an information sending unit, for the client to send the user's user name to the server, then proceed to the token generation unit;
    a token generation unit, for the server to generate a token unique to this session, then proceed to the server sending unit;
    a server sending unit, for the server to send the token, together with the Salt stored at the server for the user's user name, to the client, then proceed to the verification encryption unit;
    a verification encryption unit, for the client to add the Salt to the user's password and compute the hash value password, then proceed to the client concatenation unit;
    a client concatenation unit, for the client to concatenate the hash value password and the user name, then proceed to the client secondary encryption unit;
    a client secondary encryption unit, for the client to compute the secondary hash value password with hmac_sha256_hex using the token as key, then proceed to the password sending unit;
    a password sending unit, for the client to send the secondary hash value password to the server.
  7. The secure password storage and verification device as claimed in claim 6, characterised in that the server encryption verification submodule includes:
    a server receiving unit, for the server to receive the user name and secondary hash value password sent by the client, then proceed to the query unit;
    a query unit, for the server to look up, by user name, the hash value password stored at the server for that user name, then proceed to the server concatenation unit;
    a server concatenation unit, for the server to concatenate the hash value password and the user name, then proceed to the server secondary encryption unit;
    a server secondary encryption unit, for the server to compute the secondary hash value password with hmac_sha256_hex over the hash value password stored at the server, using the unique token generated for this session with the client as key, then proceed to the verification unit;
    a verification unit, for the server to compare the client's secondary hash value password with the server's secondary hash value password, then proceed to the verification result feedback unit;
    a verification result feedback unit, for the server to send the verification result to the client;
    if the passwords are consistent, verification passes;
    if the passwords are inconsistent, verification fails.
  8. The secure password storage and verification device as claimed in claim 5, characterised in that it further includes a password modification module, including:
    a new information acquisition unit, for the client to obtain the user's user name and new password, then proceed to the new Salt acquisition unit;
    a new Salt acquisition unit, for the client to obtain a new Salt from the server, then proceed to the new Salt adding unit;
    a new Salt adding unit, for the client to add the new Salt to the user's new password, then proceed to the new encryption unit;
    a new encryption unit, for the client to compute the new hash value password with the hash algorithm, then proceed to the new storage unit;
    a new storage unit, for the client to store the user name, new Salt and new hash value password to the server.
CN201711031339.8A 2017-10-27 2017-10-27 Secure password storage verification method and device Active CN107911343B (en)


Publications (2)

Publication Number Publication Date
CN107911343A true CN107911343A (en) 2018-04-13
CN107911343B CN107911343B (en) 2020-09-15

Family

ID=61841951


Country Status (1)

Country Link
CN (1) CN107911343B (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108833109A (en) * 2018-05-28 2018-11-16 苏州科达科技股份有限公司 Identity identifying method, device and electronic equipment
CN109450925A (en) * 2018-12-05 2019-03-08 国网浙江省电力有限公司杭州供电公司 User right verification method, device and electronic equipment for electric power secondary system O&M
CN109992934A (en) * 2019-04-10 2019-07-09 苏州浪潮智能科技有限公司 A kind of response method, device, equipment and medium
CN110493197A (en) * 2019-07-25 2019-11-22 深圳壹账通智能科技有限公司 A kind of login process method and relevant device
CN110572269A (en) * 2019-09-20 2019-12-13 成都安恒信息技术有限公司 method for improving secondary use of token
CN110912683A (en) * 2018-09-18 2020-03-24 阿里巴巴集团控股有限公司 Password storage method and device and password verification method and device
CN110990809A (en) * 2019-11-26 2020-04-10 卓尔购信息科技(武汉)有限公司 Password salting verification method and system based on workload
CN111385093A (en) * 2020-03-20 2020-07-07 杭州趣维科技有限公司 Web system design method combining slow hash and dynamic salt
CN111447613A (en) * 2019-01-16 2020-07-24 南京快轮智能科技有限公司 Encryption system for shared products
CN111639357A (en) * 2020-06-05 2020-09-08 杭州安恒信息技术股份有限公司 Encryption network disk system and authentication method and device thereof
CN112417393A (en) * 2020-11-02 2021-02-26 深圳依时货拉拉科技有限公司 Identity verification method and device, computer equipment and computer readable storage medium
CN113078999A (en) * 2021-04-13 2021-07-06 傲普(上海)新能源有限公司 Password security encryption storage mode
CN113626802A (en) * 2021-08-23 2021-11-09 重庆第二师范学院 Login verification system and method for equipment password
CN114499859A (en) * 2022-03-22 2022-05-13 深圳壹账通智能科技有限公司 Password verification method, device, device and storage medium
CN114567430A (en) * 2022-01-26 2022-05-31 银盛通信有限公司 Method for adding private key to user password by mobile resale system
CN114741716A (en) * 2022-05-20 2022-07-12 南京南瑞信息通信科技有限公司 Industrial control system-oriented configuration engineering file protection method and suite
CN114745173A (en) * 2022-04-08 2022-07-12 湖南长银五八消费金融股份有限公司 Login verification method, login verification device, computer equipment, storage medium and program product
US20230145340A1 (en) * 2021-11-08 2023-05-11 Adobe Inc. Distributing and synchronizing encrypted data for multi-regional accessibility

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130067229A1 (en) * 2011-09-09 2013-03-14 Stoneware, Inc. Method and apparatus for key sharing over remote desktop protocol
CN105721390A (en) * 2014-12-01 2016-06-29 阿里巴巴集团控股有限公司 Encrypted storage method and encrypted storage device
CN106060078A (en) * 2016-07-11 2016-10-26 浪潮(北京)电子信息产业有限公司 User information encryption method, user registration method and user validation method applied to cloud platform
CN106656476A (en) * 2017-01-18 2017-05-10 腾讯科技(深圳)有限公司 Password protecting method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Kong Yan et al.: "A multi-cloud storage system based on the Android platform", Journal of Computer Applications *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant