
CN1323538C - A method and system for dynamic identity authentication - Google Patents


Info

Publication number: CN1323538C
Authority: CN (China)
Prior art keywords: user, password, information, mobile phone, identity authentication
Legal status: Expired - Fee Related
Application number: CNB200310111570XA
Other languages: Chinese (zh)
Other versions: CN1547142A
Inventors: 胡汉平, 王祖喜, 吴晓刚, 曾伟国, 吴俊�, 王凌斐, 刘博�
Current assignee: Huazhong University of Science and Technology
Original assignee: Huazhong University of Science and Technology
History: application filed by Huazhong University of Science and Technology with priority to CNB200310111570XA; published as CN1547142A; granted and published as CN1323538C; legal status Expired - Fee Related.

Landscapes

  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a dynamic identity authentication method and system. The steps of the method are: ① the user enters user information and sends an authentication request to the authentication server; ② after receiving the request, the authentication server first verifies the legitimacy of the user information and prompts a legitimate user to enter the user-side password; ③ the user generates the user-side password with the mobile phone token; ④ the user enters this user-side password at the user terminal, which transmits it to the authentication server; ⑤ if the password received by the authentication server matches the one it generated itself, identity authentication passes; otherwise it fails. The system comprises a user terminal, a user information server, an authentication server and a mobile phone token. The authentication server is responsible for receiving and completing the user's service requests, and the mobile phone token generates the synchronized current identity authentication password. The invention effectively prevents illegal login by peeking at or guessing the authentication password, and also effectively prevents illegal login by intercepting transmitted information, thereby greatly improving the security of the system.


Description

A method and system for dynamic identity authentication

Technical field

The invention belongs to the field of information security authentication technology. It is implemented by combining computer, information coding and mobile communication technology, and can be applied to banking, securities and many other systems and fields that require identity authentication.

Background

Identity authentication is one of the key mechanisms for achieving network security. In secure network communication, each party involved must verify, through some form of identity authentication mechanism, that their identity matches what they claim; only then can access control and logging be enforced for different users. As early as the beginning of the 1970s, the International Bank Card Association was confronted with the problem of how to authenticate users in order to ensure system security. With the rapid development of information technology, an eavesdropper can obtain a password by low-tech shoulder surfing; guess passwords against a "password file", analyse protocols and filter out passwords (using a sniffer program); monitor and capture passwords with a TSR (terminate-and-stay-resident program); intercept passwords with a Trojan horse program and use similar methods to break through computer security mechanisms and gain illegal access; or use a computer virus (for example the Bugbear virus) to steal credit card numbers, online banking data and bank passwords from a computer. A comparatively effective countermeasure is dynamic electronic password technology. Its essence is to change the password periodically, or after every use, according to some rule, so that the password the user enters is different on every access, which makes electronic theft considerably harder.

Methods and systems using the above technology were proposed by us in two invention patents, "Dynamic Electronic Password Formation Method" (99116451.2) and "Dynamic Electronic Password System" (00114328.X). However, because synchronization between the user's password card and the host system relies mainly on contactless clock synchronization, timing errors may accumulate, so the clocks of both sides must be corrected after some period of time; in addition, the user's password card adds to the user's burden, and a password card with a keypad and LCD screen can be damaged by careless handling. To overcome these drawbacks we further proposed the invention patent "Dynamic Password Wireless Transmission Method" (99116517.9). However, because the dynamic password in that method is transmitted in clear text, an eavesdropper can easily intercept the identity authentication password. Moreover, that method cannot guarantee real-time authentication when the wireless network is congested.

Summary of the invention

The purpose of the present invention is to overcome the above drawbacks by providing a dynamic identity authentication method that uses the widely available mobile phone as the identity token. The method effectively prevents illegal login by peeking at or guessing the authentication password, and also effectively prevents illegal login by intercepting transmitted data, so the security of the system is greatly improved; furthermore, the dynamic password in the authentication process does not need to be transmitted over the wireless network, which guarantees real-time authentication. A further purpose of the invention is to provide a system that implements this method.

The mobile phone token dynamic identity authentication method of the present invention is implemented using computer technology and mobile communication technology, and its steps are:

(1) The user enters user information at the user terminal and sends an identity authentication request to the identity authentication server;

(2) After receiving the authentication request, the identity authentication server first verifies the legitimacy of the user information. If the user is a legitimate user, the identity authentication server generates the server-side dynamic identity authentication password, stores it temporarily, and prompts the user at the user terminal to enter the user-side dynamic identity authentication password;

(3) The user enters the startup password of the application module in the mobile phone token and passes the identity verification on the mobile phone token side;

(4) The user generates the user-side dynamic identity authentication password with the mobile phone token, which shows it to the user on the phone;

(5) The user enters the user-side dynamic identity authentication password shown to them at the user terminal, which transmits it to the identity authentication server, and waits for identity authentication;

(6) If the user-side dynamic identity authentication password received by the identity authentication server matches the server-side dynamic identity authentication password, identity authentication passes; otherwise, authentication fails.

During step (2) above, if a legitimate user finds that their account has been locked, they can apply to unlock it through the mobile phone token, as follows:

1) The user enters the startup password of the mobile phone token client application module and passes the identity verification on the mobile phone token side;

2) The user sends an "account unlock request" message to the authentication server through the mobile phone token;

3) After receiving the "account unlock request" message, the authentication server verifies the legitimacy of the message;

4) The authentication server sets the user's "user status" field in the user information database to the unlocked state, then sends the user an "account unlock response" message;

5) The mobile phone token receives the "account unlock response" message and informs the user that unlocking succeeded.

During step (3) above, if the user finds that the dynamic identity authentication service has not yet been enabled, the service should be enabled as follows:

1) The user enters the startup password of the mobile phone token client application module and passes the identity verification on the mobile phone token side;

2) The user sends an "enable dynamic identity authentication service request" message to the authentication server through the mobile phone token;

3) After receiving the "enable dynamic identity authentication service request" message, the authentication server verifies the legitimacy of the message;

4) The authentication server marks the user's authentication method in the user database as dynamic identity authentication, then sends an "enable dynamic identity authentication service response" message to the mobile phone token;

5) The mobile phone token receives the "enable dynamic identity authentication service response" message and informs the user that the dynamic identity authentication service has been enabled.

During identity authentication, if a legitimate user finds that authentication cannot be passed even after correct operation, the user can use the mobile phone token to request system synchronization, as follows:

1) The user enters the startup password of the mobile phone token client application module and passes the identity verification on the mobile phone token side;

2) The user sends a "system synchronization request" message to the authentication server through the mobile phone token;

3) After receiving the "system synchronization request" message, the authentication server verifies the legitimacy of the message;

4) The authentication server retrieves the server-side current working password from the user database;

5) The authentication server generates a "system synchronization response" message, writes the server-side current working password into the "service party information" field of the message, and sends the response message to the user;

6) After receiving the "system synchronization response" message, the mobile phone token extracts the current working password from the message and sets the current working password on the mobile phone token side to the extracted value, completing system synchronization.

During identity authentication, if the dynamic identity authentication service is to be cancelled, the steps are:

1) The user enters the startup password of the mobile phone token client application module and passes the identity verification on the mobile phone token side;

2) The user sends a "cancel dynamic identity authentication service request" message to the authentication server through the mobile phone token;

3) After receiving the "cancel dynamic identity authentication service request" message, the authentication server verifies the legitimacy of the message;

4) The authentication server marks the user's authentication method in the user information database as fixed-password identity authentication, then sends a "cancel dynamic identity authentication service response" message to the mobile phone token;

5) The mobile phone token receives the "cancel dynamic identity authentication service response" message and informs the user that the dynamic identity authentication service has been cancelled.

During identity authentication, if the dynamic identity authentication process is to be aborted, the steps are:

1) The user enters the predefined abort command on the mobile phone token, and the token system aborts the authentication process;

2) The user enters an "abort dynamic identity authentication service request" at the user terminal, which transmits it to the identity authentication server;

3) After receiving the "abort dynamic identity authentication service request", the authentication server aborts the server-side authentication process.

During step (3) above, if a legitimate user finds that their mobile phone token has been locked, they can apply to unlock it through the mobile phone token, as follows:

1) The user enters the mobile phone token registration password and passes the authorization identity verification on the mobile phone token side;

2) The mobile phone token sets its "user status" field to the unlocked state, then shows the user an "unlock response" message on the phone.
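The authentication steps (1)-(6), the system synchronization procedure and the token-side startup-password lockout, modelled together as an added Python example that is not part of the patent and not the inventors' implementation. It assumes an HMAC-SHA256 derivation in place of the patent's unspecified stream-cipher generator, that the working password Ks is advanced after every use on both sides (which is what makes a synchronization step necessary), a lockout threshold of three failures, and that the encryption of protocol messages with Ke is left out.

```python
import hmac
import hashlib

OTP_DIGITS = 6
MAX_TOKEN_FAILURES = 3   # assumed threshold for the token's counter Nt
MAX_AUTH_FAILURES = 3    # assumed threshold for server-side account lockout

# Constructed sample working password Ks, shared by token and server at enrolment.
SAMPLE_KS = b"constructed-sample-working-password-Ks"


def derive_password(ks: bytes) -> str:
    """Dynamic password derived from the current working password Ks.

    Stand-in for the patent's stream-cipher generator (assumption): the
    HMAC-SHA256 output serves as keystream and is truncated to OTP_DIGITS digits.
    """
    stream = hmac.new(ks, b"dynamic-password", hashlib.sha256).digest()
    value = int.from_bytes(stream[:4], "big") % 10 ** OTP_DIGITS
    return f"{value:0{OTP_DIGITS}d}"


def advance(ks: bytes) -> bytes:
    """Ratchet Ks after every use so no password repeats (assumed event-based scheme)."""
    return hmac.new(ks, b"advance-working-password", hashlib.sha256).digest()


class PhoneToken:
    """Client application module on the SIM card: memory (Ks, Pt, Nt), comparator, generator."""

    def __init__(self, ks: bytes, pt: str):
        self.ks = ks          # current working password Ks
        self.pt = pt          # startup password Pt of the client application module
        self.nt = 0           # consecutive wrong Pt entries (Nt)
        self.locked = False
        self.started = False

    def start(self, pt_entered: str) -> bool:
        """Password comparator: check Pt; lock the token after MAX_TOKEN_FAILURES misses."""
        if self.locked:
            return False
        if hmac.compare_digest(self.pt.encode(), pt_entered.encode()):
            self.nt = 0
            self.started = True
            return True
        self.nt += 1
        self.locked = self.nt >= MAX_TOKEN_FAILURES
        return False

    def generate(self) -> str:
        """Dynamic password generator (step 4): show the next password and advance Ks."""
        if not self.started:
            raise PermissionError("startup password Pt has not been verified")
        password = derive_password(self.ks)
        self.ks = advance(self.ks)
        return password

    def apply_sync(self, ks_from_server: bytes) -> None:
        """Synchronization step 6: adopt the server's current working password."""
        self.ks = ks_from_server


class AuthServer:
    """Authentication server with its user information table, reduced to the fields used here."""

    def __init__(self):
        self.users = {}

    def register(self, user_id: str, ks: bytes) -> None:
        self.users[user_id] = {"ks": ks, "mode": "dynamic", "locked": False,
                               "failures": 0, "pending": None, "in_use": False}

    def request_auth(self, user_id: str) -> bool:
        """Step 2: check legitimacy, then generate and temporarily hold the server-side password."""
        rec = self.users.get(user_id)
        if rec is None or rec["locked"] or rec["mode"] != "dynamic" or rec["in_use"]:
            return False          # unknown, locked, fixed-password, or already mid-login
        rec["in_use"] = True      # the 'account in use' flag guards against races
        rec["pending"] = derive_password(rec["ks"])
        rec["ks"] = advance(rec["ks"])
        return True

    def verify(self, user_id: str, submitted: str) -> bool:
        """Step 6: constant-time comparison; count failures and lock the account."""
        rec = self.users[user_id]
        expected, rec["pending"], rec["in_use"] = rec["pending"], None, False
        if expected is not None and hmac.compare_digest(expected, submitted):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        rec["locked"] = rec["failures"] >= MAX_AUTH_FAILURES
        return False

    def sync_response(self, user_id: str) -> bytes:
        """Synchronization step 5: the server-side current working password (Ke encryption omitted)."""
        return self.users[user_id]["ks"]

    def unlock_account(self, user_id: str) -> None:
        """Account unlock response: reset the 'user status' field and the failure count."""
        rec = self.users[user_id]
        rec["locked"], rec["failures"] = False, 0
```

A token that generates a password without submitting it drifts one step ahead of the server, which is the failure mode the synchronization request repairs.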

A system implementing the above method comprises a user terminal, a user information server, an authentication server and a mobile phone token, wherein:

the user terminal is used to enter user information and communicates with the identity authentication server over the network;

the user information server stores the tables defined by the identity authentication protocol, supplies every item of user information needed during authentication, and accepts operations from the authentication server;

the authentication server is responsible for receiving and completing the user's service requests; it contains an authentication server-side service module, a password generation module and a communication module. The authentication server-side service module handles network transmission control, processing of the authentication system's security protocol, encryption and decryption of transmitted information, user information access, and acquisition and temporary storage of dynamic passwords. The password generation module is responsible for generating the server-side dynamic identity authentication password and communicates with the authentication server over the server bus. The communication module is responsible for sending and receiving messages on the authentication server side and is the intermediary for communication between the mobile phone token and the authentication server;

the mobile phone token is the user's mobile phone with a dynamic identity authentication client application module installed in its SIM card; the dynamic identity authentication client application module and the password generation module in the authentication server use the same dynamic password generation algorithm and the same current working password, and generate synchronized dynamic identity authentication passwords independently of each other.

The authentication server-side service module comprises a user information management module, a dynamic password access module, a protocol processing module, a core management module, an encryption module and a network transmission module;

the user information management module carries out the user information management commands of the core management module, including creating new accounts, modifying existing account information, deleting expired account information, locking or unlocking user accounts, and controlling user access rights;

the dynamic password access module is the access module for the password generation module described above; it receives the user key information supplied by the core management module, generates the dynamic password used in the authentication process, and hands the dynamic password to the core management module for temporary storage;

the protocol processing module is the service-processing end of the dynamic identity authentication system's security protocol; it receives the security protocol messages supplied by the core management module and returns the processing result to the core management module;

the encryption module carries out the information encryption and decryption requests of the core management module;

the network transmission module carries out message transmission and reception on the server side, processes the core management module's transmission requests, and sends different types of messages to different communication networks;

the core management module is responsible for coordinating the relationships and message passing among the modules above.

The dynamic identity authentication client application module in the mobile phone token comprises a dynamic password generator, a memory, a password comparator and a controller;

the memory stores the user ID, the user's identity card number, the registration password Pr and the encryption key Ke, and is also responsible for storing the current working password Ks used to generate the dynamic identity authentication password, the startup password (or mobile phone token passphrase) Pt of the client application module, and the count Nt of consecutive incorrect entries of the token access password on the token; it is connected to the dynamic password generator, the password comparator and the controller;

the dynamic password generator generates the user's current authentication password from the current working password Ks, this password corresponding to the server's authentication password, and shows the authentication password to the user through the phone's output device;

the password comparator is used to judge whether the phone user is legitimate;

the controller controls the coordinated operation of the modules above.

The present invention differs from the invention patents "Method and Response System for Securing Money Payments by Adding a Paging System to the Internet" (99123882.6) and "Dynamic Password Wireless Transmission Method" (99116517.9) in that the user side of the present invention uses the widely available mobile phone as the token, and the dynamic identity authentication password is generated independently on the mobile phone token side and on the identity authentication server side without relying on wireless network transmission; this guarantees real-time authentication and leaves an outsider no way to intercept the password, greatly improving the security of the system. In addition, the user does not need to pay extra communication charges during authentication, so compared with the two inventions above the cost of using the dynamic identity authentication service is greatly reduced.

Description of the drawings

Figure 1 is the overall structure diagram of the authentication system;

Figure 2 is the software architecture diagram of the authentication server;

Figure 3 is the implementation diagram of the mobile phone token;

Figure 4 is the diagram of the dynamic identity authentication process, where Figure 4.1 is the process executed on the mobile phone token side and Figure 4.2 is the process executed on the authentication server side;

Figure 5 is the diagram of the process for enabling the dynamic identity authentication service, where Figure 5.1 is the process executed on the mobile phone token side and Figure 5.2 is the process executed on the authentication server side;

Figure 6 is the diagram of the system synchronization request process, where Figure 6.1 is the process executed on the mobile phone token side and Figure 6.2 is the process executed on the authentication server side;

Figure 7 is the diagram of the user account unlock request process, where Figure 7.1 is the process executed on the mobile phone token side and Figure 7.2 is the process executed on the authentication server side;

Figure 8 is the diagram of the process for cancelling the dynamic identity authentication service, where Figure 8.1 is the process executed on the mobile phone token side and Figure 8.2 is the process executed on the authentication server side;

Figure 9 illustrates the security protocol message format, where Figure 9.1 is the protocol message header format, Figure 9.2 is the service request message body format, and Figure 9.3 is the service response message body format.

Detailed description of the embodiments

Taking a banking system as an example, the present invention is described in further detail below with reference to the drawings.

1. System structure

Figure 1 is the overall structure diagram of the authentication system, comprising a user terminal 6, a user information server 1, an authentication server 2 and a mobile phone token 5. The user information server 1 is the data server of the system; it uses the Oracle 9i database system and stores the tables defined by the identity authentication protocol, supplying every item of user information needed during authentication. It contains the following fields: identity card number, user ID, registration password Pr, encryption/decryption key Ke, current working password Ks (identical to the current working password stored in the mobile phone token), an "account in use" flag (to prevent race attacks), mobile phone number, and so on. The user information server 1 accepts operation requests (querying and modifying user information) from the authentication server 2; these requests use the OLE DB data interface. The authentication server 2 is the server end of the whole authentication system and is responsible for receiving and completing the user's service requests. Arranged in the authentication server are the authentication server-side service module, the password generation module 3 and the communication module 4.

The password generation module 3 is responsible for generating the server-side dynamic identity authentication password; it is a hardware implementation of the "dynamic electronic password generation algorithm" and communicates with the authentication server 2 over the server bus. The communication module 4 communicates with the authentication server 2 through a COM port. The mobile phone token 5 is a user mobile phone capable of performing the authentication token function, whose SIM card provides a Java runtime environment. The dynamic identity authentication client application module is an embedded application module developed in Java; it is written into the SIM card of the mobile phone token 5 with the SIM card writer TY311. The dynamic identity authentication client application module in the mobile phone token 5 and the password generation module 3 in the authentication server use the same dynamic password generation algorithm and independently generate synchronized dynamic identity authentication passwords. The user terminal 6 (for example an ATM terminal) communicates with the identity authentication server 2 over the bank's internal network 7. During authentication the user submits to the authentication server the user-side dynamic identity authentication password generated by the mobile phone token; the authentication server compares it with the server-side dynamic identity authentication password it generated itself and decides from the result whether the user passes identity authentication.

Figure 2 is the structure diagram of the authentication server-side service module. The authentication server-side service module is the server-side software of the authentication system; its main functions are network transmission control, processing of the authentication system's security protocol, encryption and decryption of transmitted information, user information access, and acquisition and temporary storage of dynamic passwords. It comprises a user information access module 8, a dynamic password access module 9, a protocol processing module 10, a core management module 11, an encryption module 12 and a network transmission module 13. The user information access module 8 is the access module for the back-end user information server; it carries out the user information management commands of the core management module 11, including creating new accounts, modifying existing account information, deleting expired account information, locking or unlocking user accounts, controlling user access rights, and so on.

The dynamic password access module 9 is the access module for the dynamic password generation module in the authentication service; it receives the user key information supplied by the core management module 11, generates the dynamic password used in the authentication process, and hands it to the core management module 11 for temporary storage. The protocol processing module 10 is the server processing end of the dynamic identity authentication system's security protocol; it receives the security protocol messages supplied by the core management module 11 and returns the processing results to the core management module 11. The core management module 11 is the core of the whole authentication server-side software and is responsible for coordinating the relationships and message passing among the other modules. The encryption module 12 mainly carries out the encryption and decryption requests of the core management module 11. The network transmission module 13 mainly carries out message transmission on the server side; it receives messages from the bank's private network and from the communication module in the authentication server. It also processes the core management module's transmission requests, sending different types of messages to different communication networks.

Figure 3 shows the implementation of the mobile phone token: 22 is the structural diagram of the SIM card part of the token, and 23 is the structural diagram of the mobile phone's interface part. The dynamic identity authentication client application module in the mobile phone token comprises a dynamic password generator 14, a memory 15, a password comparator 16 and a controller 17. The memory 15 stores the user ID, the user's identity card number, the registration password Pr and the encryption/decryption key Ke; it also stores the current working password Ks used to generate the current dynamic identity authentication password (identical to the current working password stored in the server), the startup password of the client application module (the mobile phone token password) Pt, and the number Nt of consecutive incorrect entries of the token access password on the token. The encryption key Ke and the current working password Ks are assigned to the user's mobile phone token by the authentication server when the user applies for the service; the startup password Pt of the client application module is chosen by the user and written into the SIM card. The memory 15 is connected to the dynamic password generator 14, the password comparator 16 and the controller 17. The dynamic password generator 14 derives the user's current authentication password from the current working password Ks; it may be a stream cipher algorithm such as RC4 and must correspond to the server's password generator. The dynamic password generator 14 is connected to the display 20 through the display interface 18 of the mobile phone and shows the generated password on the screen. The password comparator 16 decides whether the mobile phone user is legitimate; it is connected to the keyboard 21 through the keyboard interface 19, so that the password the user types on the keyboard is compared with the startup password Pt of the client application module. The controller 17 coordinates the work of the individual modules.

II. Authentication process

As shown in Figure 4, the authentication process comprises the following steps:

(1) The user inserts the bank card at the ATM terminal, submits user information, and sends an identity authentication request to the identity authentication server.

(2) After receiving the authentication request, the identity authentication server first verifies the legitimacy of the user information. If the user is legitimate (the user's information is already stored in the user information database), the server generates the server-side dynamic identity authentication password, stores it temporarily, and prompts the user at the user terminal to enter the user-side dynamic identity authentication password. In detail:

(2.1) After the network transmission module of the identity authentication server receives the authentication request, it submits the user's request to the core management module.

(2.2) The core management module queries the user information database through the user information access module. If the database holds no information on this user, the core management module generates an error message and transmits it to the ATM terminal through the network transmission module; on receiving it, the terminal prompts the user: "user information error". If the database does hold the user's information, the user information access module returns it to the core management module, which examines its Identification_Mode field (0 means the user authenticates with a static password, 1 means with a dynamic password).

(2.3) If Identification_Mode=1, the core management module queries the user's Lock_State field (0 means the user is not locked, 1 means the user is locked). If Lock_State=1, the core management module sends a message to the ATM terminal stating that the user is locked and exits the authentication process. Otherwise the core management module passes the user's current working password to the dynamic password access module; the dynamic password generation module generates the user's dynamic authentication password for this session from the current working password and returns it to the core management module, which stores it temporarily and sends a message to the ATM terminal prompting the user to enter the user-side dynamic identity authentication password.

If a legitimate user finds that the account is locked, the user can apply for unlocking through the mobile phone token; the unlocking procedure is described in the "User applies for unlocking" part of the dynamic identity authentication security protocol.

(3) The user generates the user-side dynamic identity authentication password with the mobile phone token, which displays it on the phone screen.

It must be emphasized that before using the dynamic identity authentication service provided by the bank, the user must complete the two procedures "mobile phone token initialization" and "enabling the dynamic identity authentication service". Both are described in the corresponding parts of the dynamic identity authentication security protocol.

(4) The user enters the user-side dynamic identity authentication password shown on the phone screen at the user terminal, which transmits it to the identity authentication server, and waits for authentication.

(5) If the user-side dynamic identity authentication password received by the server matches the server-side dynamic identity authentication password, authentication succeeds; otherwise it fails. In detail:

(5.1) The core management module of the authentication server obtains the user-side dynamic identity authentication password submitted by the user from the network transmission module.

(5.2) The core management module compares the user-side dynamic identity authentication password with the temporarily stored server-side one. If they match, the core management module sends a message to the ATM terminal through the network transmission module indicating that authentication succeeded. Otherwise the core management module modifies the user's record in the user information database through the user information access module, incrementing the WrongPSW_Count field by 1 (the user is locked when WrongPSW_Count reaches its critical value), and sends a message to the ATM terminal through the network transmission module asking the user to restart the authentication process.

It must be pointed out that if a legitimate user cannot pass authentication despite operating correctly, the user can request system synchronization with the mobile phone token; the synchronization procedure is described in the "User applies for system synchronization" part of the dynamic identity authentication security protocol.
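The authentication steps above, together with the token-side password generator of Figure 3 and the lockout and resynchronization behaviour, as an added Python model that is not part of the patent. The server-side record uses the page's field names (Identification_Mode, Lock_State, WrongPSW_Count); the password derivation (HMAC-SHA256 in place of the RC4-style stream cipher the page allows), the rule for advancing Ks after each use, the lockout threshold of 3 and the reset of WrongPSW_Count on success are assumptions, as is the constructed initial Ks.

```python
# Added example, not from the patent: the synchronous dynamic-password exchange between the
# phone token and the server, with the WrongPSW_Count lockout and the resynchronization step.
import hashlib
import hmac

OTP_DIGITS, LOCK_THRESHOLD = 6, 3   # password length and WrongPSW_Count "critical value" (both assumed)

def generate_dynamic_password(ks: bytes) -> str:
    """Current password from Ks; HMAC-SHA256 stands in for the RC4-style generator the page allows."""
    mac = hmac.new(ks, b"dynamic-password", hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)

def next_working_password(ks: bytes) -> bytes:
    """Advance Ks after each use (the page does not specify the step; both sides apply this one)."""
    return hmac.new(ks, b"advance-ks", hashlib.sha256).digest()

class PhoneToken:
    """Client application module on the SIM card: startup password Pt, counter Nt, working password Ks."""
    def __init__(self, ks: bytes, pt: str):
        self.ks, self.pt, self.Nt, self.started = ks, pt, 0, False

    def start(self, entered_pt: str) -> bool:
        """Password comparator 16: compare the keyboard input with the stored Pt."""
        self.started = hmac.compare_digest(self.pt, entered_pt)
        self.Nt = 0 if self.started else self.Nt + 1
        return self.started

    def show_password(self) -> str:
        """Generator 14: show the password, then advance Ks (so an unsubmitted password causes drift)."""
        otp = generate_dynamic_password(self.ks)
        self.ks = next_working_password(self.ks)
        return otp

    def resync(self, server_ks: bytes) -> None:
        """Step 6 of 'user applies for system synchronization': adopt the server's Ks."""
        self.ks = server_ks

class AuthServer:
    """Core management module view: user records with the page's field names, pending passwords."""
    def __init__(self):
        self.users, self.pending = {}, {}

    def register(self, user_id: str, ks: bytes) -> None:
        self.users[user_id] = {"Identification_Mode": 1, "Lock_State": 0, "WrongPSW_Count": 0, "Ks": ks}

    def start_authentication(self, user_id: str) -> str:
        """Steps 2.1-2.3: look the user up, check mode and lock state, store the server-side password."""
        rec = self.users.get(user_id)
        if rec is None:
            return "USER_INFO_ERROR"
        if rec["Identification_Mode"] != 1:
            return "STATIC_PASSWORD_PATH"          # static-password authentication is not modelled
        if rec["Lock_State"] == 1:
            return "LOCKED"
        self.pending[user_id] = generate_dynamic_password(rec["Ks"])
        return "PROMPT_FOR_PASSWORD"

    def verify(self, user_id: str, submitted: str) -> str:
        """Steps 5.1-5.2: constant-time compare, count failures, lock at the threshold."""
        rec, expected = self.users[user_id], self.pending.pop(user_id, None)
        if expected is not None and hmac.compare_digest(expected, submitted):
            rec["Ks"] = next_working_password(rec["Ks"])
            rec["WrongPSW_Count"] = 0              # reset on success (assumption)
            return "SUCCESS"
        rec["WrongPSW_Count"] += 1
        if rec["WrongPSW_Count"] >= LOCK_THRESHOLD:
            rec["Lock_State"] = 1
        return "RETRY"

    def unlock(self, user_id: str) -> None:
        """Step 4 of 'user applies for unlocking' (after the registration password check)."""
        self.users[user_id].update(Lock_State=0, WrongPSW_Count=0)

    def current_ks(self, user_id: str) -> bytes:
        """Step 4 of 'system synchronization': hand out the server-side current working password."""
        return self.users[user_id]["Ks"]

def demo() -> list:
    """Happy path, drift after an unsubmitted password, resync, lockout, unlock."""
    ks0 = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed initial Ks
    server, token = AuthServer(), PhoneToken(ks0, pt="1234")
    server.register("user01", ks0)
    token.start("1234")
    out = []
    server.start_authentication("user01")
    out.append(server.verify("user01", token.show_password()))   # SUCCESS
    token.show_password()                                        # shown, never submitted
    server.start_authentication("user01")
    out.append(server.verify("user01", token.show_password()))   # RETRY: out of sync
    token.resync(server.current_ks("user01"))
    server.start_authentication("user01")
    out.append(server.verify("user01", token.show_password()))   # SUCCESS again
    for _ in range(LOCK_THRESHOLD):
        server.start_authentication("user01")
        server.verify("user01", "not-a-code")                   # guaranteed wrong
    out.append(server.start_authentication("user01"))           # LOCKED
    server.unlock("user01")
    out.append(server.start_authentication("user01"))           # PROMPT_FOR_PASSWORD
    return out
```

The comparison in verify uses hmac.compare_digest so timing does not reveal how many characters matched, and the temporarily stored server-side password is discarded after one comparison, so a wrong guess cannot be retried against the same value. The drift case is the failure mode the patent's synchronization procedure exists for: a password that the token displays but the user never submits leaves the token one step ahead of the server, and every later attempt fails until the token adopts the server's Ks. RC4, which the page names as a candidate generator, has since been prohibited in TLS (RFC 7465); a keyed hash is the usual choice today.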

III. Dynamic identity authentication security protocol

The mobile-phone-token dynamic identity authentication method is an authentication method based on synchronous dynamic identity authentication passwords, so its implementation must keep the mobile phone token and the authentication server synchronized; the present invention uses the dynamic identity authentication security protocol for this purpose. The security protocol is the supporting protocol of the mobile-phone-token dynamic identity authentication method. It is an SMS-based interaction protocol that defines the interaction flow between the mobile phone token and the authentication server, the format of the exchanged messages, and the security mechanisms that protect the exchange (the method for encrypting messages, the method for managing the encryption keys, and the method for authenticating the exchanged messages). The protocol not only provides system synchronization between the mobile phone token and the authentication server, but also lets the user use the token to enable the dynamic identity authentication service, unlock the account, and cancel the dynamic identity authentication service. The basic principles of the protocol are described below in terms of protocol procedures, security mechanisms and message format.

(I) Protocol procedures

1. Mobile phone token initialization

Mobile phone token initialization consists of two stages: writing the client application module and initializing the client application module. Writing the client application module means using the SIM card writing device TY311 to write the Java-based embedded dynamic identity authentication client application module into the SIM card of the user's mobile phone. Initializing the client application module mainly means setting its parameters in the SIM card: the user's identity information, the message encryption/decryption key, the startup password of the client application module, the current working password and the user's registration password. The startup password and the registration password are chosen by the user and can be changed at any time. The startup password ensures that only the legitimate holder of the mobile phone token can use it to complete the dynamic identity authentication process. The registration password ensures that only the legitimate user can use the token to perform the "unlock" and "cancel dynamic identity authentication service" functions. The current working password and the message encryption/decryption key each exist in two copies, one on the mobile phone token and one on the authentication server; the server-side copies are part of the user information, and both ends must hold the same current working password and the same message encryption/decryption key. At initialization, a random number generator produces the initial current working password and the message encryption/decryption key, and the current working password and key on both the mobile phone token and the authentication server are set to these initial values.

2. User enables the dynamic identity authentication service

To enable the dynamic identity authentication service, the user sends an "enable dynamic identity authentication service request" to the authentication server with the mobile phone token; after receiving the request, the server first verifies the legitimacy of the user's information, processes the request accordingly, and then sends an "enable dynamic identity authentication service response" to the user. In detail:

1) The user enters the startup password of the mobile phone token client application module (set during token initialization) and passes the token-side identity check;

2) The user sends an "enable dynamic identity authentication service request" message to the authentication server through the mobile phone token;

3) After receiving the request, the authentication server verifies its legitimacy (it checks the user ID and the registration password carried in the message; the registration password was fixed when the user's phone was initialized);

4) The authentication server marks the user's authentication mode in the user information database as dynamic identity authentication, then sends an "enable dynamic identity authentication service response" message to the mobile phone token;

5) The mobile phone token receives the response message and indicates that the dynamic identity authentication service has been enabled.

Figure 5 shows the processing on the mobile phone token side and the authentication server side when the user enables the service.

3. User applies for system synchronization

As mentioned above, the key to a user passing authentication is that the mobile phone token and the authentication server stay synchronized. Because abnormal situations can put the two ends out of synchronization (for example, the phone losing power in the middle of an authentication), the "user applies for system synchronization" procedure of the dynamic identity authentication security protocol is used to restore synchronization between the two ends. In detail:

1) The user enters the startup password of the mobile phone token client application module and passes the token-side identity check;

2) The user sends a "system synchronization request" message to the authentication server through the mobile phone token;

3) After receiving the request, the authentication server verifies its legitimacy (it checks the user ID and the registration password carried in the message; the registration password was fixed when the user's phone was initialized);

4) The authentication server retrieves the server-side current working password from the user information database;

5) The authentication server generates a "system synchronization response" message, writes the server-side current working password into its "server information" field, and sends the response to the user;

6) After receiving the response, the mobile phone token extracts the current working password from the message and sets its own current working password for the dynamic electronic password to that value, which completes the synchronization.

Figure 6 shows the processing on the mobile phone token side and the authentication server side when the user applies for system synchronization.

4. User applies for unlocking

If a user finds that the account has been locked by the bank, the user can apply for unlocking through the mobile phone token. In detail:

1) The user enters the startup password of the mobile phone token client application module and passes the token-side identity check;

2) The user sends an "account unlock request" message to the authentication server through the mobile phone token;

3) After receiving the request, the authentication server verifies its legitimacy (it checks the user ID and the registration password carried in the message; the registration password was fixed when the user's phone was initialized);

4) The authentication server sets the user's "user status" field in the user information database to the unlocked state, then sends an "account unlock response" message to the user;

5) The mobile phone token receives the response message and tells the user that unlocking succeeded.

Figure 7 shows the processing on the mobile phone token side and the authentication server side when the user applies for unlocking.

If a legitimate user finds that the mobile phone token itself is locked, the user can unlock it through the token as follows:

1) The user enters the mobile phone token registration password (usually longer than the startup password) and passes the token-side authorization check;

2) The mobile phone token sets its "user status" field to the unlocked state and then shows the user an "unlock response" message on the phone.

5. User cancels the dynamic identity authentication service

The user can not only enable the dynamic identity authentication service through the mobile phone token but also cancel it with the token. In detail:

1) The user enters the startup password of the mobile phone token client application module and passes the token-side identity check;

2) The user sends a "cancel dynamic identity authentication service request" message to the authentication server through the mobile phone token;

3) After receiving the request, the authentication server verifies its legitimacy (it checks the user ID and the registration password carried in the message; the registration password was fixed when the user's phone was initialized);

4) The authentication server marks the user's authentication mode in the user information database as fixed-password identity authentication, then sends a "cancel dynamic identity authentication service response" message to the mobile phone token;

5) The mobile phone token receives the response message and indicates that the dynamic identity authentication service has been cancelled.

Figure 8 shows the processing on the mobile phone token side and the authentication server side when the user cancels the service.

6. User aborts the dynamic identity authentication service

During identity authentication, the dynamic identity authentication process can be aborted as follows:

1) The user enters the abort command predefined in the mobile phone token, and the token aborts the authentication process;

2) The user enters and transmits an "abort dynamic identity authentication service request" to the identity authentication server through the user terminal;

3) After receiving the request, the authentication server aborts the server-side authentication process.

(II) Security mechanisms of the security protocol

The security protocol encrypts and decrypts the exchanged messages with the encryption/decryption key using a block cipher algorithm such as DES (Data Encryption Standard).

Besides the encryption and decryption of messages, the protocol also specifies how the encryption/decryption key is managed. It stipulates that the key is written during mobile phone token initialization and is renewed on the basis of a usage count: the user's phone maintains a message counter that counts the request messages sent by the mobile phone token; when the counter reaches a threshold, the token automatically sets the key update flag in its message, the authentication server then carries a new message encryption/decryption key in its response, and once the token has received the new key it starts using it to encrypt and decrypt messages.

(III) Security protocol message format

The protocol message format is shown in Figure 9. Messages are of two kinds, service request messages and service response messages, and each consists of a message header and a message body. The fields are as follows:

(1) Protocol message header

Version: version number of the protocol;

Header length: length of the protocol message header;

Server ID: a unique ID identifying each server that provides the dynamic authentication service;

Total length: total length of the message; this field is included to allow future extension of the message body;

(2) Service request message body

Service type: bit 1 indicates the message kind; bit 2 indicates whether the client requests an update of the message encryption key, or, in a response, whether the message carries an updated key; bits 3-8 are the message type bits;

Verification code: the message is verified by byte summation;

Sequence number: identifies each request message, to prevent replay of responses;

User ID: the user's authentication account;

Registration code: generated when the user's mobile phone token is initialized; it is the user's private data. The server confirms the user's identity with the user ID and the user's verification code;

(3) Service response message body

Service type: as above;

Verification code: as above;

Sequence number: a copy of the sequence number in the request, guaranteeing a one-to-one correspondence between response and request;

New key: carries the new key for encrypting protocol messages;

Server information: the response data returned by the server to the user, for example the current working password of the algorithm;
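The message format just described, the counter-driven key update of section (II) and the "system synchronization" exchange of section (I).3, as an added Python example that is not part of the patent. It builds and parses request and response messages with the header and body fields listed above, computes the byte-summation verification code, matches each response's sequence number against the outstanding request, and models a token that sets the key-update bit once its request counter reaches a threshold, with the server answering with a new key. The field widths, the type code TYPE_SYNC, the threshold of 3 and the sample identifiers are assumptions, and the DES encryption of the whole message described on the page is left out so that the framing stays visible.

```python
# Added example, not from the patent: framing, byte-sum verification code, sequence-number
# matching and counter-driven key rotation for the SMS protocol messages (DES layer omitted).
import hmac
import os
import struct

VERSION = 1
# Header: version, header length, server ID, total length. Request body: service type, verification
# code, sequence no., user ID, registration code. Response body: the first three, new key, server info.
HDR_FMT, REQ_FMT, RSP_FMT = "!BBHH", "!BBI8s16s", "!BBI16s"         # field widths assumed
HDR_LEN, REQ_LEN, RSP_LEN = (struct.calcsize(f) for f in (HDR_FMT, REQ_FMT, RSP_FMT))
FLAG_RESPONSE, FLAG_KEY_UPDATE, TYPE_MASK = 0x80, 0x40, 0x3F        # bit 1, bit 2, bits 3-8
TYPE_SYNC = 0x02                      # "system synchronization request" (type code assumed)
KEY_UPDATE_THRESHOLD = 3              # request-counter threshold (value assumed)
NO_KEY = bytes(16)                    # all-zero new-key field: no key carried

def checksum(msg: bytes) -> int:
    return sum(msg) & 0xFF            # verification code: byte summation with the checksum byte zeroed

def _frame(server_id: int, body: bytes) -> bytes:
    msg = bytearray(struct.pack(HDR_FMT, VERSION, HDR_LEN, server_id, HDR_LEN + len(body)) + body)
    msg[HDR_LEN + 1] = checksum(bytes(msg))          # the verification code is the body's second byte
    return bytes(msg)

def build_request(server_id, msg_type, seq, user_id, reg_code, key_update=False) -> bytes:
    svc = (msg_type & TYPE_MASK) | (FLAG_KEY_UPDATE if key_update else 0)
    return _frame(server_id, struct.pack(REQ_FMT, svc, 0, seq, user_id, reg_code))

def build_response(server_id, msg_type, seq, server_info, new_key=None) -> bytes:
    svc = FLAG_RESPONSE | (msg_type & TYPE_MASK) | (FLAG_KEY_UPDATE if new_key else 0)
    return _frame(server_id, struct.pack(RSP_FMT, svc, 0, seq, new_key or NO_KEY) + server_info)

def parse(msg: bytes) -> dict:
    """Check header, total length and verification code, then unpack either message kind."""
    if len(msg) < HDR_LEN:
        raise ValueError("truncated header")
    version, hdr_len, server_id, total = struct.unpack(HDR_FMT, msg[:HDR_LEN])
    if version != VERSION or hdr_len != HDR_LEN or total != len(msg) or len(msg) < hdr_len + RSP_LEN:
        raise ValueError("bad header or truncated body")
    body, zeroed = msg[hdr_len:], bytearray(msg)
    zeroed[hdr_len + 1] = 0
    if checksum(bytes(zeroed)) != body[1]:
        raise ValueError("verification code mismatch")
    out = {"server_id": server_id, "response": bool(body[0] & FLAG_RESPONSE),
           "key_update": bool(body[0] & FLAG_KEY_UPDATE), "type": body[0] & TYPE_MASK}
    if out["response"]:
        _, _, out["seq"], key = struct.unpack(RSP_FMT, body[:RSP_LEN])
        out["new_key"], out["server_info"] = (None if key == NO_KEY else key), body[RSP_LEN:]
    elif len(body) != REQ_LEN:
        raise ValueError("bad request length")
    else:
        _, _, out["seq"], uid, out["reg_code"] = struct.unpack(REQ_FMT, body)
        out["user_id"] = uid.rstrip(b"\0")
    return out

def rejects(fn, msg: bytes) -> bool:
    try:                              # True when fn refuses msg with ValueError (replay / corruption checks)
        fn(msg)
        return False
    except ValueError:
        return True

class TokenSide:
    def __init__(self, user_id, reg_code, ke, ks):
        self.user_id, self.reg_code, self.ke, self.ks = user_id, reg_code, ke, ks
        self.msg_count = self.seq = 0     # request counter for key rotation; sequence number

    def make_request(self, server_id: int, msg_type: int) -> bytes:
        self.msg_count, self.seq = self.msg_count + 1, self.seq + 1
        wants_key = self.msg_count >= KEY_UPDATE_THRESHOLD   # set bit 2 when the threshold is hit
        return build_request(server_id, msg_type, self.seq, self.user_id, self.reg_code, wants_key)

    def take_response(self, msg: bytes) -> dict:
        r = parse(msg)
        if not r["response"] or r["seq"] != self.seq:   # replayed or unsolicited response
            raise ValueError("sequence number does not match the outstanding request")
        if r["new_key"]:
            self.ke, self.msg_count = r["new_key"], 0    # switch keys, restart the counter
        if r["type"] == TYPE_SYNC:
            self.ks = r["server_info"]                   # adopt the server's working password
        return r

def server_handle(server_id: int, users: dict, msg: bytes) -> bytes:
    """Server side; users maps user ID -> {"reg_code", "ke", "ks"} (the user information database)."""
    r = parse(msg)
    u = users.get(r["user_id"])
    if u is None or not hmac.compare_digest(u["reg_code"], r["reg_code"]):
        raise PermissionError("user ID / registration code check failed")
    new_key = os.urandom(16) if r["key_update"] else None
    u["ke"] = new_key or u["ke"]                         # server switches first, token follows
    info = u["ks"] if r["type"] == TYPE_SYNC else b""
    return build_response(server_id, r["type"], r["seq"], info, new_key)

def demo() -> dict:
    uid, reg = b"user01", b"R" * 16                      # constructed sample identifiers
    users = {uid: {"reg_code": reg, "ke": b"K" * 16, "ks": b"T" * 16}}
    token = TokenSide(uid, reg, ke=b"K" * 16, ks=b"S" * 16)      # token Ks has drifted from the server
    first = server_handle(7, users, token.make_request(7, TYPE_SYNC))
    token.take_response(first)
    for _ in range(KEY_UPDATE_THRESHOLD - 1):            # drive the request counter to the threshold
        token.take_response(server_handle(7, users, token.make_request(7, TYPE_SYNC)))
    bent = bytes(first[:-1]) + bytes([first[-1] ^ 0x01])  # one corrupted byte of server information
    return {"synced": token.ks == b"T" * 16,
            "rotated": token.ke == users[uid]["ke"] != b"K" * 16 and token.msg_count == 0,
            "replay_rejected": rejects(token.take_response, first),
            "tamper_detected": rejects(parse, bent)}
```

Byte summation catches accidental corruption (the flipped byte in demo) but not deliberate modification, since compensating changes elsewhere in the message preserve the sum; integrity against tampering needs a MAC keyed with Ke in addition to the encryption the page specifies. The sequence number defends the token against a replayed response only if the token refuses every response whose number is not the one currently outstanding, which is what take_response does; the registration code check in server_handle uses a constant-time comparison for the same reason the password check does.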

Claims (10)

1. A dynamic identity authentication method for a mobile phone token is realized by utilizing a computer technology and a mobile communication technology, and comprises the following steps:
(1) a user inputs user information at a user terminal and sends an identity authentication request to an identity authentication server;
(2) after receiving the authentication request, the identity authentication server firstly verifies the validity of the user information; if the user is a legal user, the identity authentication server generates and temporarily stores a current dynamic identity authentication password of the server side, and prompts the user to input the current dynamic identity authentication password of the user side at the user terminal;
(3) the user inputs an application module starting password in the mobile phone token and passes the identity authentication of the mobile phone token end;
(4) the user generates a current dynamic identity authentication password of the user side through the mobile phone token and informs the user through the mobile phone;
(5) the user inputs the informed current dynamic identity authentication password of the user side through the user terminal and transmits the password to the identity authentication server to wait for identity authentication;
(6) if the current dynamic identity authentication password of the user side received by the identity authentication server is consistent with the current dynamic identity authentication password of the server side, passing the identity authentication; otherwise, the authentication is not passed.
2. The method of claim 1, wherein: when the step (2) is carried out, if a legal user finds that the own account is locked, the legal user can apply for unlocking through the mobile phone token, and the steps are as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends an 'application account unlocking request' message to an authentication server through a mobile phone token;
3) the authentication server receives the information of the 'application account unlocking request' and then verifies the validity of the information;
4) the authentication server sets a 'user state' field of the user to be in an unlocking state in a user information database, and then sends 'application account unlocking response' information to the user;
5) the mobile phone token receives the information of 'application account unlocking response' and prompts the user that the unlocking is successful.
3. The method according to claim 1 or 2, characterized in that: when the step (3) is performed, if the user finds that the dynamic identity authentication service is not started, the dynamic identity authentication service should be started, and the steps are as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends a request for opening dynamic identity authentication service to an authentication server through a mobile phone token;
3) the authentication server receives the information of 'starting dynamic identity authentication service request' and then verifies the validity of the information;
4) the authentication server marks the authentication mode of the user as a dynamic identity authentication mode in a user database, and then sends 'start dynamic identity authentication service response' information to the mobile phone token;
5) and the mobile token receives the response information of starting the dynamic identity authentication service and prompts that the dynamic identity authentication service is started.
4. The method of claim 3, wherein: in the process of identity authentication, if a legal user finds that the legal user can not pass the authentication after passing correct operation, the user can use a mobile token to request system synchronization, and the steps are as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends information of applying for a system synchronization request to an authentication server through a mobile phone token;
3) the authentication server receives the information of applying for the system synchronization request and then verifies the validity of the information;
4) the authentication server takes out the current working password of the dynamic electronic password of the server from the user information database;
5) the authentication server generates 'application system synchronous response' information, writes the current working password of the dynamic electronic password of the server end into a 'server side information' field in the information, and then sends response information to the user;
6) after receiving the 'application system synchronous response' information, the mobile phone token extracts the current working password of the dynamic electronic password from the information and sets the current working password value of the dynamic electronic password at the mobile phone token end to the extracted value, thereby completing system synchronization.
5. The method of claim 4, wherein: in the process of identity authentication, if the dynamic identity authentication service is to be cancelled, the steps are as follows:
1) a user inputs a mobile phone token client application module starting password and passes the identity authentication of a mobile phone token end;
2) a user sends a request for canceling the dynamic identity authentication service to an authentication server through a mobile phone token;
3) the authentication server receives the information of canceling the dynamic identity authentication service request and then verifies the validity of the information;
4) the authentication server marks the authentication mode of the user as a fixed password identity authentication mode in a user information database, and then sends 'cancel dynamic identity authentication service response' information to the mobile phone token;
5) the mobile phone token receives the 'cancel dynamic identity authentication service response' information and prompts the user that the dynamic identity authentication service has been cancelled.
6. The method of claim 5, wherein: in the process of identity authentication, if the dynamic identity authentication process is to be stopped, the steps are as follows:
1) the user inputs a preset stopping instruction of the mobile phone token, and the token system stops the authentication process;
2) the user inputs and transmits a request for stopping the dynamic identity authentication service to the identity authentication server through the user terminal;
3) after receiving the request for stopping the dynamic identity authentication service, the authentication server stops the authentication process on the server side.
7. The method of claim 6, wherein: when step (3) is carried out, if the user finds that the user's mobile phone token is locked, the user can unlock the mobile phone token through the mobile phone token itself, and the steps are as follows:
1) the user inputs the preset registration password of the mobile phone token and is authenticated by the mobile phone token;
2) the mobile phone token sets its 'user state' field to the unlocked state, and then notifies the user of the 'unlocking response' information through the mobile phone.
8. A system for implementing the method of claim 1, comprising a user terminal, a user information server, an authentication server and a mobile token; wherein,
the user terminal is used for inputting user information and communicates with the identity authentication server through a network;
the user information server stores the tables set up according to the identity authentication protocol, provides the user information required during the authentication process, and accepts operations from the authentication server;
the authentication server is responsible for receiving and completing the user's service requests and is provided with an authentication server side service module, a password generation module and a communication module; the authentication server side service module handles network transmission control, security protocol processing for the authentication system, encryption and decryption of transmitted information, user information access, and acquisition and temporary storage of dynamic passwords; the password generation module is responsible for generating the current dynamic identity authentication password at the server end and communicates with the authentication server over the server's bus; the communication module sends and receives information at the authentication server end and is the intermediary for communication between the mobile phone token and the authentication server;
the mobile phone token is the user's mobile phone with a dynamic identity authentication client application module installed in the phone's SIM card; the dynamic identity authentication client application module and the password generation module in the authentication server use the same dynamic password generation algorithm and the same current working password, and independently generate a synchronized current dynamic identity authentication password.
9. The system of claim 8, wherein: the authentication server side service module comprises a user information management module (8), a dynamic password access module (9), a protocol processing module (10), a core management module (11), an encryption module (12) and a network transmission module (13);
the user information management module (8) is responsible for completing user information management commands of the core management module (11), including establishing a new account, modifying existing account information, deleting outdated account information, locking or unlocking a user account number and controlling user access authority;
the dynamic password access module (9) is an access module of the password generation module, receives the user key information provided by the core management module (11), generates a dynamic password in the authentication process, and sends the dynamic password to the core management module (11) for temporary storage;
the protocol processing module (10) is a service processing end of a dynamic identity authentication system security protocol and is used for receiving security protocol information provided by the core management module (11) and returning a processing result to the core management module (11);
the encryption module (12) is used for completing the information encryption and decryption request of the core management module (11);
the network transmission module (13) is used for completing information transmission tasks of a server end, receiving network information and information of a communication module in the authentication server, processing an information transmission request of the core management module (11), and sending different types of information to different communication networks;
the core management module (11) is responsible for coordinating the interrelation and information transfer among the modules.
10. The system according to claim 8 or 9, characterized in that: the dynamic identity authentication client application module in the mobile token comprises a dynamic password generator (14), a memory (15), a password comparator (16) and a controller (17);
the memory (15) stores the user ID, the user identity card number, the registration password Pr and the encryption key Ke, and is also responsible for storing the current working password Ks from which the current dynamic identity authentication password is generated, the start password of the client application module, or mobile phone token password Pt, and the count Nt of consecutive wrong entries of the token access password on the token; it is connected with the dynamic password generator (14), the password comparator (16) and the controller (17);
the dynamic password generator (14) generates the user's current authentication password from the current working password Ks; this authentication password corresponds to the server's current authentication password and is presented to the user through an output device of the mobile phone;
the password comparator (16) is used for judging whether the mobile phone user is legal or not;
the controller (17) is used for controlling the coordination work of the modules.
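The token of claim 10, its lock and unlock handling of claim 7, and the system synchronization exchange of claim 4, modelled as an added Python example; this is not code from the patent or from Huazhong University of Science and Technology. The claims name the components and the message fields but not the algorithms, so the example assumes: HMAC-SHA256 keyed with Ks and truncated to six digits as the shared dynamic password generation algorithm; Ks rotated by hashing after every password the token generates and every password the server accepts, so a password that is generated but never submitted leaves the token one step ahead of the server; an HMAC under Ke over the 'server side information' field of the 'application system synchronous response', so a forged or altered response cannot overwrite Ks; and a lockout threshold MAX_WRONG of three consecutive wrong start passwords Pt, counted in Nt. The class names Token and Server, run_scenario and all sample secrets are constructed for the example.

```python
"""Added example (not the patent's code): token, server and resynchronization.
Assumed: HMAC-SHA256 as the shared dynamic password algorithm, Ks rotated by
hashing after each use, an HMAC under Ke on the sync response, lockout at
MAX_WRONG consecutive wrong Pt entries (the patent gives no threshold)."""
import hashlib
import hmac

DIGITS = 6
MAX_WRONG = 3  # assumed lockout threshold for Nt


def dynamic_password(ks: bytes) -> str:
    """Current dynamic identity authentication password derived from Ks."""
    digest = hmac.new(ks, b"dynamic-identity-authentication", "sha256").digest()
    return str(int.from_bytes(digest[:4], "big") % 10**DIGITS).zfill(DIGITS)


def next_working_password(ks: bytes) -> bytes:
    """Rotate Ks; both sides apply the same step to stay synchronized."""
    return hashlib.sha256(b"rotate:" + ks).digest()


class Token:
    """Client application module: memory (15), generator (14), comparator (16)."""

    def __init__(self, ks: bytes, pt: str, pr: str, ke: bytes):
        self.ks, self.pt, self.pr, self.ke = ks, pt, pr, ke  # memory (15)
        self.nt = 0                      # consecutive wrong Pt entries
        self.user_state = "unlocked"

    def start(self, entered_pt: str) -> bool:
        """Password comparator (16): check the start password Pt."""
        if self.user_state == "locked":
            return False
        if hmac.compare_digest(entered_pt.encode(), self.pt.encode()):
            self.nt = 0
            return True
        self.nt += 1
        if self.nt >= MAX_WRONG:
            self.user_state = "locked"
        return False

    def unlock(self, entered_pr: str) -> bool:
        """Claim 7: the registration password Pr unlocks the token locally."""
        if hmac.compare_digest(entered_pr.encode(), self.pr.encode()):
            self.user_state, self.nt = "unlocked", 0
            return True
        return False

    def generate(self) -> str:
        """Dynamic password generator (14): show a password and advance Ks."""
        pw = dynamic_password(self.ks)
        self.ks = next_working_password(self.ks)
        return pw

    def apply_sync_response(self, response: dict) -> bool:
        """Claim 4 step 6: adopt the server's Ks, but only if the MAC checks."""
        ks = bytes.fromhex(response["server_side_information"])
        expected = hmac.new(self.ke, ks, "sha256").hexdigest()
        if not hmac.compare_digest(expected, response["mac"]):
            return False
        self.ks = ks
        return True


class Server:
    """Authentication server holding the user's Ks in the user database."""

    def __init__(self, ks: bytes, ke: bytes):
        self.ks, self.ke = ks, ke
        self.auth_mode = "dynamic"       # claims 3 and 5 switch this field

    def verify(self, submitted: str) -> bool:
        """Accept a password only once: Ks rotates after a successful check."""
        if self.auth_mode != "dynamic":
            return False
        ok = hmac.compare_digest(submitted, dynamic_password(self.ks))
        if ok:
            self.ks = next_working_password(self.ks)
        return ok

    def sync_response(self) -> dict:
        """Claim 4 steps 4-5: current Ks in the 'server side information' field."""
        mac = hmac.new(self.ke, self.ks, "sha256").hexdigest()
        return {"server_side_information": self.ks.hex(), "mac": mac}


def run_scenario() -> dict:
    """Drift, resynchronization, tampered response and token lockout."""
    ks, ke = b"k" * 32, b"e" * 32          # constructed sample secrets
    token, server = Token(ks, pt="1234", pr="reg-pw", ke=ke), Server(ks, ke)
    results = {"first_login": token.start("1234") and server.verify(token.generate())}
    token.generate()                       # generated but never submitted
    results["after_drift"] = server.verify(token.generate())
    results["sync"] = token.apply_sync_response(server.sync_response())
    results["after_sync"] = server.verify(token.generate())
    forged = server.sync_response()
    forged["server_side_information"] = "00" * 32
    results["forged_rejected"] = not token.apply_sync_response(forged)
    for _ in range(MAX_WRONG):
        token.start("0000")
    results["locked"] = token.user_state == "locked" and not token.start("1234")
    results["unlocked"] = token.unlock("reg-pw") and token.start("1234")
    return results


if __name__ == "__main__":
    print(run_scenario())
```

run_scenario() walks through a successful login, drift after an unsubmitted password, resynchronization, rejection of a tampered response, and lockout followed by unlock with Pr. The MAC on the sync response is the check to pay attention to: claim 4 has the server send its current working password to the token, so the token must gate acceptance of that field on authenticity; in the patent this role belongs to the encryption and decryption of transmitted information listed for the authentication server side service module and to the key Ke held in the token's memory, which the example stands in for with an HMAC.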
CNB200310111570XA 2003-12-12 2003-12-12 A method and system for dynamic identity authentication Expired - Fee Related CN1323538C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200310111570XA CN1323538C (en) 2003-12-12 2003-12-12 A method and system for dynamic identity authentication

Publications (2)

Publication Number Publication Date
CN1547142A CN1547142A (en) 2004-11-17
CN1323538C true CN1323538C (en) 2007-06-27

Family

ID=34336197

Country Status (1)

Country Link
CN (1) CN1323538C (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI412950B (en) * 2009-06-29 2013-10-21 Hon Hai Prec Ind Co Ltd Document protection system and method thereof

Families Citing this family (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100645401B1 (en) * 2006-05-01 2006-11-15 주식회사 미래테크놀로지 Time Synchronous OTP Generator in Mobile Phone
US8364120B2 (en) * 2006-08-02 2013-01-29 Motorola Mobility Llc Identity verification using location over time information
CN1953452B (en) * 2006-10-24 2011-07-20 中国科学院电工研究所 A method for dynamic certification and authorization for stream media
JP5287712B2 (en) * 2007-03-30 2013-09-11 日本電気株式会社 User authentication control device, user authentication device, data processing device, user authentication control method, etc.
CN101072105B (en) * 2007-05-21 2011-05-11 腾讯科技(深圳)有限公司 Network identity authenticating method and system
CN101159542B (en) * 2007-11-12 2010-06-09 中兴通讯股份有限公司 Method and system for saving and/or obtaining authentication parameter on terminal network appliance
CN101222334B (en) * 2008-01-11 2010-08-04 华中科技大学 A Security Authentication Method of Password Token Using Image Interference
CN101990183B (en) 2009-07-31 2013-10-02 国际商业机器公司 Method, device and system for protecting user information
CN101662769B (en) * 2009-09-22 2012-09-05 钱袋网(北京)信息技术有限公司 Method, mobile terminal, server and system of telephone business authentication
CN101926675B (en) 2009-10-30 2012-08-08 华为技术有限公司 Method, device and system for remotely acquiring physical detection data of user
CN102402746B (en) * 2010-09-09 2016-11-02 财付通支付科技有限公司 A kind of methods, devices and systems of mobile payment security checking
CN102085116B (en) * 2010-12-08 2012-08-15 华中科技大学 Multifunctional remote medical care system based on multi-network fusion
CN102098313B (en) * 2011-03-01 2017-03-15 黄泽鑫 A kind of waterproof wall system and its verification method
CN102098317B (en) * 2011-03-22 2013-12-18 浙江中控技术股份有限公司 Data transmitting method and system applied to cloud system
CN102739719B (en) * 2011-04-13 2016-03-30 中国移动通信集团公司 User profile synchronous method and system thereof
CN102377570B (en) * 2011-11-07 2014-03-12 飞天诚信科技股份有限公司 Method and device for generating dynamic passwords
KR102102179B1 (en) * 2013-03-14 2020-04-21 삼성전자 주식회사 Embedded system, authentication system comprising the same, method of authenticating the system
CN103269483B (en) * 2013-06-03 2015-09-23 上海众人网络安全技术有限公司 A kind of OOAC handset token multi-mode activation system and method
CN104539785B (en) * 2014-08-22 2017-02-01 南京速帕信息科技有限公司 Implementation method of one-key release mobile phone token
CN105516069B (en) * 2014-09-28 2020-10-09 腾讯科技(深圳)有限公司 Data processing method, device and system
US10887103B2 (en) * 2015-02-27 2021-01-05 Feitian Technologies Co., Ltd. Operating method for push authentication system and device
CN107317679B (en) * 2017-06-05 2020-01-31 国政通科技股份有限公司 Method and system for preventing fraud after identity cards are lost
CN107172436B (en) * 2017-06-09 2019-11-26 国政通科技股份有限公司 A kind of method and system of ID card information transmission protection
CN107948156B (en) * 2017-11-24 2021-10-22 郑州云海信息技术有限公司 An identity-based closed key management method and system
CN108989346B (en) * 2018-08-30 2021-03-16 上海同态信息科技有限责任公司 Third-party valid identity escrow agile authentication access method based on account hiding
TWI725352B (en) * 2018-11-05 2021-04-21 緯創資通股份有限公司 Method for authentication and authorization and authentication server using the same
CN110062383A (en) * 2019-04-24 2019-07-26 中国联合网络通信集团有限公司 A kind of authentication method, terminal, certificate server, application server
CN110602700B (en) * 2019-09-23 2023-01-17 飞天诚信科技股份有限公司 Seed key processing method and device and electronic equipment
CN111711628B (en) * 2020-06-16 2022-10-21 北京字节跳动网络技术有限公司 Network communication identity authentication method, device, system, equipment and storage medium
CN113468514A (en) * 2021-06-28 2021-10-01 深圳供电局有限公司 Multi-factor identity authentication method and system in intranet environment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5699507A (en) * 1995-01-17 1997-12-16 Lucent Technologies Inc. Method of identifying similarities in code segments
US6266525B1 (en) * 1998-12-17 2001-07-24 Lucent Technologies Inc. Method for detecting fraudulent use of a communications system
JP2001337929A (en) * 2000-05-26 2001-12-07 Nec Corp Dynamic password control system
CN1086818C (en) * 1999-04-29 2002-06-26 华中理工大学 Method for generating dynamic electronic cipher
CN1394067A (en) * 2001-07-02 2003-01-29 黄金富 Network bank pay system using telephone's incoming display as dynamic encrypting code
JP2003196238A (en) * 2001-12-26 2003-07-11 Fujitsu Ltd Password authentication device and password authentication program

Also Published As

Publication number Publication date
CN1547142A (en) 2004-11-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20070627

Termination date: 20111212