Technical field
The invention relates to the field of information security, and in particular to a dynamic password authentication method and system.
Background
With the development of information technology, information security technology is applied more widely and deeply across many fields. In information security, identity authentication is usually the first key to an information system, and its security receives ever more attention. Accordingly, dynamic password technology for strengthening identity authentication is being applied in more and more fields, especially online banking, online games, telecom operators, e-government and enterprise servers. Dynamic passwords in enterprise applications are also a current hot spot: more and more enterprises and other entities use dynamic passwords to protect their VPNs (Virtual Private Networks), servers and network equipment.
A dynamic password is an unpredictable random combination of digits generated by a dedicated algorithm; each password is valid for a single use. Dynamic passwords are now widely used in online banking, online games, telecom operators, e-government, enterprises and other fields. Dynamic passwords are a safe and convenient anti-theft technology for accounts that effectively protects the authentication of transactions and logins. With dynamic passwords there is no need to change the password periodically, which is secure and convenient, so that system security is guaranteed at the most basic link, password authentication. They address the heavy losses caused by password fraud, prevent malicious intruders and human sabotage, and solve the intrusion problem caused by leaked passwords.
Depending on how the password is generated, the technology can be divided into time-based, event-based and challenge/response-based dynamic passwords. Time-based dynamic passwords are widely used in software tokens. However, a software token currently obtains its time from the local machine, and the local time can be changed manually, so the dynamic password of the next moment can be predicted, which is a security risk.
Summary of the invention
In view of the above problems, the present invention provides an authentication method and system based on software-token dynamic passwords, in which, during the authentication process, the time in the client and the time in the server are each obtained accurately by a satellite timing module. This guarantees the accuracy of the time and thereby improves the security of the user authentication process.
A dynamic password authentication method based on a software token: the client obtains a first time through a built-in first satellite timing module, the server obtains a second time through a built-in second satellite timing module, a first dynamic password and a second dynamic password are then generated in the client and the server respectively based on the first time and the second time, and finally the dynamic password is authenticated in the server. The method specifically includes the following steps:
S1: the client obtains the first time through the built-in first satellite timing module and at the same time sends the identification information that uniquely identifies the user, the obtained first time, and an instruction to obtain the time to the server;
S2: the server obtains the second time through the built-in second satellite timing module, and at the same time looks up the key parameter uniquely associated with the user according to the received identification information;
S3: the client generates the first dynamic password by combining the first time with the key parameter and the algorithm pre-stored in the client and uniquely associated with the user, and sends the first dynamic password to the server;
S4: the server generates the second dynamic password by combining the obtained second time, the key parameter found in S2, and the same algorithm as in the client, pre-stored in the server;
S5: the server compares the generated second dynamic password with the received first dynamic password to complete the authentication of the dynamic password.
Preferably, the satellite timing module consists of a GPS timing chip, a Beidou timing chip, or a Beidou/GPS dual-mode chip.
Preferably, in step S3, the client sends the first dynamic password to the server by manual input, NFC transmission or sound-wave transmission.
Preferably, in step S4, the server generates a second dynamic password set within a preset time window, and the comparison module searches the second dynamic password set for a password identical to the first dynamic password to complete the authentication.
In this technical solution, the times obtained in the client and in the server cannot be fully synchronized, and the time in the server is later than the time in the client. The comparison of dynamic passwords therefore has to search the generated second dynamic password set: if a dynamic password in the second set for the preset time window is identical to the first dynamic password, the comparison succeeds.
Preferably, the preset time window is 2 min (min meaning minutes).
A dynamic password authentication system based on a software token comprises a client and a server, where the client includes at least:
a first satellite timing module, used to obtain the first time in the client;
an information acquisition module, used to obtain the user information uniquely associated with the user;
a first computing module, connected to the satellite timing module, which generates the first dynamic password by combining the first time obtained by the satellite timing module with the key parameter and the algorithm pre-stored in the client;
an information sending module, connected to the first satellite timing module, the information acquisition module and the first computing module respectively, used to send the user information obtained by the information acquisition module and the first dynamic password to the server; after the first satellite timing module has obtained the first time, the information sending module sends an instruction to obtain the time to the server;
and the server includes at least:
an information receiving module, used to receive the user information, the first dynamic password and the instruction to obtain the time sent by the client;
a second satellite timing module, connected to the information receiving module, which obtains the second time in the server as soon as it receives the instruction to obtain the time;
an information lookup module, connected to the information receiving module, which looks up the key parameter uniquely associated with the received user information;
a second computing module, connected to the information lookup module and the second satellite timing module, which generates the second dynamic password by combining the second time, the key parameter found by the information lookup module, and the same algorithm as in the client;
a comparison module, connected to the information receiving module and the second computing module respectively, used to compare the received first dynamic password with the second dynamic password to complete the authentication of the dynamic password.
First, the current time is obtained accurately in the client and in the server through satellite timing modules; then a dynamic password based on the obtained time is generated in the client and in the server respectively; finally the dynamic passwords are compared and authenticated in the server. Obtaining the time from a satellite timing module avoids the security risk to the user that arises when the time is changed manually while the dynamic password is in use, and so improves security.
Preferably, the satellite timing module consists of a GPS timing chip, a Beidou timing chip, or a Beidou/GPS dual-mode chip.
Preferably, the client and the server each further include an NFC module, where the NFC module in the client is connected to the first computing module and the NFC module in the server is connected to the comparison module, and the client sends the first dynamic password to the server through the NFC module.
Preferably, the client further includes a first audio conversion module connected to the first computing module and an audio sending module connected to the first audio conversion module; the first audio conversion module converts the first dynamic password into audio information, and the audio sending module sends the audio information to the server;
and the server further includes an audio receiving module and a second audio conversion module; the audio receiving module receives the audio information sent by the client, and the second audio conversion module, connected to the audio receiving module and the comparison module respectively, converts the received audio information back into the first dynamic password.
Preferably, the client includes a display module connected to the first computing module for displaying the first dynamic password;
and the server includes an input module connected to the comparison module for manually entering the first dynamic password.
The software-token dynamic password authentication method and system provided by the present invention have the following beneficial effects:
1. In the present invention, the time used by the software token is obtained by satellite locators placed in the client and in the server respectively. This guarantees the accuracy of the time and avoids the situation in which the time of a conventional software token is tampered with while in use, which greatly improves the security of software tokens for users;
2. In the present invention, several ways of communicating between the client and the server are provided, including NFC near-field communication, sound-wave transmission and manual input. This improves the flexibility of the system during authentication, and the user can choose according to the actual situation, which is convenient and fast.
Description of drawings
The present invention is described in further detail below in conjunction with the drawings and specific embodiments:
Fig. 1 is a structural block diagram of the software-token dynamic password authentication system of the present invention;
Fig. 2 is a schematic flow chart of the software-token dynamic password authentication method of the present invention.
Detailed description
To illustrate the embodiments of the present invention and the technical solutions of the prior art more clearly, the present invention is described specifically below in conjunction with the drawings and embodiments. The drawings described below are only some embodiments of the invention; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 shows the software-token dynamic password authentication system of the present invention, which comprises a client and a server. Specifically, the client and the server each obtain the accurate current time through a built-in satellite timing module, a dynamic password is then generated in the client and in the server respectively, and finally the dynamic password is authenticated in the server. Before authentication, the same algorithm and key parameter are first stored in the client and in the server, and the key parameter corresponds one-to-one to the user. Of course, the server cannot store only one user's key parameter; for example, the server of the QQ security token stores a key parameter for each QQ number, and the server looks up the key parameter corresponding to the user's QQ number to authenticate the dynamic password.
Specifically, the client includes at least: a first satellite timing module, used to obtain the first time in the client. In a specific embodiment the satellite timing module consists of a GPS timing chip, a Beidou timing chip or a Beidou/GPS dual-mode chip; for example, the satellite timing module may use a GPS timing chip of the UBLOX or M8729 type, or a Beidou/GPS dual-mode chip of the UM220-Ⅲ type. Of course, the present invention does not limit the specific model of the timing chip contained in the satellite timing module; any chip that achieves the purpose of the present invention is included. An information acquisition module, used to obtain the user information uniquely associated with the user, where the specific means of acquisition include keyboard input and the like. A first computing module, connected to the satellite timing module, which generates the first dynamic password by combining the first time obtained by the satellite timing module with the key parameter and the algorithm (for example, the SM3 algorithm) pre-stored in the client. An information sending module, connected to the first satellite timing module, the information acquisition module and the first computing module respectively, used to send the user information obtained by the information acquisition module and the first dynamic password to the server; after the first satellite timing module has obtained the first time, the information sending module sends an instruction to obtain the time to the server.
The server includes at least: an information receiving module, used to receive the user information, the first dynamic password and the instruction to obtain the time sent by the client; a second satellite timing module, connected to the information receiving module, which obtains the second time in the server as soon as the instruction to obtain the time is received (the second satellite timing module in the server is the same as the first satellite timing module); an information lookup module, connected to the information receiving module, which looks up the key parameter uniquely associated with the received user information; a second computing module, connected to the information lookup module and the second satellite timing module, which generates the second dynamic password by combining the second time, the key parameter found by the information lookup module, and the same algorithm as in the client (for example, the SM3 algorithm); and a comparison module, connected to the information receiving module and the second computing module respectively, used to compare the received first dynamic password with the second dynamic password to complete the authentication of the dynamic password.
In a specific embodiment, the client and the server each further include an NFC module; the NFC module in the client is connected to the first computing module, the NFC module in the server is connected to the comparison module, and the client sends the first dynamic password to the server through the NFC module. Specifically, the client includes a mobile phone with a built-in NFC module, in which an NFC chip is installed inside the phone to read tag information. NFC provides short-range information exchange, which not only greatly simplifies the entire authentication and identification process but also enhances the security of the present invention. Furthermore, during transmission of the dynamic password the user can select the NFC data transmission speed in the client, such as 106 kbps, 212 kbps or 424 kbps; once the speed is selected, the NFC module sends the dynamic password to the server at the selected speed.
In another specific embodiment, the client further includes a first audio conversion module connected to the first computing module and an audio sending module connected to the first audio conversion module; the first audio conversion module converts the first dynamic password into audio information and the audio sending module sends the audio information to the server. The server further includes an audio receiving module and a second audio conversion module; the audio receiving module receives the audio information sent by the client, and the second audio conversion module, connected to the audio receiving module and the comparison module respectively, converts the received audio information back into the first dynamic password. Specifically, the first audio conversion module in the client and the second audio conversion module in the server use the same audio conversion technique for the data to be sent and the data received, for example DTMF (Dual-Tone Multi-Frequency). Of course, the method of audio conversion is not specifically limited, as long as it achieves the purpose of the present invention.
In another specific embodiment, the client includes a display module, such as a liquid crystal display, connected to the first computing module for displaying the first dynamic password, and the server includes an input module, such as a keyboard, connected to the comparison module for manually entering the first dynamic password.
Of course, in some special cases the client and the server may be the same device, in which case the dynamic password is transferred by switching between applications.
As shown in Fig. 2, the present invention also provides a dynamic password authentication method based on a software token: the client obtains a first time through a built-in first satellite timing module, the server obtains a second time through a built-in second satellite timing module, a first dynamic password and a second dynamic password are then generated in the client and the server respectively based on the first time and the second time, and finally the dynamic password is authenticated in the server. The method specifically includes the following steps:
S1: the client obtains the first time through the built-in first satellite timing module and at the same time sends the identification information that uniquely identifies the user, the obtained first time, and an instruction to obtain the time to the server;
S2: the server obtains the second time through the built-in second satellite timing module, and at the same time looks up the key parameter uniquely associated with the user according to the received identification information;
S3: the client generates the first dynamic password by combining the first time with the key parameter and the algorithm pre-stored in the client and uniquely associated with the user, and sends the first dynamic password to the server;
S4: the server generates the second dynamic password by combining the obtained second time, the key parameter found in S2, and the same algorithm as in the client, pre-stored in the server;
S5: the server compares the generated second dynamic password with the received first dynamic password to complete the authentication of the dynamic password.
Specifically, in step S1 the satellite timing module consists of a GPS timing chip, a Beidou timing chip or a Beidou/GPS dual-mode chip. In a specific embodiment the satellite timing module may use a GPS timing chip of the UBLOX or M8729 type, or a Beidou/GPS dual-mode chip of the UM220-Ⅲ type; of course, the present invention does not limit the specific model of the timing chip contained in the satellite timing module, and any chip that achieves the purpose of the present invention is included. In addition, the identification information used to identify the user in step S1 includes, but is not limited to, the user name, the user's ID card number and so on; anything that can uniquely identify the user is included in the present invention.
In step S3 the client uses an algorithm, such as the SM3 algorithm, to generate the first dynamic password. Of course, the algorithm for generating the first dynamic password in the client is not specifically limited; any algorithm that achieves the purpose of the present invention is included. In step S4 the server uses the same algorithm as the client to generate the second dynamic password.
In addition, in step S3 the client sends the first dynamic password to the server by manual input, NFC transmission or sound-wave transmission. Specifically, for transmission by manual input the client includes a display module for displaying the first dynamic password and the server includes an input module, such as a keyboard, for entering it; for transmission by NFC it is enough that both the client and the server have an NFC chip; for transmission by sound waves the client and the server each include an audio conversion module for converting between audio signals and digital information. It should be noted that in step S4 the server generates a second dynamic password set within a preset time window, and the comparison module searches the second dynamic password set for a password identical to the first dynamic password to complete the authentication. During authentication the times obtained in the client and in the server cannot be fully synchronized (the first timing module in the client obtains its time first, the client then sends the instruction to the server, and only then does the second timing module in the server obtain its time, so the time in the server is later than the time in the client). The comparison of dynamic passwords therefore has to search the generated second dynamic password set: if a dynamic password in the second set for the preset time window, such as 2 min, is identical to the first dynamic password, the comparison succeeds. Of course, the present invention does not specifically limit the preset window; any value that achieves the purpose of the present invention may be used, such as 1 min or 3 min.
As a complete embodiment, assuming that both the client and the server include an NFC module and both include a GPS locator, the dynamic password authentication process is described in detail below:
The client obtains the identification information that uniquely identifies the user, such as the user name, through an input device such as a keyboard, while the GPS locator in the client obtains the first time. The client then sends the identification information together with the instruction to obtain the time to the server, and at the same time generates the first dynamic password by combining the first time, the key parameter and the SM3 algorithm. On receipt, the server first obtains the second time from its internal GPS locator, then uses the received identification information to look up the associated key parameter, and generates the second dynamic password set from the key parameter and the SM3 algorithm over the preset time window around the obtained second time (within the second time +/- 2 min). Finally, the client and the server establish an NFC connection, the client sends the first dynamic password to the server, and the server compares the received first dynamic password with the second dynamic password set until it finds an identical dynamic password in the set, completing the authentication; if authentication fails, the user is prompted to authenticate again.
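Steps S1 to S5 and the windowed comparison of the complete embodiment above, as an added Python example that is not part of the patent: the key parameters are constructed samples, HMAC-SHA-256 stands in for the SM3-based algorithm the patent names (an assumption, since Python's hashlib does not guarantee SM3), a 30-second password period and 6-digit passwords are assumed because the patent fixes neither, and the satellite-sourced times are passed in as integers.

```python
import hashlib
import hmac
import struct

# Assumptions not fixed by the patent: a 30-second password period, 6-digit
# passwords, and HMAC-SHA-256 in place of the SM3-based algorithm it names.
TIME_STEP = 30
DIGITS = 6
WINDOW_SECONDS = 120  # the patent's preset window: server time +/- 2 min

# Constructed sample key database: the server-side key parameter per user id.
KEY_DB = {
    "alice": b"constructed-key-parameter-for-alice",
    "bob": b"constructed-key-parameter-for-bob",
}


def dynamic_password(key: bytes, t: int) -> str:
    """Derive the dynamic password for key parameter `key` at satellite time `t`."""
    counter = t // TIME_STEP
    tag = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    # Dynamic truncation (RFC 4226 style) keeps the password short enough to
    # type by hand or to carry as DTMF tones.
    offset = tag[-1] & 0x0F
    code = int.from_bytes(tag[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def client_request(user_id: str, key: bytes, t1: int) -> dict:
    """S1 and S3: the client reports its identifier, its satellite time t1,
    and the first dynamic password derived from t1 and its key parameter."""
    return {"user": user_id, "t1": t1, "otp": dynamic_password(key, t1)}


def server_password_set(key: bytes, t2: int) -> set:
    """S4 with the preset window: the second dynamic password set covers
    every period that overlaps t2 - 2 min .. t2 + 2 min."""
    first = (t2 - WINDOW_SECONDS) // TIME_STEP
    last = (t2 + WINDOW_SECONDS) // TIME_STEP
    return {dynamic_password(key, c * TIME_STEP) for c in range(first, last + 1)}


def server_verify(request: dict, t2: int, key_db: dict = KEY_DB) -> bool:
    """S2, S4 and S5: look up the key parameter, build the windowed set from
    the server's own satellite time t2 (the client-reported t1 is not trusted
    for generation), and compare against the received first dynamic password."""
    key = key_db.get(request["user"])
    if key is None:
        return False
    candidates = server_password_set(key, t2)
    # Constant-time comparison against every candidate, so the check neither
    # short-circuits on the first differing digit nor stops at the first hit.
    matched = False
    for candidate in candidates:
        if hmac.compare_digest(candidate, request["otp"]):
            matched = True
    return matched


if __name__ == "__main__":
    t1 = 1_700_000_000  # constructed client satellite time (seconds)
    req = client_request("alice", KEY_DB["alice"], t1)
    print("accepted 5 s later:", server_verify(req, t1 + 5))
    print("accepted 10 min later:", server_verify(req, t1 + 600))
```

A password accepted once should also be recorded and refused on a second presentation within the window, which the patent's single-use property implies but this block does not implement.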
Finally, it should be noted that the software-token dynamic password authentication method and system provided by the present invention are described for the case in which the client and the server each include a satellite timing module. In other embodiments the server need not include a satellite timing module: after the satellite timing module in the client obtains the time, the client sends that time to the server, each side generates a dynamic password using the time it obtained, and the dynamic password is finally authenticated in the server.
Specific embodiments of the invention have been described in detail above, but the present invention is not limited to the specific embodiments described, which serve only as examples. For those skilled in the art, any equivalent modifications and substitutions of the system also fall within the scope of the present invention. Therefore, equivalent changes and modifications made without departing from the spirit and scope of the invention shall all be covered by the scope of the present invention.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510136507.4A (granted as CN104683356B, active) | 2015-03-26 | 2015-03-26 | Dynamic password authentication method and system based on software token |
| Publication Number | Publication Date |
|---|---|
| CN104683356A | 2015-06-03 |
| CN104683356B | 2018-12-28 |
| Country | Link |
|---|---|
| CN (1) | CN104683356B |
| Citing publication | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106790138A* | 2016-12-28 | 2017-05-31 | 山东浪潮云服务信息科技有限公司 | Two-factor verification method for government cloud application user login |
| CN108337258A* | 2018-01-31 | 2018-07-27 | 中电福富信息科技有限公司 | Vehicle remote control method based on a remote actuation code |
| CN110224834A* | 2019-05-24 | 2019-09-10 | 清华大学 | Dynamic-token-based identity authentication method and encryption/decryption terminal |
| CN114666299A* | 2022-04-18 | 2022-06-24 | 北京航天驭星科技有限公司 | Mail receiving and sending method, device, equipment and medium for a satellite measurement, operation and control system |
| Cited publication | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20070046215A* | 2005-06-17 | 2007-05-03 | 주식회사 유비닉스 | A login system and method using a one-time password that can be used for secure financial transactions, and a smart card equipped with the one-time password generation process |
| KR20070059655A* | 2005-12-07 | 2007-06-12 | 주식회사 유비닉스 | Authentication system and authentication method using a one-time password |
| CN201408333Y* | 2009-05-26 | 2010-02-17 | 北京飞天诚信科技有限公司 | Time token using GPS for clock calibration |
| US20130036462A1* | 2011-08-02 | 2013-02-07 | Qualcomm Incorporated | Method and apparatus for using a multi-factor password or a dynamic password for enhanced security on a device |
| CN103152172A* | 2011-12-07 | 2013-06-12 | 中国电信股份有限公司 | Method, client, server and system for mobile token dynamic password generation |
| CN103401689A* | 2013-08-22 | 2013-11-20 | 赵忠华 | Position-information-based dynamic token and encryption method thereof |
| CN103441856A* | 2013-09-06 | 2013-12-11 | 北京握奇智能科技有限公司 | Dynamic password authentication method and device |
| CN104079413A* | 2014-07-14 | 2014-10-01 | 上海众人科技有限公司 | Enhanced one-time dynamic password authentication method and system |
| CN204103936U* | 2014-10-31 | 2015-01-14 | 上海众人科技有限公司 | Dynamic token and dynamic token authentication system |
| CN104394161A* | 2014-12-03 | 2015-03-04 | 上海众人科技有限公司 | Key transmission method and system based on an algorithm reconstruction mechanism |
| Publication | Title |
|---|---|
| US11764966B2 | Systems and methods for single-step out-of-band authentication |
| CN104065653B | Interactive authentication method, device, system and related equipment |
| US10491587B2 | Method and device for information system access authentication |
| CN104065652B | Authentication method, device, system and related equipment |
| US10587614B2 | Method and apparatus for facilitating frictionless two-factor authentication |
| US8606234B2 | Methods and apparatus for provisioning devices with secrets |
| AU2011200445B2 | Method and apparatus for dynamic authentication |
| EP2887615A1 | Cloud-based scalable authentication for electronic devices |
| US20180183777A1 | Methods and systems for user authentication |
| US11025592B2 | System, method and computer-accessible medium for two-factor authentication during virtual private network sessions |
| US8527762B2 | Method for realizing an authentication center and an authentication system thereof |
| US9374360B2 | System and method for single-sign-on in virtual desktop infrastructure environment |
| US20160006743A1 | Bidirectional authorization system, client and method |
| CN105007274A | Mobile terminal-based identity authentication system and method |
| TW201545526A | Method, apparatus, and system for providing a security check |
| CN110278084B | eID establishment method, related equipment and system |
| CN104683357B | Dynamic password authentication method and system based on software token |
| CN104767617A | Message processing method, system and related device |
| CN104063650A | Secret key storage device and application method thereof |
| CN105101199A | Single sign-on authentication method, equipment and system |
| WO2018099407A1 | Account authentication login method and device |
| KR101348079B1 | System for digital signing using portable terminal |
| CN104683356A | Dynamic password authentication method and system based on software token |
| Kim et al. | PUF-based IoT device authentication scheme on IoT open platform |
| CN112565156B | Information registration method, device and system |
| Code | Title | Description |
|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 201203 Pudong New Area, Shanghai, China (Shanghai) free trade pilot area 899 9, 1-4 1-4 story 01 rooms. Applicant after: SHANGHAI PEOPLENET SECURITY TECHNOLOGY Co.,Ltd. Address before: 201821 211 rooms, No. 1411, Yecheng Road, Jiading District, Shanghai. Applicant before: SHANGHAI PEOPLENET SECURITY TECHNOLOGY Co.,Ltd. |
| GR01 | Patent grant | |
| PP01 | Preservation of patent right | Effective date of registration: 2019-12-16. Granted publication date: 2018-12-28 |
| PD01 | Discharge of preservation of patent | Date of cancellation: 2021-03-16. Granted publication date: 2018-12-28 |
| TR01 | Transfer of patent right | Effective date of registration: 2024-10-10. Address after: Room 503, Building 3, No. 6 Xicheng Xi'an North Road, Xinluo District, Longyan City, Fujian Province 364031. Patentee after: Xie Xinyong. Country or region after: China. Address before: 201203 Pudong New Area, Shanghai, China (Shanghai) free trade pilot area 899 9, 1-4 1-4 story 01 rooms. Patentee before: SHANGHAI PEOPLENET SECURITY TECHNOLOGY Co.,Ltd. Country or region before: China |
| TR01 | Transfer of patent right | Effective date of registration: 2024-10-14. Address after: 251705 West of Dashiji East Road, Lizhuang Town, Huimin County, Binzhou City, Shandong Province. Patentee after: Huimin County Haohan Chemical Fiber Rope Net Co.,Ltd. Country or region after: China. Address before: Room 503, Building 3, No. 6 Xicheng Xi'an North Road, Xinluo District, Longyan City, Fujian Province 364031. Patentee before: Xie Xinyong. Country or region before: China |