OTP algorithm-based identity identification code generation and verification method
Technical Field
The invention relates to the field of application software system development, and in particular to a method for generating and verifying an identity identification code based on an OTP (one-time password) algorithm.
Background
With the rapid development of the mobile internet, two-dimensional (QR) codes are very commonly applied to identity recognition scenarios and are widely used in fields such as travel, consumer payment, attendance and access control, and electronic ticketing. A two-dimensional code carries a large amount of information, is easy to produce, costs little and decodes accurately; information can be conveniently encoded into it for transmission and circulation, which makes it suitable for adoption in many application fields. However, as information technology develops, two-dimensional codes also face problems such as information leakage and usage scenarios that are limited by network availability.
The existing common technical schemes are:
1. The client (an APP or H5 application that needs to use an identification code) requests the server interface over the network to generate the corresponding identification code. The identification code is a character string generated by the server, usually containing service information.
2. The client requests identification codes from the server interface in batches over the network and caches them locally; if the network is unavailable, the locally cached identification codes are used directly.
In most existing schemes the client requests the server over the network to generate a code whenever it needs to use an identification code. The identification code is a string generated by the server that uniquely contains the service information. The premise of this method is that the network is available: if the client's network is unavailable, no code-generation request can be made; and because the identification code contains service information, there is a risk of information leakage.
To address information leakage and network unavailability, the prior art also offers some solutions, such as encrypting the identification code, or requesting identification codes in batches and caching them locally while the network is available. Although these solutions address the above problems to some extent, the following problems remain:
1. Once the identification code is encrypted, a conventional bar code scanner cannot read it, and the code cannot be entered manually if the scanning device fails.
2. With batch-requested codes cached locally, the validity period of a code is difficult to determine: too short a validity period generates a large number of useless code-generation requests, while too long a validity period creates the risk that a stolen local code is used illegitimately.
Disclosure of Invention
In view of the above, an object of the present invention is to provide an identity identification code generation and verification method based on an OTP algorithm, which reduces the risk of information leakage to the greatest extent and can be used when the client's network is poor or absent.
The invention is realised by the following scheme. An identity identification code generation and verification method based on an OTP algorithm comprises the following steps:
step S1: after the client logs in successfully, it synchronises time with the server so that the client and server clocks agree;
step S2: the server generates 10 fixed, distinct prime numbers PN, numbered in sequence from 0 to 9, and 10 fixed, distinct OTP keys KEY[ ], likewise numbered in sequence from 0 to 9;
step S3: the client sends a parameter request to the server, and the server obtains the corresponding prime number and key according to the client's UID;
step S4: the client stores the prime number, the key and the serial number NO locally;
step S5: the client generates the identification code;
step S6: having generated the identification code according to steps S1 to S5, the client displays it as a two-dimensional code or bar code; the identification terminal scans the code and uploads the decoded identification code to the server for verification.
Further, obtaining the corresponding prime number and key in step S3 comprises the following steps:
step SA: take the client's UID modulo 10 to obtain a remainder;
step SB: use the remainder as the serial number to look up the prime number PN of that number generated in step S2;
step SC: use the remainder as the serial number to look up the KEY of that number generated in step S2;
step SD: return the prime number PN, the OTP KEY and the serial number NO that were found to the client.
Further, the identification code is generated in step S5 as follows:
generate a 6-digit one-time dynamic password:
P = Totp(K, TC), where K is the OTP KEY and TC is the counter TC = (T - T0) / T1 (integer division); T is the current timestamp, T0 is the start time (normally 0) and T1 is the time interval;
generate a 2-digit random number:
R = Random(2), a 2-digit random number that does not repeat within 1 minute;
identification code PIN = [PN × (P + R) + UID] || NO || R
where || denotes decimal concatenation: the serial number NO and then the 2-digit random number R are appended after the bracketed value.
Further, verifying the received identification code at the server in step S6 comprises the following steps:
step Sa: take the third-from-last digit of the identification code as the serial number NO and, according to NO, obtain the corresponding prime number PN and OTP KEY stored on the server; take the last two digits as the 2-digit random number R;
step Sb: strip the last 3 digits from the identification code PIN and take the remaining digits as the temporary identification code TPIN;
step Sc: obtain the 6-digit one-time dynamic password:
P = TPIN / PN - R (integer division; exact because every UID is smaller than PN);
the server computes the 6-digit one-time dynamic password with the Totp algorithm:
P1 = Totp(K, TC), where K is the OTP KEY and TC is the counter;
compare P1 with P: if they differ, respond to the client with a verification failure; if they are equal, continue with step Sd;
step Sd: compute the client UID: take TPIN modulo the prime number PN; the remainder is the client UID, i.e. UID = TPIN mod PN;
step Se: query the identity information corresponding to the UID obtained in step Sd, and respond to the identification terminal with the identity verification result.
Compared with the prior art, the invention has the following beneficial effects:
(1) The identity identification code of the invention consists purely of digits and contains no plaintext service information, so no specific service meaning can be parsed from it, which reduces the risk of information leakage to the greatest extent.
(2) The identity identification code is generated by the client according to fixed algorithm rules, is not limited by network availability, and can be used when the client's network is poor or absent.
(3) The identity identification code is time-limited and dynamically generated, which reduces the risk of the code being copied, stolen, or maliciously distributed and used to the greatest extent.
(4) The invention takes the cost of use into account: because the identification code is purely numeric, a conventional bar code scanner can read and identify it directly, so no upgrade or retrofit of identification equipment is needed, which reduces cost and facilitates adoption.
Drawings
Fig. 1 is a flowchart of identification code generation according to an embodiment of the present invention.
Fig. 2 is a flowchart illustrating an identification code verification method according to an embodiment of the present invention.
Detailed Description
The invention is further explained below with reference to the drawings and the embodiments.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
As shown in fig. 1, the present embodiment provides an identity code generation and verification method based on an OTP algorithm, which comprises the following steps:
step S1: after the client logs in successfully, it synchronises time with the server so that the client and server clocks agree;
step S2: the server generates 10 fixed, distinct prime numbers PN, numbered in sequence from 0 to 9 (each generated prime must be larger than the total number of members the server needs to identify, so that it exceeds every UID and the UID can be recovered by the modulo operation during verification; for example, if a server has 1,000,000 members to identify, each generated prime is larger than 1,000,000);
the server also generates 10 fixed, distinct OTP keys KEY[ ], numbered in sequence from 0 to 9;
step S3: the client sends a parameter request to the server, and the server obtains the corresponding prime number and key according to the client's UID (a string of digits that uniquely identifies the client, such as a personnel number or an equipment number);
step S4: the client stores the prime number, the key and the serial number NO locally;
step S5: the client generates the identification code;
step S6: having generated the identification code according to steps S1 to S5, the client displays it as a two-dimensional code or bar code; the identification terminal scans the code and uploads the decoded identification code to the server for verification.
Preferably, in this embodiment, the client may be application software (an APP or an H5 page), the identification terminal may be a cash register system, an access control device or the like, and the server side is a program deployed on a server.
In this embodiment, obtaining the corresponding prime number and key in step S3 comprises the following steps:
step SA: take the client's UID modulo 10 (UID mod 10) to obtain a remainder;
step SB: use the remainder as the serial number to look up the prime number PN of that number generated in step S2;
step SC: use the remainder as the serial number to look up the KEY of that number generated in step S2;
step SD: return the prime number PN, the OTP KEY and the serial number NO that were found to the client.
In this embodiment, the identification code is generated in step S5 as follows:
generate a 6-digit one-time dynamic password:
P = Totp(K, TC), where K is the OTP KEY and TC is the counter TC = (T - T0) / T1 (integer division); T is the current timestamp, T0 is the start time (normally 0), and the time interval T1 is chosen by the service (for example 30 seconds or 1 minute);
generate a 2-digit random number:
R = Random(2), a 2-digit random number that does not repeat within 1 minute;
identification code PIN = [PN × (P + R) + UID] || NO || R
where || denotes decimal concatenation: the serial number NO and then the 2-digit random number R are appended after the bracketed value.
Preferably, in this embodiment, an example of identification code generation is as follows:
P = 726835, R = 42, PN = 25478448917, UID = 10003045, NO = 3
PIN = [25478448917 × (726835 + 42) + 10003045] || 3 || 42
= 18519698523445254 || 3 || 42
= 18519698523445254342
(Note that in this example the serial number NO = 3 is not UID mod 10 = 5 as step SA would give; verification is unaffected, because the server looks the prime number up by the NO digit carried in the code rather than by the UID.)
As shown in fig. 2, in this embodiment, verifying the received identification code at the server in step S6 comprises the following steps:
step Sa: take the third-from-last digit of the identification code as the serial number NO and, according to NO, obtain the corresponding prime number PN and OTP KEY stored on the server; take the last two digits as the 2-digit random number R;
step Sb: strip the last 3 digits from the identification code PIN and take the remaining digits as the temporary identification code TPIN;
step Sc: obtain the 6-digit one-time dynamic password:
P = TPIN / PN - R (integer division; exact because every UID is smaller than PN);
the server computes the 6-digit one-time dynamic password with the Totp algorithm:
P1 = Totp(K, TC), where K is the OTP KEY and TC is the counter;
compare P1 with P: if they differ, respond to the client with a verification failure; if they are equal, continue with step Sd;
step Sd: compute the client UID: take TPIN modulo the prime number PN; the remainder is the client UID, i.e. UID = TPIN mod PN;
step Se: query the identity information corresponding to the UID obtained in step Sd, and respond to the identification terminal with the identity verification result.
Preferably, in this embodiment, an example of identification code verification is as follows:
PIN = 18519698523445254342
Applying the verification rules above gives:
NO = 3, random number R = 42, temporary identification code TPIN = 18519698523445254
The corresponding prime number PN (in this example PN = 25478448917) and the corresponding OTP KEY are found from NO = 3.
6-digit one-time password P = TPIN / PN - R
= 18519698523445254 / 25478448917 - 42
= 726877 - 42
= 726835
Using the KEY that was found, compute P1 = Totp(KEY, TC) and compare P1 with P. If they are not equal, the keys of the two parties are inconsistent or the identification code has expired, and verification fails. If they are equal, continue to compute the UID:
UID = TPIN mod PN = 18519698523445254 mod 25478448917 = 10003045
The specific identity information corresponding to this PIN can then be queried by UID.
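The following Python is an added example, not the page's own code, implementing steps S2 to S6 of both the summary and the detailed description above: the prime table of step S2, the lookup of steps SA to SD, composition of the identification code, and the server-side checks Sa to Sd, applied to the generation and verification examples just given. The page does not name a particular OTP construction, so Totp(K, TC) is taken here as RFC 6238 TOTP with HMAC-SHA1; the key table, the one-minute time step and the demo UID are constructed for the example. Two things are additions of this example rather than steps of the page: the verifier accepts a code from the adjacent time step on either side (the usual allowance for clock drift after step S1), and it rejects a code whose recovered UID mod 10 differs from the NO digit carried in the code.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
import struct
import time

DIGITS = 6         # length of the one-time dynamic password P
STEP_SECONDS = 60  # T1; the page leaves the interval to the service
T0 = 0             # start time T0

def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; exact below 3.3e24 with these bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def make_prime_table(member_count: int, count: int = 10) -> list[int]:
    """Step S2: distinct primes PN[0..9], each above the member count so UID < PN."""
    primes, n = [], member_count + 1
    while len(primes) < count:
        if is_prime(n):
            primes.append(n)
        n += 1
    return primes

def totp(key: bytes, t: int, t0: int = T0, t1: int = STEP_SECONDS,
         digits: int = DIGITS) -> int:
    """Totp(K, TC), TC = floor((T - T0) / T1), taken here as RFC 6238 HMAC-SHA1."""
    tc = (t - t0) // t1
    mac = hmac.new(key, struct.pack(">Q", tc), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % 10 ** digits

def lookup(uid: int, primes: list[int], keys: list[bytes]) -> tuple[int, bytes, int]:
    """Steps SA to SD: NO = UID mod 10 selects the prime and the key."""
    no = uid % 10
    return primes[no], keys[no], no

def compose_pin(pn: int, p: int, r: int, uid: int, no: int) -> int:
    """PIN = [PN * (P + R) + UID] || NO || R, with || decimal concatenation."""
    if not 0 <= uid < pn:
        raise ValueError("UID must be below PN, or TPIN mod PN will not return it")
    return (pn * (p + r) + uid) * 1000 + no * 100 + r

def generate_pin(uid: int, pn: int, key: bytes, no: int,
                 t: int | None = None, r: int | None = None) -> int:
    """Step S5 on the client; t and r are parameters only to make it testable."""
    t = int(time.time()) if t is None else t
    r = secrets.randbelow(100) if r is None else r  # Random(2)
    return compose_pin(pn, totp(key, t), r, uid, no)

def split_pin(pin: int) -> tuple[int, int, int]:
    """Steps Sa and Sb: (TPIN, NO, R) from the last three digits."""
    return pin // 1000, (pin // 100) % 10, pin % 100

def verify_pin(pin: int, primes: list[int], keys: list[bytes],
               t: int | None = None, window: int = 1) -> int | None:
    """Server side (Sa to Sd): UID or None; window and NO check are additions."""
    tpin, no, r = split_pin(pin)
    pn, key = primes[no], keys[no]
    p = tpin // pn - r                                   # step Sc
    uid = tpin % pn                                      # step Sd
    t = int(time.time()) if t is None else t
    candidates = [totp(key, t + k * STEP_SECONDS) for k in range(-window, window + 1)]
    if not any(hmac.compare_digest(str(c), str(p)) for c in candidates):
        return None                                      # wrong key or expired
    if uid % 10 != no:                                   # NO must derive from UID
        return None
    return uid

if __name__ == "__main__":
    # Page's example: only the arithmetic; its KEY is not given, and NO=3 does
    # not equal 10003045 mod 10, so verify_pin's NO check would reject it.
    assert compose_pin(25478448917, 726835, 42, 10003045, 3) == 18519698523445254342
    # End to end with constructed tables for one million members.
    primes = make_prime_table(1_000_000)
    keys = [secrets.token_bytes(20) for _ in range(10)]  # constructed KEY[0..9]
    pn, key, no = lookup(123457, primes, keys)
    pin = generate_pin(123457, pn, key, no)
    print(pin, verify_pin(pin, primes, keys))            # ..., 123457
```

Because the same PN and KEY are handed to every client whose UID ends in the same digit (step SA), a valid code proves possession of that group's key together with a claimed UID, not a secret tied to the individual client; the server tables must therefore be protected accordingly, and the UID mod 10 check is a consistency check rather than an authentication of the UID. The arithmetic itself only needs PN to exceed every UID; the page additionally requires PN to be prime, which `make_prime_table` honours.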
Preferably, the identification code provided by this embodiment is a string of digits that uniquely identifies a person or an object in the application software system. The method is based on the OTP algorithm, is time-limited, is purely numeric, and supports offline use without a network. The identification code is a set of digits generated at the client using fixed algorithm rules, and each code is valid only for a limited time (for example, 1 minute). Because the code is generated at the client, no network connection is required. Being purely numeric and time-limited reduces information leakage to the greatest extent, and use without a network is supported. This way of generating and verifying identification codes can be widely applied to identification scenarios such as consumer payment (payment codes), access control and attendance, and electronic ticketing.
The above is only a preferred embodiment of the present invention; all equivalent changes and modifications made in accordance with the claims of the present invention shall be covered by the present invention.