Patent abstract:
METHOD AND DEVICE TO VERIFY DYNAMIC PASSWORD. The present invention relates to a method and a device for verifying a dynamic password. In the method and in the device, some algorithm parameters can be exchanged publicly using a DH algorithm, and thus the same key is shared securely between two entities in order to implement dynamic password verification and further improve the security of identity verification. Furthermore, the method and device can be easy to use. Additionally, with the above technical solution, no message exchange is required between a mobile device and a verification server, and a user does not need to pay for additional data traffic, which decreases the user's burden and verification costs.
Publication number: BR112012004151B1
Application number: R112012004151-7
Filing date: 2010-07-06
Publication date: 2021-05-04
Inventors: Huibao Lin; Zhijian Qian; Xusheng HU; Ruiqiang Liu
Applicant: Tencent Technology (Shenzhen) Company Limited
Main IPC:
Patent description:

FIELD OF THE INVENTION
[0001] The present invention relates to network communication technologies, and more particularly to a method and a device to verify a dynamic password.
BACKGROUND OF THE INVENTION
[0002] Currently, password verification is a common technology for verifying network identity, and generally includes static password verification and dynamic password verification. Compared to a static password, a dynamic password is typically used only once and becomes invalid after being used. In this way, the security of a dynamic password is much greater than that of a static password. A dynamic password can be implemented through hardware or software. A dynamic password implemented through hardware has high security and is easy to use, although it has high costs. Compared to a hardware-implemented dynamic password, a software-implemented dynamic password has less security and is less easy to use, although it has lower costs. Since a personal mobile device, for example a mobile phone or a Personal Digital Assistant (PDA), can be easy to use and has greater security, most dynamic passwords implemented through software are based on the personal mobile device.
[0003] A system for implementing dynamic software password based on a personal mobile device typically includes token software and a verification server. One issue for this type of system to be addressed is how a token seed is securely shared by the token software and the verification server. Here, the token seed is secretly shared by the token software and the verification server, and can cause the token software and the verification server to synchronously generate the same dynamic password.
[0004] In a conventional method, a user can first install token software on a mobile device, then obtain a file containing a token seed and forward the file to the token software. In another method, each token software contains a single token seed, and the user can directly install and use the token seed after downloading the token software; or the mobile device negotiates with the verification server through a series of real-time messages to obtain the token seed.
[0005] As can be seen from the conventional technical solutions above, security cannot be guaranteed. If a hacker obtains the token software during the token software download procedure, the hacker can obtain the token seed, and thus the dynamic password generated using the token seed will be meaningless. If the mobile device does not support the communication network, it will be difficult for the mobile device to exchange messages in real time with the verification server. Furthermore, when the mobile device exchanges messages in real time with the verification server, the user will need to pay for the generated data traffic, which increases the user's burden and verification costs.
SUMMARY OF THE INVENTION
[0006] Examples of the present invention provide a method and a device for verifying a dynamic password. The method and device can enhance the security of identity verification and can be easy to use. Furthermore, with the method and the device, no message exchange is necessary between a mobile device and a verification server, and thus a user does not need to pay for additional data traffic, which reduces the user's burden and verification costs.
[0007] An example of the present invention provides a method to verify a dynamic password, which includes: generating, by a mobile device, an initial code according to the token software, and transmitting the initial code to a verification server via a web page; generating, by the mobile device, a current dynamic password using the Diffie-Hellman (DH) algorithm after the initial code passes verification, and transmitting the current dynamic password to the verification server via a web page; generating, by the verification server, a dynamic password of the verification server according to the received initial code and using the same Diffie-Hellman algorithm as that used by the mobile device; and comparing, by the verification server, the dynamic password of the verification server with the dynamic password generated by the mobile device, and verifying whether the dynamic password generated by the mobile device is correct.
[0008] An example of the present invention provides a device for verifying a dynamic password, which includes: an initial code generation unit, configured on a mobile device and configured to generate an initial code according to the token software, where the initial code is transmitted to the verification server via a web page; a dynamic password generation unit, configured on the mobile device and configured to generate a current dynamic password of the mobile device using a Diffie-Hellman (DH) algorithm after the initial code passes verification, where the current dynamic password is transmitted to the verification server via a web page; and a dynamic password verification unit, configured in the verification server and configured to generate a dynamic password of the verification server according to the received initial code and using the same DH algorithm as that used by the dynamic password generation unit, compare the dynamic password of the verification server with the dynamic password of the mobile device, and verify whether the dynamic password generated by the dynamic password generation unit is correct.
[0009] As can be seen from the above technical solution, the mobile device generates the initial code using the token software and transmits the initial code to the verification server through a web page; when the initial code passes verification, the mobile device generates the current dynamic password using a Diffie-Hellman (DH) algorithm and transmits the current dynamic password to the verification server via a web page; the verification server generates the dynamic password of the verification server according to the received initial code and using the same DH algorithm as that used by the mobile device; and the verification server compares the dynamic password generated by the verification server with the dynamic password transmitted by the mobile device to verify whether the dynamic password generated by the mobile device is correct. The above technical solution can improve the security of identity verification and can be easy to use. Furthermore, through the technical solution, no message exchange is required between the mobile device and the verification server, and the user does not need to pay for additional data traffic, which reduces the user's burden and verification costs.
BRIEF DESCRIPTION OF THE DRAWINGS
[00010] Figure 1 is a flowchart illustrating a method for verifying a dynamic password according to a first example of the present invention.
[00011] Figure 2 is a schematic diagram illustrating the signaling interaction to verify a dynamic password between a mobile device and a verification server according to the first example.
[00012] Figure 3 is a schematic diagram that illustrates the signaling interaction between a mobile device and a verification server, when the verification server generates a challenge strategy according to a specific example.
[00013] Figure 4 is a schematic diagram that illustrates the signaling interaction between a mobile device and a verification server, when the verification server generates a challenge strategy according to another specific example.
[00014] Figure 5 is a schematic diagram illustrating the signaling interaction between a mobile device and a verification server, when the verification server generates a challenge strategy according to another specific example.
[00015] Figure 6 is a schematic diagram illustrating the structure of a mobile device for verifying a dynamic password according to a second example of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
[00016] Examples of the present invention provide a method and a device for verifying a dynamic password. In the method and in the device, some algorithm parameters can be exchanged publicly using a DH algorithm, and thus the same key is securely shared between two entities in order to implement dynamic password verification and further improve the security of identity verification. Also, the method and device can be easy to use. Additionally, through the above technical solution, no message exchange is required between a mobile device and a verification server, and a user does not need to pay for additional data traffic, which decreases the user's burden and verification costs.
[00017] In order to describe the examples of the present invention more clearly, the examples of the present invention are described with reference to the attached drawings. Figure 1 is a flowchart illustrating a method for verifying a dynamic password according to a first example of the present invention. As shown in Figure 1, the method includes the following steps:
[00018] Step 11: An initial code is generated and transmitted to a verification server.
[00019] In this step, a mobile device generates the initial code using the downloaded token software, and transmits the initial code to the verification server via a web page.
[00020] The initial code generated by the mobile device using the token software is composed of a series of numerals and letters, a series of numerals, or a series of letters. Specifically, the initial code can be a DH public key generated by the mobile device, and the DH public key can be obtained in the following way: the mobile device first generates a DH private key using the token software, then generates the DH public key from the DH private key using a DH algorithm.
[00021] Furthermore, the initial code may additionally include the version number information, where the version number information refers to a version number that is hardware-encoded in the mobile device in an initialization procedure.
[00022] In a specific example, the initial code can be represented with a multi-base code. For example, the initial code is represented with a base-32 code. In this way, the number of characters of the initial code to be entered can be shortened, in order to facilitate entering the initial code through a web page.
[00023] Step 12: After the initial code passes verification, a current dynamic password is generated using a DH algorithm and is transmitted to the verification server.
[00024] In this step, after the initial code passes verification, the mobile device generates the current dynamic password using the DH algorithm and transmits the current dynamic password to the verification server via a web page.
[00025] In a specific example, the procedure of verifying the initial code includes: the verification server performs preset algorithm processing on the received initial code and generates an ACK code; the mobile device obtains the ACK code generated by the verification server, and generates an ACK code of the mobile device according to the initial code and using the same algorithm as that used by the verification server; the mobile device compares the ACK code generated by the mobile device with the ACK code generated by the verification server, and checks whether the initial code that was entered is correct. For example, if the ACK code generated by the mobile device is the same as the ACK code generated by the verification server, the entered initial code is correct; otherwise, the entered initial code is incorrect. The preset algorithm processing above can be an algorithm strategy predefined by an operator; for example, the first four characters of the initial code can be set as the ACK code, or the last two characters of the initial code can be set as the ACK code.
[00026] In addition, in the procedure of generating the ACK code by the verification server, the verification server can generate a random series of numerals, perform the preset algorithm processing on the generated random series of numerals and the received initial code to generate a verification code, and generate the ACK code as the combination of the verification code and the generated random series of numerals. In this way, the procedure of verifying the initial code is more secure.
[00027] Or, in the procedure of generating the ACK code by the verification server, the verification server generates a random DH private key, generates a DH public key according to the DH private key using a DH algorithm, performs the preset algorithm processing on the DH public key and the received initial code to obtain a verification code, and generates the ACK code as the combination of the verification code and the DH public key. In this way, the procedure of verifying the initial code is more secure.
[00028] In a specific example, the mobile device causes the token software and the verification server to obtain the same token seed during an initialization procedure, and stores the token seed. In the procedure of generating the dynamic password, the mobile device generates the dynamic password using the token seed and current time. Specifically, the procedure of generating the dynamic password by the mobile device using the DH algorithm includes having the mobile device generate a DH key according to the mobile device's DH private key and using the DH algorithm, generate the token seed according to the DH key and using a Hash algorithm, and store the token seed; the mobile device performs preset algorithm processing for the token seed and current time and generates the current dynamic password. Similarly, preset algorithm processing can be an operator-predefined algorithm strategy. For example, the mobile device performs Hash algorithm processing for the token seed and current time, and takes specific values from a Hash result in order to get the dynamic password.
[00029] Step 13: Verification server generates dynamic verification server password according to received initial code.
[00030] In this step, the verification server can generate the dynamic password of the verification server according to the received initial code and using the same DH algorithm as that used by the mobile device.
[00031] In a specific example, the procedure of generating the dynamic password of the verification server includes: the verification server obtains the DH public key of the mobile device by parsing the received initial code, generates the DH key according to the obtained DH public key, generates the token seed according to the obtained DH key and using the same algorithm as that used by the mobile device, and stores the token seed. Each time a dynamic password is to be generated, the verification server generates the dynamic password of the verification server using the stored token seed and the same algorithm as that used by the mobile device.
[00032] Step 14: The verification server compares the dynamic password generated by the verification server with the dynamic password generated by the mobile device, and verifies that the dynamic password generated by the mobile device is correct.
[00033] In this step, the verification server compares the dynamic password generated by the verification server with the dynamic password generated by the mobile device, and checks whether the dynamic password generated by the mobile device is correct. In a specific example, since there may be a small difference between the time displayed by the mobile device and the time provided by the verification server, it can be pre-established that the dynamic password generated by the mobile device is correct if it is equal to a dynamic password generated by the verification server within a predefined time difference, so as to improve verification reliability.
[00034] In a specific example, the verification server can additionally generate challenge strategies according to different representations of the dynamic password generated by the mobile device, so as to further improve the security of the dynamic password. Specifically, when the mobile device generates, using the DH algorithm, the current dynamic password represented with a series of numerals, the verification server will generate a challenge strategy, and will prompt the mobile device to input specific numerals of the current dynamic password. The mobile device transmits the specific numerals to the verification server via a web page according to the challenge strategy. The verification server checks, according to the challenge strategy, whether the dynamic password generated by the mobile device is correct.
[00035] Besides the representation above, when the mobile device generates, using the DH algorithm, the current dynamic password represented with multiple series of numerals, the verification server will generate a challenge strategy and prompt the mobile device to input a certain series of numerals of the current dynamic password. The mobile device transmits that series of numerals of the current dynamic password to the verification server via a web page according to the challenge strategy. The verification server checks, according to the challenge strategy, whether the dynamic password generated by the mobile device is correct.
[00036] Besides the representations above, when the mobile device generates, using the DH algorithm, the current dynamic password represented with a matrix of numerals, the verification server will generate a challenge strategy and prompt the mobile device to enter the series of numerals corresponding to certain matrix coordinates of the current dynamic password. The mobile device transmits the series of numerals corresponding to those matrix coordinates of the current dynamic password to the verification server via a web page according to the challenge strategy. The verification server checks, according to the challenge strategy, whether the dynamic password generated by the mobile device is correct.
[00037] The technical solution provided by the first example can improve the security of identity verification, and the method can be easy to use. Furthermore, through the above technical solution, no message exchange is required between the mobile device and the verification server, and a user does not need to pay for additional data traffic, which decreases the user's burden and verification costs.
[00038] Figure 2 is a schematic diagram illustrating the signaling interaction to verify the dynamic password between the mobile device and the verification server according to the first example. The signaling interaction, as shown in Figure 2, includes the following steps:
[00039] Step 1): An initialization procedure.
[00040] The verification server determines a Diffie-Hellman global public constant, randomly selects a Diffie-Hellman private key of the verification server, generates a Diffie-Hellman public key of the verification server according to the Diffie-Hellman private key, and hardware-encodes the Diffie-Hellman global public constant and the Diffie-Hellman public key of the verification server in the mobile device. For convenience of management, a version number is assigned to the verification server's Diffie-Hellman public key that is hardware-encoded in the mobile device.
[00041] Step 2): The mobile device generates an initial code. When performing an initialization operation, the mobile device generates the initial code represented with a series of numerals and letters. The initial code is represented as follows: the initial code = the version number + the mobile device's Diffie-Hellman public key, represented with a base-32 code.
[00042] The version number refers to the version number that is hardware-encoded in the mobile device in the initialization procedure. The mobile device's Diffie-Hellman public key is obtained in the following way: the mobile device generates its Diffie-Hellman private key, and generates the Diffie-Hellman public key according to the Diffie-Hellman private key using a DH algorithm.
[00043] In the initialization procedure of step 1), the verification server may also not generate the verification server's private key and public key in advance, not hardware-encode the verification server's public key in the mobile device, and omit the hardware-encoded version number. In that case, the initial code generated by the mobile device can be represented as follows: the initial code = the mobile device's Diffie-Hellman public key, represented with a base-32 code.
[00044] After the initial code is generated as above, it can be represented with a base-32 code, so that it is convenient for a user to input the initial code through a web page. For example, if the base-32 representation is as shown in Table 1, the initial code may be represented with a base-32 code as follows: (14803)10 = (39D3)16 = (EEJ)32.
Table 1
[00045] Naturally, the initial code can be represented with a base-n code, where n is an integer greater than 32, so as to further decrease the number of characters of the initial code to be entered and make the operation more convenient.
[00046] Step 3): The mobile device transmits the generated initial code to the verification server via a web page. In a specific example, the initial code can be entered by a user, or by a designated device according to a strategy.
[00047] Step 4): In order to verify that the received initial code is correct, the verification server generates an ACK code and displays the ACK code to the mobile device. The ACK code can be represented as follows: the ACK code = processing algorithm (the initial code).
[00048] Specifically, preset algorithm processing is performed on the user-entered initial code to obtain a short series of numerals. Here, the preset algorithm processing can be an algorithm strategy predefined by an operator. For example, the first four characters of the initial code can be set as the ACK code, or the last two characters of the initial code can be set as the ACK code. In order to facilitate entering the ACK code, the ACK code is generally defined as a series of four numerals.
[00049] In order to improve security, the procedure of generating the ACK code can be improved. Specifically, the ACK code can be defined as: the ACK code = a random series of numerals of the verification server + a verification code, where the verification code = processing algorithm (the initial code entered by the user + the random series of numerals of the verification server).
[00050] The random series of numerals of the verification server is a series of more than 6 numerals, and is used to increase the security of generating the token seed. The verification code is used to verify the accuracy of the user-entered initial code and the random series of numerals of the verification server, and is usually a series of 2 to 4 numerals.
[00051] Or, the ACK code can be defined as: the ACK code = the verification server's Diffie-Hellman public key, represented with a base-32 code, + the verification code, where the verification code = processing algorithm (the user-entered initial code + the verification server's Diffie-Hellman public key).
[00052] The verification server's Diffie-Hellman public key is obtained as follows: the verification server generates a random Diffie-Hellman private key and then generates the Diffie-Hellman public key using a Diffie-Hellman algorithm.
[00053] Likewise, the verification code is used to verify the accuracy of the initial code entered by the user and the random series of numerals of the verification server, and is usually a series of 2 to 4 numerals.
[00054] Step 5): The generated ACK code is transmitted to the mobile device.
[00055] Step 6): The ACK code is verified and a dynamic password is generated.
[00056] Specifically, the mobile device obtains the ACK code generated by the verification server, generates an ACK code of the mobile device according to the initial code and using the same algorithm as that used by the verification server, and compares the ACK code generated by the mobile device with the ACK code generated by the verification server. If the ACK code generated by the mobile device is not the same as the ACK code generated by the verification server, the ACK code does not pass verification, which indicates that the entered initial code is incorrect, and the procedure is terminated. If the ACK code generated by the mobile device is equal to the ACK code generated by the verification server, the ACK code passes verification, and the mobile device can generate the token seed using the Diffie-Hellman algorithm and generate the current dynamic password.
[00057] Specifically, the procedure for generating the dynamic password is as follows.
[00058] The DH key of the mobile device is generated first. Specifically, the Diffie-Hellman key = Diffie-Hellman algorithm (the mobile device's Diffie-Hellman private key + the verification server's Diffie-Hellman public key that was hardware-encoded in advance). That is, the Diffie-Hellman key is obtained by processing the mobile device's Diffie-Hellman private key and the verification server's hardware-encoded Diffie-Hellman public key according to the Diffie-Hellman algorithm: the two values are taken as the inputs of the Diffie-Hellman algorithm, and the Diffie-Hellman key is its output.
[00059] Then, the token seed = Hash algorithm (the Diffie-Hellman key). That is, the token seed is obtained by processing the Diffie-Hellman key with the Hash algorithm.
[00060] The Hash algorithm above can be a standard Hash algorithm, for example MD5 and SHA256.
[00061] If the verification server generates a random series of numerals in step 4), the mobile device first verifies the verification code to ensure that the initial code and the verification server's random series of numerals exchanged between the mobile device and the verification server are correct. After the verification code passes verification, the algorithm for generating the token seed is modified as follows.
[00062] The token seed = the Hash algorithm (Diffie-Hellman key + random number series from the verification server). That is, the token seed is obtained by performing processing for the Diffie-Hellman key and the verification server's random numeral series according to the Hash algorithm.
[00063] If the verification server generates a DH public key of the verification server in step 4), the mobile device first verifies the verification code to ensure that the initial code and the verification server's Diffie-Hellman public key exchanged between the mobile device and the verification server are correct. After the verification code passes verification, the algorithm for generating the token seed is modified as follows:
[00064] The Diffie-Hellman key = Diffie-Hellman algorithm (the mobile device's Diffie-Hellman private key + the verification server's Diffie-Hellman public key). That is, the Diffie-Hellman key is obtained by processing the mobile device's Diffie-Hellman private key and the verification server's Diffie-Hellman public key received in step 4) according to the Diffie-Hellman algorithm.
[00065] The token seed = Hash algorithm (the Diffie-Hellman key).
[00066] Once the token seed is obtained using any of the above modes, the dynamic password of the mobile device can be generated. The dynamic password can be a series of 6 to 8 numerals.
[00067] Specifically, the dynamic password = processing algorithm (the token seed + the current time). That is, the dynamic password is obtained by applying the processing algorithm to the token seed and the current time.
[00068] Specifically, preset algorithm processing can be performed on the token seed and the current time to obtain a series of numerals. The preset algorithm processing can be an algorithm strategy predefined by an operator. For example, Hash algorithm processing is performed on the token seed and the current time, and the dynamic password is obtained by taking specific values from the Hash result.
[00069] Step 7): The dynamic password generated by the mobile device is transmitted to the verification server via a web page.
[00070] Step 8): Verification server verifies that the dynamic password is correct.
[00071] The verification server obtains the DH public key of the mobile device by parsing the received initial code, and generates the Diffie-Hellman key, which is equal to the Diffie-Hellman key generated by the mobile device in step 6). After generating the Diffie-Hellman key, the verification server generates the token seed and the dynamic password of the verification server using the same algorithms as those used by the mobile device in step 6), compares the dynamic password of the verification server with the dynamic password generated by the mobile device, and verifies whether the dynamic password generated by the mobile device is correct.
[00072] Since there may be a small difference between the time displayed by the mobile device and the time provided by the verification server, it can be pre-established that the dynamic password generated by the mobile device is correct if it is equal to a dynamic password generated by the verification server within a predefined time difference. This time difference can be set to 1~2 minutes, and can be configured by an operator.
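The following Python script is an added example, not code from the patent and not Tencent's implementation. It carries steps 1) to 8) above through end to end, and it also serves paragraph [00044] by implementing the base-32 representation of the initial code. Everything the patent leaves open is an assumption and is marked as such in the code: the 1024-bit MODP group of RFC 2409 stands in for the unspecified "Diffie-Hellman global public constant"; Table 1 is assumed to map the values 0 to 31 to the characters 0-9 and A-V (which reproduces the (14803)10 = (EEJ)32 example); the version number is assumed to be the two characters "01"; the ACK strategy is "the first four characters of the initial code"; the Hash algorithm is SHA-256; the time step is 60 seconds with a tolerance of one step either way; and the six password numerals are taken from the first four bytes of the hash. The functions `run_protocol`, `parse_initial_code`, `server_verify` and the rest are names chosen for this example.

```python
import hashlib
import hmac
import secrets

# Stand-in for the "Diffie-Hellman global public constant" (assumption): the
# 1024-bit MODP group of RFC 2409 with generator 2. Any group shared by both
# sides works for the exchange itself; the group is not fixed by the patent.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
VERSION = "01"      # version number hardware-encoded on the device (assumed: two characters)
TIME_STEP = 60      # one password per minute; the verifier tolerates +/-1 step (1~2 minutes)
DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # assumed content of Table 1: 0-9, then A-V


def to_base32(n):
    """Represent a non-negative integer with the 32-character digit set of Table 1."""
    out = ""
    while True:
        n, r = divmod(n, 32)
        out = DIGITS[r] + out
        if n == 0:
            return out


def from_base32(text):
    n = 0
    for ch in text:
        n = n * 32 + DIGITS.index(ch)   # ValueError on a character outside Table 1
    return n


def dh_keypair(priv=None):
    """DH private key (random unless given) and the public key g^priv mod p."""
    if priv is None:
        priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def make_initial_code(device_pub):
    """Step 2: initial code = version number + base-32 DH public key of the device."""
    return VERSION + to_base32(device_pub)


def parse_initial_code(code):
    """Step 8: recover the device public key, rejecting degenerate values (0, 1, p-1)."""
    if not code.startswith(VERSION):
        raise ValueError("unknown version number")
    pub = from_base32(code[len(VERSION):])
    if not 2 <= pub <= P - 2:
        raise ValueError("invalid DH public key")
    return pub


def ack_code(initial_code):
    """Step 4: operator strategy 'the first four characters of the initial code'."""
    return initial_code[:4]


def token_seed(shared_key):
    """Step 6: token seed = Hash(DH key); SHA-256 here."""
    return hashlib.sha256(shared_key.to_bytes(128, "big")).digest()


def dynamic_password(seed, unix_time):
    """Step 6: six numerals taken from Hash(token seed + current time step)."""
    step = unix_time // TIME_STEP
    digest = hashlib.sha256(seed + step.to_bytes(8, "big")).digest()
    return "%06d" % (int.from_bytes(digest[:4], "big") % 1_000_000)


def server_verify(seed, candidate, unix_time, tolerance=1):
    """Step 8: accept if the password of any step within the tolerance matches."""
    ok = False
    for delta in range(-tolerance, tolerance + 1):
        expected = dynamic_password(seed, unix_time + delta * TIME_STEP)
        ok |= hmac.compare_digest(expected, candidate)   # constant-time comparison
    return ok


def run_protocol(now, device_priv=None, server_priv=None, typed_code=None):
    """Steps 1) to 8). The only 'messages' are what the user types into the web page."""
    server_priv, server_pub = dh_keypair(server_priv)   # step 1: hardware-encoded on device
    device_priv, device_pub = dh_keypair(device_priv)   # step 2
    initial_code = make_initial_code(device_pub)
    typed = initial_code if typed_code is None else typed_code   # step 3: user input
    ack = ack_code(typed)                                # steps 4/5: server shows the ACK
    if not hmac.compare_digest(ack, ack_code(initial_code)):  # step 6: device checks it
        raise ValueError("ACK mismatch: the initial code was entered incorrectly")
    device_seed = token_seed(pow(server_pub, device_priv, P))
    password = dynamic_password(device_seed, now)       # step 7: typed into the web page
    server_seed = token_seed(pow(parse_initial_code(typed), server_priv, P))  # step 8
    return {"initial_code": initial_code, "ack": ack, "password": password,
            "device_seed": device_seed, "server_seed": server_seed,
            "verified": server_verify(server_seed, password, now)}


if __name__ == "__main__":
    result = run_protocol(1_700_000_000)
    print(result["initial_code"][:12] + "...", result["ack"], result["password"], result["verified"])
```

Two points worth noticing when running it. With a 1024-bit group the base-32 public key is about 205 characters long, which is exactly why paragraph [00045] discusses bases larger than 32. And the "first four characters" ACK strategy only detects a typo inside those four characters; a mistake anywhere else leaves the device and the server with different seeds and every later password fails, which is why the variants in [00049] and [00051] compute the verification code over the whole initial code plus a server-chosen value.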
[00073] Furthermore, in the first example, the verification server can generate challenge strategies according to different representations of the dynamic password generated by the mobile device, so as to improve the security of the dynamic password.
[00074] Figure 3 is a schematic diagram illustrating the signaling interaction between a mobile device and a verification server, when the verification server generates a challenge strategy according to a specific example. As shown in Figure 3, the signaling interaction includes the following steps:
[00075] In a first step, the mobile device generates a dynamic password. The dynamic password usually has 6 numerals, for example 528639.
[00076] In a second step, the verification server generates a challenge strategy and prompts the user to input some of the numerals displayed by the mobile device. For example, if the mobile device displays 528639, the verification server generates the challenge prompt "please enter the 1st, 3rd, 5th and 6th numerals". The verification will not succeed unless the user enters "5839".
[00077] In a third step, the user enters the dynamic password as prompted by the verification server.
[00078] In a fourth step, the verification server checks if the dynamic password entered by the user is correct according to the challenge strategy and using the method provided by the first example.
[00079] In a fifth step, a verification result is displayed.
[00080] Figure 4 is a schematic diagram illustrating the signaling interaction between a mobile device and a verification server, when the verification server generates a challenge strategy according to another specific example. As shown in Figure 4, the signaling interaction includes the following steps:
[00081] In a first step, the mobile device generates a dynamic password represented as n rows of digit series instead of a single 6-digit value, for example: 1) 298570 2) 985570 3) 255378 4) 018373.
[00082] In a second step, the verification server generates a challenge strategy and prompts the user to input the digit series of the xth row, for example, "please input the digit series of the 2nd row of the dynamic password".
[00083] In a third step, the user enters the digit series of the xth row according to the prompt of the verification server. For example, if the prompt in the second step is "please input the digit series of the 2nd row of the dynamic password", the user enters "985570".
[00084] In a fourth step, the verification server checks whether the dynamic password entered by the user is correct according to the challenge strategy, using the method provided by the first example.
[00085] In a fifth step, a verification result is displayed.
[00086] Figure 5 is a schematic diagram that illustrates the signaling interaction between a mobile device and a verification server, when the verification server generates a challenge strategy according to another specific example. As shown in Figure 5, the signaling interaction includes the following steps:
[00087] In a first step, the mobile device generates a dynamic password represented as an n * m matrix according to a token seed and the current time, for example a 4 * 4 matrix such as the following:

[00088] In a second step, the verification server generates a challenge strategy and prompts the user to input the digit series corresponding to certain coordinates, for example, "please input the numerals corresponding to A2, C3 and D1".
[00089] In a third step, the user enters the numerals corresponding to the coordinates according to the prompt of the verification server. For example, the user enters "90 89 01" in response to the prompt in the second step.
[00090] In a fourth step, the verification server checks whether the dynamic password entered by the user is correct according to the challenge strategy, using the method provided by the first example.
[00091] In a fifth step, a verification result is displayed.
[00092] With the use of the challenge strategy, dynamic password security can be further improved.
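The key agreement of paragraphs [00071]-[00072] and the three challenge strategies of Figures 3 to 5, as an added Python example that is not part of the patent. It assumes a toy Diffie-Hellman group (p = 2^127 - 1, g = 3), an HMAC-SHA256 derivation of the digits from the token seed and the current period (the patent leaves the "preset algorithm processing" unspecified), a 60-second period with a tolerance of two periods either side, base-32 as the initial-code encoding, and that a coordinate such as A2 names row A and column 2; all function names are my own.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Toy Diffie-Hellman group, constructed for readability: p = 2**127 - 1 is prime and
# g = 3 is an arbitrary base. A real deployment would use a standard large MODP group.
P = 2**127 - 1
G = 3
TIME_STEP = 60   # seconds per password period (assumption)
MAX_DRIFT = 2    # accepted periods either side of now (patent: 1~2 minutes, operator-set)

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def token_seed(priv, peer_pub):
    # Claims 6/7: Diffie-Hellman key from own private key and peer public key, then hashed
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def initial_code(mobile_pub):
    # Claim 4: the initial code carries the mobile DH public key in a 32-base encoding
    return base64.b32encode(mobile_pub.to_bytes(16, "big")).decode()

def parse_initial_code(code):
    return int.from_bytes(base64.b32decode(code), "big")

def dynamic_digits(seed, t, count):
    # Decimal digits from token seed and current period (HMAC-SHA256 derivation, constructed;
    # the patent only says "preset algorithm processing for token seed and current time").
    period = int(t // TIME_STEP)
    out = ""
    for i in range(256):
        mac = hmac.new(seed, struct.pack(">QB", period, i), hashlib.sha256).digest()
        out += "".join(str(b % 10) for b in mac)
        if len(out) >= count:
            return out[:count]
    raise ValueError("count too large")

def password_six(seed, t):               # Figure 3: one 6-digit value such as 528639
    return dynamic_digits(seed, t, 6)

def password_rows(seed, t, n=4):         # Figure 4: n rows of 6 digits
    d = dynamic_digits(seed, t, 6 * n)
    return [d[6 * i:6 * i + 6] for i in range(n)]

def password_matrix(seed, t, n=4, m=4):  # Figure 5: n*m cells of 2 digits
    d = dynamic_digits(seed, t, 2 * n * m)
    return [[d[2 * (r * m + c):2 * (r * m + c) + 2] for c in range(m)] for r in range(n)]

def expected_answer(seed, t, challenge):
    """Answer the server expects for one period; challenge = (kind, parameter)."""
    kind, param = challenge
    if kind == "positions":   # e.g. (1, 3, 5, 6): the 1st, 3rd, 5th and 6th digit
        pw = password_six(seed, t)
        return "".join(pw[i - 1] for i in param)
    if kind == "row":         # e.g. 2: the 2nd row
        return password_rows(seed, t)[param - 1]
    if kind == "cells":       # e.g. ("A2", "C3", "D1"); letter = row, number = column (assumption)
        mat = password_matrix(seed, t)
        return " ".join(mat[ord(c[0]) - 65][int(c[1:]) - 1] for c in param)
    raise ValueError(kind)

def server_verify(server_seed, challenge, user_input, now):
    # Paragraph [00072]: accept a match for any period within the allowed time difference
    for drift in range(-MAX_DRIFT, MAX_DRIFT + 1):
        t = now + drift * TIME_STEP
        if t >= 0 and hmac.compare_digest(expected_answer(server_seed, t, challenge), user_input):
            return True
    return False

def demo(now=1_700_000_000):
    # Mobile: DH key pair; the initial code (carrying the public key) reaches the server via a web page
    m_priv, m_pub = dh_keypair()
    code = initial_code(m_pub)
    # Server: parses the initial code and derives the token seed from its own DH key pair
    s_priv, s_pub = dh_keypair()
    s_seed = token_seed(s_priv, parse_initial_code(code))
    # Mobile: the server public key reaches it inside the ACK code (first example); same seed
    m_seed = token_seed(m_priv, s_pub)
    challenge = ("cells", ("A2", "C3", "D1"))
    user_input = expected_answer(m_seed, now, challenge)   # what the user reads off the phone
    return m_seed == s_seed and server_verify(s_seed, challenge, user_input, now)

if __name__ == "__main__":
    print("verified:", demo())
```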
[00093] With the technical solution provided by the above examples, the dynamic password can be verified, the security of identity verification can be improved, and the method is easy to use. Furthermore, since the initial code, the ACK code and the dynamic password are transmitted to the verification server via a web page, no message exchange is necessary between the mobile device and the verification server, and the user does not need to pay for additional data traffic, which decreases the user burden and the verification costs.
[00094] A second example provides a device for verifying a dynamic password. Figure 6 is a schematic diagram illustrating the structure of the device for verifying a dynamic password. The device includes an initial code generation unit, a dynamic password generation unit and a dynamic password verification unit.
[00095] The initial code generation unit is configured on a mobile device, and is configured to generate an initial code according to the token software, where the initial code is transmitted to a verification server via a web page. The method for generating the initial code and transmitting it to the verification server can refer to the one described in the first example.
[00096] The dynamic password generation unit is configured on the mobile device, and is configured to generate a current dynamic password of the mobile device using a Diffie-Hellman algorithm after the initial code passes verification. The current dynamic password can be transmitted to the verification server via a web page. The method for generating the dynamic password and transmitting it to the verification server can refer to the one described in the first example.
[00097] The dynamic password verification unit is configured on the verification server, and is configured to generate a dynamic password of the verification server according to the received initial code and using the same DH algorithm as that used by the dynamic password generation unit, compare the dynamic password of the verification server with the dynamic password of the mobile device, and check whether the dynamic password of the mobile device generated by the dynamic password generation unit is correct.
[00098] In addition, the above device additionally includes an ACK code generation unit and an ACK code verification unit.
[00099] The ACK code generation unit is configured on the verification server, and is configured to perform algorithm processing on the initial code received by the verification server and generate an ACK code. The method for generating the ACK code can refer to the one described in the first example.
[000100] The ACK code verification unit is configured on the mobile device, and is configured to obtain the ACK code generated by the ACK code generation unit, generate an ACK code of the mobile device according to the initial code generated by the initial code generation unit and using the same algorithm as that used by the ACK code generation unit, compare the ACK code generated by the ACK code verification unit with the ACK code generated by the ACK code generation unit, and verify whether the initial code received by the verification server is correct. The method for performing this check can refer to the one described in the first example.
[000101] It should be noted that the units included in the above device are divided according to their logical functions, but the device is not limited to the above structure as long as the logical functions can be performed. Furthermore, the respective unit names are only used to differentiate the units from each other, and are not used to limit the scope of protection of the present invention.
[000102] Those skilled in the art will understand that all or part of the steps in the method provided by the first example can be implemented by a program instructing hardware, and the program can be stored in a computer-readable memory. The memory includes a ROM/RAM, a disk, a Compact Disk (CD), and so on.
[000103] In short, the technical solution provided by the examples of the present invention can improve the security of identity verification and is easy to use. Furthermore, with the technical solution, no message exchange is required between the mobile device and the verification server, and the user does not need to pay for additional data traffic, which decreases the user burden and the verification costs.
[000104] The foregoing are only preferred embodiments of the present invention, and the scope of protection of the present invention is not limited thereto. Any improvement or replacement that those skilled in the art can make within the technical scope described by the present invention is covered by the protection scope of the invention. Thus, the scope of protection of the present invention should be defined by the embodiments.
Claims (13)
[0001]
1. Method for verifying a dynamic password, comprising the steps of: (11) generating, by a mobile device, an initial code according to token software, and transmitting the initial code to a verification server; (12) generating, by the mobile device, a current dynamic password using a Diffie-Hellman (DH) algorithm after the initial code passes verification, and transmitting the current dynamic password to the verification server; characterized in that it comprises the steps of: (13) obtaining, by the verification server, a Diffie-Hellman public key of the mobile device by analyzing the received initial code, generating the Diffie-Hellman key of the mobile device according to the Diffie-Hellman public key, and generating the dynamic password of the verification server according to the Diffie-Hellman key and using the same Diffie-Hellman algorithm as the one used by the mobile device; and (14) comparing, by the verification server, the dynamic password of the verification server with the dynamic password generated by the mobile device, and verifying whether the dynamic password generated by the mobile device is correct.
[0002]
2. Method according to claim 1, characterized in that the procedure for verifying the initial code comprises: performing, by the verification server, pre-established algorithm processing on the received initial code, and generating an ACK code; obtaining, by the mobile device, the ACK code generated by the verification server, and generating an ACK code of the mobile device according to the initial code and using the same algorithm as that used by the verification server; and comparing, by the mobile device, the ACK code generated by the mobile device with the ACK code generated by the verification server, and checking whether the initial code is correct.
[0003]
3. Method according to claim 2, characterized in that generating, by the verification server, an ACK code comprises one of: generating, by the verification server, a random series of numerals, generating a verification code by performing pre-established algorithm processing on the random series of numerals and the received initial code, and generating the ACK code by combining the verification code and the random series of numerals; and generating, by the verification server, a random DH private key, generating a DH public key according to the DH private key and using the DH algorithm, generating a verification code by performing pre-established algorithm processing on the DH public key and the received initial code, and generating the ACK code by combining the verification code and the DH public key.
[0004]
4. Method according to claim 1, characterized in that transmitting the initial code to a verification server comprises: performing multiband encoding of the initial code, and transmitting the initial code to the verification server through a web page.
[0005]
5. Method according to claim 4, characterized in that the multiband encoding comprises 32-band encoding and n-band encoding, where n is an integer greater than 32.
[0006]
6. Method according to claim 1, characterized in that (12) generating, by the mobile device, a current dynamic password using the Diffie-Hellman algorithm comprises: generating, by the mobile device, a Diffie-Hellman key of the mobile device according to the mobile device's Diffie-Hellman private key and using the Diffie-Hellman algorithm; generating a token seed according to the mobile device's Diffie-Hellman key and using a hash algorithm; and generating the current dynamic password by performing pre-established algorithm processing on the token seed and the current time.
[0007]
7. Method according to claim 6, characterized in that generating the dynamic password of the verification server according to the Diffie-Hellman key and using the same Diffie-Hellman algorithm as the one used by the mobile device comprises: generating the token seed according to the Diffie-Hellman key and using the hash algorithm, and storing the token seed; and generating the dynamic password of the verification server according to the token seed and using the same Diffie-Hellman algorithm as the one used by the mobile device, in each procedure of generating the dynamic password.
[0008]
8. Method according to claim 6, characterized in that the procedure for verifying that the dynamic password generated by the mobile device is correct further comprises the step of: determining that the dynamic password generated by the mobile device is correct if the dynamic password generated by the verification server is equal to the dynamic password generated by the mobile device within a defined time difference.
[0009]
9. Method according to claim 2, characterized in that performing, by the verification server, the pre-established algorithm processing on the received initial code and generating an ACK code comprises: generating, by the verification server, a random series of numerals, and generating a verification code by performing pre-established algorithm processing on the random series of numerals and the received initial code; and generating the ACK code by combining the verification code and the random series of numerals.
[0010]
10. Method according to claim 2, characterized in that performing, by the verification server, the pre-established algorithm processing on the received initial code and generating an ACK code comprises: generating, by the verification server, a Diffie-Hellman private key, and generating a Diffie-Hellman public key according to the Diffie-Hellman private key and using the Diffie-Hellman algorithm; generating a verification code by performing pre-established algorithm processing on the Diffie-Hellman public key and the received initial code; and generating the ACK code by combining the verification code and the Diffie-Hellman public key.
[0011]
11. Method according to claim 1, characterized in that (12) generating, by the mobile device, a current dynamic password using a Diffie-Hellman algorithm and transmitting the current dynamic password to the verification server comprises one of: generating, by the mobile device, the current dynamic password represented as a series of numerals using the Diffie-Hellman algorithm, generating, by the verification server, a challenge strategy, prompting the mobile device to input specific numerals of the current dynamic password, and transmitting, by the mobile device, the specific numerals of the current dynamic password to the verification server through a web page according to the challenge strategy; generating, by the mobile device, the current dynamic password represented as multiple series of numerals using the Diffie-Hellman algorithm, generating, by the verification server, a challenge strategy, prompting the mobile device to input one series of numerals of the current dynamic password, and transmitting, by the mobile device, that series of numerals of the current dynamic password to the verification server via the web page according to the challenge strategy; and generating, by the mobile device, the current dynamic password represented as a matrix of numerals using the Diffie-Hellman algorithm, generating, by the verification server, a challenge strategy, prompting the mobile device to input the series of numerals corresponding to matrix coordinates of the current dynamic password, and transmitting, by the mobile device, the series of numerals corresponding to the matrix coordinates of the current dynamic password to the verification server via the web page according to the challenge strategy.
[0012]
12. Device for verifying a dynamic password, comprising: an initial code generation unit, configured on a mobile device and configured to generate an initial code according to token software, wherein the initial code is transmitted to a verification server; a dynamic password generation unit, configured on the mobile device and configured to generate a current dynamic password of the mobile device using a Diffie-Hellman (DH) algorithm after the initial code passes verification, wherein the current dynamic password is transmitted to the verification server; characterized in that it comprises: a dynamic password verification unit, configured on the verification server and configured to obtain a Diffie-Hellman public key of the mobile device by analyzing the received initial code, generate the Diffie-Hellman key of the mobile device according to the Diffie-Hellman public key, generate the dynamic password of the verification server according to the Diffie-Hellman key and using the same Diffie-Hellman algorithm as the one used by the mobile device, compare the dynamic password of the verification server with the dynamic password generated by the mobile device, and verify whether the dynamic password generated by the mobile device is correct.
[0013]
13. Device according to claim 12, characterized in that it further comprises: an ACK code generation unit, configured on the verification server and configured to perform pre-established algorithm processing on the initial code received by the verification server and generate an ACK code; and an ACK code verification unit, configured on the mobile device and configured to obtain the ACK code generated by the ACK code generation unit, generate an ACK code of the mobile device according to the initial code generated by the initial code generation unit and using the same algorithm as that used by the ACK code generation unit, compare the ACK code generated by the ACK code verification unit with the ACK code generated by the ACK code generation unit, and check whether the initial code received by the verification server is correct.
Patent family:
Publication number | Publication date
MX2012002367A|2012-03-29|
BR112012004151A2|2017-05-30|
HK1144504A1|2011-02-18|
RU2506637C2|2014-02-10|
CN101662465B|2013-03-27|
WO2011023039A1|2011-03-03|
CN101662465A|2010-03-03|
RU2012110323A|2013-10-10|
US20120151566A1|2012-06-14|
US8850540B2|2014-09-30|
Legal status:
2019-01-15| B06F| Objections, documents and/or translations needed after an examination request according [chapter 6.6 patent gazette]|
2020-02-11| B15K| Others concerning applications: alteration of classification|Free format text: THE PREVIOUS CLASSIFICATION WAS: H04L 29/06 Ipc: H04L 9/08 (2006.01), H04L 9/30 (2006.01), H04L 29/ |
2020-02-11| B06U| Preliminary requirement: requests with searches performed by other patent offices: procedure suspended [chapter 6.21 patent gazette]|
2021-04-06| B09A| Decision: intention to grant [chapter 9.1 patent gazette]|
2021-05-04| B16A| Patent or certificate of addition of invention granted|Free format text: TERM OF VALIDITY: 10 (TEN) YEARS COUNTED FROM 04/05/2021, SUBJECT TO THE LEGAL CONDITIONS. |
Priority:
Application number | Filing date | Patent title
CN2009100916214A|CN101662465B|2009-08-26|2009-08-26|Method and device for verifying dynamic password|
CN200910091621.4|2009-08-26|
PCT/CN2010/075009|WO2011023039A1|2009-08-26|2010-07-06|Method and apparatus for dynamic password verification|