Method for updating seeds of dynamic password token
A dynamic password and seed technology, applied in the field of information security, which addresses the problems of token security loopholes, the inability to update seeds, and the lack of a way to change hardware interfaces, with the effect of increasing security.
Active Publication Date: 2011-04-20
FEITIAN TECHNOLOGIES
Problems solved by technology
Among these, one widely used approach is the challenge-response dynamic password system. This method uses a small intelligent security device with buttons, also called a dynamic password token. The token has a built-in security algorithm, and each token is provisioned with a unique seed (the static parameter used to calculate the dynamic password). Usually the token is provided with buttons and a display screen; the buttons serve as the input device for entering challenge codes and the like. The seed is confidential: it is stored inside the token and cannot be read out, and an attacker who cannot obtain the seed cannot forge the user's dynamic password.
[0004] However, there are stil...
Abstract
The invention discloses a method for updating seeds of a dynamic password token. The method comprises the following steps: first, the user performs mutual authentication between the dynamic password token and the server, and the seed in the dynamic password token is updated only if both sides are legal; the server generates a seed update identifier and transmits it to the client; the dynamic password token uses the seed update identifier to generate a temporary seed, authenticates a dynamic password again using the temporary seed, and updates the seed stored inside it if the authentication succeeds; the server likewise updates the seed it stores for that dynamic password token. By updating the seed in the dynamic password token, the invention prevents token manufacturers from knowing the seed in each token, so that security is improved.
Application Domain
Key distribution for secure communication; User identity/authority verification
Technology Topic
Client-side; Mutual authentication
Example Embodiment
[0054] Example 1
[0055] This embodiment provides a method for updating the seed of a dynamic password token, as shown in figure 1. The specific steps are as follows:
[0056] Step 101, the user sends a request for updating the seed in the dynamic password token to the server through the client;
[0057] In this embodiment, the dynamic password token used by the user is a challenge-response dynamic password token fitted with an input device and an output device; preferably, the input device is a keypad and the output device is a display or an audio announcement;
[0058] The user sends the request to update the seed in the dynamic password token through the client. Specifically, the user accesses the server through the browser installed on the client, the server returns the seed-update function page for the dynamic password token through the browser, and the user enters the number of the dynamic password token whose seed needs updating, selects "update seed", and sends the seed-update request to the server;
[0059] In this embodiment, the seed stored in the dynamic password token before the seed update is defined as the initial seed;
[0060] Step 102, the server receives the request to update the seed, generates a first challenge code, and returns the first challenge code to the client;
[0061] In this embodiment, generating the first challenge code by the server may further include: the server looks up the dynamic password token information and the corresponding seed information according to the received dynamic password token number, generates the first challenge code, and determines whether it is the same as the challenge code used in the last dynamic password verification; if it is the same, the server regenerates a challenge code and compares it again with the challenge code used in the last verification; if it is not the same, the server returns the first challenge code to the client;
[0062] Step 103, the client outputs the first challenge code, the user inputs the first challenge code into the dynamic password token, and the dynamic password token generates the first dynamic password according to the initial seed and the first challenge code after receiving the first challenge code;
[0063] In this embodiment, after the dynamic password token generates the first dynamic password, it outputs it on its liquid crystal display; the algorithm by which the dynamic password token generates the first dynamic password may be HMAC-SHA1, MD5, SHA-1, SHA-256, etc.;
[0064] Step 104, the client receives the first dynamic password input by the user, and sends a request for verifying the first dynamic password to the server;
[0065] Step 105, the server receives the request for verifying the first dynamic password together with the first dynamic password and verifies it; if it is legal, execute step 106; if not, return to the client that the first dynamic password is incorrect;
[0066] In this embodiment, when the server verifies the first dynamic password, the server uses the first challenge code and the initial seed to generate the second dynamic password, and compares the second dynamic password with the first dynamic password. If they are the same, the first dynamic password is legal; if they are not the same, the first dynamic password is illegal;
[0067] Wherein, the algorithm that the server generates the second dynamic password is the same as the algorithm that the dynamic password token generates the first dynamic password in step 103;
[0068] Step 106, the server generates the second challenge code, generates the third dynamic password according to the second challenge code and the initial seed, and returns the third dynamic password and the second challenge code to the client; the client outputs the third dynamic password and the second challenge code and waits for the confirmation information sent by the user through the client confirming that the server is legal;
[0069] Step 107, the user inputs the second challenge code into the dynamic password token, the dynamic password token generates and displays the fourth dynamic password according to the second challenge code and the initial seed, and the user compares whether the fourth dynamic password and the third dynamic password are the same; if they are the same, the user inputs through the client the confirmation information confirming that the server is legal, and step 108 is executed; if they are not the same, the server is illegal, and the seed update operation for the dynamic password token is cancelled;
[0070] Wherein, the algorithm that the dynamic password token generates the fourth dynamic password is the same as the algorithm that the server generates the third dynamic password in step 106;
[0071] In this embodiment, step 107 can also be implemented according to another method:
[0072] The user inputs the second challenge code into the dynamic password token, which generates the fourth dynamic password according to the second challenge code and the initial seed; the user then inputs the third dynamic password into the dynamic password token, and the token compares the third and fourth dynamic passwords internally. If they are the same, the third dynamic password is correct and the dynamic password token outputs confirmation information that the server is legal; if they are not the same, the third dynamic password is incorrect and the dynamic password token outputs information that the server is illegal;
[0073] The advantage of using the above method is that the fourth dynamic password will not be exposed;
[0074] Step 108, the server generates a first value, generates a temporary seed for the server according to the first value and the initial seed and saves it, generates a third challenge code, and returns the third challenge code and the first value to the client;
[0075] In this embodiment, the algorithm for generating the first value by the server is kept secret, and only the server can know it, which can be randomly generated. Preferably, the first value and the data length of the initial seed are the same;
[0076] When generating a temporary seed according to the first numerical value and the initial seed, the first numerical value and the initial seed are used as parameters that must be involved in the operation, preferably, the first numerical value and the initial seed can be used to perform XOR to obtain the server-side temporary seed;
[0077] Step 109, the client outputs the third challenge code and the first value;
[0078] Step 110, the user inputs the first value into the dynamic password token; the dynamic password token receives the first value and uses it together with the initial seed to generate the token-side temporary seed by the same algorithm used to generate the temporary seed in step 108, and saves the token-side temporary seed;
[0079] Step 111, the user inputs the third challenge code into the dynamic password token, the dynamic token receives the third challenge code, and uses the dynamic password token terminal temporary seed and the third challenge code to generate the fifth dynamic password;
[0080] Step 112, the user inputs the fifth dynamic password to the client, the client receives the fifth dynamic password, and sends the fifth dynamic password and a request for verifying the fifth dynamic password to the server;
[0081] Step 113, the server verifies the fifth dynamic password, if it is correct, executes step 114, if it is incorrect, returns to the user an error of failure to update the seed;
[0082] In this embodiment, the server verifies the fifth dynamic password as follows: the server generates the sixth dynamic password according to the server-side temporary seed and the third challenge code and compares the fifth dynamic password with the sixth; if they are the same, the fifth dynamic password is correct; if not, the fifth dynamic password is incorrect;
[0083] Step 114, the server replaces the initial seed with the temporary seed of the server, saves the temporary seed of the server as a new seed, and sends the information of the success of updating the seed to the client;
[0084] Step 115, the user enters into the dynamic password token the confirmation information that the server has successfully updated the seed; the dynamic password token receives the confirmation information, replaces the initial seed with the token-side temporary seed, saves the token-side temporary seed as the new seed, and the seed update of the dynamic password token is complete.
[0085] This embodiment provides a method for updating the seed of a dynamic password token, so that after purchasing the token the user can update over the network the seed written by the manufacturer. The seed is then known only to the dynamic password token held by the user and to the server that verifies the dynamic password, which ensures the secrecy of the seed and enhances the security of the user's account. The method is convenient to use and the seed is easily updated.
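The following is an added example, not code from the patent or from its assignee, that simulates steps 101 to 115 of this embodiment end to end: token-to-server authentication with the first challenge, server-to-token authentication with the second challenge (the in-token comparison variant of step 107), derivation of the temporary seed as initial seed XOR first value, verification with the third challenge, and a commit on both sides only after that verification succeeds. The dynamic password function uses HMAC-SHA1, one of the algorithms the embodiment lists; the six-digit truncation, the eight-digit challenge format, the sample seed and the class and method names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

DIGITS = 6  # length of the displayed dynamic password (assumption)


def otp(seed: bytes, challenge: str) -> str:
    """Challenge-response dynamic password for one challenge code.

    HMAC-SHA1 is one of the algorithms the patent lists; truncating the MAC
    to six decimal digits is an assumption made for this example.
    """
    mac = hmac.new(seed, challenge.encode(), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def derive_temp_seed(seed: bytes, first_value: bytes) -> bytes:
    """Steps 108/110: temporary seed = initial seed XOR first value (equal length)."""
    if len(seed) != len(first_value):
        raise ValueError("first value must have the same length as the seed")
    return bytes(a ^ b for a, b in zip(seed, first_value))


class Token:
    """Token side: the seed never leaves the object, only dynamic passwords do."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.temp_seed = None

    def respond(self, challenge: str) -> str:            # steps 103 and 107
        return otp(self.seed, challenge)

    def verify_server(self, challenge: str, third_otp: str) -> bool:
        # step 107, in-token variant: the fourth dynamic password is never displayed
        return hmac.compare_digest(self.respond(challenge), third_otp)

    def receive_first_value(self, first_value: bytes) -> None:   # step 110
        self.temp_seed = derive_temp_seed(self.seed, first_value)

    def respond_with_temp(self, challenge: str) -> str:          # step 111
        return otp(self.temp_seed, challenge)

    def confirm_update(self) -> None:                            # step 115
        self.seed, self.temp_seed = self.temp_seed, None


class Server:
    def __init__(self, seeds: dict):
        self.seeds = dict(seeds)       # token number -> current seed
        self.pending = {}              # token number -> server-side temporary seed
        self.last_challenge = {}       # token number -> challenge issued last time

    def new_challenge(self, token_id: str) -> str:
        # steps 102/106/108: never reuse the challenge of the previous verification
        while True:
            challenge = f"{secrets.randbelow(10 ** 8):08d}"
            if challenge != self.last_challenge.get(token_id):
                self.last_challenge[token_id] = challenge
                return challenge

    def verify(self, token_id: str, challenge: str, code: str, temp: bool = False) -> bool:
        seed = self.pending[token_id] if temp else self.seeds[token_id]  # steps 105 / 113
        return hmac.compare_digest(otp(seed, challenge), code)

    def prove(self, token_id: str, challenge: str) -> str:              # step 106
        return otp(self.seeds[token_id], challenge)

    def issue_first_value(self, token_id: str) -> bytes:                # step 108
        seed = self.seeds[token_id]
        first_value = secrets.token_bytes(len(seed))
        self.pending[token_id] = derive_temp_seed(seed, first_value)
        return first_value

    def commit(self, token_id: str) -> None:                            # step 114
        self.seeds[token_id] = self.pending.pop(token_id)


def update_seed(server: Server, token: Token, token_id: str) -> bool:
    """Steps 101-115 end to end. Returns True only if both sides committed."""
    c1 = server.new_challenge(token_id)
    if not server.verify(token_id, c1, token.respond(c1)):        # token -> server
        return False
    c2 = server.new_challenge(token_id)
    if not token.verify_server(c2, server.prove(token_id, c2)):   # server -> token
        return False
    first_value = server.issue_first_value(token_id)
    c3 = server.new_challenge(token_id)
    token.receive_first_value(first_value)
    if not server.verify(token_id, c3, token.respond_with_temp(c3), temp=True):
        server.pending.pop(token_id, None)    # nothing committed on either side
        token.temp_seed = None
        return False
    server.commit(token_id)
    token.confirm_update()
    return True


if __name__ == "__main__":
    factory_seed = bytes(range(20))           # constructed sample seed, 20 bytes
    tok, srv = Token(factory_seed), Server({"T0001": factory_seed})
    print("updated:", update_seed(srv, tok, "T0001"),
          "seeds match:", tok.seed == srv.seeds["T0001"])
```

The point worth noticing is the ordering: the temporary seed is held in `pending` and `temp_seed` until the third verification passes, so an interrupted or failed run leaves both sides on the old seed, and a server that cannot produce the third dynamic password from the initial seed is rejected before any first value is issued.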
Example Embodiment
[0086] Example 2
[0087] This embodiment provides a method for updating the seed of a dynamic password token, as shown in figure 2. The specific steps are as follows:
[0088] Step 201, the user sends a request for updating the seed in the dynamic password token to the server through the client;
[0089] In this embodiment, the dynamic password token used by the user is a challenge-response dynamic password token fitted with an input device and an output device; preferably, the input device is a keypad and the output device is a display or an audio announcement;
[0090] The user sends the request to update the seed in the dynamic password token through the client. Specifically, the user accesses the server through the browser installed on the client, the server returns the seed-update function page for the dynamic password token through the browser, and the user enters the number of the dynamic password token whose seed needs updating, selects "update seed", and sends the seed-update request to the server;
[0091] In this embodiment, the seed stored in the dynamic password token before the seed update is defined as the initial seed;
[0092] Step 202, the server receives the request to update the seed, generates a first challenge code, and returns the first challenge code to the client;
[0093] In this embodiment, generating the first challenge code by the server may further include: the server looks up the dynamic password token information and the corresponding seed information according to the received dynamic password token number, generates the first challenge code, and determines whether it is the same as the challenge code used in the last dynamic password verification; if it is the same, the server regenerates a challenge code and compares it again with the challenge code used in the last verification; if it is not the same, the server returns the first challenge code to the client;
[0094] Step 203, the client outputs the first challenge code, the user inputs the first challenge code into the dynamic password token, and the dynamic password token generates the first dynamic password according to the initial seed and the first challenge code after receiving the first challenge code;
[0095] In this embodiment, after the dynamic password token generates the first dynamic password, it outputs it on its liquid crystal display; the algorithm by which the dynamic password token generates the first dynamic password may be HMAC-SHA1, MD5, SHA-1, SHA-256, etc.;
[0096] Step 204, the client receives the first dynamic password input by the user, and sends a request for verifying the first dynamic password to the server;
[0097] Step 205, the server receives the request for verifying the first dynamic password together with the first dynamic password and verifies it; if it is legal, execute step 206; if not, return to the client that the first dynamic password is incorrect;
[0098] In this embodiment, when the server verifies the first dynamic password, the server uses the first challenge code and the initial seed to generate the second dynamic password, and compares the second dynamic password with the first dynamic password. If they are the same, the first dynamic password is legal; if they are not the same, the first dynamic password is illegal;
[0099] Wherein, the algorithm that the server generates the second dynamic password is the same as the algorithm that the dynamic password token generates the first dynamic password in step 203;
[0100] Step 206, the server generates a second challenge code, generates a third dynamic password according to the second challenge code and the initial seed, and returns the third dynamic password and the second challenge code to the client; the client outputs the third dynamic password and the second challenge code and waits for the confirmation information sent by the user through the client confirming that the server is legal;
[0101] Step 207, the user inputs the second challenge code into the dynamic password token, the dynamic password token generates and displays the fourth dynamic password according to the second challenge code and the initial seed, and the user compares whether the fourth dynamic password and the third dynamic password are the same; if they are the same, the user enters through the client the confirmation information confirming the validity of the server, and step 208 is executed; if they are not the same, the server is not valid, and the seed update operation for the dynamic password token is cancelled;
[0102] Wherein, the algorithm that the dynamic password token generates the fourth dynamic password is the same as the algorithm that the server generates the third dynamic password in step 206;
[0103] In this embodiment, step 207 can also be implemented according to another method:
[0104] The user inputs the second challenge code into the dynamic password token, which generates the fourth dynamic password according to the second challenge code and the initial seed; the user then inputs the third dynamic password into the dynamic password token, and the token compares the third and fourth dynamic passwords internally. If they are the same, the third dynamic password is correct and the dynamic password token outputs confirmation information that the server is legal; if they are not the same, the third dynamic password is incorrect and the dynamic password token outputs information that the server is illegal;
[0105] The advantage of using the above method is that the fourth dynamic password will not be exposed;
[0106] Step 208, the server generates a random number R, generates the server-side temporary seed from the random number R according to a preset algorithm and saves it, generates a third challenge code, returns the random number R and the third challenge code to the client, and issues an instruction to verify the dynamic password again;
[0107] In this embodiment, the preset algorithm can be any cryptographic algorithm, such as HMAC-SHA1, MD5, SHA-1, SHA-256, etc. For example, an 8-digit random number 12345678 is generated, a digest of the random number is computed with the MD5 algorithm, giving the hash value 25D55AD283AA400AF464C76D713C07AD, and a fixed number of digits of the hash value is taken as the server-side temporary seed;
[0108] When the server uses the preset algorithm to generate the server-side temporary seed, additional parameters can be included to increase security, such as a time factor and an event factor. For example, a timer can be added to the token; when generating the server-side temporary seed, the current time is combined with the random number R and the server-side temporary seed is then calculated according to the preset algorithm. The event factor can be the number of dynamic passwords the dynamic password token has generated. This prevents an attacker who intercepts the random number R in transit over the network from calculating the user's seed;
[0109] Step 209, the client outputs the random number R and the third challenge code;
[0110] Step 210, the user inputs the random number R to the dynamic password token, and after the dynamic password token receives the random number R, the dynamic password token terminal temporary seed is generated using the same algorithm as the temporary seed generated by the server in step 208, and saved;
[0111] Step 211, the user inputs the third challenge code into the dynamic password token, and after the dynamic password token receives the third challenge code, the dynamic password token terminal temporary seed and the third challenge code are used to generate the fifth dynamic password;
[0112] Step 212, the user inputs the fifth dynamic password to the client, the client receives the fifth dynamic password, and sends the fifth dynamic password and a request for verifying the fifth dynamic password to the server;
[0113] Step 213, the server verifies the fifth dynamic password, if it is correct, executes step 214, if it is incorrect, returns to the user an error of failure to update the seed;
[0114] In this embodiment, the server verifies the fifth dynamic password as follows: after receiving the fifth dynamic password, the server generates the sixth dynamic password from the server-side temporary seed and the third challenge code using the same algorithm the dynamic password token used to generate the fifth dynamic password in step 211, and compares the fifth dynamic password with the sixth; if they are the same, the fifth dynamic password is correct; if not, it is incorrect;
[0115] Step 214, the server replaces the initial seed with the temporary seed of the server, saves the temporary seed of the server as a new seed, and sends the information of the success of updating the seed to the client;
[0116] Step 215, the user inputs into the dynamic password token the confirmation information that the server has successfully updated the seed; the dynamic password token receives the confirmation information, replaces the initial seed with the token-side temporary seed, saves the token-side temporary seed as the new seed, and the seed update of the dynamic password token is complete.
[0117] The method for updating the seed of a dynamic password token provided by this embodiment overcomes a problem of traditional dynamic password technology: the seed is written by the dynamic password token producer, and because the producer knows the seed of each dynamic password token, the dynamic password carries a security risk. The method therefore provides stronger security.
Example Embodiment
[0118] Example 3
[0119] This embodiment provides a method for updating the seeds of a dynamic password token. In the dynamic password token provided by this embodiment, multiple seeds are stored in the token together with a list corresponding to them, called the seed list in this embodiment, which is written when the dynamic password token is produced or initialized. When the dynamic password token leaves the factory, one of the multiple seeds is used to calculate the dynamic password; this seed is defined as the initial seed. The same seed list is also stored on the server side for the dynamic password token of that number. As shown in figure 3, the steps are as follows:
[0120] Step 301, the user sends a request for updating the seed in the dynamic password token to the server through the client;
[0121] In this embodiment, the dynamic password token used by the user is a challenge-response dynamic password token fitted with an input device and an output device; preferably, the input device is a keypad and the output device is a display or an audio announcement;
[0122] The user sends the request to update the seed in the dynamic password token through the client. Specifically, the user accesses the server through the browser installed on the client, the server returns the seed-update function page for the dynamic password token through the browser, and the user enters the number of the dynamic password token whose seed needs updating, selects "update seed", and sends the seed-update request to the server;
[0123] Step 302, the server receives the request to update the seed, generates a first challenge code, and returns the first challenge code to the client;
[0124] In this embodiment, generating the first challenge code by the server may further include: the server looks up the dynamic password token information and the corresponding seed information according to the received dynamic password token number, generates the first challenge code, and determines whether it is the same as the challenge code used in the last dynamic password verification; if it is the same, the server regenerates a challenge code and compares it again with the challenge code used in the last verification; if it is not the same, the server returns the first challenge code to the client;
[0125] Step 303, the client outputs the first challenge code, the user inputs the first challenge code into the dynamic password token, and the dynamic password token generates the first dynamic password according to the initial seed and the first challenge code after receiving the first challenge code;
[0126] In this embodiment, after the dynamic password token generates the first dynamic password, it outputs it on its liquid crystal display; the algorithm by which the dynamic password token generates the first dynamic password may be HMAC-SHA1, MD5, SHA-1, SHA-256, etc.;
[0127] Step 304, the client receives the first dynamic password input by the user, and sends a request for verifying the first dynamic password to the server;
[0128] Step 305, the server receives the request for verifying the first dynamic password together with the first dynamic password and verifies it; if it is legal, execute step 306; if not, return to the client that the first dynamic password is incorrect;
[0129] In this embodiment, when the server verifies the first dynamic password, the server uses the first challenge code and the initial seed to generate the second dynamic password, and compares the second dynamic password with the first dynamic password. If they are the same, the first dynamic password is legal; if they are not the same, the first dynamic password is illegal;
[0130] Wherein, the algorithm that the server generates the second dynamic password is the same as the algorithm that the dynamic password token generates the first dynamic password in step 303;
[0131] Step 306, the server generates the second challenge code, generates the third dynamic password according to the second challenge code and the initial seed, and returns the third dynamic password and the second challenge code to the client; the client outputs the third dynamic password and the second challenge code and waits for the confirmation information sent by the user through the client confirming that the server is legal;
[0132] Step 307, the user inputs the second challenge code into the dynamic password token, the dynamic password token generates and displays the fourth dynamic password according to the second challenge code and the initial seed, and the user compares whether the fourth dynamic password and the third dynamic password are the same; if they are the same, the user enters through the client the confirmation information confirming the validity of the server, and step 308 is executed; if they are not the same, the server is not valid, and the seed update operation for the dynamic password token is cancelled;
[0133] Wherein, the algorithm that the dynamic password token generates the fourth dynamic password is the same as the algorithm that the server generates the third dynamic password in step 306;
[0134] In this embodiment, step 307 can also be implemented according to another method:
[0135] The user inputs the second challenge code into the dynamic password token, which generates the fourth dynamic password according to the second challenge code and the initial seed; the user then inputs the third dynamic password into the dynamic password token, and the token compares the third and fourth dynamic passwords internally. If they are the same, the third dynamic password is correct and the dynamic password token outputs confirmation information that the server is legal; if they are not the same, the third dynamic password is incorrect and the dynamic password token outputs information that the server is illegal;
[0136] The advantage of using the above method is that the fourth dynamic password will not be exposed;
[0137] Step 308, the server randomly selects a seed from the seed list as the temporary seed for generating the dynamic password, generates a third challenge code, returns the number of the temporary seed and the third challenge code to the client, and issues an instruction to verify the dynamic password again;
[0138] Among them, the temporary seed and the initial seed cannot be the same;
[0139] Step 309, the client outputs the number of the temporary seed and the third challenge code;
[0140] Step 310, the user inputs the number of the temporary seed into the dynamic password token; after receiving the number, the dynamic password token looks up the corresponding seed in its seed list and uses the seed with that number as the temporary seed for calculating the dynamic password on the token side;
[0141] Step 311, the user inputs the third challenge code into the dynamic password token, and after the dynamic password token receives the third challenge code input by the user, uses the temporary seed and the third challenge code to generate and output the fifth dynamic password;
[0142] Step 312, the user inputs the fifth dynamic password to the client, and after receiving the fifth dynamic password, the client sends the fifth dynamic password and a request for verifying the fifth dynamic password to the server;
[0143] Step 313, the server verifies the fifth dynamic password, if it is correct, executes step 314, if it is incorrect, returns to the user an error of failure to update the seed;
[0144] In this embodiment, the server verifies the fifth dynamic password as follows: after receiving the fifth dynamic password, the server generates the sixth dynamic password from the temporary seed and the third challenge code using the same algorithm the dynamic password token used to generate the fifth dynamic password in step 311, and compares the fifth dynamic password with the sixth; if they are the same, the fifth dynamic password is correct; if not, it is incorrect;
[0145] Step 314, the server sets the temporary seed as the new seed, and uses the new seed as the default seed for calculating the dynamic password in the future, and sends information that the update seed is successful to the client;
[0146] Step 315, the user inputs into the dynamic password token the confirmation information that the server has successfully updated the seed; after receiving it, the dynamic password token uses the temporary seed as the default seed for subsequent dynamic password calculations, and the seed update of the dynamic password token is complete.
[0147] In the method for updating the seed of a dynamic password token provided by this embodiment, a seed list holding multiple seeds is installed on both the dynamic password token and the server, and after the user purchases the dynamic password token, the seed used to calculate the dynamic password is reselected from the list. This overcomes the disadvantage of the traditional technology that the dynamic password token producer knows the seed information in the token, which may lead to insecurity.
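As an added example covering the temporary-seed derivations of Example 2 (steps 208 and 210, with the optional time and event factors of [0108]) and Example 3 (steps 308, 310 and 315), the code below is not from the patent or its assignee. It reproduces the page's worked value (MD5 of the 8-digit random number 12345678) and shows why a random number R intercepted on the network is not enough to compute the temporary seed once a time or event factor is mixed in. The way the factors are concatenated before hashing, the 16-byte seed length, the rejection of a seed number equal to the initial one on the token side, and all class and function names are assumptions of this example.

```python
import hashlib
import secrets
from typing import List, Optional

SEED_LEN = 16  # bytes of the digest kept as the temporary seed (assumption)


def generate_r() -> str:
    """Step 208: an 8-digit random number R, in the format of the page's 12345678."""
    return f"{secrets.randbelow(10 ** 8):08d}"


def temp_seed_from_r(r: str, alg: str = "md5", time_factor: Optional[int] = None,
                     event_counter: Optional[int] = None) -> bytes:
    """Embodiment 2: temporary seed = fixed-length prefix of digest(R [+ factors]).

    alg is one of the algorithms the patent lists; MD5 is the default only
    because it reproduces the page's worked value (SHA-256 is the stronger
    choice). Appending the optional time and event factors as decimal strings
    before hashing is an assumption of this example; both sides must agree on it.
    """
    material = r
    if time_factor is not None:
        material += f"|{time_factor}"        # [0108] time factor from the token's timer
    if event_counter is not None:
        material += f"|{event_counter}"      # [0108] event factor: passwords generated so far
    return hashlib.new(alg, material.encode()).digest()[:SEED_LEN]


def select_seed_number(seed_list: List[bytes], initial_number: int) -> int:
    """Embodiment 3, step 308: pick a seed number from the list, never the initial one."""
    candidates = [i for i in range(len(seed_list)) if i != initial_number]
    if not candidates:
        raise ValueError("the seed list must contain at least two seeds")
    return secrets.choice(candidates)


class SeedListToken:
    """Embodiment 3 token side: the list is written at production, steps 310 and 315 select."""

    def __init__(self, seed_list: List[bytes], initial_number: int):
        self.seed_list = list(seed_list)
        self.current = initial_number   # number of the seed in use (initial seed at first)
        self.temp = None                # number of the temporary seed, until confirmed

    def receive_seed_number(self, number: int) -> None:          # step 310
        # [0138]: the temporary seed must differ from the initial seed
        if not 0 <= number < len(self.seed_list) or number == self.current:
            raise ValueError("invalid temporary seed number")
        self.temp = number

    def seed(self) -> bytes:
        """Seed used for the next dynamic password: temporary if one is pending."""
        return self.seed_list[self.temp if self.temp is not None else self.current]

    def confirm_update(self) -> None:                            # step 315
        if self.temp is None:
            raise ValueError("no temporary seed selected")
        self.current, self.temp = self.temp, None


if __name__ == "__main__":
    print(temp_seed_from_r("12345678").hex().upper())            # page's MD5 value
    print(temp_seed_from_r("12345678", time_factor=1300000000, event_counter=7).hex())
    seeds = [bytes([i]) * 20 for i in range(4)]                  # constructed seed list
    tok = SeedListToken(seeds, initial_number=0)
    tok.receive_seed_number(select_seed_number(seeds, 0))
    tok.confirm_update()
    print("token now uses seed number", tok.current)
```

With the default arguments the first call returns the digest quoted in [0107]; adding the factors changes the result, which is the property [0108] relies on: the factors never travel with R, so seeing R alone does not give the temporary seed. For Example 3 the only secret material is the pre-shared list, and the number sent in step 309 is meaningless without it.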