A method for protecting account security based on asynchronous dynamic password technology

Abstract

The invention provides a method for protecting account security based on an asynchronous dynamic password technology. The method is characterized by including the steps that a user and a service provider agree on the encryption mode of challenge codes and the calculation formula of dynamic codes; after a log-in request of the user is verified successfully, an authentication server generates the challenge code A, the challenge code B and the dynamic code C, the challenge code A is encrypted to obtain the challenge code B, and the challenge code A is calculated through the calculation formula to obtain the dynamic code C; the authentication server sends a feedback message containing the challenge code B to a mobile phone of the user; the user decrypts the challenge code B according to the encryption mode and then substitutes the decrypted challenge code B into the calculation formula to obtain the dynamic code D; the user inputs the dynamic code D and an account name in the log-in interface on the client side to log in. A system is high in reliability, the secrecy degree for transmitting the challenge codes and other information is high, leakage of code information of the user can be effectively avoided, and moreover user operation is safe and reliable.

Description

technical field [0001] The invention relates to the operation and application technology combining short message transmission and computer database, in particular to a method for protecting account security based on asynchronous dynamic password technology. Background technique [0002] At present, the known mobile phone dynamic password and asynchronous dynamic password technologies mainly have the following methods: [0003] The first one is the asynchronous dynamic password technology, also called the challenge-response method. As the name implies, the identity authentication system based on the challenge / response method means that the authentication server sends a different "challenge" string to the client every time the authentication is performed, and the client program After receiving the "challenge" word string, make a corresponding "response", a system developed by this mechanism. The verification steps are: 1. Enter the application login interface, enter the accou...

AI Technical Summary

Problems solved by technology

Its disadvantages are: the dynamic password is sent in clear text, does not have confidentiality, cannot prevent criminals from using phishing websites to swindle attacks, and cannot prevent criminals from using mobile Trojan horses such as "Stealth Thief" to intercept and forward the dynamic password used by users to log in. It is also impossible to prevent the "renewal card attack" of criminals, that is, to report the loss of the user's mobile phone card maliciously through the user information obtained in advance, and to reissue the user's mobile phone card to defraud the user's dynamic password

Its disadvantages are: the dynamic password is sent in plain text, which does not have confidentiality. The identification code is sent in plain text before the user logs in, which gives the criminals time to put the identification code into the phishing website, and the user cannot effectively judge the authenticity of the server. It is impossible to prevent criminals from using mobile phone Trojan horses such as "Stealth Thief" to intercept and forward the dynamic passwords used by users to log in to invade users' accounts

[0007] The above-mentioned methods can neither prevent "replacement card attack" and hacking Trojan attack, nor prevent criminals from using phishing websites to defraud users, and the security of accounts cannot be guaranteed.

Images