[0040] In order to make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be described clearly and completely in conjunction with the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are a part of the embodiments of the present invention, not all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative work fall within the protection scope of the present invention.
[0041] The embodiment of the present invention provides a two-way identity authentication method based on a dynamic password, see Figure 1. The method includes:
[0042] Step 101: The application unit receives an externally input user ID and a first dynamic password;
[0043] Step 102: The application unit sends the user ID, the first dynamic password, and pre-stored verification information for verifying the application unit to the authentication unit;
[0044] Step 103: The authentication unit receives the user ID, the first dynamic password and the verification information;
[0045] Step 104: The authentication unit verifies the first dynamic password according to the user ID;
[0046] Step 105: After the first dynamic password is verified, the authentication unit performs identity verification on the application unit according to the verification information. If the verification is passed, steps 106, 107, 108, and 109 are executed in sequence; if it is not passed, go to step 110;
[0047] Step 106: The authentication unit generates a second dynamic password according to the user ID;
[0048] Step 107: The authentication unit sends the second dynamic password to the application unit;
[0049] Step 108: The application unit receives the second dynamic password;
[0050] Step 109: The application unit outputs the second dynamic password;
[0051] Step 110: The authentication unit does not generate a second dynamic password.
[0052] Through the method provided by the above-mentioned embodiment, the authentication unit generates the second dynamic password only after the application unit has passed its identity verification, and the generated second dynamic password is output to the user, so that the user can verify the application unit, which improves the security of the application system.
[0053] The application unit in this embodiment may be a website, application software, application server, etc., and the authentication unit in this embodiment may be an authentication server, authentication software, authentication module, etc.
[0054] In step 109, the application unit may display the second dynamic password, or output it through a voice signal. After the user learns the second dynamic password, the user compares it with the verification dynamic password used to verify the second dynamic password on the user's own dynamic password terminal. If they are the same, it proves that the application unit has passed the verification of the authentication unit and that the application unit is safe, which avoids phishing websites and other network dangers. The first dynamic password and the verification dynamic password for verifying the second dynamic password are both in the same dynamic password terminal. The user's dynamic password terminal can be in the form of hardware, an APP (application software), and so on.
[0055] In the above embodiment, the authentication unit informs the user that the application unit has passed the verification by means of a dynamic password, which prevents an application unit that has not passed the verification from outputting a false verification message to the user. For example, if the authentication unit informs the user that the authentication is passed through a text message, an application unit that has not passed the authentication can easily forge a text message to inform the user that the authentication is passed; if a dynamic password is used to inform the user, it is difficult for an application unit that has not passed the authentication to forge it, which improves the security of the application system.
[0056] In a possible implementation manner, step 104 includes step 1041, step 1042, and step 1043, which are not shown in the figure:
[0057] Step 1041: The authentication unit determines the seed of the first verification dynamic password according to the user ID and the preset correspondence between the user ID and the seed of the first verification dynamic password;
[0058] Step 1042: The authentication unit generates a first verification dynamic password through a hash algorithm according to the seed of the first verification dynamic password and the time;
[0059] Step 1043: The authentication unit judges whether the first verification dynamic password is the same as the first dynamic password. If yes, the verification is passed and step 105 is executed; otherwise, the verification fails, and the authentication unit sends a verification failure message to the application unit, so that the application unit outputs the verification failure message.
[0060] In step 106, the authentication unit generates a second dynamic password according to the user ID, including steps 1061 and 1062 not shown in the figure:
[0061] Step 1061: The authentication unit determines the second seed of the second dynamic password according to the user ID and the preset correspondence between the user ID and the seed of the second dynamic password;
[0062] Step 1062: The authentication unit generates the second dynamic password through a hash algorithm according to the second seed and time.
[0063] The S7 includes:
[0064] The application unit outputs the second dynamic password, so that the external party verifies the second dynamic password according to the second verification dynamic password in the dynamic password terminal, wherein the first dynamic password and the second verification dynamic password are both in the dynamic password terminal.
[0065] For example, the external verification of the second dynamic password according to the second verification dynamic password in the dynamic password terminal specifically includes: obtaining the second dynamic password output by the application terminal and the second verification dynamic password in the dynamic password terminal; comparing the second dynamic password and the second verification dynamic password; if they are the same, the verification is passed, otherwise the verification fails.
[0066] In addition, step 105 further includes: if the verification is passed, the authentication unit sends the verification additional information to the application unit, so that the application unit outputs the verification additional information, wherein the verification additional information includes: the identification information of the application unit.
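The flow of steps 101 to 110, with sub-steps 1041 to 1043 and 1061 to 1062 and the user-side comparison, can be sketched as follows. This is an added example, not code from the patent: the page only says "a hash algorithm according to the seed and time", so the HMAC-SHA1 construction with a 30-second step (RFC 6238 style), the shared-secret form of the verification information, and all names and sample values are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # assumed time-step length in seconds; the page only says "time"

def dynamic_password(seed: bytes, now: float, digits: int = 6) -> str:
    """Hash of (seed, time counter), truncated to digits (RFC 6238 style, assumed)."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class AuthenticationUnit:
    def __init__(self, users, app_secrets):
        self.users = users              # user ID -> (first seed, second seed)
        self.app_secrets = app_secrets  # app ID -> verification information (assumed secret)

    def authenticate(self, user_id, first_otp, app_id, verification_info, now):
        seeds = self.users.get(user_id)
        # Steps 1041-1043: look up the first seed, recompute, compare.
        if seeds is None or not hmac.compare_digest(
                dynamic_password(seeds[0], now), first_otp):
            return {"user_verified": False, "second_otp": None}
        # Step 105: verify the application unit itself.
        expected = self.app_secrets.get(app_id, b"")
        if not expected or not hmac.compare_digest(expected, verification_info):
            return {"user_verified": True, "second_otp": None}  # step 110
        # Steps 1061-1062: second seed + time -> second dynamic password.
        return {"user_verified": True, "second_otp": dynamic_password(seeds[1], now)}

# Constructed sample data (not from the page).
SEED1, SEED2 = b"constructed-seed-one", b"constructed-seed-two"
AUTH = AuthenticationUnit({"alice": (SEED1, SEED2)},
                          {"shop.example": b"constructed-app-secret"})

def user_accepts(app_id, verification_info, now):
    """Dynamic password terminal side: submit OTP 1, then check the echoed OTP 2."""
    first = dynamic_password(SEED1, now)
    reply = AUTH.authenticate("alice", first, app_id, verification_info, now)
    shown = reply["second_otp"]
    return shown is not None and hmac.compare_digest(
        shown, dynamic_password(SEED2, now))

if __name__ == "__main__":
    print(user_accepts("shop.example", b"constructed-app-secret", 1_700_000_000))
    print(user_accepts("shop.example", b"wrong-secret", 1_700_000_000))
```

An application unit that cannot present valid verification information never receives a value derived from the second seed, so it has nothing to display that would match the user's terminal.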
[0067] Wherein, the identification information of the application unit includes: DNS (Domain Name System, domain name system) address, IP (Internet Protocol, network protocol) address, MAC (Media Access Control, media access control) address of the application unit, etc. The second dynamic password can be numbers, letters, symbols, or a combination of numbers, letters and symbols, and the returned second dynamic password and verification additional information can be in the form of text, image, two-dimensional code, etc.
[0068] The verification additional information may also include a verification URL (Uniform Resource Locator) that points to the verification unit. When the user clicks on the verification URL, the user can view the identification information of the application unit in the verification unit, and can also view the number of verification clicks, etc.
[0069] Figure 2 shows a two-way identity authentication system based on dynamic passwords. The system includes: an application unit 201 and an authentication unit 202;
[0070] The application unit 201 is configured to receive an externally input user ID and a first dynamic password, send the user ID, the first dynamic password, and pre-stored verification information for verifying the application unit to the authentication unit, receive the second dynamic password sent by the authentication unit, and output the second dynamic password;
[0071] The authentication unit 202 is configured to receive the user ID, the first dynamic password, and the verification information, and verify the first dynamic password according to the user ID. After the first dynamic password is verified, it performs identity verification on the application unit according to the verification information. If the identity verification of the application unit is passed, the authentication unit generates a second dynamic password according to the user ID and sends the second dynamic password to the application unit; otherwise, the authentication unit does not generate a second dynamic password.
[0072] In a possible implementation manner, the authentication unit includes the following, not shown in the figure:
[0073] The first determining subunit is configured to determine the seed of the first verification dynamic password according to the user identification and the preset correspondence between the user identification and the seed of the first verification dynamic password;
[0074] The first generation subunit is configured to generate the first verification dynamic password through a hash algorithm according to the seed of the first verification dynamic password and the time;
[0075] The judging subunit is used to judge whether the first verification dynamic password is the same as the first dynamic password. If it is, it is judged that the verification is passed, and the application unit is authenticated according to the verification information; otherwise, it is judged that the verification fails, and verification failure information is sent to the application unit, so that the application unit outputs the verification failure message.
[0076] In another possible implementation manner, the authentication unit includes the following, not shown in the figure:
[0077] The second determining subunit is configured to determine the second seed of the second dynamic password according to the user identification and the preset correspondence between the user identification and the seed of the second dynamic password;
[0078] The second generation subunit is used to generate the second dynamic password through a hash algorithm according to the second seed and time.
[0079] Wherein, the second generating subunit is specifically configured to generate the second dynamic password through a hash algorithm according to the second seed.
[0080] The application unit is specifically configured to output the second dynamic password, so that the external party may verify the second dynamic password according to the second verification dynamic password in the dynamic password terminal, wherein the first dynamic password and the second verification dynamic password are both in the dynamic password terminal.
[0081] In addition, the authentication unit is further configured to send verification additional information to the application unit if the identity verification of the application unit is passed, so that the application unit outputs the verification additional information, wherein the verification additional information includes: the identity information of the application unit.
[0082] The information exchange and execution process among the units and sub-units in the above-mentioned equipment are based on the same concept as the method embodiment of the present invention. For specific content, please refer to the description in the method embodiment of the present invention, and will not be repeated here.
[0083] It should be noted that in this article, relational terms such as first and second are only used to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any such actual relationship or sequence between these entities or operations. Moreover, the terms "include", "comprise" or any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements not only includes those elements, but also includes other elements that are not explicitly listed, or also includes elements inherent to this process, method, article or device. Without more restrictions, the element defined by the sentence "including a..." does not exclude the existence of other identical elements in the process, method, article, or device that includes the element.
[0084] A person of ordinary skill in the art can understand that all or part of the steps in the above method embodiments can be implemented by a program instructing relevant hardware. The foregoing program can be stored in a computer readable storage medium. When the program is executed, the steps of the foregoing method embodiments are performed; and the foregoing storage medium includes: ROM, RAM, magnetic disk, or optical disk and other media that can store program codes.
[0085] Finally, it should be noted that the above descriptions are only preferred embodiments of the present invention, which are only used to illustrate the technical solutions of the present invention, and are not used to limit the protection scope of the present invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention are all included in the protection scope of the present invention.