Password protection methods, password verification methods, devices and terminals

By performing slow hash calculations on the password and generating ciphertext data, which includes the concatenation of fast and slow hash values, the problem of exhausting computing resources during password verification is solved, achieving efficient password verification and system stability.

CN119109592B · Active · Publication Date: 2026-06-30 · ZHEJIANG E COMMERCE BANK CO LTD

Patent Information

Authority / Receiving Office: CN · China
Patent Type: Patents (China)
Current Assignee / Owner: ZHEJIANG E COMMERCE BANK CO LTD
Filing Date: 2024-08-22
Publication Date: 2026-06-30

AI Technical Summary

Technical Problem

In existing technologies, the password verification process consumes a lot of computing resources, leading to system resource exhaustion and affecting the normal user access experience.

Method used

Password protection is achieved by using a slow hash algorithm. The correct plaintext password is slowly hashed to generate and store ciphertext data. The ciphertext data contains the concatenation of the fast hash value and the slow hash value, which is used for two consistency comparisons during password verification, reducing the consumption of computing resources.

Benefits of technology

It significantly reduces the computational resource consumption during password verification, improves verification efficiency, and can quickly intercept a large number of erroneous passwords, ensuring system stability and security.

✦ Generated by Eureka AI based on patent content.


Abstract

This specification discloses a password protection method, password verification method, apparatus, and terminal. In response to a storage request for a correct plaintext password, a slow hash calculation is performed on the correct plaintext password; a first hash value of the correct plaintext password is determined after the first hash calculation in the slow hash calculation, and a second hash value is determined after the slow hash calculation; the first hash value and the second hash value are concatenated to obtain the ciphertext data corresponding to the correct plaintext password, and the ciphertext data is stored; wherein, the first hash value is used for a first consistency comparison with the target password; the ciphertext data is used for a second consistency comparison with the target password after the first consistency comparison. While ensuring that the ciphertext data still has a relatively high degree of difficulty in cracking, the two-stage verification comparison reduces the computational resources consumed during password verification.

Description

Technical Field

[0001] The embodiments in this specification relate to the field of computer technology, and in particular to a password protection method, password verification method, apparatus, and terminal.

Background Technology

[0002] In information security protection scenarios, verifying the identity of data access users before disclosing data content based on the verification result has become a common information protection technique. By entering the correct account and password, the system can confirm the user's identity and allow them to access corresponding resources or services accordingly. The security of account and password is directly related to the risk of leakage of user privacy data and internal data. Therefore, account and password are often protected by a series of complex calculations. As encryption protection strategies become more complex, password verification also requires corresponding complex calculations. This leads to a situation where a large number of verification requests consume a lot of computing resources, causing other services within the system to become unavailable.

Summary of the Invention

[0003] This specification provides a password protection method, password verification method, device, and terminal, which can solve the technical problem in related technologies where a large amount of computing resources are consumed due to attack defense.

[0004] Firstly, embodiments of this specification provide a password protection method, which includes:

[0005] In response to a storage request for a correct plaintext password, a slow hash calculation is performed on the correct plaintext password.

[0006] Determine the first hash value of the correct plaintext password after the first hash calculation in the above slow hash calculation, and determine the second hash value of the correct plaintext password after the above slow hash calculation;

[0007] The first hash value and the second hash value are concatenated to obtain the ciphertext data corresponding to the correct plaintext password, and the ciphertext data is stored.

[0008] The first hash value is used for the first consistency comparison with the first hash value to be verified obtained after the first hash calculation of the target password during password verification; the ciphertext data is used for the second consistency comparison with the ciphertext data to be verified, which is obtained by performing the slow hash calculation on the target password after the target password passes the first consistency comparison.

[0009] The beneficial effects of the technical solution described in the first aspect include at least the following: During the slow hash calculation of the correct plaintext password, the values of the first and last hashes are concatenated, and the final result is stored as ciphertext data, ensuring that the ciphertext data still has a relatively high degree of difficulty in cracking. During password verification, after the input target password is hashed for the first time, it is directly compared with the first hash value of the corresponding ciphertext data. If they match, the complete slow hash result is then compared; if they do not match, a verification failure result is returned directly. This allows most erroneous passwords to be detected with only one hash calculation, significantly reducing the occupation and consumption of terminal computing resources during password verification and improving password verification efficiency.

[0010] In some possible implementations, determining the first hash value after the first hash calculation in the slow hash calculation of the correct plaintext password includes: determining the first calculation result after the first hash calculation of the correct plaintext password in the slow hash calculation, and selecting the first hash value from the first calculation result based on a preset selection logic.

[0011] Through the technical solutions in the above possible implementation methods, the first hash value used in the first verification can be a selection of the first hash result, which reduces the amount of data compared in the first stage of verification while ensuring that the difficulty of cracking the final ciphertext data remains unchanged, thus making the first stage verification process faster.

[0012] Secondly, embodiments of this specification provide a password verification method, which includes:

[0013] In response to a password verification request for a target password, ciphertext data for verifying the target password is determined, which is obtained by slow hashing a correct plaintext password.

[0014] The first hash calculation in the above-mentioned slow hash calculation is performed on the above-mentioned target password to obtain the first hash value to be verified corresponding to the above-mentioned target password. The first hash value to be verified is then checked for consistency with the first hash value in the above-mentioned ciphertext data. The calculation method of the first hash value is the same as that of the first hash value to be verified.

[0015] If they match, the above slow hash calculation is performed on the target password to obtain the ciphertext data to be verified corresponding to the target password, and the legality of the target password is verified based on the ciphertext data to be verified and the ciphertext data.

[0016] If they do not match, the verification result corresponding to the above target password is determined to be unsuccessful.

[0017] The beneficial effects of the technical solution in the second aspect mentioned above include at least the following: During password verification, after the first hash calculation, the target password entered by the user is directly compared with the first hash value of the correct ciphertext data corresponding to the correct plaintext password. If they match, the complete slow hash result is then compared. If they do not match, it means that the target password is definitely different from the correct plaintext password, and the verification failure result can be returned directly. This makes it possible for a large number of incorrect passwords to be detected with only one hash calculation in the first stage, greatly reducing the occupation and consumption of computing resources by slow hash calculation during password verification.

[0018] In some possible implementations, the above verification of the legality of the target password based on the ciphertext data to be verified and the ciphertext data includes: verifying whether the ciphertext data to be verified is consistent with the ciphertext data; if consistent, then determining the verification success result corresponding to the target password; if inconsistent, then determining the verification failure result corresponding to the target password.

[0019] Using the technical solutions in the above possible implementation methods, when verifying the complete slow hash result, if the slow hash result is consistent with the ciphertext data in the database, then it is considered successful; if they are inconsistent, it means that the target password is different from the correct plaintext password. In this case, the verification failure result can be returned directly. Through the fast verification in the first stage, a large number of malicious accesses can be quickly intercepted. Then, a slow but accurate verification is performed to ensure the accuracy of the verification result.

[0020] In some possible implementations, the above method further includes: recording the number of consecutive password verification failures corresponding to the above encrypted data; when the number of consecutive failures reaches a preset number, the password verification request for the above encrypted data is ignored within a preset time period.

[0021] The technical solutions described above can be used to record the number of consecutive password verification failures for the same account. If multiple failures occur consecutively, the account's requests will be locked for a period of time to prevent responses to malicious requests from affecting the stability and security of the system.

[0022] Thirdly, embodiments of this specification provide a password protection device, which includes:

[0023] The storage request receiving module is used to perform slow hash calculation on the correct plaintext password in response to a storage request for the correct plaintext password.

[0024] The first-stage calculation module is used to determine the first hash value of the correct plaintext password after the first hash calculation in the above-mentioned slow hash calculation, and to determine the second hash value of the correct plaintext password after the above-mentioned slow hash calculation.

[0025] The second-stage calculation module is used to concatenate the first hash value and the second hash value to obtain the ciphertext data corresponding to the correct plaintext password, and to store the ciphertext data.

[0026] The first hash value is used for the first consistency comparison with the first hash value to be verified obtained after the first hash calculation of the target password during password verification; the ciphertext data is used for the second consistency comparison with the ciphertext data to be verified, which is obtained by performing the slow hash calculation on the target password after the target password passes the first consistency comparison.

[0027] Fourthly, embodiments of this specification provide a password verification device, which includes:

[0028] The verification request receiving module is used to respond to a password verification request for a target password and determine the ciphertext data used to verify the target password. The ciphertext data is obtained by slow hashing the correct plaintext password.

[0029] The first-stage verification module is used to perform the first hash calculation in the slow hash calculation on the target password to obtain the first hash value to be verified corresponding to the target password, and to verify whether the first hash value to be verified is consistent with the first hash value in the ciphertext data. The calculation method of the first hash value is the same as that of the first hash value to be verified.

[0030] The second-stage verification module is used to, if consistent, continue to perform the above slow hash calculation on the above target password to obtain the ciphertext data to be verified corresponding to the above target password, and verify the legality of the above target password based on the above ciphertext data to be verified and the above ciphertext data.

[0031] The verification result return module is used to determine the verification failure result corresponding to the above target password if there is a discrepancy.

[0032] Fifthly, embodiments of this specification provide a computer program product containing instructions that, when run on a computer or processor, cause the computer or processor to perform the steps of the method described above.

[0033] Sixthly, embodiments of this specification provide a computer storage medium storing a plurality of instructions adapted for loading by a processor and executing the steps of the method described above.

[0034] In a seventh aspect, embodiments of this specification provide a terminal including a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being adapted to be loaded by the processor and to execute the steps of the method described above.

Attached Figure Description

[0035] To more clearly illustrate the technical solutions in the embodiments or prior art of this specification, the drawings used in the description of the embodiments or prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this specification. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0036] Figure 1 is an exemplary system architecture diagram of a password protection method provided in the embodiments of this specification;

[0037] Figure 2 is a flowchart illustrating a password protection method provided in an embodiment of this specification;

[0038] Figure 3 is a logical step example diagram of a password protection method provided in the embodiments of this specification;

[0039] Figure 4 is a flowchart illustrating a password verification method provided in an embodiment of this specification;

[0040] Figure 5 is a logical step example diagram of a password verification method provided in the embodiments of this specification;

[0041] Figure 6 is a structural block diagram of a password protection device provided in the embodiments of this specification;

[0042] Figure 7 is a structural block diagram of a password verification device provided in the embodiments of this specification;

[0043] Figure 8 is a schematic diagram of the structure of a terminal provided in an embodiment of this specification;

[0044] Figure 9 is a schematic diagram of the structure of a terminal provided in an embodiment of this specification.

Detailed Implementation

[0045] To make the features and advantages of the embodiments of this specification more apparent and understandable, the technical solutions of the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this specification, and not all embodiments. Based on the embodiments in this specification, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the embodiments of this specification.

[0046] In the following description, when referring to the accompanying drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with those described in this specification. Rather, they are merely examples of apparatuses and methods consistent with some aspects of the embodiments described in this specification as detailed in the appended claims.

[0047] In the digital age, information on websites, applications, and systems, as well as users' personal information, transaction records, and communication content—all private data—needs to be properly protected. Therefore, in information security scenarios, verifying the identity of data access users before disclosing data content has become a common information protection technique. User accounts and passwords have become the first line of defense for network security and personal privacy protection. Technically, accounts and passwords are the most direct and widespread method of identity verification. By entering the correct account and password, the system can confirm the user's identity and allow them access to corresponding resources or services. Especially in confidential systems, this mechanism ensures that only legitimate users can access sensitive information or perform critical operations. As the key to user data access, the security of accounts and passwords directly relates to the risk of leakage of user privacy data and internal data. If accounts and passwords are maliciously cracked, attackers may perform malicious operations, such as stealing data, damaging systems, or engaging in fraudulent activities, posing a significant danger to network security and information security. Therefore, effective measures must be taken to ensure that accounts and passwords are not maliciously cracked or misused.

[0048] To maintain the security of accounts and passwords, passwords are typically hashed before being stored in the database. A hash is a process that transforms an input of arbitrary length into a fixed-length output using a hash algorithm; this output is the hash value. A hash algorithm is a compression mapping that can compress a message of arbitrary length into a message digest of a fixed length. Furthermore, hash algorithms are a one-way transformation encryption method; reversing the hash value to derive the original plaintext password is technically almost impossible. Therefore, by hashing the plaintext password before storing it, even if the database is compromised, attackers cannot directly obtain the user's plaintext password, thus effectively protecting the user's plaintext password. However, while traditional single-hash algorithms effectively protect passwords from direct reading, they are vulnerable to brute-force attacks. Brute-force attacks involve trying all possible password combinations, converting each combination into a hash value, and comparing it with the hash values stored in the database to find a match. With the improvement of computing power, the computational efficiency of brute-force methods is constantly increasing, making some simple or common password combinations easy to crack.

[0049] To counter malicious brute-force attacks, slow hashing algorithms were developed. Slow hashing algorithms significantly increase the difficulty of password cracking by increasing computational complexity and time required. Specifically, slow hashing algorithms intentionally introduce computational delays in their design, such as through multiple iterations, increased memory usage, or the use of complex mathematical operations, thus drastically increasing the time cost of generating a hash value. If a slow hashing algorithm increases the computation time by 10,000 times, then theoretically, the time an attacker would need to obtain the password through brute-force attacks would also increase by 10,000 times, greatly increasing the difficulty and cost of cracking the password.

[0050] However, the most significant drawback of slow hashing algorithms lies in their high consumption of system resources. Every time a user logs in, the system needs to perform a slow hash calculation to verify the password's correctness. If an attacker uses automated tools to launch a large number of login attempts (i.e., a password guessing attack), the website server will have to allocate a significant amount of computing resources to verify each password attempt. This can lead to a rapid depletion of server resources, impacting the access experience for legitimate users, and even causing the service to become completely unavailable.

[0051] Therefore, this specification provides a password protection method to solve the aforementioned technical problem of consuming a large amount of computing resources due to attack defense.

[0052] Please see Figure 1, which is an exemplary system architecture diagram of a password protection method provided in the embodiments of this specification.

[0053] As shown in Figure 1, the system architecture may include a terminal 101, a network 102, and a server 103. The network 102 serves as the medium for providing a communication link between the terminal 101 and the server 103. The network 102 may include various types of wired or wireless communication links, such as wired communication links including fiber optic cables, twisted-pair cables, or coaxial cables, and wireless communication links including Bluetooth communication links, Wireless-Fidelity (Wi-Fi) communication links, or microwave communication links, etc.

[0054] Terminal 101 can interact with server 103 via network 102 to receive messages from or send messages to server 103. Alternatively, terminal 101 can interact with server 103 via network 102 to receive messages or data sent to server 103 by other users. Terminal 101 can be hardware or software. When terminal 101 is hardware, it can be various electronic devices, including but not limited to smartwatches, smartphones, tablets, laptops, and desktop computers. When terminal 101 is software, it can be installed in the aforementioned electronic devices and can be implemented as multiple software programs or software modules (e.g., to provide distributed services) or as a single software program or software module; no specific limitation is made here.

[0055] In the embodiments of this specification, terminal 101 first responds to a storage request for a correct plaintext password by performing a slow hash calculation on the correct plaintext password; then terminal 101 determines the first hash value of the correct plaintext password after the first hash calculation in the slow hash calculation, and determines the second hash value of the correct plaintext password after the slow hash calculation; further, terminal 101 concatenates the first hash value and the second hash value to obtain the ciphertext data corresponding to the correct plaintext password, and stores the ciphertext data; wherein, the first hash value is used for a first consistency comparison with the first hash value to be verified obtained after the first hash calculation of the target password during password verification; the ciphertext data is used for a second consistency comparison with the ciphertext data to be verified, which is obtained by performing the slow hash calculation on the target password after the target password passes the first consistency comparison.

[0056] Server 103 can be a business server providing various services. It should be noted that server 103 can be either hardware or software. When server 103 is hardware, it can be implemented as a distributed server cluster consisting of multiple servers, or as a single server. When server 103 is software, it can be implemented as multiple software programs or software modules (e.g., used to provide distributed services), or as a single software program or software module; no specific limitations are made here.

[0057] Alternatively, the system architecture may not include server 103. In other words, server 103 may be an optional device in the embodiments of this specification. That is, the method provided in the embodiments of this specification can be applied to a system structure that only includes terminal 101. The embodiments of this specification do not limit this.

[0058] It should be understood that the number of terminals, networks, and servers shown in Figure 1 is merely illustrative; any number of terminals, networks, and servers can be used as needed. It should be noted that, in the embodiments of this specification, a similar system architecture can also be used to implement password verification methods; therefore, exemplary system architecture diagrams for password verification methods are not described in detail.

[0059] Please see Figure 2, which is a flowchart illustrating a password protection method provided in an embodiment of this specification. The execution entity in this embodiment can be a terminal performing password protection, a processor within the terminal performing the password protection method, or a password protection service within the terminal performing the password protection method. For ease of description, the following example uses a processor within the terminal as the execution entity to illustrate the specific execution process of the password protection method.

[0060] As shown in Figure 2, the password protection method can include at least:

[0061] S202. In response to a storage request for a correct plaintext password, perform a slow hash calculation on the correct plaintext password.

[0062] Optionally, in applications where passwords are encrypted for protection, slow hashing algorithms have emerged to counter malicious attacks that attempt to brute-force ordinary hash calculations. The "slowness" of slow hashing algorithms is not due to technical flaws, but rather a deliberate strategy. By increasing computational complexity and time, slow hashing algorithms significantly increase the difficulty of cracking passwords. Specifically, slow hashing algorithms are designed with a series of carefully crafted computational obstacles, intentionally introducing computational delays, such as implementing multiple iterative loops, deliberately increasing memory access complexity, or incorporating highly specialized mathematical problems, such as prime factorization of large numbers or solving discrete logarithms, to substantially extend the time required to generate hash values. If a slow hash algorithm increases the computation time by 10,000 times, then theoretically, the time it would take for an attacker to obtain a password through brute-force attacks would also increase by 10,000 times. This greatly increases the difficulty and cost of cracking the password. This slows down any cracking tool that attempts to crack the password quickly. In addition to reducing the possibility of the password being cracked from the perspective of cracking time, the more complex calculations also greatly reduce the probability of the password being cracked by chance due to hash collisions.

[0063] Optionally, whenever a user sets a correct plaintext password for their account, the terminal can receive and respond to a storage request for the correct plaintext password. At this time, the terminal will initiate a slow hash calculation process to perform a slow hash calculation on the correct plaintext password. This process ensures that even if the password information stored in the system is stolen, it is difficult to quickly restore it to its original plaintext, thereby effectively curbing the chain reaction after a password leak.

[0064] S204. Determine the first hash value of the correct plaintext password after the first hash calculation in the slow hash calculation, and determine the second hash value of the correct plaintext password after the slow hash calculation.

[0065] Optionally, as described above, the password verification process requires a calculation process consistent with the encryption method. The final result is compared with the pre-stored encryption result to verify the user's identity. This leads to a situation where, with a large number of verification requests, the verification process consumes a lot of computing resources, causing the system's services to become unavailable. Therefore, in this embodiment, when calculating the ciphertext data corresponding to the correct plaintext password, the ciphertext data includes not only the slow hash result corresponding to the correct plaintext password but also a fast hash value, which is calculated quickly and is easy to compare. This hash value obtained through fast hash calculation can be used for the first fast verification of the target password entered by the user. After this fast verification is successful, a second precise verification is performed by combining the complete slow hash value of the target password with the final ciphertext data. In this way, in the password verification scenario, the first fast verification can quickly identify some incorrect target passwords with less computing resources, reducing the computing resources consumed in the overall password verification process and improving verification efficiency while ensuring password security.

[0066] Specifically, the slow hash value is obtained through multiple hash calculations. Therefore, the fast hash value in the ciphertext data can be obtained based on the first few hash calculations of the slow hash process. For example, the fast hash could be the first hash calculation or the third hash calculation in the slow hash process. The earlier the fast hash occurs in the slow hash process, the shorter the calculation process for the fast hash value in the ciphertext data, and thus the faster the first-stage fast verification. Based on this, in a preferred embodiment, please refer to Figure 3, which illustrates the logical steps of a password protection method provided in an embodiment of this specification. As shown in Figure 3, during the slow hash calculation of a correct plaintext password, the first hash value of the correct plaintext password after the first hash calculation is determined, and then the second hash value of the correct plaintext password is determined after the complete slow hash calculation. The first hash value is used for the first consistency comparison with the first hash value to be verified obtained after the first hash calculation of the target password during password verification. The ciphertext data is used for the second consistency comparison with the ciphertext data to be verified obtained after the slow hash calculation of the target password after the first consistency comparison. If the first consistency comparison fails, the target password can be directly determined to be incorrect, and a verification failure result is returned. This means that most incorrect passwords can be detected with only one hash calculation, significantly reducing the consumption of terminal computing resources by hash calculation during password verification and improving password verification efficiency.

[0067] Furthermore, the first hash value can be the complete hash result after the first hash calculation, or it can be just a selection of the first hash result. Specifically, the process for determining the first hash value is as follows: determine the first calculation result after the first hash calculation in the slow hash calculation for the correct plaintext password, and select the first hash value from the first calculation result based on a preset selection logic. This selection operation reduces the amount of data in the first hash value, significantly speeding up the verification comparison process. This improvement in verification efficiency is particularly pronounced when receiving a large number of verification requests simultaneously.

[0068] Optionally, there are several feasible options for setting the preset selection logic. For example, taking the first calculation result as "sn83ygh9isj9wjy8" as an example, the preset selection logic can be the last half of the first calculation result, that is, the first hash value is "isj9wjy8"; the preset selection logic can also be the first half of the first calculation result, that is, the first hash value is "sn83ygh9"; the preset selection logic can also be the last five digits of the first calculation result, that is, the first hash value is "9wjy8", and so on. The embodiments in this specification do not limit the specific settings of the preset selection logic.

[0069] S206. Concatenate the first hash value and the second hash value to obtain the ciphertext data corresponding to the correct plaintext password, and store the ciphertext data.

[0070] Optionally, please refer to Figure 3. After obtaining the first hash value and the second hash value, all hash calculations are completed. Then, concatenating the first hash value and the second hash value yields the ciphertext data corresponding to the correct plaintext password. The ciphertext data is then stored in the database so that it can be used for password verification in subsequent verification requests.

[0071] This specification provides a password protection method that, in response to a storage request for a correct plaintext password, performs a slow hash calculation on the correct plaintext password; determines a first hash value of the correct plaintext password after the first hash calculation in the slow hash calculation, and a second hash value of the correct plaintext password after the slow hash calculation; concatenates the first and second hash values to obtain ciphertext data corresponding to the correct plaintext password, and stores the ciphertext data; wherein the first hash value is used for a first consistency comparison with the first hash value to be verified obtained after the first hash calculation of the target password during password verification; the ciphertext data is used for a second consistency comparison with the ciphertext data to be verified obtained after the target password passes the first consistency comparison and undergoes a slow hash calculation. During the slow hash calculation of the correct plaintext password, the first hash value and the last hash value are concatenated, and the final result is stored as ciphertext data, ensuring that the ciphertext data still has a relatively high difficulty to crack. During password verification, the input target password is hashed once and then directly compared with the first hash value of the corresponding ciphertext data. If they match, the complete slow hash result is compared. If they do not match, the verification failure result is returned directly. This means that most erroneous passwords can be detected with only one hash calculation, which greatly reduces the occupation and consumption of terminal computing resources by hash calculation during password verification and improves password verification efficiency.

[0072] Please see Figure 4, which is a flowchart illustrating a password verification method provided in an embodiment of this specification.

[0073] As shown in Figure 4, a password verification method may include at least:

[0074] S402. In response to a password verification request for a target password, determine ciphertext data for verifying the target password, the ciphertext data being obtained by slow hashing a correct plaintext password.

[0075] Optionally, when a password verification request initiated by a user after inputting a target password is received, in response to the password verification request for the target password, the encrypted data used to verify the target password can be determined through the user account corresponding to the request. This encrypted data is obtained by slow hashing the correct plaintext password corresponding to the user account and stored in the database.

[0076] S404. Perform the first hash calculation in the slow hash calculation on the target password to obtain the first hash value to be verified corresponding to the target password. Verify whether the first hash value to be verified is consistent with the first hash value in the ciphertext data. The calculation method of the first hash value is the same as that of the first hash value to be verified.

[0077] Optionally, when verifying the consistency between the target password and the correct plaintext password, the same calculation steps are required for converting the target password into ciphertext data as when converting the correct plaintext password. Please refer to Figure 5, an example diagram illustrating the logical steps of a password verification method provided in this specification. As shown in Figure 5, during the slow hash calculation of the target password, a first hash value to be verified is obtained for the first consistency verification. The calculation method of the first hash value to be verified is the same as that of the first hash value in the ciphertext data. Therefore, if the first hash value in the ciphertext data is based on the first hash calculation, then the first hash value to be verified should also be obtained after the first hash calculation for the target password. At this point, other hash calculations in the slow hash process are temporarily suspended. Instead, the first hash value to be verified is checked for consistency with the first hash value in the ciphertext data, thereby determining whether the target password and the correct plaintext password are possibly the same or definitely different.

[0078] S406. If they match, continue to perform slow hash calculation on the target password to obtain the ciphertext data to be verified corresponding to the target password, and verify the legality of the target password based on the ciphertext data to be verified and the ciphertext data.

[0079] Optionally, please refer to Figure 5. If the first hash value to be verified matches the first hash value in the ciphertext data, it means that the target password and the correct plaintext password have obtained the same result after the first hash and the same segmentation and other processing. However, considering that different values have a certain probability of obtaining the same hash result due to hash collisions during hash calculation, it means that the target password and the correct plaintext password may be the same or different. Therefore, it is necessary to perform a complete slow hash to obtain the final ciphertext data to be verified, and then perform a second consistency comparison to further accurately determine whether the target password and the correct plaintext password are truly consistent. In other words, it is necessary to continue to perform slow hash calculation on the target password to obtain the corresponding ciphertext data to be verified, and then verify the legality of the target password based on the ciphertext data to be verified and the ciphertext data.

[0080] Specifically, please refer to Figure 5. Verifying the validity of a target password based on the ciphertext data to be verified and the ciphertext data means directly verifying whether the ciphertext data to be verified and the ciphertext data are consistent. Similarly, if they are consistent, the target password is determined to be valid, and a successful verification result corresponding to the target password can be returned to the user. If they are inconsistent, the target password is determined to be invalid, and a failed verification result corresponding to the target password can be returned to the user.

[0081] S408. If they do not match, then determine the verification failure result corresponding to the target password.

[0082] Optionally, please refer to Figure 5. If the first hash value to be verified does not match the first hash value in the ciphertext data, then the target password must be different from the correct plaintext password, meaning the target password is definitely invalid. In this case, a verification failure result corresponding to the target password can be returned to the user. This allows a large number of incorrect passwords to be detected with only one hash calculation in the first stage, greatly reducing the computational resource consumption and slow hash calculations during password verification.

[0083] S410. Record the number of consecutive password verification failures corresponding to the encrypted data; when the number of consecutive failures reaches a preset number, ignore the password verification request for the encrypted data within a preset time period.

[0084] Optionally, if the same account experiences multiple consecutive verification failures within a certain period, it may indicate that it has encountered malicious attacks. In this case, the number of consecutive password verification failures corresponding to the encrypted data can be recorded when a password verification failure occurs. When the number of consecutive failures reaches a preset number, in order to avoid unnecessary consumption of computing resources by a large number of requests and to maintain the stable operation of the internal system, password verification requests for encrypted data can be ignored for a preset period of time, thereby locking the account and preventing the response to malicious requests from affecting the stability and security of the system.

[0085] In the embodiments of this specification, a password verification method is provided. In response to a password verification request for a target password, ciphertext data for verifying the target password is determined. The ciphertext data is obtained by performing a slow hash calculation on a correct plaintext password. The first hash calculation in the slow hash calculation is performed on the target password to obtain a first hash value to be verified corresponding to the target password. The first hash value to be verified is verified to see if it is consistent with the first hash value in the ciphertext data. The calculation method of the first hash value is the same as that of the first hash value to be verified. If they are consistent, the slow hash calculation is performed on the target password to obtain the ciphertext data to be verified corresponding to the target password. The legality of the target password is verified based on the ciphertext data to be verified and the ciphertext data. If they are inconsistent, the verification failure result corresponding to the target password is determined. During password verification, the target password entered by the user is directly compared with the first hash value of the correct ciphertext data corresponding to the correct plaintext password after the first hash calculation. If they match, the complete slow hash result is then compared. If they do not match, it means that the target password is definitely different from the correct plaintext password, and the verification failure result can be returned directly. This means that a large number of incorrect passwords can be detected with only one hash calculation in the first stage, which greatly reduces the occupation and consumption of computing resources by slow hash calculation during password verification.
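The protection method (S206) and the verification method (S402 to S410) described above, as an added example that is not code from the patent. It assumes an iterated salted SHA-256 as a stand-in for the unspecified slow hash, the "last half" selection logic from [0068], and hypothetical names, work factor and lockout values.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000    # assumed work factor; the page gives no figure
DIGEST_HEX = 64        # hex length of one SHA-256 result
MAX_FAILURES = 5       # assumed "preset number" of consecutive failures
LOCK_SECONDS = 300.0   # assumed "preset time period"


def select_last_half(first_result: str) -> str:
    """Preset selection logic from [0068]: keep the last half of the first result."""
    return first_result[len(first_result) // 2:]


def first_hash(password: str, salt: bytes) -> bytes:
    """First hash calculation of the slow hash (the cheap stage)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def finish_slow_hash(state: bytes, salt: bytes) -> str:
    """Run the remaining rounds, continuing from the first calculation result."""
    for _ in range(ITERATIONS - 1):
        state = hashlib.sha256(salt + state).digest()
    return state.hex()


def protect(password: str, select=select_last_half) -> dict:
    """S206: ciphertext data = first hash value || second hash value."""
    salt = os.urandom(16)  # assumption: per-password salt, not described on the page
    h1 = first_hash(password, salt)
    return {"salt": salt, "ciphertext": select(h1.hex()) + finish_slow_hash(h1, salt)}


class Verifier:
    """Two-stage verification (S404 to S408) with the failure limit of S410."""

    def __init__(self, select=select_last_half, clock=time.monotonic):
        self.select = select
        self.clock = clock
        self.failures = {}       # account -> consecutive failures
        self.locked_until = {}   # account -> time at which requests are served again
        self.slow_runs = 0       # how often the expensive stage actually ran

    def verify(self, account: str, record: dict, target: str) -> str:
        now = self.clock()
        if now < self.locked_until.get(account, 0.0):
            return "ignored"                      # S410: request is not processed
        # Stage 1 (S404): one hash, compared with the stored first hash value.
        h1 = first_hash(target, record["salt"])
        tag = self.select(h1.hex())
        stored_tag = record["ciphertext"][:-DIGEST_HEX]
        ok = hmac.compare_digest(tag, stored_tag)
        if ok:
            # Stage 2 (S406): finish the slow hash and compare the whole ciphertext.
            self.slow_runs += 1
            candidate = tag + finish_slow_hash(h1, record["salt"])
            ok = hmac.compare_digest(candidate, record["ciphertext"])
        if ok:
            self.failures[account] = 0
            return "success"
        # S408 / S410: count the failure and lock once the preset number is reached.
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            self.failures[account] = 0
        return "failure"


if __name__ == "__main__":
    record = protect("correct horse")             # constructed sample password
    verifier = Verifier()
    for guess in ["123456", "password", "correct horse"]:
        print(guess, "->", verifier.verify("alice", record, guess))
    print("slow hash runs:", verifier.slow_runs)
```

The stored first hash value rejects a wrong candidate after one hash for anyone who holds the ciphertext data, not only for the verifier, so the length chosen by the selection logic sets how many wrong candidates still reach the slow stage on either side.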

[0086] Please see Figure 6, which is a structural block diagram of a password protection device provided as an embodiment of this specification. As shown in Figure 6, the password protection device 600 includes:

[0087] The storage request receiving module 610 is used to perform slow hash calculation on the correct plaintext password in response to a storage request for the correct plaintext password.

[0088] The first-stage calculation module 620 is used to determine the first hash value of the correct plaintext password after the first hash calculation in the slow hash calculation, and to determine the second hash value of the correct plaintext password after the slow hash calculation.

[0089] The second-stage calculation module 630 is used to concatenate the first hash value and the second hash value to obtain the ciphertext data corresponding to the correct plaintext password, and to store the ciphertext data.

[0090] The first hash value is used for the first consistency comparison with the first hash value to be verified obtained after the first hash calculation of the target password during password verification; the ciphertext data is used for the second consistency comparison with the ciphertext data to be verified obtained after the target password passes the first consistency comparison and undergoes a slow hash calculation.

[0091] Optionally, the first-stage calculation module 620 is also used to determine the first calculation result after the first hash calculation in the slow hash calculation of the correct plaintext password, and select the first hash value from the first calculation result based on the preset selection logic.

[0092] In this embodiment, a password protection device is provided, comprising: a storage request receiving module, used to perform slow hash calculation on the correct plaintext password in response to a storage request for the correct plaintext password; a first-stage calculation module, used to determine a first hash value of the correct plaintext password after the first hash calculation in the slow hash calculation, and a second hash value of the correct plaintext password after the slow hash calculation; and a second-stage calculation module, used to concatenate the first hash value and the second hash value to obtain ciphertext data corresponding to the correct plaintext password and store the ciphertext data. The first hash value is used for a first consistency comparison with the first hash value to be verified obtained after the first hash calculation of the target password during password verification; the ciphertext data is used for a second consistency comparison with the ciphertext data to be verified obtained after the target password passes the first consistency comparison and undergoes a slow hash calculation. During the slow hash calculation of the correct plaintext password, the value of the first hash and the value of the last hash are concatenated, and the final result is stored as ciphertext data, ensuring that the ciphertext data still has a relatively high difficulty of cracking. During password verification, the input target password is hashed once and then directly compared with the first hash value of the corresponding ciphertext data. If they match, the complete slow hash result is compared. If they do not match, the verification failure result is returned directly. This means that most erroneous passwords can be detected with only one hash calculation, which greatly reduces the occupation and consumption of terminal computing resources by hash calculation during password verification and improves password verification efficiency.

[0093] Please see Figure 7, which is a structural block diagram of a password verification device provided in an embodiment of this specification. As shown in Figure 7, the password verification device 700 includes:

[0094] The verification request receiving module 710 is used to respond to a password verification request for a target password and determine the ciphertext data used to verify the target password. The ciphertext data is obtained by slow hashing the correct plaintext password.

[0095] The first-stage verification module 720 is used to perform the first hash calculation in the slow hash calculation of the target password to obtain the first hash value to be verified corresponding to the target password, and to verify whether the first hash value to be verified is consistent with the first hash value in the ciphertext data. The calculation method of the first hash value is the same as that of the first hash value to be verified.

[0096] The second-stage verification module 730 is used to perform slow hash calculation on the target password if they match, to obtain the ciphertext data to be verified corresponding to the target password, and to verify the legality of the target password based on the ciphertext data to be verified and the ciphertext data.

[0097] The verification result return module 740 is used to determine the verification failure result corresponding to the target password if there is a discrepancy.

[0098] Optionally, the second-stage verification module 730 is also used to verify whether the ciphertext data to be verified is consistent with the ciphertext data; if they are consistent, the verification success result corresponding to the target password is determined; if they are inconsistent, the verification failure result corresponding to the target password is determined.

[0099] Optionally, the password verification device 700 further includes: a verification attempt limit module, used to record the consecutive number of password verification failures corresponding to the encrypted data; when the consecutive number reaches a preset number, the password verification request for the encrypted data is ignored within a preset time period.

[0100] In this embodiment of the specification, a password verification device is provided, wherein: a verification request receiving module is used to respond to a password verification request for a target password, determine ciphertext data for verifying the target password, the ciphertext data being obtained by slow hashing a correct plaintext password; a first-stage verification module is used to perform a first hash calculation in the slow hashing process on the target password to obtain a first hash value to be verified corresponding to the target password, and verify whether the first hash value to be verified is consistent with the first hash value in the ciphertext data, the calculation method of the first hash value being the same as that of the first hash value to be verified; a second-stage verification module is used to, if consistent, continue to perform slow hashing on the target password to obtain the ciphertext data to be verified corresponding to the target password, and verify the legality of the target password based on the ciphertext data to be verified and the ciphertext data; and a verification result return module is used to, if inconsistent, determine a verification failure result corresponding to the target password. During password verification, the target password entered by the user is directly compared with the first hash value of the correct ciphertext data corresponding to the correct plaintext password after the first hash calculation. If they match, the complete slow hash result is then compared. If they do not match, it means that the target password is definitely different from the correct plaintext password, and the verification failure result can be returned directly. This means that a large number of incorrect passwords can be detected with only one hash calculation in the first stage, which greatly reduces the occupation and consumption of computing resources by slow hash calculation during password verification.

[0101] This specification provides a computer program product containing instructions that, when run on a computer or processor, cause the computer or processor to perform the steps of any of the methods described above.

[0102] This specification also provides a computer storage medium that can store multiple instructions adapted for loading by a processor and executing the steps of any of the methods described in the above embodiments.

[0103] Please see Figure 8, which is a schematic diagram of the structure of a terminal provided in an embodiment of this specification. As shown in Figure 8, terminal 800 may include: at least one terminal processor 801, at least one network interface 804, user interface 803, memory 805, and at least one communication bus 802.

[0104] The communication bus 802 is used to enable communication between these components.

[0105] The user interface 803 may include a display screen and a camera. Optionally, the user interface 803 may also include a standard wired interface and a wireless interface.

[0106] The network interface 804 may optionally include a standard wired interface or a wireless interface (such as a Wi-Fi interface).

[0107] The terminal processor 801 may include one or more processing cores. The terminal processor 801 connects to various parts within the terminal 800 using various interfaces and lines, and performs various functions and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 805, and by calling data stored in the memory 805. Optionally, the terminal processor 801 may be implemented using at least one hardware form of Digital Signal Processing (DSP), Field-Programmable Gate Array (FPGA), or Programmable Logic Array (PLA). The terminal processor 801 may integrate one or more of the following: Central Processing Unit (CPU), Graphics Processing Unit (GPU), and modem. The CPU primarily handles the operating system, user interface, and applications; the GPU is responsible for rendering and drawing the content to be displayed on the screen; and the modem handles wireless communication. It is understood that the modem may also not be integrated into the terminal processor 801 and may be implemented as a separate chip.

[0108] The memory 805 may include random access memory (RAM) or read-only memory (ROM). Optionally, the memory 805 may include a non-transitory computer-readable storage medium. The memory 805 can be used to store instructions, programs, code, code sets, or instruction sets. The memory 805 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for at least one function (such as touch function, sound playback function, image playback function, etc.), instructions for implementing the above-described method embodiments, etc.; the data storage area may store data involved in the above-described method embodiments, etc. Optionally, the memory 805 may also be at least one storage device located remotely from the aforementioned terminal processor 801. As shown in Figure 8, the memory 805, which serves as a computer storage medium, may include an operating system, a network communication module, a user interface module, and a password protection program.

[0109] In the terminal 800 shown in Figure 8, the user interface 803 is mainly used to provide an input interface for the user and to obtain the user's input data; while the terminal processor 801 can be used to call the password protection program stored in the memory 805 and specifically perform the following operations:

[0110] In response to a storage request for a correct plaintext password, perform a slow hash calculation on the correct plaintext password;

[0111] Determine the first hash value of the correct plaintext password after the first hash calculation in the slow hash calculation, and determine the second hash value of the correct plaintext password after the slow hash calculation;

[0112] The first hash value and the second hash value are concatenated to obtain the ciphertext data corresponding to the correct plaintext password, and the ciphertext data is stored.

[0113] The first hash value is used for the first consistency comparison with the first hash value to be verified obtained after the first hash calculation of the target password during password verification; the ciphertext data is used for the second consistency comparison with the ciphertext data to be verified obtained after the target password passes the first consistency comparison and undergoes a slow hash calculation.

[0114] In some embodiments, when determining the first hash value of the correct plaintext password after the first hash calculation in the slow hash calculation, the terminal processor 801 specifically performs the following steps: determine the first calculation result after the first hash calculation of the correct plaintext password in the slow hash calculation, and select the first hash value from the first calculation result based on the preset selection logic.

[0115] Please see Figure 9, which is a schematic diagram of the structure of a terminal provided in an embodiment of this specification. As shown in Figure 9, terminal 900 may include: at least one terminal processor 901, at least one network interface 904, user interface 903, memory 905, and at least one communication bus 902.

[0116] The communication bus 902 is used to enable communication between these components.

[0117] The user interface 903 may include a display screen and a camera. Optionally, the user interface 903 may also include a standard wired interface and a wireless interface.

[0118] The network interface 904 may optionally include a standard wired interface or a wireless interface (such as a Wi-Fi interface).

[0119] The terminal processor 901 may include one or more processing cores. The terminal processor 901 connects to various parts within the terminal 900 using various interfaces and lines, and performs various functions and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 905, and by calling data stored in the memory 905. Optionally, the terminal processor 901 may be implemented using at least one hardware form selected from Digital Signal Processing (DSP), Field-Programmable Gate Array (FPGA), and Programmable Logic Array (PLA). The terminal processor 901 may integrate one or more of the following: a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), and a modem. The CPU primarily handles the operating system, user interface, and applications; the GPU is responsible for rendering and drawing the content to be displayed on the screen; and the modem handles wireless communication. It is understood that the modem may also be implemented as a separate chip without being integrated into the terminal processor 901.

[0120] The memory 905 may include random access memory (RAM) or read-only memory (ROM). Optionally, the memory 905 may include a non-transitory computer-readable storage medium. The memory 905 can be used to store instructions, programs, code, code sets, or instruction sets. The memory 905 may include a program storage area and a data storage area. The program storage area may store instructions for implementing an operating system, instructions for at least one function (such as touch functionality, sound playback functionality, image playback functionality, etc.), instructions for implementing the various method embodiments described above, etc.; the data storage area may store data involved in the various method embodiments described above, etc. Optionally, the memory 905 may also be at least one storage device located remotely from the aforementioned terminal processor 901. As shown in Figure 9, the memory 905, which serves as a computer storage medium, may include an operating system, a network communication module, a user interface module, and a password verification program.

[0121] In the terminal 900 shown in Figure 9, the user interface 903 is mainly used to provide an input interface for the user and to obtain the user's input data; while the terminal processor 901 can be used to call the password verification program stored in the memory 905 and specifically perform the following operations:

[0122] In response to a password verification request for a target password, determine the ciphertext data to be used to verify the target password. The ciphertext data is obtained by slow hashing the correct plaintext password.

[0123] The first hash calculation in the slow hash calculation is performed on the target password to obtain the first hash value to be verified corresponding to the target password, and the first hash value to be verified is checked for consistency with the first hash value in the ciphertext data. The calculation method of the first hash value is the same as that of the first hash value to be verified.

[0124] If they match, the target password is then subjected to slow hash calculation to obtain the ciphertext data to be verified corresponding to the target password, and the legality of the target password is verified based on the ciphertext data to be verified and the ciphertext data.

[0125] If they do not match, the verification failure result corresponding to the target password is determined.

[0126] In some embodiments, when the terminal processor 901 performs the verification of the legality of the target password based on the ciphertext data to be verified and the ciphertext data, it specifically performs the following steps: verifying whether the ciphertext data to be verified is consistent with the ciphertext data; if they are consistent, then determining the verification success result corresponding to the target password; if they are inconsistent, then determining the verification failure result corresponding to the target password.

[0127] In some embodiments, the terminal processor 901 further performs the following steps: recording the number of consecutive password verification failures corresponding to the encrypted data; when the number of consecutive failures reaches a preset number, the password verification request for the encrypted data is ignored within a preset time period.

[0128] In the several embodiments provided in this specification, it should be understood that the disclosed apparatus and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of modules is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple modules or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling or direct coupling or communication connection shown or discussed may be through some interfaces; the indirect coupling or communication connection between apparatuses or modules may be electrical, mechanical, or other forms.

[0129] The modules described as separate components may or may not be physically separate. Similarly, the components shown as modules may or may not be physical modules; they may be located in one place or distributed across multiple network modules. Some or all of the modules can be selected to achieve the purpose of this embodiment, depending on actual needs.

[0130] In the above embodiments, implementation can be achieved, in whole or in part, through software, hardware, firmware, or any combination thereof. When implemented in software, it can be implemented, in whole or in part, as a computer program product. The computer program product includes one or more computer instructions. When these computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of this specification are generated. The computer can be a general-purpose computer, a special-purpose computer, a computer network, or other programmable device. The computer instructions can be stored in or transmitted through a computer-readable storage medium. The computer instructions can be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium can be any available medium accessible to a computer or a data storage device such as a server or data center that integrates one or more available media. The aforementioned available media can be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., Digital Versatile Discs (DVDs)), or semiconductor media (e.g., Solid State Disks (SSDs)).

[0131] It should be noted that, for the sake of simplicity, the foregoing method embodiments are all described as a series of actions. However, those skilled in the art should understand that the embodiments in this specification are not limited to the described order of actions, because according to the embodiments in this specification, some steps can be performed in other orders or simultaneously. Furthermore, those skilled in the art should also understand that the embodiments described in this specification are all preferred embodiments, and the actions and modules involved are not necessarily essential to the embodiments in this specification.

[0132] Furthermore, it should be noted that all information (including but not limited to user device information, user personal information, etc.), data (including but not limited to data used for analysis, stored data, displayed data, etc.), and signals involved in the embodiments of this specification are authorized by the user or fully authorized by all parties, and the collection, use, and processing of related data must comply with the relevant laws, regulations, and standards of the relevant countries and regions. For example, the correct plaintext password, target password, encrypted data, and encrypted data to be verified involved in this specification were all obtained under fully authorized circumstances.

[0133] The foregoing has described specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in a different order than that shown in the embodiments and may still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require the specific or sequential order shown to achieve the desired result. In some embodiments, multitasking and parallel processing are possible or may be advantageous.

[0134] In the above embodiments, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments.

[0135] The above is a description of a password protection method, password verification method, device, and terminal provided in the embodiments of this specification. For those skilled in the art, based on the ideas of the embodiments of this specification, there will be changes in the specific implementation methods and application scope. Therefore, the content of this specification should not be construed as a limitation on the embodiments of this specification.

Claims

1. A password protection method, the method comprising:
in response to a storage request for a correct plaintext password, performing a slow hash calculation on the correct plaintext password;
determining a first hash value of the correct plaintext password after the first hash calculation in the slow hash calculation, and determining a second hash value of the correct plaintext password after the slow hash calculation;
concatenating the first hash value and the second hash value to obtain the ciphertext data corresponding to the correct plaintext password, and storing the ciphertext data;
wherein the first hash value is used to perform a first consistency comparison with the first hash value to be verified obtained after the first hash calculation of the target password during password verification; the ciphertext data is used to perform a second consistency comparison with the ciphertext data to be verified obtained after the target password passes the first consistency comparison;
wherein determining the first hash value of the correct plaintext password after the first hash calculation in the slow hash calculation includes: determining the first calculation result of the correct plaintext password after the first hash calculation in the slow hash calculation; and selecting, based on a preset selection logic, a portion of the data in the first calculation result as the first hash value.

2. A password verification method, the method comprising:
in response to a password verification request for a target password, determining ciphertext data for verifying the target password, the ciphertext data being obtained by slow hashing a correct plaintext password;
performing the first hash calculation in the slow hash calculation on the target password to obtain the first hash value to be verified corresponding to the target password;
verifying whether the first hash value to be verified is consistent with the first hash value in the ciphertext data, wherein the calculation method of the first hash value is the same as that of the first hash value to be verified;
if they match, performing the slow hash calculation on the target password to obtain the ciphertext data to be verified corresponding to the target password, and verifying the legality of the target password based on the ciphertext data to be verified and the ciphertext data;
if they do not match, determining the verification result corresponding to the target password to be unsuccessful.

3. The method according to claim 2, wherein verifying the legality of the target password based on the ciphertext data to be verified and the ciphertext data includes:
verifying whether the ciphertext data to be verified is consistent with the ciphertext data;
if they match, determining the verification result corresponding to the target password to be successful;
if they do not match, determining the verification result corresponding to the target password to be unsuccessful.

4. The method according to claim 2, further comprising:
recording the number of consecutive password verification failures corresponding to the encrypted data;
when the number of consecutive attempts reaches a preset number, ignoring the password verification request for the encrypted data for a preset duration.

5. A password protection device, the device comprising:
a storage request receiving module, used to perform a slow hash calculation on the correct plaintext password in response to a storage request for the correct plaintext password;
a first-stage calculation module, used to determine the first hash value of the correct plaintext password after the first hash calculation in the slow hash calculation, and to determine the second hash value of the correct plaintext password after the slow hash calculation;
a second-stage calculation module, used to concatenate the first hash value and the second hash value to obtain the ciphertext data corresponding to the correct plaintext password, and to store the ciphertext data;
wherein the first hash value is used to perform a first consistency comparison with the first hash value to be verified obtained after the first hash calculation of the target password during password verification; the ciphertext data is used to perform a second consistency comparison with the ciphertext data to be verified obtained after the target password passes the first consistency comparison;
wherein the first-stage calculation module is further configured to determine the first calculation result after the first hash calculation in the slow hash calculation of the correct plaintext password, and to select a portion of the data from the first calculation result as the first hash value based on a preset selection logic.

6. A password verification device, the device comprising:
a verification request receiving module, used to respond to a password verification request for a target password and determine ciphertext data for verifying the target password, wherein the ciphertext data is obtained by slow hashing a correct plaintext password;
a first-stage verification module, used to perform the first hash calculation in the slow hash calculation on the target password to obtain the first hash value to be verified corresponding to the target password, and to verify whether the first hash value to be verified is consistent with the first hash value in the ciphertext data, wherein the calculation method of the first hash value is the same as that of the first hash value to be verified;
a second-stage verification module, used to, if consistent, continue to perform the slow hash calculation on the target password to obtain the ciphertext data to be verified corresponding to the target password, and to verify the legality of the target password based on the ciphertext data to be verified and the ciphertext data;
a verification result return module, used to determine the verification failure result corresponding to the target password if there is a discrepancy.

7. A computer program product comprising instructions that, when run on a computer or processor, cause the computer or processor to perform the steps of the method as claimed in claim 1 or any one of claims 2-4.

8. A computer storage medium storing a plurality of instructions adapted for loading by a processor and performing the steps of the method as claimed in any one of claims 1 or 2-4.

9. A terminal comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement the steps of the method as claimed in any one of claims 1 or 2-4.
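
The storage method of claim 1 and the two-stage check of claims 2 and 3, written out in Python as an added example that is not code from the patent. The iterated SHA-256 chain, the per-record salt, `ROUNDS`, `FRAG_BYTES`, and taking the leading bytes as the "preset selection logic" are all assumptions; the claims name no algorithm or parameters.

```python
import hashlib
import hmac

ROUNDS = 50_000   # assumed work factor of the iterated (slow) hash
FRAG_BYTES = 4    # assumed "preset selection logic": leading 4 bytes of round 1


def _round(salt: bytes, data: bytes) -> bytes:
    return hashlib.sha256(salt + data).digest()


def first_hash(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Round 1 of the slow hash and the fragment selected from it."""
    h1 = _round(salt, password.encode("utf-8"))
    return h1, h1[:FRAG_BYTES]


def finish_slow_hash(h1: bytes, salt: bytes) -> bytes:
    """Run the remaining ROUNDS - 1 rounds (yields the second hash value)."""
    h = h1
    for _ in range(ROUNDS - 1):
        h = _round(salt, h)
    return h


def protect(password: str, salt: bytes) -> bytes:
    """Claim 1: ciphertext data = first hash value || second hash value."""
    h1, frag = first_hash(password, salt)
    return frag + finish_slow_hash(h1, salt)


def verify(candidate: str, salt: bytes, record: bytes) -> tuple[bool, int]:
    """Claims 2-3: returns (result, number of hash rounds spent)."""
    h1, frag = first_hash(candidate, salt)
    # First consistency comparison: one round, constant-time compare.
    if not hmac.compare_digest(frag, record[:FRAG_BYTES]):
        return False, 1
    # Second consistency comparison: full slow hash against the whole record.
    to_verify = frag + finish_slow_hash(h1, salt)
    return hmac.compare_digest(to_verify, record), ROUNDS


if __name__ == "__main__":
    salt = bytes(range(16))                   # constructed sample salt
    record = protect("correct horse", salt)   # constructed sample password
    print(verify("correct horse", salt, record))
    print(verify("Tr0ub4dor", salt, record))
```

The stored fragment is a truncated fast hash, so anyone holding the record can also discard a wrong candidate after one round; the fragment length sets how much of the slow hash's work factor the record keeps against offline guessing. The failure counter and lockout of claim 4 are not modelled here.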