Background technology
With the spread of the Internet, more and more application systems are being moved onto this public network, and as technology develops, more and more enterprises interconnect with one another over public networks as well. Remote identity authentication has therefore become unusually important. Although some systems provide complex authentication mechanisms such as certificate verification, most systems still use the traditional user ID and password mode. This authentication mechanism has many problems: passwords are easy to guess, their transmission can be intercepted, they are not always stored securely and so can be stolen by hackers, and they can even be tricked out of the user partway through by a fake system.
To address the above problems, the following solutions have been proposed:
(1) A certificate system based on PKI. A PKI-based certificate system, together with PKI-based smart cards, is regarded as the safest possible replacement for static passwords. A smart card does not by itself mean PKI, however; in fact many smart cards have no encryption function at all. The basic starting point of a PKI system is its asymmetric cryptosystem: each user has a key pair, one private key and one key that can be disclosed, and content encrypted with the private key can only be decrypted with the corresponding public key. Through digital certificate technology, information transmitted over the network can be encrypted and decrypted, digitally signed and the signature verified, which guarantees the confidentiality and integrity of the information transmitted, the authenticity of the transacting entities' identities and the non-repudiation of signed messages, thereby securing the network application. For cost reasons this system is considered a solution for the future. It requires a huge authentication system to be set up, and because certificates have to be exchanged in use, its range of application is also limited.
(2) Two-factor dynamic password systems. This is considered a comparatively secure authentication mode. The user is usually issued a small intelligent terminal that can hang on a key chain; the terminal has the same algorithm built in as the server side and is used to generate dynamic passwords. Using time or an event counter as the synchronization mechanism between the two sides, it generates a dynamic password from the user ID or another user-specific element such as a private key. When a password is needed, the smart device produces a dynamic password, which is delivered to the verification server for checking. At present, however, the intelligent terminal that produces the dynamic password is a dedicated device: not only is its cost high, but because it is a separate device, the problem of keeping its clock synchronized with the server cannot be solved well; the time often has to be adjusted to meet the synchronization requirement, and adjusting the dedicated device's clock by hand causes the user great trouble.
(3) Challenge-response dynamic password systems. In a challenge-response (request-reply) system, when the user needs to use the system and needs to be authenticated, a request is sent to the server; the server generates a dynamic password and sends it to the client over a specific channel; the client then enters this dynamic password and sends it to the server for identity verification. This mode is considered secure, but because the reply has to be sent to the client over a specific channel, its application is more limited; moreover, the delivery channel itself is not necessarily secure. For example, when the reply is sent by SMS, the whole process is transmitted in the clear.
Summary of the invention
The objective of the invention is to provide a dynamic password system and method based on a mobile communication terminal. It is itself a kind of two-factor dynamic password: the client-side generation of the dynamic password is provided as a software algorithm that can be installed on the user's mobile communication terminals of all kinds, such as mobile phones and PDAs, in order to solve the cost problem of a hardware client and the availability problem (available anytime and anywhere) of PC-based software. The algorithm used is a public symmetric encryption algorithm (DES, IDEA, etc.), with a private key specific to each client as the client identity element and time plus an event counter as the synchronization mechanism, which guarantees the security of the system. Because the mobile communication terminal and the server can communicate with each other, the time synchronization problem between the two is also solved.
The technical scheme of the invention is a dynamic password system based on a mobile communication terminal, comprising a mobile communication terminal and a dynamic password verification server, the two being coupled, wherein the mobile communication terminal holds the dynamic password software algorithm and the dynamic password verification server holds the dynamic password verification software algorithm;
The mobile communication terminal has a dynamic password generation unit, used to collect the current time, take this current time as the dynamic password generation time, combine it with the stored event counter value, generate a dynamic password with the public symmetric encryption algorithm under the client's private key, and output the dynamic password;
The dynamic password verification server has a dynamic password verification unit, used to obtain the dynamic password, recover the dynamic password generation time and the event counter value from the obtained dynamic password with the public symmetric encryption algorithm under the client's private key, and compare this generation time with the verification server's current system time; if the two times are synchronized and the event counters are also synchronized, the dynamic password passes verification.
The dynamic password generation unit of the dynamic password software algorithm also has an event counter, used to record the number of times the dynamic password has been generated. Its initial value is generated at random when the server side creates the client; thereafter the dynamic password software algorithm automatically adds one to this counter value every time a dynamic password is generated. The dynamic password generation unit is used to collect the current time and the current event counter value, take the current time as the dynamic password generation time and the current event counter as the number of dynamic passwords generated, generate a dynamic password from them with the symmetric encryption algorithm, and output the dynamic password. The dynamic password verification server also has an event counter, used to record the number of dynamic password verifications. The dynamic password verification unit is used to obtain the dynamic password, recover from it the dynamic password generation time and the dynamic password generation count, and compare this generation time with the verification server's current system time; if the two times are synchronized, it further compares the dynamic password generation count with the current dynamic password verification count, and if the two counts are synchronized the dynamic password passes verification.
The system of the invention also comprises an application system server. This application system server has an application system client, used to accept input of the dynamic password, and a dynamic password interface, used to establish a communication connection with the dynamic password verification server and to initiate dynamic password check requests to it.
The system of the invention also comprises a dynamic password management server and a dynamic password information base. The dynamic password management server is used to establish a communication connection with the dynamic password interface and has a B/S (browser/server) structure with: a service management unit, used to create, delete, freeze, unfreeze and query dynamic password terminal clients; an operator management unit, used to manage system operators and query the authentication log; and an audit management unit.
The dynamic password information base establishes communication connections with the dynamic password verification server and the dynamic password management server respectively; it is used to store system information such as user information, administrator information, system settings and running logs, of which key information (such as user keys) is stored in encrypted form.
The two times being synchronized means: the dynamic password generation time is compared with the verification server's current system time, and if the difference between the two times lies within the preset time error range, the two times are synchronized.
The two counts being synchronized means: the dynamic password generation count is compared with the current dynamic password verification count, and if the difference between the two counts lies within the preset count error range, the two counts are synchronized.
The mobile communication terminal comprises: a mobile phone, a PDA, a laptop computer.
The invention also provides a dynamic password method based on a mobile communication terminal, with the mobile communication terminal as the generating end of the dynamic password and the server as the checking end, wherein the mobile communication terminal holds the dynamic password software algorithm and the dynamic password verification server holds the dynamic password verification software algorithm;
The dynamic password software algorithm running on the mobile communication terminal comprises the following steps:
collect the current time and the event counter value of the mobile communication terminal, take the current time as the dynamic password generation time, combine it with the event counter value, generate a dynamic password with the symmetric encryption algorithm, and output the dynamic password;
The dynamic password verification software algorithm running on the dynamic password verification server comprises the following steps:
input the dynamic password into the server at the checking end;
recover the dynamic password generation time and the event counter value from the obtained dynamic password with the symmetric encryption algorithm, compare this generation time with the current server system time, and if the two times are synchronized, further check whether the event counters are synchronized; if they are, the dynamic password passes verification.
The method of the invention also comprises the following specific steps:
in the mobile communication terminal, use an event counter to record the number of dynamic passwords generated;
collect the current time of the mobile communication terminal and the current event counter value, take the current time as the dynamic password generation time and the current event counter as the number of dynamic passwords generated, generate a dynamic password from them with the symmetric encryption algorithm, and output the dynamic password;
in the server, use an event counter to record the number of dynamic password verifications;
input the dynamic password into the server at the checking end;
recover from the obtained dynamic password the dynamic password generation time and the dynamic password generation count, compare the generation time with the verification server's current system time, and if the two times are synchronized, further compare the generation count with the current verification count; if the two counts are synchronized, the dynamic password passes verification.
The beneficial effect of the invention is that the client-side generation of the dynamic password is provided as a software algorithm that can be installed on the user's mobile communication terminals of all kinds, such as mobile phones and PDAs. This solves both the cost problem of a hardware client and the availability problem (available anytime and anywhere) of PC-based software. The algorithm used is a public symmetric encryption algorithm (DES, IDEA, etc.), with a private key specific to each client as the client identity element and time plus an event counter as the synchronization mechanism, which guarantees the security of the system. Because the mobile communication terminal and the server can communicate with each other, the time synchronization problem between the two is also solved.
Embodiment
The invention is described in detail below with reference to the accompanying drawings. As shown in Figure 1, the invention is a dynamic password system based on a mobile communication terminal, comprising a mobile communication terminal and a dynamic password verification server, the two being coupled; the mobile communication terminal holds the dynamic password software algorithm and the dynamic password verification server holds the dynamic password verification software algorithm;
The mobile communication terminal has a dynamic password generation unit, used to collect the current time, take it as the dynamic password generation time, generate a dynamic password from it with a symmetric encryption algorithm (DES, IDEA, etc.), and output the dynamic password;
The dynamic password verification server has a dynamic password verification unit, used to obtain the dynamic password, recover from it the dynamic password generation time and the event counter value, compare the generation time with the verification server's current system time, and if the two times are synchronized, further check whether the event counter values are synchronized; if they are, the dynamic password passes verification.
The mobile communication terminal also has an event counter, used to record the number of dynamic passwords generated; the dynamic password generation unit is used to collect the current time and the current event counter value, take the current time as the dynamic password generation time and the current event counter as the number of dynamic passwords generated, generate a dynamic password from them with the symmetric encryption algorithm (DES, IDEA, etc.), and output the dynamic password;
The dynamic password verification server also has an event counter, used to record the number of dynamic password verifications; the dynamic password verification unit is used to obtain the dynamic password, recover from it the dynamic password generation time and the dynamic password generation count, compare the generation time with the verification server's current system time, and if the two times are synchronized, further compare the generation count with the current verification count; if the two counts are synchronized, the dynamic password passes verification.
The system of the invention also comprises an application system server. This application system server has an application system client, used to accept input of the dynamic password, and a dynamic password interface, used to establish a communication connection with the dynamic password verification server and to initiate dynamic password check requests to it.
Figure 2 shows a specific embodiment of the invention, in which the dynamic password system of the invention is made up of four parts: the client dynamic password program, the dynamic password verification server, the dynamic password management system, and the application programming interface (API).
Dynamic password generation client (mobile phone side):
The dynamic password generator (that is, the dynamic password software algorithm running in the mobile communication terminal) is a program that can run on a mobile phone or other mobile communication terminal device and has a dynamic password generation algorithm built in. Each time a password needs to be generated, the user runs this program and it generates a dynamic password according to the set algorithm. One dynamic password generation client can support dynamic password generation for several systems. Here:
Passwd = P_k(Seed), where Passwd is the dynamic password and P_k is the symmetric encryption algorithm keyed with the client's private key;
Seed = CurrentTime + counter, where Seed is the synchronization element, CurrentTime is the current time, and counter is the counter value;
Dynamic password verification server side:
The dynamic password verification server is the core of the whole system; it is connected to the application system server over a local area network (LAN) and provides comprehensive authentication, authorization and auditing services. The security authentication server has thorough data protection: all user data is stored in the database in encrypted form, and it has secure and complete database management and backup functions. The dynamic password verification server holds the dynamic password verification software algorithm.
It implements the verification of dynamic passwords using the same authentication algorithm as the dynamic password generation client, writes a detailed running log, and provides the connection to the application interface.
At the same time it stores system information such as user information, administrator information, system settings and running logs in a database, of which key information (such as user keys) is stored in encrypted form. Here:
Seed = P_k(Passwd), where P_k here is the same symmetric algorithm run in decryption mode under the client's private key;
The correctness of the dynamic password is verified with a time window plus a count window.
The time should satisfy: current - n < time < current + n, where n is the preset time synchronization error range.
The counter should satisfy: currentCounter < counter < currentCounter + n, where n is the preset event synchronization error range.
Dynamic password management server side:
The dynamic password management system provides all system management functions in a B/S structure, such as user management, operator management and audit management. It manages the system operators, provides functions such as authentication log queries, creates, deletes, freezes and unfreezes dynamic password terminal clients, and provides basic information queries for dynamic password card users.
Application programming interface (API):
The dynamic password generation client, the dynamic password verification server and the dynamic password management system together form a complete authentication system, but the purpose of an authentication system is to protect the security of some application system effectively, so the dynamic password system also provides an interface to the application system. The interface is provided in several modes, including a standard TCP/IP mode, API modes for the various platforms, and an HTTP request/response mode; these implement the verification of the application system's users' dynamic passwords and the management of dynamic password users, forming a seamless connection with the user's application system.
Operating principle of the dynamic password system:
As shown in Figure 1, the operating principle of the dynamic password system is that the dynamic password generation client and the dynamic password verification server are synchronized by means of the current time and an event counter. On the client, when the user needs to generate a new password, the client collects the current time and the current counter value, adds one to the counter and stores it, then encrypts this information with the standard DES or IDEA algorithm under the private key set for this subscriber client (generated and set when the account is opened), forming an 8-digit (or 6- or 7-digit) dynamic password that is displayed to the user. The user enters this password into the system's authentication request, which is delivered to the application system; the application system initiates a dynamic password check request to the dynamic password verification server. The verification server uses the standard DES or IDEA algorithm under this client's private key to recover the generation time and event counter of the dynamic password, then compares the time with the current system time; if the time is within the permitted error range (e.g. 3 minutes; this can be parameterized by the customer), it further compares the counter value, which must be greater than the counter value the system currently holds but less than that value plus a specified error (e.g. 16; also parameterizable by the customer). This guards against dynamic passwords that the user generated privately without submitting them, or that for system reasons never reached the verification server. If the check is correct, the password passes verification; otherwise the failure count is accumulated and the verification is refused. If verification fails n times in a row (the value of n can be parameterized, e.g. n = 4, 5 or 10), the user is frozen.
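The following Go program is an added worked example, not code from the patent or from any product built on it. It implements the client formula Passwd = P_k(Seed) with Seed = CurrentTime + counter from the client section, the server-side recovery Seed = P_k(Passwd) with the time window and count window from the server section, and the counter catch-up and consecutive-failure freeze from the operating principle just described. DES from Go's standard library stands in for the page's named cipher; the seed layout (4-byte Unix time followed by a 4-byte counter, one DES block), the decimal rendering of the full 64-bit ciphertext, the window values of 3 minutes and 16 and the freeze threshold of 5 are all assumptions chosen here. One caveat a practitioner should note: because the server recovers the seed by decryption, the whole 64-bit ciphertext has to reach it, so the 6 to 8 digit display the page mentions cannot be verified this way; a server that only receives a truncated value would instead have to recompute candidates inside the two windows and compare. DES is kept here only because the page names it; it is not a cipher to deploy today.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
)

// Window parameters from the operating principle (assumed values; the page
// says all three are customer-parameterizable).
const (
	TimeWindow    = 180 // n for the time window, in seconds ("e.g. 3 minutes")
	CounterWindow = 16  // n for the count window ("e.g. 16")
	MaxFailures   = 5   // consecutive failures before the user is frozen ("n = 4, 5 or 10")
)

// Seed = CurrentTime + counter, laid out (assumed layout) as 4-byte big-endian
// Unix time followed by a 4-byte big-endian counter: exactly one DES block.
func seed(t, counter uint32) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint32(b[:4], t)
	binary.BigEndian.PutUint32(b[4:], counter)
	return b
}

// Generate is the client side: Passwd = P_k(Seed), one DES block encryption
// under the 8-byte client private key k. The 64-bit ciphertext is rendered as
// a decimal string (up to 20 digits) so the server can decrypt it again.
func Generate(key []byte, now, counter uint32) (string, error) {
	c, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	out := make([]byte, 8)
	c.Encrypt(out, seed(now, counter))
	return strconv.FormatUint(binary.BigEndian.Uint64(out), 10), nil
}

// Decode is the server side: Seed = P_k(Passwd) in decryption mode, split
// back into generation time and counter.
func Decode(key []byte, passwd string) (uint32, uint32, error) {
	v, err := strconv.ParseUint(passwd, 10, 64)
	if err != nil {
		return 0, 0, errors.New("dynamic password is not a decimal number")
	}
	c, err := des.NewCipher(key)
	if err != nil {
		return 0, 0, err
	}
	ct, s := make([]byte, 8), make([]byte, 8)
	binary.BigEndian.PutUint64(ct, v)
	c.Decrypt(s, ct)
	return binary.BigEndian.Uint32(s[:4]), binary.BigEndian.Uint32(s[4:]), nil
}

// User is the verification server's per-user record (stored encrypted in the
// page's system; kept in memory here).
type User struct {
	Key      []byte
	Counter  uint32 // last counter value accepted by the server
	Failures int    // consecutive failed verifications
	Frozen   bool
}

// Verify applies the time window current-n < time < current+n and the count
// window currentCounter < counter < currentCounter+n, advances the server
// counter on success, and freezes the user after MaxFailures failures in a row.
func (u *User) Verify(passwd string, serverNow uint32) error {
	if u.Frozen {
		return errors.New("user is frozen")
	}
	t, counter, err := Decode(u.Key, passwd)
	if err == nil {
		dt, dc := int64(t)-int64(serverNow), int64(counter)-int64(u.Counter)
		if dt <= -TimeWindow || dt >= TimeWindow {
			err = errors.New("generation time outside the time window")
		} else if dc <= 0 || dc >= CounterWindow {
			err = errors.New("counter outside the count window (replay or drift)")
		}
	}
	if err != nil {
		if u.Failures++; u.Failures >= MaxFailures {
			u.Frozen = true
		}
		return err
	}
	u.Counter, u.Failures = counter, 0 // server catches up to the client's counter
	return nil
}

func main() {
	key := []byte("constrkt") // constructed 8-byte demo key, not a real secret
	u := &User{Key: key, Counter: 100}
	pw, _ := Generate(key, 1700000000, 101) // client: time, counter already incremented
	fmt.Println("dynamic password:", pw)
	fmt.Println("first use:", u.Verify(pw, 1700000045))
	fmt.Println("replay:", u.Verify(pw, 1700000050))
}
```

Run it and the first verification succeeds while the replay of the same password is refused by the count window, because the server's counter has already caught up to 101. The count window is what makes each password single-use; the time window alone would accept the replay for another three minutes.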
Workflow of the dynamic password system:
1) Generating a user (opening an account)
The dynamic password management system receives a request to generate a dynamic password user (including the user ID);
The dynamic password management system checks whether the ID is already in use and refuses the request if it is;
The dynamic password management system generates, by an algorithm, a private key and an initial event counter value for this user ID;
The user information, the user's private key and the initial event counter value are encrypted and stored in the database;
This key and initial counter value are returned to the application system;
The application system delivers this private key and initial counter value to the user over a secure channel (such as a password envelope).
2) Activating the client
After the account is opened with the application system, the client installs the dynamic password generation client software on the mobile phone;
The mobile phone runs the client software;
The client software requires the user to set an 8-digit password for entering the software;
The user sets the password;
The user chooses to add a private key;
The user is asked to enter the private key;
The user enters the private key;
The client software encrypts the private key with the password the client set and saves it;
The user is asked to enter the initial event counter value;
The user enters the initial event counter value;
The initial event counter value is saved;
Activation of the client is complete.
Note: if the client maintains dynamic passwords for several systems on the client, the user can enter the password directly to enter the client software, then choose the option of adding an authentication system and add it according to the steps above.
3) User authentication
Flow when the application system requires user authentication:
The application system requires the user to enter a password;
The user starts the dynamic password generation client;
The dynamic password generation client requires the user to enter the password (the client does not check whether the password is correct);
The user enters the password;
The dynamic password generation client uses the user's password to unlock the saved private key of the user, then uses this key combined with the time and the event counter to generate a dynamic password, which is displayed to the user;
The user enters this password into the application system;
The application system sends this password to the dynamic password verification server for checking. The two times being synchronized means: the dynamic password generation time is compared with the verification server's current system time, and if the difference between the two lies within the preset time error range (the time error is a settable parameter, e.g. less than 3 minutes), the two times are synchronized. The two counts being synchronized means: the dynamic password generation count is compared with the current dynamic password verification count, and if the difference between the two counts lies within the preset count error range (the count error is a settable parameter), the two counts are synchronized. If the check passes, the user's authentication is complete.
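The following Go program is a second added example, again not the patent's own code, covering workflow steps 1) and 2) above and the property stated in step 3) that the client never checks the password. The management side refuses a duplicate user ID and generates a random private key and a random initial event counter; the phone side wraps the delivered key under the 8-digit password the user sets and stores only the wrapped form next to the counter. The wrapping construction (DES keyed with the first 8 bytes of SHA-256 of the password) and the stored record layout are assumptions of this example; the page only says the key is encrypted with the user's password. Unlock deliberately performs no password check, so a wrong password silently yields a different key and the mistake only surfaces as a dynamic password the server rejects, which is why the page's freeze-after-n-failures rule also catches mistyped passwords.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Enrollment is the record the management system creates for one user ID
// (stored encrypted in the page's database; kept in memory here).
type Enrollment struct {
	Key            []byte // 8-byte client private key
	InitialCounter uint32
}

// Management is the server-side registry of enrolled user IDs.
type Management struct {
	Users map[string]Enrollment
}

// Enroll is workflow step 1): refuse a duplicate ID, then generate a random
// private key and a random initial event counter for the user.
func (m *Management) Enroll(id string) (Enrollment, error) {
	if _, dup := m.Users[id]; dup {
		return Enrollment{}, errors.New("user ID already exists")
	}
	e := Enrollment{Key: make([]byte, 8)}
	if _, err := rand.Read(e.Key); err != nil {
		return Enrollment{}, err
	}
	var c [4]byte
	if _, err := rand.Read(c[:]); err != nil {
		return Enrollment{}, err
	}
	// top bit cleared so the count window never wraps around (assumed choice)
	e.InitialCounter = binary.BigEndian.Uint32(c[:]) & 0x7fffffff
	m.Users[id] = e
	return e, nil
}

// pinKey derives the DES wrapping key from the user's software password
// (assumed derivation: first 8 bytes of SHA-256; the page specifies none).
func pinKey(pin string) []byte {
	h := sha256.Sum256([]byte(pin))
	return h[:8]
}

// Phone is what the client software persists after activation: the private
// key wrapped under the password, plus the initial counter in the clear.
type Phone struct {
	WrappedKey []byte
	Counter    uint32
}

// Activate is workflow step 2): wrap the delivered key under the password the
// user set and save it together with the initial event counter.
func Activate(pin string, e Enrollment) (*Phone, error) {
	c, err := des.NewCipher(pinKey(pin))
	if err != nil {
		return nil, err
	}
	w := make([]byte, 8)
	c.Encrypt(w, e.Key)
	return &Phone{WrappedKey: w, Counter: e.InitialCounter}, nil
}

// Unlock recovers the private key for step 3). There is no password check,
// as the page states for the client: a wrong password returns a different
// 8-byte value, which leads to a dynamic password the server will reject.
func (p *Phone) Unlock(pin string) []byte {
	c, _ := des.NewCipher(pinKey(pin)) // pinKey is always 8 bytes, so no error
	k := make([]byte, 8)
	c.Decrypt(k, p.WrappedKey)
	return k
}

func main() {
	m := &Management{Users: map[string]Enrollment{}}
	e, _ := m.Enroll("alice") // constructed demo user ID
	phone, _ := Activate("12345678", e)
	fmt.Println("right password recovers key:", bytes.Equal(phone.Unlock("12345678"), e.Key))
	fmt.Println("wrong password recovers key:", bytes.Equal(phone.Unlock("87654321"), e.Key))
}
```

The design consequence worth noticing is that the phone stores no verifier of the password at all: a stolen handset does not give an offline way to confirm a password guess, but every mistyped password costs one of the server's n permitted failures.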
The above embodiment is only used to illustrate the invention, not to limit it.