What is the principle of the bank's dynamic password token?

Most online banking users have received such a token from their bank, commonly known as a dynamic password. When making a payment, you enter your own password plus the dynamic password shown on the token to complete verification, and the bank then believes you are not an impostor. Today we will briefly describe how this dynamic password token works.

PS: This article may require the reader to have some cryptography background, so be warned.


RSA SecurID SID700

The RSA SecurID SID700 shown in the figure is a popular dynamic password token on the market. While preparing this material, the author found many errors in Chinese blog posts describing dynamic passwords; most of them are aimed at banks but do not understand the structure of a complete authentication mechanism, so the first thing to emphasize is that

the dynamic password tokens in the hands of the public do not use any symmetric or asymmetric encryption algorithm. In the bank's entire authentication system, the dynamic password token is only a generator of one-time passwords; the main computations running in it are the computation of the time factor and the computation of a hash value.

The dynamic password algorithm is also called the one-time password algorithm, written in English as OTP (One-Time Password Algorithm). The algorithm used by the dynamic password token is one type of OTP, TOTP (Time-Based One-Time Password Algorithm), i.e. a time-synchronized dynamic password.

A time-synchronized dynamic password depends on the time at which the password is generated. Let us take a look at its working principle diagram:

[Figure: working principle diagram of the dynamic password]

The diagram shows the working principle of the dynamic password, highlighting the dynamic password part of the whole authentication mechanism. We can clearly see two identical processes on the far left and the far right, which represent the work done by the user's token card and by the bank server's verification machine respectively. The focus of this article is these two identical processes.

When the user receives the dynamic password token card from the bank, a seed file (the seed represented by the key in the figure) has already been stored in the token card, and an exactly identical copy of this seed file is saved on the bank's server, so for dynamic password tokens this is a shared-secret scheme. In addition, the token hardware is configured so that if someone opens the token card, the seed file is erased from the token's memory (to be verified).

With the seed file stored in the token card and the TOTP algorithm implemented in it, the token can continuously generate different dynamic passwords at a preset interval and display them on the screen. The bank server performs the same calculation with the current time and obtains the same password as the token card, which is then used for authentication.

So what exactly does the TOTP algorithm do? RFC 6238 contains a detailed description of the algorithm; a brief description is given here.

TOTP is a variant of HOTP [RFC 4226]. Viewed as a whole, both apply a keyed hash to the seed and a moving factor, but HOTP's moving factor is an event counter, whereas TOTP replaces it with a time factor. The specific TOTP formula (where HMAC-SHA-256 may also be HMAC-SHA-512):

TOTP = Truncate(HMAC-SHA-256(K,T))

where K is the content of the seed file, and T is the computed time factor.

The HMAC in the formula is a keyed hash message authentication code (Hash-based Message Authentication Code). HMAC uses a hash algorithm, takes a key and a message as input, and produces a message digest as output. The hash algorithm given in the formula is SHA-256, for which no practical attack is currently known.

The length of the password to be displayed is preset in the token card, and the Truncate operation in TOTP cuts the HMAC output down to a password of that length.

The above is the internal principle of the dynamic password token card.
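As an added example (not code from the original article), here is the computation described above in Python using only the standard library: the HOTP/TOTP generation that both the token card and the server perform, plus a server-side check that tolerates a small amount of clock drift. RFC 6238 defaults to HMAC-SHA-1, so the hash is a parameter; the secrets and expected values used in the comments are the published RFC 4226/6238 test vectors.

```python
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit value
    return str(code % 10 ** digits).zfill(digits)  # keep only the digits the token displays


def time_factor(unix_time: int, step: int = 30, t0: int = 0) -> int:
    """T = floor((current time - T0) / X): the time factor that replaces HOTP's event counter."""
    return (unix_time - t0) // step


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """TOTP (RFC 6238) = Truncate(HMAC(K, T)); token and server both compute exactly this."""
    return hotp(key, time_factor(unix_time, step), digits, algo)


def verify(key: bytes, code: str, server_time: int, step: int = 30, window: int = 1,
           digits: int = 6, algo: str = "sha1"):
    """Server side: accept codes for T-window..T+window so a slightly drifted token still works.

    Returns the drift (in steps) at which the code matched, which the server can record to
    correct the token's time offset, or None if the code is not valid in the window.
    """
    base = time_factor(server_time, step)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, base + drift, digits, algo), code):
            return drift
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: 20-byte ASCII seed, time 59 -> T = 1, 8 digits, SHA-1.
    seed = b"12345678901234567890"
    print(totp(seed, 59, digits=8))  # 94287082
    print(verify(seed, totp(seed, 59, digits=8), 65, digits=8))  # -1: token one step behind
```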

A few additions:

1. Time-synchronized dynamic passwords place high demands on time synchronization between the token card and the server; a time error would cause the entire token to fail. Therefore, every time the user authenticates successfully with the token, the server corrects for the time error accordingly.

2. The seed file is generated with an algorithm derived from AES-128, which is also the current top-level symmetric encryption technology.

3. At present, there is basically no way to break the entire banking authentication system in terms of encryption technology and mathematical theory.

4. Errata welcome.

http://www.techug.com/what-principle
