20. Dynamic password

Dynamic password background

A dynamic password, also known as a one-time password (OTP), is an efficient, simple and relatively secure password generation scheme. As one of the most secure identity authentication technologies, it is being applied in more and more industries. Because it is easy to use and platform-independent, dynamic password technology has become the mainstream of identity authentication with the development of the mobile Internet, and it is widely used in enterprises, online games, finance and other fields. More and more companies at home and abroad are engaged in the research, development and production of dynamic passwords. Their advantage lies in fast and seamless interoperability with various business systems; their self-developed dynamic password identity authentication software is stable and efficient, supports multiple authentication modes, and offers solutions for enterprises of different sizes.

A dynamic password is a password that is regenerated whenever a certain event occurs (the password has been used, a certain period of time has elapsed, and so on). Its biggest advantage is that it prevents replay attacks and avoids the weakness of static passwords, which can be cracked by brute force. In practice, two-factor authentication combining a static password with a dynamic password is generally used; this is also called two-step verification.

Dynamic passwords actually appeared in our lives long ago. Before mobile payment developed, online banking was the most popular online payment channel, and banks distributed dynamic password cards to their online banking customers to protect the security of payments from their online banking accounts.

For example, Bank of China's electronic password card (new passwords are generated periodically according to the time difference, and the card has a built-in battery that guarantees several years of continuous use), ICBC's electronic banking password card (the online banking payment page generates a different set of coordinates each time; the user scratches off the coating at the specified row and column positions on the card to obtain the password, which becomes invalid after use), and the SMS verification codes that banks require all fall into the category of dynamic passwords.

With the development of the mobile Internet and the increasing intelligence of mobile devices, synchronization between devices has improved greatly. Dynamic password generation, which used to rely on a dedicated device, has quickly evolved into dynamic password generation software on mobile phones. This greatly improves the portability of dynamic passwords: one user with one mobile phone can manage the generation of any number of dynamic passwords, which also removes much of the resistance to promoting two-step verification on websites, since some users refuse to enable the two-step verification mechanism because a password card is too troublesome to use, and thereby expose their own accounts to risk. The best-known dynamic password generation software is Google's Authenticator app.

Dynamic password principle

Algorithms involved:

1. Digest (hash) algorithms

Classification by the factor used:

1. Time-based tokens

2. Challenge/response tokens

3. SMS

Classification of dynamic passwords

There are two common types of dynamic passwords:

  • Counter-based: once generated, a counter-based OTP remains valid for an unlimited time until it is used. After each successful use the counter is incremented by 1 to generate a new password. The algorithm that implements counter-based dynamic passwords is called HOTP;

  • Time-based: a time-based OTP has a configurable validity period, ranging from 30 seconds to two minutes; the OTP is discarded after authentication, and a new password must be used for the next authentication. The algorithm that implements time-based dynamic passwords is called TOTP.

The basic authentication principle of dynamic passwords is that the two authenticating parties share a secret key, also called the seed key, and both use the same seed key to run a cryptographic algorithm over an event counter or a time value. The algorithms used include symmetric ciphers, hashes, HMAC and so on; this is the basis of all dynamic password algorithms.
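The HOTP and TOTP mechanism described above (a shared seed key, HMAC over a counter or a time step, and single use of each code) as an added Python example; this is not code from the original post. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP) and uses the RFC test seed `12345678901234567890` as a constructed seed. The server-side verifier classes, the look-ahead window of 5 counters and the drift tolerance of 1 time step are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test seed (constructed for the example; real seeds are random)
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduction modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter replaced by the time step number."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


class HotpVerifier:
    """Server side of a counter-based OTP. The counter only moves forward, so a
    code that has been accepted can never be accepted again. The look-ahead
    window (assumed value) lets the server resynchronise when the token
    generated codes that were never submitted."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consume this counter and any skipped ones
                return True
        return False


class TotpVerifier:
    """Server side of a time-based OTP. Accept the current step plus or minus
    `drift` steps to tolerate clock skew, but never a step at or before the last
    one used, so a code is discarded after a successful authentication."""

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_step = -1           # highest time step already consumed

    def verify(self, code: str, at=None) -> bool:
        if at is None:
            at = time.time()
        current = int(at // self.step)
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_step:
                continue              # replay of an already used time step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC test vectors: counter 0 -> 755224, time 59 s (step 1) -> 287082
    print(hotp(SEED, 0), totp(SEED, at=59))
```

Both verifiers compare codes with `hmac.compare_digest` rather than `==` so that the comparison time does not leak how many leading digits matched, and both record which counter or time step was consumed, which is what makes the "valid once" property of the text hold on the server side.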

Realization method of dynamic password

A dynamic password is a password that changes constantly. Since the password entered each time is different, even if a password is stolen once there will be no loss. For online banking users who have not applied for a certificate, banks usually use dynamic passwords to protect user accounts: whenever the user needs to operate on the funds in the account, a dynamic password is required.

Dynamic passwords come in three forms: dynamic password cards, dynamic password tokens and mobile phone dynamic passwords.

  • Dynamic password card

A dynamic password card, also called a scratch card, is similar in shape to a bank card and has several strings of characters printed on it in a matrix. When a customer uses e-banking for payment transactions such as external transfers, B2C shopping or bill payment, the e-banking system randomly issues a set of card coordinates; the customer finds the password combination on the card by those coordinates and enters it into the e-banking system. Only a customer who enters the correct password combination can complete the transaction. A password combination is valid once and becomes invalid after the transaction is completed.
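The coordinate challenge of the scratch card described above, as an added Python example of the server side; this is not code from the original post. The server keeps the card's grid, issues a random set of coordinates, checks the customer's reply with a constant-time comparison, and marks the cells used so that a combination is valid only once. The grid layout (rows A to H, columns 1 to 10, 3-digit cells), the three coordinates per challenge and the choice to burn cells only on a successful reply are assumptions.

```python
import hmac
import secrets
import string


class MatrixCardAuth:
    """Server-side state for one customer's scratch card (constructed example)."""

    def __init__(self, grid):
        # grid maps (row_letter, column_number) -> printed string, e.g. ("C", 7) -> "482"
        self.grid = dict(grid)
        self.used = set()       # coordinates whose value has already been accepted
        self.pending = None     # coordinates of the challenge currently outstanding

    @staticmethod
    def new_grid(rows="ABCDEFGH", cols=range(1, 11), digits=3):
        """Generate the values to print on a fresh card (assumed layout)."""
        return {(r, c): "".join(secrets.choice(string.digits) for _ in range(digits))
                for r in rows for c in cols}

    def challenge(self, n=3):
        """Pick n distinct coordinates that have never been used on this card."""
        fresh = [k for k in self.grid if k not in self.used]
        if len(fresh) < n:
            raise RuntimeError("card exhausted; issue the customer a new card")
        self.pending = tuple(secrets.SystemRandom().sample(fresh, n))
        return self.pending

    def verify(self, response: str) -> bool:
        """Check the customer's reply to the outstanding challenge.

        The challenge is cleared whether or not the reply is correct, so a wrong
        guess cannot be retried against the same coordinates. Cells are burned
        only on success (assumption), so a failed attempt does not let a third
        party exhaust the card."""
        if self.pending is None:
            return False
        coords, self.pending = self.pending, None
        expected = "".join(self.grid[k] for k in coords)
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.used.update(coords)   # this combination is now invalid
        return ok


if __name__ == "__main__":
    card = MatrixCardAuth(MatrixCardAuth.new_grid())
    coords = card.challenge()
    print("Enter the values at:", " ".join(f"{r}{c}" for r, c in coords))
```

Because `verify` clears the pending challenge before comparing, a replayed reply is rejected even when it is correct, and because the next `challenge` call only samples from unused cells, the same printed combination is never asked for twice on one card.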

  • Dynamic token

An OTP token is about the size of a USB flash drive. It is a dedicated hardware device with a built-in power supply, a password generation chip and a display screen, and it automatically updates the OTP at regular intervals according to a special algorithm. The dynamic password changes every 60 s; the user simply follows the system prompts and enters the password currently displayed on the token. Bank of China uses this method, which it calls the Bank of China e-order.

  • Mobile phone dynamic password

With the mobile phone dynamic password, the online banking account is bound to a mobile phone number when the user applies for online banking. When the user makes an online payment or fund transfer, the system automatically generates a password and sends it to the bound mobile phone as a text message, and the user enters this mobile phone password on the payment page to complete the transaction.

Dynamic password application technology

The mainstream terminals used to generate dynamic passwords are hardware tokens, SMS passwords and mobile phone tokens.

SMS password

With SMS passwords, the user requests a dynamic password consisting of 6 random digits delivered as a mobile phone text message: the identity authentication system sends a random 6- or 8-digit password to the customer's mobile phone by SMS, and the customer enters this dynamic password at login or during transaction authentication, securing the system's identity authentication. SMS dynamic password authentication is considered one of the most effective ways to solve user identity authentication. It effectively prevents hackers and Trojan horses from stealing user account passwords, as well as fake websites and other network problems that cause loss of user property or data.
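The SMS password flow described above as an added Python example of the issuing and checking side; this is not code from the original post. The service generates a random 6-digit code, stores only a salted hash of it together with an expiry time, hands the clear-text code to an SMS gateway (stood in for here by an in-memory outbox), and accepts the code once, within its validity period, with a bounded number of wrong guesses. The 120 s validity (the upper end of the 30 s to two minutes range the text gives), the limit of 3 attempts, the injectable clock and the message wording are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 120        # seconds the code stays valid (assumed; text gives 30 s to 2 min)
MAX_ATTEMPTS = 3     # wrong guesses allowed before the code is discarded (assumed)


class SmsOtpService:
    """Issues and checks SMS one-time passwords for one identity system (constructed example)."""

    def __init__(self, digits: int = 6, clock=time.time):
        self.digits = digits
        self.clock = clock          # injectable for testing expiry without sleeping
        self.pending = {}           # phone -> {"hash", "salt", "expires", "attempts"}
        self.outbox = []            # stands in for the SMS gateway

    @staticmethod
    def _hash(code: str, salt: bytes) -> str:
        return hashlib.sha256(salt + code.encode()).hexdigest()

    def issue(self, phone: str) -> None:
        """Generate a fresh code for this phone, replacing any earlier pending code."""
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        salt = secrets.token_bytes(16)
        self.pending[phone] = {
            "hash": self._hash(code, salt),   # only the hash is stored server-side
            "salt": salt,
            "expires": self.clock() + OTP_TTL,
            "attempts": 0,
        }
        self.outbox.append(
            (phone, f"Your verification code is {code}. Valid for {OTP_TTL // 60} minutes."))

    def verify(self, phone: str, submitted: str) -> bool:
        """Accept the code at most once, only before it expires, and only within
        MAX_ATTEMPTS guesses; every failure path leaves nothing reusable behind."""
        entry = self.pending.get(phone)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[phone]           # expired codes are discarded
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self.pending[phone]           # too many guesses: force a new code
            return False
        if hmac.compare_digest(self._hash(submitted, entry["salt"]), entry["hash"]):
            del self.pending[phone]           # single use
            return True
        return False


if __name__ == "__main__":
    svc = SmsOtpService()
    svc.issue("+86-138-0000-0000")           # constructed phone number
    print(svc.outbox[-1][1])
```

Storing only a salted hash means a read of the pending table does not reveal usable codes, and the attempt limit keeps the 6-digit space from being searched while a code is live; both are server-side properties that the SMS channel itself does not provide.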

Hardware token

Currently the most mainstream form is the time-synchronized hardware token, which changes the dynamic password every 60 seconds; each dynamic password is valid once, and the token generates 6- or 8-digit dynamic numbers.

Dynamic password card / dynamic token: KingKey1000 is a handheld terminal for two-factor dynamic password generation. The terminal randomly generates a new password every minute from the hardware password seed, the time and an event, which gives it strong randomness and makes the password impossible to guess. KingKey1000 must be used together with the corresponding server software, and is widely used in online games, financial software systems, ERP software systems, government e-government systems, military systems, VPN (virtual private network) systems, financial systems and other software systems that require high password security.

Mobile token

A mobile phone token, also called a mobile token, is mobile phone client software used to generate dynamic passwords. No communication takes place and no fees are incurred while a dynamic password is generated, so there is no possibility of interception on a communication channel. Because the mobile phone is only the carrier of dynamic password generation, unpaid bills or lack of signal have no effect on it. Thanks to its high security, zero cost, nothing extra to carry, nothing to procure and no logistics, it is more in line with the spirit of the Internet than a hardware token; because of these advantages, mobile phone tokens may become the mainstream form of dynamic password identity authentication token in the 3G era.

The essence of the mobile phone token is implementing dynamic password technology in mobile phone software. After the software is started, the phone computes an unguessable dynamic password and displays it on its LCD screen every minute. Mobile phone dynamic passwords can run on Windows Mobile, iPhone, Android, Symbian and other mobile phone operating systems, and the key can be bound to the phone. As with hardware dynamic tokens, and taking the Haiyue Communication mobile phone token as an example, there are technically two mainstream forms: time synchronization and challenge/response.

Features of Dynamic Password

  • No memorization required

Forgotten passwords are a headache for many people. With the spread of network applications, people have to memorize more and more passwords. The dynamic password card removes the need for users to memorize multiple passwords.

  • Double insurance

The DKEY dynamic password authentication system adopts a two-factor authentication mechanism. Even if a user loses the dynamic password card and the account at the same time, there will be no loss.

  • Loss is noticed quickly

Under traditional authentication mechanisms, user passwords are often lost or stolen without the user noticing; the harm is discovered only after it has occurred, so it can only be remedied after the fact. If a dynamic password token is lost, the user notices immediately and can report the loss in time, preventing problems before they happen.

  • Solid against both internal and external threats

Among intruders into information systems, internal intruders account for more than 80%. For e-commerce sites, the weakest link in information security is internal defense; for example, a network administrator can obtain confidential user information through normal authorization, which is undoubtedly a threat to user information security. The dynamic password authentication system leaves key generation and management entirely to the system to complete automatically, which minimizes human factors, effectively prevents insider crime, and makes the system's security protection solid both internally and externally.

  • Simple and easy

IC card authentication, CA authentication and fingerprint authentication all require dedicated terminal authentication equipment, which greatly limits their scope of application. The commonly used USB key also has to be plugged into a computer, so it cannot be used for telephone transactions with a large number of users. Dynamic password tokens can be used with any device that can input decimal digits, and are easy to use.

The system is relatively independent, its interface is simple, and it is easy to connect to an e-commerce site's existing authentication system. It uses a dedicated dynamic password authentication server for authentication, so the existing application system stays intact and system resources are protected.

Origin blog.csdn.net/weixin_42369053/article/details/129724203