
Basic principles of dynamic password

2025-03-07 Update From: SLTechnology News&Howtos (shulou), Network Security


Shulou (Shulou.com) 06/01 Report

A dynamic password, also known as a dynamic token or one-time password (OTP), works on the following principle: before the user logs in, a randomly changing password is derived from the user's personal identity information together with a random number, so that the password transmitted in each login is different. This improves the security of user identity authentication during login.

Banks usually provide users with two kinds of OTP. The first is a fixed number of OTPs, most commonly the scratch card: each time the user scrapes off the coating of the area indicated by the bank's prompt, a password is revealed. Scratch cards are cheap and easy to use, so many banks adopt this method, for example the Industrial and Commercial Bank of China. The second is the hardware form of dynamic password, the electronic token, which uses dedicated hardware: each time, its own password-generating chip produces a currently valid one-time dynamic password. Bank of Communications, among others, uses this form. Generally speaking, each client's electronic token holds a unique key that is also stored on the server, and in each authentication the token and the server compute the dynamic password from the same key, the same random number and the same algorithm, which guarantees that the two passwords agree and the authentication succeeds. Because the random-number parameter differs in each authentication, the dynamic password generated each time is also different. The randomness of the parameter in each calculation ensures that each password is unpredictable, which is what secures the system.

How are these random numbers generated? The random factors used by OTP fall into the following categories.

1. One-way sequence: the passwords form a one-way chain in which each password is related to the previous one, and the system records only the Nth password. When the user logs in with the (N-1)th password, the system applies the one-way algorithm to it and checks that the result matches the Nth password it has saved, in order to judge the legitimacy of the user. Because N is finite, the user must reinitialize the password sequence after N logins.

2. Time synchronization: the user's login time is used as the random factor. This method requires high time accuracy on both sides, so the usual compromise is to take the minute as the time unit. In this kind of dynamic password, the tolerated time error can reach ±1 minute.

3. Event synchronization: a specific event count and the same seed value are fed as input to the same algorithm to compute the same password on both sides. This mechanism makes the whole workflow clock-independent and unaffected by clock drift. It spares users from entering challenge information every time, but when the user's event sequence drifts away from the server's, the two must be resynchronized.

4. Challenge/response: also known as asynchronous authentication. Compared with time or event synchronization, its operation is more cumbersome and its implementation more complex, so it is generally used where security requirements are higher, such as logging in to online banking, where an additional authentication step is needed. When the user needs to access the system, the remote authentication server generates a random number string, the "challenge code", according to the user's electronic token data, and the user enters this string into the electronic token. The token uses its built-in seed key and algorithm to compute the corresponding response (usually a string of digits).

5. The user enters the response into the system. The system computes the response from the electronic token information it holds for that user (seed key and algorithm) and compares it with the response entered by the user; if the two match, authentication passes. Because every electronic token has a different seed key, the tokens of different users compute different responses to the same challenge. Only a user who holds the specified electronic token can compute the correct response and pass the system's authentication, which guarantees that the user is a legitimate user holding that token.
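The one-way sequence of item 1 (the Lamport hash-chain scheme) as an added example, not code from the article. The seed and chain length are constructed demo values; the server stores only the latest verified password and refuses old ones, which is what makes each password one-time.

```python
# Added example (not from the article): a one-way password chain.
# Constructed values: a demo seed and a short chain; real deployments use a random seed.
import hashlib


def step(value: bytes) -> bytes:
    """One-way function f: anyone can compute f(x), nobody can recover x from f(x)."""
    return hashlib.sha256(value).digest()


def build_chain(seed: bytes, n: int) -> list:
    """Return [p_0, p_1, ..., p_n] with p_0 = seed and p_{i+1} = f(p_i).
    The token keeps the whole list; the server stores only p_n."""
    chain = [seed]
    for _ in range(n):
        chain.append(step(chain[-1]))
    return chain


class Server:
    """Holds only the most recently verified password and the remaining login count."""

    def __init__(self, p_n: bytes, n: int):
        self.stored = p_n
        self.remaining = n

    def verify(self, candidate: bytes) -> bool:
        # Accept p_{k-1} only if f(p_{k-1}) equals the stored p_k, then move the
        # stored value back one step so the same password can never be reused.
        if self.remaining == 0:
            return False  # chain exhausted: the sequence must be reinitialized
        if step(candidate) != self.stored:
            return False
        self.stored = candidate
        self.remaining -= 1
        return True


def demo() -> dict:
    """Walk the chain backwards (p_4, p_3, ...) and try a replay in the middle."""
    n = 5
    chain = build_chain(b"constructed-demo-seed", n)
    server = Server(chain[n], n)
    first = server.verify(chain[4])      # valid: f(p_4) == stored p_5
    replay = server.verify(chain[4])     # replay of p_4 is rejected
    rest = [server.verify(chain[k]) for k in range(3, -1, -1)]
    exhausted = server.verify(chain[0])  # N logins used up, must reinitialize
    return {"first": first, "replay": replay, "rest": rest, "exhausted": exhausted}
```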

Because the password changes every time, a captured password is useless, and since the dynamic password is generated by a dedicated algorithm it is highly random and hard to crack. Traditional * programs find that the credentials have already expired even if they steal the user's personal information and log on to the bank's web page. Therefore, OTP greatly improves the security of user identity authentication.
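An added example, not from the article, showing how one keyed generator covers the other three random factors (the minute for time synchronization, an event counter for event synchronization, a server-chosen challenge for challenge/response) and the server-side checks that make a stolen code expire, as the paragraph above describes. The generator is the HOTP-style HMAC-SHA1 truncation; the seed key is the RFC 4226 test key, used here only as a constructed demo value.

```python
# Added example (not from the article): one HMAC-based OTP generator driven by three
# different random factors, plus the server checks that reject drift and replay.
import hashlib
import hmac
import secrets

SEED_KEY = b"12345678901234567890"  # RFC 4226 test key, used as a constructed demo seed


def otp(seed: bytes, factor: int, digits: int = 6) -> str:
    """Same key + same factor + same algorithm gives the same code on token and server."""
    mac = hmac.new(seed, factor.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_time(seed: bytes, code: str, server_now: int, tolerance: int = 1) -> bool:
    """Time sync: factor = minute number; accept +/- tolerance minutes of clock drift."""
    minute = server_now // 60
    return any(hmac.compare_digest(otp(seed, minute + d), code)
               for d in range(-tolerance, tolerance + 1))


class EventServer:
    """Event sync: the server remembers the last accepted counter and only moves forward,
    so a captured code cannot be replayed; a small look-ahead window absorbs drift."""

    def __init__(self, seed: bytes, window: int = 3):
        self.seed, self.counter, self.window = seed, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter + 1, self.counter + 1 + self.window):
            if hmac.compare_digest(otp(self.seed, c), code):
                self.counter = c  # resynchronize to the token's position
                return True
        return False  # behind, replayed, or too far ahead: resync needed


def challenge() -> int:
    """Challenge/response: the server draws a fresh random challenge for each login."""
    return secrets.randbelow(10 ** 8)


def verify_response(seed: bytes, chal: int, response: str) -> bool:
    """Only a token holding the same seed can answer this particular challenge."""
    return hmac.compare_digest(otp(seed, chal), response)
```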

© 2024 shulou.com SLNews company. All rights reserved.