Identity authentication of network security-password-based authentication

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Password-based authentication is a widely used technology. In the initial stage, the user registers a username and login password with the system, and the system stores both in its internal database. Because this password normally stays valid for a long time, it is also called a static password. When logging in, the user's system generates a value such as a timestamp, encrypts it with the password under a fixed algorithm, and sends the result to the business platform together with the username. The business platform looks up the user's password by username and decrypts the value. If the platform can itself recover or receive the timestamp that was encrypted, it compares it with the decryption result to decide whether authentication passes; if it cannot know the encrypted timestamp, it decides according to certain rules after decryption (for example, whether the timestamp falls within the valid range). Static passwords are used everywhere: local login to Windows, online blogs, instant messaging software and so on.

Static-password authentication has been widely adopted because it is simple and cheap, but it has serious security problems: security depends entirely on the password, and once the password is leaked the user can be impersonated. Simple passwords are easily broken by dictionary attacks, brute force and even exhaustive computation. In particular, some business platforms implement password authentication incorrectly and let users' passwords travel over the open network. The authenticator receives the password and compares it with the user password stored in the system to decide whether the party is a legitimate visitor. This implementation carries many hidden dangers: once the file that records user information is leaked, every account in the system is exposed together with its password. The series of user databases that have been published on the Internet reflects the disadvantages of this approach. In addition, such an unsound implementation also risks the password being intercepted in transit. As network applications deepen and network techniques diversify, password authentication keeps evolving and producing new techniques. To stop automated programs from logging in on their own, many business platforms also add distorted images that are difficult for computers to recognize.

Password-based authentication is vulnerable to the following security threats.

(1) Dictionary attack. An attacker lists all the passwords a user might plausibly choose and collects them in a file called a "dictionary". Once the attacker obtains verifiable information related to the password, he can run through the dictionary to guess the user's likely password and use that information to check whether each guess is correct.

(2) Brute-force attack. Also known as "brute force cracking" or "exhaustive search", this is a special case of the dictionary attack: the dictionary is the complete set of strings, and every possible combination is tried until the correct one is found.

(3) Keyboard monitoring. Once keystroke-logging software has been planted on the user's computer in some way, it can secretly record every keystroke, thereby capturing the password the user types, and send the collected information by e-mail or other means according to a predetermined plan.

(4) Wiretapping. The password is obtained by sniffing the network and eavesdropping on communication data. Many common network protocols, such as Telnet, FTP and HTTP, transmit passwords in plaintext, which means that all information exchanged between client and server (including plaintext passwords and user data) may be stolen.

(5) Snooping. An attacker takes advantage of physical proximity to the user to install monitoring equipment, or simply watches the account and password being entered by a legitimate user. Snooping also includes planting monitoring software on the user's computer.

(6) Social engineering. This is a way of obtaining secret information by setting psychological traps, such as deception, that exploit the victim's psychological weaknesses, instinctive reactions, curiosity, trust, greed and so on.

(7) Garbage search (dumpster diving). An attacker obtains password-related information by searching through the victim's discarded items (such as hard disks, USB drives, CDs, etc.).

To be as secure as possible, you usually need to pay attention to the following points when using passwords:

(1) Use a password that is long enough, and never the default password.

(2) Do not use simple letters or numbers alone; try to increase the complexity of the character combination.

(3) Avoid using the same password on different platforms, and change the password regularly.

To overcome the security risks caused by static passwords, dynamic password authentication has gradually become the mainstream technology of password authentication. As the name implies, a dynamic password is different every time the user logs in to the system, and each password is used only once, so it is also called a one-time password (OTP, One Time Password). Its "one password per login" property effectively protects the user's identity. However, if the time or the event count between client and server cannot be kept well synchronized, the token may become unusable. The principle of OTP is to use a special algorithm (such as a one-way hash function) to combine the user's secret with an uncertainty factor (such as a random number) into a one-time password, which the user submits to the server together with the authentication data. After receiving the request, the server runs the same algorithm and compares its result with the data submitted by the user; if they match, authentication passes, otherwise it fails. In this way the password submitted by the user is different every time. Even if an attacker eavesdrops on the network and steals the login information, the stolen data is valid only once, and the user's secret cannot be derived from a one-time password, which greatly improves the security of the authentication process. Technically, OTP comes in three forms: challenge-response, time synchronization and event synchronization.

Three forms of dynamic password

(1) Challenge-response. In the challenge-response mechanism the user usually carries a corresponding challenge-response token, which has a built-in seed key and encryption algorithm. When the user accesses the system, the server randomly generates a challenge and sends the challenge number to the user. The user types the challenge number into the token by hand; the token computes the corresponding response number using its built-in seed key and algorithm, and the user uploads the response number to the server. The server computes the expected verification number from its stored copy of the seed key and the same algorithm and compares it with the response uploaded by the user to complete authentication. However, this method requires the user to type in the challenge number, which easily causes input errors, and the procedure is rather cumbersome. In recent years OTP delivered as an SMS verification code has become widespread; it is currently the mainstream OTP verification method and is widely used in transaction and management systems with high security requirements.

(2) Time synchronization. The principle is that the dynamic token and the server each derive the dynamic password from the current time, and the server verifies by comparing the two. A time-synchronized token generally generates a new password every 60 seconds, which requires the server to keep a very accurate clock and places strict requirements on the crystal oscillator frequency of the token; the terminal for this technique is a hardware token. At present most bank login systems use this dynamic-token login mode: the user holds a hardware dynamic token and must enter the current dynamic password to be authenticated by the back end. In recent years software dynamic tokens based on smartphones have become increasingly popular: users install dedicated client software on the phone, generate the dynamic password from the software, and use it to complete login and transaction payment.

(3) Event synchronization. The principle of the event-synchronization mechanism is that both sides compute the same password by feeding a specific event sequence and the same seed value into a specific algorithm. An event-based dynamic password changes according to the number of times it has been used. Each time the user logs in (an event), the user presses the key on the event-synchronization token to generate a password, while the system generates a password based on the same login event, and the two are compared. Unlike clock-synchronized dynamic tokens, event-synchronization tokens do not need precise time synchronization; they rely on the login events to stay synchronized with the server. Compared with time-synchronized tokens, event-synchronization tokens are therefore suited to very harsh environments, even surviving a fall into water.
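The three OTP forms described above, as an added example that is not code from the article: the "special algorithm" on the shared seed is the HMAC-SHA1 dynamic truncation of RFC 4226/6238 (a choice I make here; the article names no algorithm), the seed is the RFC 4226 test secret so the outputs can be checked against that RFC, and the server-side verifiers show the clock-drift window and counter look-ahead that the synchronization caveat in the article calls for. Function names are my own.

```python
import hashlib
import hmac
import struct

# Constructed demo seed shared by the token and the server; real tokens use a per-device random secret.
# This is the RFC 4226 test secret "12345678901234567890", so event_otp(SEED, 0) must give "755224".
SEED = b"12345678901234567890"
DIGITS = 6
TIME_STEP = 60  # the article describes time-synchronized tokens that roll every 60 seconds


def dynamic_password(seed: bytes, moving_factor: bytes, digits: int = DIGITS) -> str:
    """HMAC-SHA1 of the moving factor under the seed, dynamically truncated (RFC 4226) to decimal digits."""
    mac = hmac.new(seed, moving_factor, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# (1) Challenge-response: the server sends a random challenge; the token's answer is bound to that challenge.
def challenge_response(seed: bytes, challenge: bytes) -> str:
    return dynamic_password(seed, challenge)


# (2) Time synchronization: the moving factor is the number of whole time steps since the epoch.
def time_otp(seed: bytes, now: int, step: int = TIME_STEP) -> str:
    return dynamic_password(seed, struct.pack(">Q", now // step))


# (3) Event synchronization: the moving factor is how many times the token button has been pressed.
def event_otp(seed: bytes, counter: int) -> str:
    return dynamic_password(seed, struct.pack(">Q", counter))


def verify_time(seed: bytes, submitted: str, now: int, step: int = TIME_STEP, drift: int = 1) -> bool:
    """Server side: accept the current step plus `drift` steps either side to tolerate small clock skew."""
    candidates = (time_otp(seed, now + d * step, step) for d in range(-drift, drift + 1))
    return any(hmac.compare_digest(c, submitted) for c in candidates)


def verify_event(seed: bytes, submitted: str, counter: int, look_ahead: int = 5):
    """Server side: search a small window ahead so a token pressed without logging in can resynchronize.
    Returns the next expected counter on success (the server must persist it), or None on failure."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(event_otp(seed, c), submitted):
            return c + 1
    return None
```

Persisting the returned counter is what makes a captured event password worthless afterwards: a replay of an already-consumed counter falls outside the look-ahead window and is rejected.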

Password-based authentication is currently the most widely used identity authentication technology. Static password authentication is mainly used for system login, such as logging in to a portal website or online banking. For bank payments, online bank transfers and transactions, however, a combination of static and dynamic passwords is generally used. For example, when trading in Alipay, the Alipay system requires the user to enter both a payment password and the code from a software dynamic token bound to the account. China Merchants Bank uses a static password plus an SMS dynamic verification code for low-limit transactions and transfers, which greatly improves security.
