2025-04-08 Update From: SLTechnology News&Howtos > Development
Shulou (Shulou.com) 06/03 Report
This article describes how to use OTP (one-time, or dynamic, passwords) for login authentication in Java, walking through the registration and login flow with reference code.
A back-office management system exposed on the public Internet that authenticates with static passwords alone faces the following problems:
(1) To make them easy to remember, users tend to pick passwords with personal meaning, and any static password is easier to guess or crack than a dynamic one.
(2) Attackers can intercept static passwords on the Internet or telephone lines; if the credentials are transmitted unencrypted, they are easily captured.
(3) Insiders who hold legitimate access can obtain a user's password and misuse it.
Static passwords therefore cannot reliably establish a user's identity: an attacker can easily forge an identity or take over an existing user's account, causing the enterprise large financial and reputational losses. This article introduces dynamic passwords (OTP) and walks through one implementation.
A dynamic password (OTP, One-Time Password) is an authentication technique in which the client and the server share a secret and derive passwords from it with cryptographic algorithms. It is a strong authentication method, a convenient way to strengthen existing static-password authentication, and an important two-factor authentication technique. A dynamic-password system consists of the dynamic token (the password generator held by the client, typically a hardware device) and a back-end dynamic-password authentication system that manages tokens and verifies passwords.
Technically, OTP comes in three forms: time synchronization, event synchronization, and challenge/response.
(1) Time synchronization
The dynamic token and the authentication server each derive the password from the current time, and the server compares the two results. A time-synchronized token generally generates a new password every 60 seconds, which requires the server to keep a very accurate clock and places strict requirements on the token's crystal oscillator frequency; the terminal for this technique is a hardware token.
(2) Event synchronization
An event-synchronized token takes a specific event sequence (a counter) together with the same seed value as input and runs them through a hash algorithm, so that token and server compute the same password.
(3) Challenge/response
For common online business, the server issues a challenge code on the website; the user enters that challenge code into the dynamic token, which runs its built-in algorithm to produce an 8-digit random number that serves as the one-time password. This is the most widely used technique at present: scratch cards and SMS passwords are examples, and dynamic tokens also come in challenge/response forms.
Implementing OTP with the time-synchronized mode of Aliyun Shenfenbao (ID Bao) or Google Authenticator
The figure above shows the time-synchronized OTP calculation: the client and the server hold the same key and use the same time base, and both apply the same hash algorithm to produce a six-digit check code. Verification passes when the client's and the server's check codes match.
The client needs a carrier to store the key and compute the check code; Aliyun's Shenfenbao (or Google Authenticator) provides a mobile app for exactly that. Taking these two clients as examples, the following shows how to implement OTP verification in an application. The main flow is shown below:
The key code for this flow follows (full source is on GitHub: https://github.com/suyin58/otp-demo).
1 User registration
1.1 Generate the OTP key:
// 64 bytes of random seed, Base32-encoded so the authenticator app can import it
String secretBase32 = TotpUtil.getRandomSecretBase32(64);
oper.setOtpSk(secretBase32);
1.2 Generate the string for OTP scanning:
The agreed string format is:
otpauth://totp/[account information displayed by the client]?secret=[secretBase32]
String totpProtocalString = TotpUtil.generateTotpString(operCode, host, secretBase32);
1.3 Generate a QR code from the string produced in 1.2 and send it to the user by e-mail
String host = "otptest@wjs.com"; // custom label shown in the authenticator app
String totpProtocalString = TotpUtil.generateTotpString(operCode, host, secretBase32);
String filePath = fancitemp; // temporary directory for the QR image (defined elsewhere)
String fileName = Long.toString(System.currentTimeMillis()) + ".png";
try {
    // render the otpauth string as a 150x150 QR code image
    QRUtil.generateMatrixPic(totpProtocalString, 150, 150, filePath, fileName);
} catch (Exception e) {
    throw new RuntimeException("failed to generate QR code picture: " + e.getMessage());
}
String content = "user name: " + operCode
        + " The system logs in using password + dynamic password two-factor authentication."
        + " Please activate the dynamic password on your phone as follows: Android users click to download,"
        + " iPhone users search the App Store for [Alibaba]. After downloading and installing,"
        + " activate OTP by scanning the QR code below.";
EmailBaseLogic emailBaseLogic = new EmailBaseLogic();
// String to, String title, String content, String imagePath
emailBaseLogic.sendWithPic(email, "account opening notification", content, filePath + "/" + fileName);
1.4 Store the user registration information and the OTP key from 1.1 in the database
Data storage code (omitted)
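The registration step above relies on the demo's TotpUtil for the seed and the otpauth string. The following is an added example (not code from the otp-demo project) showing what those two helpers have to do: draw the seed from a CSPRNG, Base32-encode it as authenticator apps expect, and build the otpauth URI with the label URL-encoded. The class and method names (TotpEnrollment, randomSecretBase32, otpauthUri) are assumed for this example, and the issuer/account values in main are constructed.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

// Added example (assumed names, not the otp-demo project's code): generate a TOTP seed,
// Base32-encode it, and build the otpauth URI that the QR code carries.
public final class TotpEnrollment {

    private static final String BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    // Generate byteLength random bytes from a CSPRNG and Base32-encode them.
    // 20 bytes (160 bits) matches HMAC-SHA1's output size, the size RFC 4226 recommends.
    public static String randomSecretBase32(int byteLength) {
        byte[] raw = new byte[byteLength];
        new SecureRandom().nextBytes(raw);
        return base32Encode(raw);
    }

    // RFC 4648 Base32 without '=' padding; authenticator apps accept unpadded secrets.
    static String base32Encode(byte[] data) {
        StringBuilder out = new StringBuilder();
        int buffer = 0, bitsLeft = 0;
        for (byte b : data) {
            buffer = ((buffer << 8) | (b & 0xFF)) & 0xFFFF; // keep at most 16 live bits
            bitsLeft += 8;
            while (bitsLeft >= 5) {
                out.append(BASE32_ALPHABET.charAt((buffer >> (bitsLeft - 5)) & 0x1F));
                bitsLeft -= 5;
            }
        }
        if (bitsLeft > 0) { // left-align the remaining bits into a final symbol
            out.append(BASE32_ALPHABET.charAt((buffer << (5 - bitsLeft)) & 0x1F));
        }
        return out.toString();
    }

    // Provisioning URI: otpauth://totp/<issuer>:<account>?secret=...&issuer=...
    // The explicit algorithm/digits/period parameters pin the values the server will use.
    public static String otpauthUri(String issuer, String account, String secretBase32) {
        String label = urlEncode(issuer) + ":" + urlEncode(account);
        return "otpauth://totp/" + label
             + "?secret=" + secretBase32
             + "&issuer=" + urlEncode(issuer)
             + "&algorithm=SHA1&digits=6&period=30";
    }

    // URLEncoder does form encoding ('+' for space); otpauth labels expect %20.
    private static String urlEncode(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }

    public static void main(String[] args) {
        // constructed sample values
        String secret = randomSecretBase32(20);
        System.out.println("secret (store server-side only): " + secret);
        System.out.println(otpauthUri("otptest@wjs.com", "user01", secret));
    }
}
```

The Base32 string is the shared secret itself, so the server stores it once at registration and the URI (and any QR code or e-mail that carries it) should be treated with the same care as the secret.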
2 Using the client tool
2.1 Download the app
Download address for Android users: http://otp.aliyun.com/updates/shenfenbao.apk
iPhone users search the App Store for [Alibaba] or Google Authenticator
2.2 Scan the QR code
Using the downloaded app, scan the QR code from the e-mail in 1.3; the client thereby obtains the key. The app uses the key to compute a 6-digit check code from the current time (it changes every minute).
3 User login
The client enters the login user name, the user password, and the 6-digit check code shown by the client tool from 2.2.
3.1 The server looks up the user's information and key by user name and password
Code reference
3.2 The server uses the key to compute the 6-digit check code from the current time
String secretHex = "";
try {
    // the stored seed is Base32; the TOTP routine below wants it as hex
    secretHex = HexEncoding.encode(Base32String.decode(secretBase32));
} catch (Base32String.DecodingException e) {
    LOGGER.error("decoding " + secretBase32 + " error,", e);
    throw new RuntimeException("error decoding Base32");
}
long X = 30;          // time step in seconds
String steps = "0";
// date formatter kept from the RFC 6238 reference code; not used in the calculation
DateFormat df = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
df.setTimeZone(TimeZone.getTimeZone("UTC"));
long currentTime = System.currentTimeMillis() / 1000L;
try {
    long t = currentTime / X;                       // number of 30-second steps since the epoch
    steps = Long.toHexString(t).toUpperCase();
    while (steps.length() < 16) steps = "0" + steps; // left-pad to 8 bytes (16 hex digits)
    return generateTOTP(secretHex, steps, "6", "HmacSHA1");
} catch (final Exception e) {
    LOGGER.error("error generating OTP: " + secretBase32, e);
    throw new RuntimeException("error generating OTP");
}
3.3 Compare whether the client's and the server's check codes match
Code reference
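Steps 3.2 and 3.3 are shown in the article only as the step-counter calculation and a "code reference". The following is an added example (not the otp-demo project's code) that carries the server side through: Base32-decode the stored seed, compute the RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) directly from the 8-byte counter, accept one step either side to absorb clock drift, and compare in constant time. Class and method names (TotpVerifier, totp, verify) are assumed; the seed in main is the RFC 6238 test seed "12345678901234567890" in Base32, for which the 6-digit code at T=59 is 287082 (the last six digits of the RFC's 8-digit value 94287082).

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example (assumed names, not the otp-demo project's code): server-side TOTP check.
public final class TotpVerifier {

    private static final String BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
    static final long STEP_SECONDS = 30;
    static final int DIGITS = 6;

    // Decode an RFC 4648 Base32 secret; '=' padding and lower case are tolerated.
    static byte[] base32Decode(String s) {
        String clean = s.trim().replace("=", "").toUpperCase();
        byte[] out = new byte[clean.length() * 5 / 8];
        int buffer = 0, bitsLeft = 0, idx = 0;
        for (char c : clean.toCharArray()) {
            int v = BASE32_ALPHABET.indexOf(c);
            if (v < 0) throw new IllegalArgumentException("bad Base32 char: " + c);
            buffer = ((buffer << 5) | v) & 0xFFFF;
            bitsLeft += 5;
            if (bitsLeft >= 8) {
                out[idx++] = (byte) ((buffer >> (bitsLeft - 8)) & 0xFF);
                bitsLeft -= 8;
            }
        }
        return out;
    }

    // HOTP core (RFC 4226): HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits.
    static String hotp(byte[] key, long counter, int digits) {
        byte[] msg = new byte[8];
        for (int i = 7; i >= 0; i--) { msg[i] = (byte) (counter & 0xFF); counter >>>= 8; }
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            mac.init(new SecretKeySpec(key, "HmacSHA1"));
            byte[] h = mac.doFinal(msg);
            int offset = h[h.length - 1] & 0x0F;
            int bin = ((h[offset] & 0x7F) << 24) | ((h[offset + 1] & 0xFF) << 16)
                    | ((h[offset + 2] & 0xFF) << 8) | (h[offset + 3] & 0xFF);
            int code = bin % (int) Math.pow(10, digits);
            return String.format("%0" + digits + "d", code);
        } catch (java.security.GeneralSecurityException e) {
            throw new IllegalStateException("HMAC-SHA1 unavailable", e);
        }
    }

    // TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch.
    static String totp(String secretBase32, long unixSeconds) {
        return hotp(base32Decode(secretBase32), unixSeconds / STEP_SECONDS, DIGITS);
    }

    // Server-side check: accept the current step and one step either side (clock drift).
    // A production server should also remember the last step accepted for this user and
    // refuse it again, so a captured code cannot be replayed inside the window (not shown).
    static boolean verify(String secretBase32, String submitted, long unixSeconds) {
        if (submitted == null || submitted.length() != DIGITS) return false;
        byte[] key = base32Decode(secretBase32);
        long step = unixSeconds / STEP_SECONDS;
        boolean ok = false;
        for (long delta = -1; delta <= 1; delta++) {
            String expected = hotp(key, step + delta, DIGITS);
            // evaluate all three candidates so timing does not reveal which step matched
            ok |= MessageDigest.isEqual(expected.getBytes(StandardCharsets.US_ASCII),
                                        submitted.getBytes(StandardCharsets.US_ASCII));
        }
        return ok;
    }

    public static void main(String[] args) {
        // RFC 6238 test seed "12345678901234567890" in Base32 (constructed test input)
        String seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";
        System.out.println(totp(seed, 59));                          // 287082
        System.out.println(verify(seed, "287082", 59));              // true
        System.out.println(verify(seed, "287082", 59 + STEP_SECONDS)); // true: previous step accepted
    }
}
```

Compared with the snippet in 3.2, the only material differences are the acceptance window and the constant-time comparison; a plain String.equals on the codes, as a naive 3.3 might do, leaks through timing which leading digits were right.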
The demo also supports identity + password login: the password is verified first, and then a second verification is performed with the dynamic password, making system login more secure and reliable.
That concludes the article "How to use OTP dynamic passwords for login authentication in Java". Thank you for reading; I hope the content is helpful.
© 2024 shulou.com SLNews company. All rights reserved.