CN115022057A - Security authentication method, device and equipment and storage medium - Google Patents
Security authentication method, device and equipment and storage medium Download PDFInfo
- Publication number
- CN115022057A CN115022057A CN202210661332.9A CN202210661332A CN115022057A CN 115022057 A CN115022057 A CN 115022057A CN 202210661332 A CN202210661332 A CN 202210661332A CN 115022057 A CN115022057 A CN 115022057A
- Authority
- CN
- China
- Prior art keywords
- client
- key
- password
- information
- private key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 58
- 238000004590 computer program Methods 0.000 claims description 11
- 230000004044 response Effects 0.000 claims description 11
- 230000008569 process Effects 0.000 abstract description 21
- 230000005540 biological transmission Effects 0.000 abstract description 2
- 238000010586 diagram Methods 0.000 description 20
- 238000004891 communication Methods 0.000 description 5
- 238000005516 engineering process Methods 0.000 description 5
- 238000012545 processing Methods 0.000 description 5
- 230000000694 effects Effects 0.000 description 4
- 230000006870 function Effects 0.000 description 4
- 230000008859 change Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 230000002427 irreversible effect Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The application provides a security authentication method, a security authentication device, security authentication equipment and a storage medium based on a cryptographic algorithm. The technical scheme of the application is completely based on the national encryption algorithm, the SM2 algorithm and the SM4 algorithm are used for encryption and decryption in the transaction process, one encryption is performed at a time, and then comparison and authentication are performed after the SM3 algorithm is used for encryption, so that the method can be used for performing security authentication on scenes such as bank customer account password login, transaction, information encryption transmission and storage, the security of the whole transaction authentication process is improved, and the efficiency and the stability of transaction authentication service are improved.
Description
Technical Field
The present application relates to the field of security technologies, and in particular, to a security authentication method, apparatus, device, and storage medium.
Background
With the development of cryptographic technology and computer technology, currently, common asymmetric cryptographic algorithms such as RSA algorithm face serious security threats, on one hand, foreign cryptographic algorithms themselves have vulnerability and are not absolutely secure, for example, the collisionable attack of MD5 algorithm in Hash algorithm and the common mode attack of RSA algorithm all expose their security defects. On the other hand, dangerous programs such as remote trojans and the like can be maliciously embedded into the uncontrollable foreign algorithm, and unknown potential safety hazards exist. The potential risk is extremely great if foreign cryptographic algorithms are used in important areas such as bank finance.
Disclosure of Invention
The application provides a security authentication method, a security authentication device, security authentication equipment and a storage medium based on a cryptographic algorithm.
In a first aspect, an embodiment of the present application provides a security authentication method, including: responding to received password information to be verified and an SM4 secret key sent by a client, wherein the password information to be verified comprises client passwords sequentially encrypted by SM4 and SM2, and querying a corresponding SM2 private key from a first database by using the received SM4 secret key; decrypting the received password information to be verified by the inquired SM2 private key and the received SM4 private key in sequence to obtain plaintext information of the client password to be verified; carrying out SM3 encryption on plaintext information of a client password to be verified to obtain an SM3 ciphertext; inquiring a client password which is preset by the client and encrypted by SM3 from a second database; and comparing and authenticating the obtained SM3 ciphertext with a client password which is preset by the client and encrypted by SM 3.
In some optional embodiments, before the step of responding to the reception of the password information to be authenticated and the SM4 key sent by the client, the method further includes: in response to receiving a request for obtaining a key sent by the client, generating a random SM4 key and a paired SM2 public key and SM2 private key; correspondingly storing the generated SM4 private key and the SM2 private key to a first database; and returning the generated SM4 key and the SM2 public key to the client.
In some optional embodiments, before the step of querying the client password encrypted by the SM3 preset by the client from the second database, the method further includes: in response to receiving to-be-set password information and an SM4 secret key sent by a client, the to-be-set password information comprises client passwords which are sequentially encrypted by SM4 and SM2, and querying a corresponding SM2 private key from the first database by using the received SM4 secret key; decrypting the received password information to be set by the inquired SM2 private key and the received SM4 private key in sequence to obtain plaintext information of the client password to be set; and encrypting the plaintext information of the client password to be set by the SM3, and storing the encrypted plaintext information in the second database.
In some optional embodiments, the storing the generated SM4 key and SM2 private key correspondence to a first database comprises: and storing the generated SM4 secret key and the SM2 private key into a remote dictionary service cache database in a form of 'key-value'.
In a second aspect, an embodiment of the present application provides a security authentication apparatus, including: the system comprises a first query module, a second query module and a third query module, wherein the first query module is configured to respond to the received password information to be verified and SM4 secret keys sent by a client, the password information to be verified comprises client passwords sequentially encrypted by SM4 and SM2, and the received SM4 secret keys are used for querying corresponding SM2 private keys from a first database; the decryption module is configured to decrypt the received password information to be verified sequentially by the inquired SM2 private key and the received SM4 private key to obtain plaintext information of the client password to be verified; the encryption module is configured to perform SM3 encryption on plaintext information of the client password to be verified to obtain an SM3 ciphertext; a second query module configured to query a client password preset by the client and encrypted by SM3 from a second database; and the comparison authentication module is configured to compare and authenticate the obtained SM3 ciphertext with a client password preset by the client and encrypted by the SM 3.
In some optional embodiments, the apparatus further comprises: a generating module configured to generate a random SM4 key and a pair of an SM2 public key and an SM2 private key in response to receiving a request sent by the client to obtain the key; a first storage module configured to store the generated SM4 key and SM2 private key in a first database; and a sending module configured to return the generated SM4 key and SM2 public key to the client.
In some optional embodiments, the apparatus further includes a second storage module, wherein the first query module is further configured to, in response to receiving to-be-set password information and an SM4 key sent by the client, the to-be-set password information including a client password sequentially encrypted by an SM4 and an SM2, query the first database for a corresponding SM2 private key using the received SM4 key; the decryption module is further configured to decrypt the received password information to be set with the queried SM2 private key and the received SM4 private key in sequence to obtain plaintext information of the client password to be set; the encryption module is further configured to encrypt plaintext information of a client password to be set in SM 3; and the second storage module is configured to store the plaintext information of the client password to be set in the second database after being encrypted by SM 3.
In some optional embodiments, the first storage module is further configured to store the generated SM4 key and SM2 private key in a "key-value" form in a remote dictionary service cache database.
In a third aspect, an embodiment of the present application provides a computer device, including: one or more processors; a storage device having one or more programs stored thereon that, when executed by the one or more processors, cause the one or more processors to implement the secure authentication method of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium on which a computer program is stored, the computer program, when executed by one or more processors, implementing the secure authentication method according to the first aspect.
In order to solve the problem that a common encryption algorithm is unsafe, the application provides a security authentication method, a security authentication device, security authentication equipment and a storage medium based on a cryptographic algorithm. The technical scheme of the application is completely based on the national encryption algorithm, the SM2 algorithm and the SM4 algorithm are used for encryption and decryption in the transaction process, one encryption is performed at a time, and then comparison and authentication are performed after the SM3 algorithm is used for encryption, so that the security authentication can be performed on scenes such as bank customer account password login, transaction, information encryption transmission and storage, the security of the whole transaction authentication process is improved, and the efficiency and the stability of transaction authentication service are improved.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings. The drawings are only for purposes of illustrating the particular embodiments and are not to be construed as limiting the invention. In the drawings:
FIG. 1 is a system architecture diagram of one embodiment of a security authentication system according to the present application;
FIG. 2 is a timing diagram for one embodiment of a secure authentication method according to the present application;
FIG. 3 is a timing diagram for one embodiment of a set client password process according to the present application;
fig. 4 is a schematic structural diagram of an embodiment of a security authentication device applied to a server according to the present application;
FIG. 5 is a schematic diagram of an embodiment of a secure authentication apparatus applied to a client according to the present application;
FIG. 6 is a block diagram illustrating one embodiment of a computer device for implementing a server according to the present application.
Detailed Description
So that the manner in which the features and elements of the present embodiments can be understood in detail, a more particular description of the embodiments, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings.
To facilitate understanding of the present application, some terms referred to in the present application will be described first.
And (3) a national secret algorithm: the national commercial cipher algorithm is a cipher algorithm standard and an application specification thereof which are recognized and published by the national cipher administration, wherein part of the cipher algorithm becomes an international standard. Like the SM family of passwords, SM stands for a trade secret, i.e., a commercial password, refers to a cryptographic technique for commerce that does not involve national secrets.
Several commonly used cryptographic algorithms are presented one by one below:
(1) the SM2 algorithm:
SM2 is an elliptic curve asymmetric encryption algorithm. The asymmetric encryption algorithm needs to generate a pair of secret keys in advance for encryption and decryption, one of the secret keys is a public key for short and the other secret key for short, and if the public key is used for encrypting data, only the corresponding private key can be used for decryption; if data is encrypted with a private key, it can only be decrypted with the corresponding public key. The SM2 algorithm is a more advanced secure asymmetric encryption algorithm used to replace the RSA algorithm.
(2) The SM4 algorithm:
the SM4 algorithm is a symmetric encryption algorithm based on an iterative block cipher algorithm and composed of an encryption and decryption algorithm and a key expansion algorithm, and is published in 2006. The symmetric encryption algorithm uses only one key, and symmetric encryption (also called private key encryption) refers to an encryption algorithm using the same key for encryption and decryption. Sometimes called a traditional cryptographic algorithm, it is the encryption key that can be derived from the decryption key, and the decryption key can also be derived from the encryption key. In most symmetric algorithms, the encryption key and the decryption key are the same, so the encryption algorithm is also called a secret key algorithm or a single key algorithm. It requires the sender and receiver to agree on a key before secure communication. The security of symmetric algorithms relies on keys, and revealing a key means that anyone can decrypt messages they send or receive, so the confidentiality of the key is critical to the security of the communication. The algorithm of the SM4 encryption and decryption process is the same but the order of use of the round keys is reversed. The SM4 algorithm has the functional characteristics of safety and high efficiency, and has certain advantages in design and implementation.
(3) The SM3 algorithm:
SM3 is a hash algorithm, which is a commercial standard for hash algorithms and can be applied to the generation of digital signatures and authentication codes for verification messages and the generation of pseudo-random numbers. Irreversible means that x cannot be found if you know the value of x encrypted by the SM3 algorithm; the "collision-free" means that when x is known, one y cannot be obtained, and x and y are identical to each other in value encrypted by the SM3 algorithm.
The present application will be described in detail with reference to examples.
Referring to fig. 1, fig. 1 shows a system architecture diagram of one embodiment of a security authentication system according to the present application.
As shown in fig. 1, the secure authentication system 100 may include at least one client 101 and a server 102 and a network 103. Network 103 is the medium used to provide communication links between clients 101 and servers 102. Network 103 may include various types of connections, such as wire, wireless communication links, or fiber optic cables, to name a few.
Various client applications, such as a banking and finance application, may be installed on the client 101. The client 101 may be hardware or software. When the client 101 is hardware, it can be various electronic devices with a display screen, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like. When the client 101 is software, it can be installed in the electronic devices listed above. It may be implemented as multiple pieces of software or software modules (e.g., to provide distributed services) or as a single piece of software or software module. And is not particularly limited herein.
The server 102 may be a server providing various services, such as a background server providing support for banking and finance type applications displayed on the client 101. The server 102 may be hardware or software. When the server 102 is hardware, it may be implemented as a distributed server cluster composed of multiple servers, or may be implemented as a single server. When the server is software, it may be implemented as multiple pieces of software or software modules (e.g., to provide distributed services), or as a single piece of software or software module. And is not particularly limited herein.
Referring to fig. 2, fig. 2 is a timing diagram of one embodiment of a secure authentication method according to the present application. The security authentication method of the present application can be applied to a security authentication system as shown in fig. 1.
As shown in fig. 2, on the client side, the secure authentication method includes the following steps:
step S11, the client sends a request for obtaining secret keys such as a national secret SM4 secret key and a national secret SM2 public key to the server;
step S12, receiving a national secret SM4 secret key and a national secret SM2 public key returned by the server;
step S13, the client password is encrypted by SM4 with the received SM4 secret key, and then encrypted by SM2 with the received SM2 public key; the client password may be a client password to be set, which is input by the client, or a client password to be authenticated, which is input by the client;
and step S14, transmitting the encrypted ciphertext information obtained in the previous step and a random SM4 secret key to the server side together so that the server side can carry out password setting or password authentication. The ciphertext information may be the password information to be set or the password information to be verified.
As shown in fig. 2, on the server side, the security authentication method may include the following steps:
step S21, in response to receiving a request for obtaining a key sent by a client, generating a random SM4 key and a paired SM2 public key and SM2 private key;
step S22, correspondingly storing the generated SM4 private Key and SM2 private Key into a first database, where the first database may be, for example, a remote dictionary service (Redis) cache database, and this step may be storing the generated SM4 private Key and SM2 private Key into the Redis cache database in the form of "Key-Value (K-V, Key-Value)";
step S23, returning the generated random SM4 secret key and the SM2 public key to the client;
step S24, responding to the received ciphertext information and SM4 secret Key sent by the client, wherein the ciphertext information is to-be-verified password information and comprises client passwords encrypted by SM4 and SM2 in sequence, and the received SM4 secret Key is used as a Key to query and obtain a corresponding SM2 private Key from the first database;
step S25, for the received ciphertext information transmitted by the client, decrypting the ciphertext information by the searched SM2 private key and the received SM4 private key in sequence, namely, decrypting the ciphertext information by using the SM2 private key and then decrypting the ciphertext information by using the SM4 private key to obtain the plaintext information of the client password to be verified;
step S26, carrying out SM3 encryption on the plaintext information of the decrypted client password to obtain an SM3 ciphertext;
step S27, inquiring the client password which is stored when the client setting password is acquired and encrypted by SM3 from the second database;
step S28, comparing the obtained SM3 ciphertext with a client password which is preset by the client and encrypted by SM3, authenticating, and returning an authentication result to the client; if the comparison is consistent, the authentication is returned successfully; if the comparison is not consistent, the authentication is returned to fail.
In some optional embodiments, the security authentication method of the server may further include a process of setting a client password. Referring to fig. 3, fig. 3 is a timing diagram of one embodiment of a process for setting a client password according to the present application. As shown in fig. 3, the process of setting the client password may include:
step S31, in response to receiving a request for obtaining a key sent by a client, generating a random SM4 key and a paired SM2 public key and SM2 private key;
step S32, correspondingly storing the generated SM4 private Key and SM2 private Key into a first database, where the first database may be, for example, a remote dictionary service (Redis) cache database, and this step may be storing the generated SM4 private Key and SM2 private Key into the Redis cache database in the form of "Key-Value (K-V, Key-Value)";
and step S33, returning the generated random SM4 key and the SM2 public key to the client.
The above steps S21-S31 are the same as steps S21-S23. It should be noted that, the principle of one-time pad is followed in generating the keys in the present application, and the keys (including the SM2 public key, the SM2 private key, and the SM4 key) generated by the server each time a request is received are all different, that is, the keys generated at any two times are different keys.
Step S34, responding to the received ciphertext information and SM4 secret Key sent by the client, wherein the ciphertext information is to-be-set password information and comprises client passwords encrypted by SM4 and SM2 in sequence, and the received SM4 secret Key is used as a Key to query and obtain a corresponding SM2 private Key from the first database;
step S35, for the received ciphertext information transmitted by the client, decrypting the ciphertext information by the searched SM2 private key and the received SM4 private key in sequence, namely, decrypting the ciphertext information by using the SM2 private key and then decrypting the ciphertext information by using the SM4 private key to obtain the plaintext information of the client password to be set;
step S36, carrying out SM3 encryption on the plaintext information of the decrypted client password to obtain an SM3 ciphertext;
the above steps S34-S36 are substantially the same as steps S24-S26, except that the cipher text information included in the cipher text information in step S34 is the client password to be set, and the cipher text information included in the cipher text information in step S24 is the client password to be authenticated.
And step S37, storing the SM3 ciphertext obtained in step S36 into a second database, where the second database may be, for example, a MySQL database.
As described above, the present application is technically divided into 2 parts, that is, (1) the client sets the encryption and decryption process and (2) the server sets the information encryption and decryption security authentication process, which is further explained below.
(1) And the client sets an encryption and decryption process.
The client flow modification related to the application mainly comprises the following steps: the client requests the server to obtain a public key SM2 and a secret key SM 4; and then the client password is encrypted by using the secret key SM4 and the public key SM2 and returned to the server. Which comprises the following steps:
the client requests the server to obtain an interface of a national secret SM2 public key and a national secret SM4 secret key, and a national secret SM2 public key and a national secret SM4 secret key returned by the server are obtained;
and encrypting the client password by using the SM4 secret key to obtain a ciphertext, encrypting the ciphertext by using the SM2 public key to obtain the ciphertext encrypted by the SM2 public key, and returning the obtained ciphertext information to the server. Here, the client password in this step is a client password to be set, which is input by the client, if the initial process of setting the client password is used, and the client password in this step is a client password to be authenticated, which is input by the client, if the initial process of setting the client password is used.
(2) And the server sets an information encryption and decryption security authentication flow.
The change of the server-side process related by the application mainly comprises the following steps: step one, generating a public-private key pair based on the SM2 algorithm, and generating one public-private key based on the SM4 algorithm, wherein the public-private key and the secret key generated in each request are different and are one-time-key. And step two, corresponding to the flow of setting the client password by the user, after receiving the ciphertext information sent by the client, the server decrypts the ciphertext by using the private key SM2 generated in the step one, decrypts the ciphertext by using the private key SM4 generated in the step one to obtain the plaintext information of the client password, encrypts the plaintext information by using the private key SM3, and stores the obtained ciphertext information into the MySQL database to complete the setting of the client password. And step three, corresponding to the process of security authentication, after receiving the ciphertext information sent by the client, the server decrypts the ciphertext information by using the private key SM2 generated in the step one, decrypts the ciphertext information by using the private key SM4 generated in the step one to obtain the plaintext information of the user password, encrypts the plaintext information by using the secret SM3, and compares the obtained ciphertext information with the ciphertext information encrypted by the secret SM3 algorithm stored when the user sets the password in the MySQL database. Which comprises the following steps:
the method comprises the following steps: the client requests to generate a public-private Key pair based on a national secret SM2 algorithm, one secret Key based on the national secret SM4 algorithm is used, the public-private Key and the secret Key generated in each request are different, one secret is used for one time, the generated secret Key of the national secret SM4 algorithm and the private Key of the national secret SM2 algorithm are stored in a Redis cache database in a Key-Value mode, and the generated secret Key of the national secret SM4 algorithm and the generated public Key of the national secret SM2 algorithm are returned to the client.
Step two: the user sets a password, the client encrypts the password set by the client through a secret Key of a national password SM4 algorithm generated in the first step, encrypts a ciphertext by using a public Key of the national password SM2 algorithm generated in the first step, transmits the obtained ciphertext information and a secret Key request of the national password SM4 algorithm generated in the first step to the server, the server acquires a private Key of the national password SM2 algorithm generated in the first step from the Redis cache database by using the secret Key of the national password SM4 algorithm transmitted from the client as a Key, decrypts the ciphertext information transmitted from the client, decrypts the secret Key of the national password SM4 algorithm transmitted from the client, obtains plaintext information of the client password, encrypts the plaintext information by using the national password SM3 algorithm and stores the encrypted plaintext information into the MySQL database.
Step three: and (2) performing security authentication, namely encrypting the password input by the client by using the secret Key of the national secret SM4 algorithm generated in the first step to obtain a ciphertext, encrypting the ciphertext by using the public Key of the national secret SM2 algorithm generated in the first step, transmitting the ciphertext information and the secret Key request of the national secret SM4 algorithm generated in the first step to the server, acquiring the private Key of the national secret SM2 algorithm generated in the first step from Redis by using the secret Key of the national secret SM4 algorithm transmitted from the client as a Key by the server, decrypting the ciphertext transmitted from the client, decrypting the secret Key of the national secret SM4 algorithm transmitted from the client to obtain plaintext information of the password of the client, and encrypting the secret SM3 algorithm by the server to obtain an SM3 ciphertext. And comparing and authenticating the obtained SM3 ciphertext with the ciphertext encrypted by the SM3 password stored in the MySQL database when the password is set by the user in the step two, judging whether the obtained SM3 ciphertext is consistent with the ciphertext encrypted by the SM3 password stored in the MySQL database when the user is set by the user in the step two, if the obtained SM3 ciphertext is consistent with the ciphertext encrypted by the SM3 password, judging that the security authentication is passed, and if the obtained SM3 ciphertext is inconsistent with the password, the security authentication is not passed.
The embodiment of the application discloses a security authentication method. Compared with the prior art, the technical effects realized by the application include but are not limited to:
(1) the safety of the whole process of the bank customer transaction is improved.
Compared with the prior art: and using foreign encryption technology to perform transaction authentication of the bank client. According to the method, all foreign algorithms in the original technical scheme are abandoned, the national cipher algorithm is used in the whole process, SM2+ SM4 is used for encryption and decryption in the transaction process, one cipher is used at a time, an SM2 public private key and an SM4 secret key are different when the SM3 encryption algorithm is used, encrypted ciphertext data and a password set by a primary user are encrypted through the SM3 algorithm and then are maintained in the mysql database table for comparison, and the effect of safety certification is achieved.
Therefore, the method and the device can effectively reduce the potential safety hazard of the original bank user transaction authentication, are more advanced and safer in use, and ensure the safety of user information; and the excessive dependence on foreign technologies and products is eliminated, a network security environment is built, and the 'security controllable' capability of the industry information system in China is enhanced.
(2) Efficient service performance enhancement
The method and the system have the advantages that the bank user transaction authentication is carried out through the whole process by using the national secret algorithm, the response speed and performance of transaction authentication are greatly improved, and therefore the efficiency and the stability of transaction authentication service are improved.
Referring to fig. 4, fig. 4 is a schematic structural diagram of an embodiment of a security authentication device applied to a server according to the present application. As shown in fig. 4, the security authentication apparatus 400 applied to the server side of the present application may include:
the first query module 401 is configured to respond to receiving password information to be verified and an SM4 secret key sent by a client, wherein the password information to be verified comprises client passwords encrypted by SM4 and encrypted by SM2 in sequence, and query a corresponding SM2 private key from a first database by using the received SM4 secret key;
a decryption module 402 configured to decrypt the received password information to be verified with the queried SM2 private key and the received SM4 private key in sequence, and obtain plaintext information of the client password to be verified;
the encryption module 403 is configured to perform SM3 encryption on plaintext information of the client password to be verified to obtain an SM3 ciphertext;
a second query module 404 configured to query a client password encrypted by SM3 and preset by the client from a second database;
and the comparison authentication module 405 is configured to compare and authenticate the obtained SM3 ciphertext with a client password preset by the client and encrypted by the SM 3.
In some optional embodiments, the security authentication apparatus 400 of the present application further includes:
a generating module 406 configured to generate a random SM4 key and a pair of an SM2 public key and an SM2 private key in response to receiving a request sent by a client to obtain the key;
a first storage module 407 configured to store the generated SM4 key and SM2 private key in a first database; and
a sending module 408 configured to return the generated SM4 key and SM2 public key to the client.
In some optional embodiments, the security authentication apparatus 400 of the present application further includes a second storage module 409, wherein,
the first query module 401 is further configured to respond to receiving password information to be set and an SM4 secret key sent by the client, wherein the password information to be set comprises client passwords sequentially encrypted by SM4 and encrypted by SM2, and query a corresponding SM2 private key from the first database by using the received SM4 secret key;
the decryption module 402 is further configured to decrypt the received password information to be set with the queried SM2 private key and the received SM4 private key in sequence to obtain plaintext information of the client password to be set;
an encryption module 403, further configured to encrypt the plaintext information of the client password to be set in SM 3;
the second storage module 409 is configured to store the plaintext information of the client password to be set in the second database after being encrypted by the SM 3.
In some optional embodiments, the first storage module 407 is further configured to store the generated SM4 key and SM2 private key in a "key-value" form in a remote dictionary service cache database.
For details of implementation and technical effects of each module in the apparatus of this embodiment, reference may be made to descriptions of other embodiments in this application, and details are not described herein again. The implementation scheme in each module of the device has diversity, as long as the purpose of the module can be achieved, and the actual deployment is not limited to a specific implementation scheme.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an embodiment of a secure authentication apparatus applied to a client according to the present application. As shown in fig. 5, the security authentication apparatus 500 applied to the server side of the present application may include:
a sending module 501 configured to send a request for obtaining keys, such as a national key SM4 key and a national key SM2 public key, to a server;
the receiving module 502 is configured to receive a secret SM4 key and a public SM2 key returned by the server;
an encryption module 503 configured to perform SM4 encryption on the client password using the received SM4 key and then perform SM2 encryption using the received SM2 public key; the client password may be a client password to be set, which is input by the client, or a client password to be authenticated, which is input by the client;
the sending module 501 is further configured to transmit the encrypted ciphertext information and the random SM4 key to the server side, so that the server side performs password setting or password authentication. The ciphertext information may be the password information to be set or the password information to be verified.
Details of implementation and technical effects of each module in the apparatus of this embodiment may refer to descriptions of other embodiments in this application, and are not described herein again. The implementation scheme in each module of the device has diversity, as long as the purpose of the module can be achieved, and the actual deployment is not limited to a specific implementation scheme.
Referring to fig. 6, fig. 6 is a schematic structural diagram of an embodiment of a computer device for implementing a server according to the present application. As shown in fig. 6, a computer device 600 for implementing a server according to the present application may include:
one or more processors 601;
a memory 602 having one or more programs 603 stored thereon;
components such as the processor 601 and the memory 602 may be coupled together by a bus system 604; the bus system 604 is used to enable connection communication between these components;
the one or more programs 603, when executed by the one or more processors 601, cause the one or more processors 601 to implement a secure authentication method as disclosed in the above method embodiments.
The bus system 604 may include a power bus, a control bus, and a status signal bus, in addition to a data bus. The memory 602 may be either volatile memory or nonvolatile memory, and may also include both volatile and nonvolatile memory. The Processor 601 may be an integrated circuit chip with Signal processing capabilities, and may be a general purpose Processor, a Digital Signal Processor (DSP), or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like.
Embodiments of the present application also provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by one or more processors, implements the flow arrangement access method as disclosed in the above method embodiments.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be understood that the terms "system" and "network" are often used interchangeably herein in this application. The term "and/or" in this application is only one kind of association relationship describing the associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" in this application generally indicates that the former and latter related objects are in an "or" relationship.
The above description is only for the purpose of illustrating the preferred embodiments of the present application and is not intended to limit the scope of the present application, which is to be accorded the widest scope consistent with the principles and spirit of the present application.
Claims (10)
1. A method of secure authentication, comprising:
responding to received password information to be verified and an SM4 secret key sent by a client, wherein the password information to be verified comprises client passwords sequentially encrypted by SM4 and SM2, and querying a corresponding SM2 private key from a first database by using the received SM4 secret key;
decrypting the received password information to be verified by the inquired SM2 private key and the received SM4 private key in sequence to obtain plaintext information of the client password to be verified;
carrying out SM3 encryption on plaintext information of a client password to be verified to obtain an SM3 ciphertext;
inquiring a client password preset by the client and encrypted by SM3 from a second database;
and comparing and authenticating the obtained SM3 ciphertext with a client password which is preset by the client and encrypted by SM 3.
2. The method of claim 1, wherein prior to the step of responding to the receipt of the cryptographic information to be authenticated and the SM4 key sent by the client, the method further comprises:
in response to receiving a request for obtaining a key sent by the client, generating a random SM4 key and a paired SM2 public key and SM2 private key;
correspondingly storing the generated SM4 private key and the SM2 private key to a first database; and
and returning the generated SM4 key and the SM2 public key to the client.
3. The method of claim 2, wherein before the step of querying the client password encrypted by the SM3 preset by the client from the second database, the method further comprises:
in response to receiving to-be-set password information and an SM4 secret key sent by a client, the to-be-set password information comprises client passwords which are sequentially encrypted by SM4 and SM2, and querying a corresponding SM2 private key from the first database by using the received SM4 secret key;
decrypting the received password information to be set by the inquired SM2 private key and the received SM4 private key in sequence to obtain plaintext information of the client password to be set;
and encrypting the plaintext information of the client password to be set by the SM3, and storing the encrypted plaintext information in the second database.
4. The method of claim 2, wherein storing the generated SM4 key and SM2 private key correspondence to a first database comprises: and storing the generated SM4 secret key and the SM2 private key into a remote dictionary service cache database in a form of 'key-value'.
5. A security authentication apparatus, comprising:
the system comprises a first query module, a second query module and a third query module, wherein the first query module is configured to respond to the received password information to be verified and SM4 secret keys sent by a client, the password information to be verified comprises client passwords sequentially encrypted by SM4 and SM2, and the received SM4 secret keys are used for querying corresponding SM2 private keys from a first database;
the decryption module is configured to decrypt the received password information to be verified sequentially by the inquired SM2 private key and the received SM4 private key to obtain plaintext information of the client password to be verified;
the encryption module is configured to perform SM3 encryption on plaintext information of a client password to be verified to obtain an SM3 ciphertext;
a second query module configured to query a client password preset by the client and encrypted by SM3 from a second database;
and the comparison authentication module is configured to compare and authenticate the obtained SM3 ciphertext with a client password preset by the client and encrypted by the SM 3.
6. The apparatus of claim 5, further comprising:
a generating module configured to generate a random SM4 key and a pair of an SM2 public key and an SM2 private key in response to receiving a request sent by the client to obtain the key;
a first storage module configured to store the generated SM4 key and SM2 private key in a first database; and
a sending module configured to return the generated SM4 key and SM2 public key to the client.
7. The apparatus of claim 6, further comprising a second storage module, wherein,
the first query module is further configured to respond to the received to-be-set password information and an SM4 secret key sent by the client, wherein the to-be-set password information comprises a client password which is sequentially encrypted by SM4 and SM2, and the received SM4 secret key is used for querying a corresponding SM2 private key from the first database;
the decryption module is further configured to decrypt the received password information to be set with the queried SM2 private key and the received SM4 private key in sequence to obtain plaintext information of the client password to be set;
the encryption module is further configured to encrypt plaintext information of a client password to be set in SM 3;
and the second storage module is configured to store the plaintext information of the client password to be set in the second database after being encrypted by SM 3.
8. The apparatus of claim 6, wherein the first storing module is further configured to store the generated SM4 key and SM2 private key in a "key-value" form in a remote dictionary service cache database.
9. A computer device, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the secure authentication method of any of claims 1-4.
10. A computer-readable storage medium, on which a computer program is stored, which computer program, when executed by one or more processors, implements the secure authentication method of any one of claims 1-4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210661332.9A CN115022057A (en) | 2022-06-13 | 2022-06-13 | Security authentication method, device and equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210661332.9A CN115022057A (en) | 2022-06-13 | 2022-06-13 | Security authentication method, device and equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115022057A true CN115022057A (en) | 2022-09-06 |
Family
ID=83075080
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210661332.9A Pending CN115022057A (en) | 2022-06-13 | 2022-06-13 | Security authentication method, device and equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115022057A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115514480A (en) * | 2022-09-30 | 2022-12-23 | 深圳奇迹智慧网络有限公司 | Data interaction method and readable storage medium |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016107321A1 (en) * | 2014-12-30 | 2016-07-07 | 北京奇虎科技有限公司 | Secure communication system |
CN106656476A (en) * | 2017-01-18 | 2017-05-10 | 腾讯科技(深圳)有限公司 | Password protecting method and device |
CN112637140A (en) * | 2020-12-09 | 2021-04-09 | 深圳市快付通金融网络科技服务有限公司 | Password transmission method, terminal, server and readable storage medium |
CN112738024A (en) * | 2020-12-09 | 2021-04-30 | 杭州安恒信息技术股份有限公司 | Encryption authentication method, system, storage medium and device |
CN113612797A (en) * | 2021-08-23 | 2021-11-05 | 金陵科技学院 | Kerberos identity authentication protocol improvement method based on state cryptographic algorithm |
CN114422261A (en) * | 2022-02-15 | 2022-04-29 | 北京无字天书科技有限公司 | Management method, management system, computer device, and computer-readable storage medium |
CN114548986A (en) * | 2022-01-27 | 2022-05-27 | 深圳金融电子结算中心有限公司 | Payment method, payment security code generation method, device, equipment and storage medium |
-
2022
- 2022-06-13 CN CN202210661332.9A patent/CN115022057A/en active Pending
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016107321A1 (en) * | 2014-12-30 | 2016-07-07 | 北京奇虎科技有限公司 | Secure communication system |
CN106656476A (en) * | 2017-01-18 | 2017-05-10 | 腾讯科技(深圳)有限公司 | Password protecting method and device |
CN112637140A (en) * | 2020-12-09 | 2021-04-09 | 深圳市快付通金融网络科技服务有限公司 | Password transmission method, terminal, server and readable storage medium |
CN112738024A (en) * | 2020-12-09 | 2021-04-30 | 杭州安恒信息技术股份有限公司 | Encryption authentication method, system, storage medium and device |
CN113612797A (en) * | 2021-08-23 | 2021-11-05 | 金陵科技学院 | Kerberos identity authentication protocol improvement method based on state cryptographic algorithm |
CN114548986A (en) * | 2022-01-27 | 2022-05-27 | 深圳金融电子结算中心有限公司 | Payment method, payment security code generation method, device, equipment and storage medium |
CN114422261A (en) * | 2022-02-15 | 2022-04-29 | 北京无字天书科技有限公司 | Management method, management system, computer device, and computer-readable storage medium |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115514480A (en) * | 2022-09-30 | 2022-12-23 | 深圳奇迹智慧网络有限公司 | Data interaction method and readable storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109347835B (en) | Information transmission method, client, server, and computer-readable storage medium | |
CN109088889B (en) | SSL encryption and decryption method, system and computer readable storage medium | |
US10142107B2 (en) | Token binding using trust module protected keys | |
US8660266B2 (en) | Method of delivering direct proof private keys to devices using an on-line service | |
EP3324572B1 (en) | Information transmission method and mobile device | |
US10938792B2 (en) | Layered encryption for end to end communication | |
CN109714176B (en) | Password authentication method, device and storage medium | |
US10601590B1 (en) | Secure secrets in hardware security module for use by protected function in trusted execution environment | |
KR20060003319A (en) | Device authentication system | |
CN110690956B (en) | Bidirectional authentication method and system, server and terminal | |
CN110868291B (en) | Data encryption transmission method, device, system and storage medium | |
CN108809633B (en) | Identity authentication method, device and system | |
US20220021529A1 (en) | Key protection processing method, apparatus, device and storage medium | |
US11956367B2 (en) | Cryptographic method for verifying data | |
CN108696518B (en) | Block chain user communication encryption method and device, terminal equipment and storage medium | |
CN113411187A (en) | Identity authentication method and system, storage medium and processor | |
US20020018570A1 (en) | System and method for secure comparison of a common secret of communicating devices | |
CN114244508A (en) | Data encryption method, device, equipment and storage medium | |
CN117081736A (en) | Key distribution method, key distribution device, communication method, and communication device | |
CN112966287A (en) | Method, system, device and computer readable medium for acquiring user data | |
CN115276978A (en) | Data processing method and related device | |
CN113630412B (en) | Resource downloading method, resource downloading device, electronic equipment and storage medium | |
CN111338841A (en) | Data processing method, device, equipment and storage medium | |
CN115022057A (en) | Security authentication method, device and equipment and storage medium | |
CN114070568A (en) | Data processing method and device, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |