Java uses OTP dynamic password (changed every minute) for login authentication

Git address: https://github.com/suyin58/otp-demo

Screenshot of dynamic code:

When a back-office management system is exposed to the Internet, authenticating with a static password alone has the following problems:

(1) To make passwords easy to remember, users tend to pick ones with recognizable patterns; compared with dynamic passwords, static passwords are easy to guess and crack;

(2) An attacker can intercept a static password on the network or telephone line; if it is transmitted unencrypted, the user's authentication credentials are easily obtained;

(3) Internal staff can obtain a user's password through legitimate authorization and then use it illegitimately;

A static password alone cannot establish who the user really is, so it is easy to forge an identity or take over an existing user's, causing the enterprise large financial and reputational losses. This article introduces dynamic passwords (OTP) and walks through one implementation.

A one-time password (OTP), also called a dynamic password, is an authentication technique in which the client and the server share a secret and derive passwords from it cryptographically. It is a strong authentication method, a convenient way to strengthen existing static-password authentication, and an important form of two-factor authentication. A dynamic password system consists of the password generator used by the client (the dynamic token, which is a hardware device) and a back-end dynamic password authentication system that manages tokens and verifies passwords.

OTP can be divided into three forms: time synchronization, event synchronization and challenge / response.

(1) Time synchronization

The token and the server each derive the password from the current time, and the server verifies by comparing its own value with the one the token produced. A time-synchronized token typically generates a new password every 60 seconds, which requires the server to keep an accurate clock and places strict requirements on the token's crystal oscillator frequency. The terminal for this technique is a hardware token.

(2) Event synchronization

An event-synchronized token feeds a specific event sequence together with the same seed value into a hash algorithm, so that the token and the server arrive at the same password.

(3) Challenge / response

This form is common in online business. The user enters the challenge code issued by the website into the dynamic token, and the token's built-in algorithm produces a 6- or 8-digit random number that is valid as a password only once. This is currently the most widely used technique; scratch cards, SMS passwords and dynamic tokens are all forms of challenge/response.

Implementing OTP dynamic passwords with time synchronization using Alibaba Cloud's Identity Treasure (身份宝) or Google Authenticator

The figure above shows an OTP computation based on time synchronization. The client and the server hold the same key and apply the same hash algorithm to the current time to produce a six-digit check code; if the codes computed by the client and the server match, verification passes.

Since the client needs something to store the key and compute the verification code, Alibaba Cloud's Identity Treasure (or Google Authenticator) provides a mobile app for exactly that. Taking these two clients as examples, OTP verification is added to an application as follows:

The key code for each step follows (for the full code, clone the git repository: https://github.com/suyin58/otp-demo).

1. User registration:

1.1 generate OTP key:

String secretBase32 = TotpUtil.getRandomSecretBase32(64);
oper.setOtpSk(secretBase32);

1.2 Generate the string for the OTP app to scan:

The agreed string format is:

otpauth://totp/[account label shown by the client]?secret=[secretBase32]

String totpProtocalString = TotpUtil.generateTotpString(operCode,host,secretBase32);

1.3 Generate a QR code from the string produced in 1.2 and send it to the user by email

   // Wrapper method added so the fragment compiles on its own (name is hypothetical);
   // operCode, secretBase32, the recipient address and the temp directory f_temp come in as parameters.
   public void sendActivationMail(String operCode, String secretBase32, String email, String f_temp) {
       String host = "otptest@wjs.com"; // customize: account label shown in the client app
       // three-argument form from step 1.2, so that host actually becomes part of the otpauth string
       String totpProtocalString = TotpUtil.generateTotpString(operCode, host, secretBase32);

       String filePath = f_temp;
       String fileName = Long.toString(System.currentTimeMillis()) + ".png";

       try {
           QRUtil.generateMatrixPic(totpProtocalString, 150, filePath, fileName);
       } catch (Exception e) {
           throw new RuntimeException("生成二维码图片失败:" + e.getMessage());
       }

       String content = "用户名:" + operCode + "</br>"
           + "系统使用密码 + 动态口令双因素认证的方式登录。</br>请按以下方式激活手机动态口令:</br>安卓用户请点击<a href='http://otp.aliyun.com/updates/shenfenbao.apk'>下载</a>,"
           + "</br>苹果手机在AppStore中搜索【身份宝】(Alibaba)。下载安装后,通过扫描以下二维码激活动态口令。</br>"
           + "<img src=\"cid:image\">";
       EmailBaseLogic emailBaseLogic = new EmailBaseLogic();
       // sendWithPic(String to, String title, String content, String imagePath)
       emailBaseLogic.sendWithPic(email, "账户开立通知", content, filePath + "/" + fileName);
   }

1.4 store the user registration information and OTP key in the database

Data storage code (omitted)

2. Use of client tools

2.1 download app

Android user download address: http://otp.aliyun.com/updates/shenfenbao.apk

iPhone users: search the App Store for Identity Treasure (身份宝, by Alibaba) or Google Authenticator

2.2 scanning QR code

Using the downloaded app, scan the QR code from the email in 1.3; the client then holds the key and uses it to compute the 6-digit check code from the current time (it changes every minute).

3. User login

The client enters the login user name, user password, and the 6-digit verification code in the 2.2 client tool.

3.1 The server looks up the user information and key by user name and user password

Code reference omitted

3.2 The server uses the key to compute the time-based 6-digit check code

  // Wrapper method added so the fragment compiles on its own (name is hypothetical).
  public static String generateCurrentTotp(String secretBase32) {
      String secretHex = "";
      try {
          // the app scans a Base32 secret; generateTOTP() expects it as hex
          secretHex = HexEncoding.encode(Base32String.decode(secretBase32));
      } catch (Base32String.DecodingException e) {
          // note: the original writes the shared secret into the log; avoid that in production
          LOGGER.error("解码" + secretBase32 + "出错,", e);
          throw new RuntimeException("解码Base32出错");
      }

      long X = 30; // time step in seconds: the code changes every X seconds

      long currentTime = System.currentTimeMillis() / 1000L; // Unix time in seconds (UTC)
      try {
          long t = currentTime / X; // number of time steps since the epoch
          String steps = Long.toHexString(t).toUpperCase();
          while (steps.length() < 16) steps = "0" + steps; // zero-pad to 16 hex digits (8 bytes)

          return generateTOTP(secretHex, steps, "6", "HmacSHA1"); // 6 digits, HMAC-SHA1
      } catch (final Exception e) {
          LOGGER.error("生成动态口令出错:" + secretBase32, e);
          throw new RuntimeException("生成动态口令出错");
      }
  }

3.3 Compare whether the client's and the server's check codes match

Code reference omitted
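The time-synchronized computation described above and the server-side steps 3.2 and 3.3, whose comparison code the page omits, as one added, self-contained example. This is not code from the otp-demo project (its TotpUtil, generateTOTP, Base32String and HexEncoding are the project's own); it implements RFC 4226/6238 directly with javax.crypto. It assumes a 30-second step as in the page's X = 30, a tolerance window of one step either side for clock skew, and a per-account record of the last step already used so that a code cannot be accepted twice. The account label "otptest@wjs.com" is taken from the page; the RFC 6238 test key "12345678901234567890" and its expected codes come from that RFC's Appendix B (the page's 6 digits are the last six of the RFC's 8-digit values).

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class TotpDemo {
    static final long STEP_SECONDS = 30; // X in the page's server code
    static final int DIGITS = 6;
    static final int WINDOW = 1;         // assumption: tolerate +/- one step of clock skew
    static final String B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    // RFC 4648 base32 without padding; the JDK only ships Base64, and otpauth URIs carry base32.
    static String base32Encode(byte[] data) {
        StringBuilder sb = new StringBuilder();
        int buf = 0, bits = 0;
        for (byte b : data) {
            buf = (buf << 8) | (b & 0xff); bits += 8;
            for (; bits >= 5; bits -= 5) sb.append(B32.charAt((buf >> (bits - 5)) & 31));
        }
        if (bits > 0) sb.append(B32.charAt((buf << (5 - bits)) & 31));
        return sb.toString();
    }

    static byte[] base32Decode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int buf = 0, bits = 0;
        for (char c : s.toUpperCase().replace("=", "").toCharArray()) {
            int v = B32.indexOf(c);
            if (v < 0) throw new IllegalArgumentException("not base32: " + c);
            buf = (buf << 5) | v; bits += 5;
            if (bits >= 8) { out.write((buf >> (bits - 8)) & 0xff); bits -= 8; }
        }
        return out.toByteArray();
    }

    // HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    static String hotp(byte[] key, long counter) throws Exception {
        byte[] msg = new byte[8];
        for (int i = 7; i >= 0; i--) { msg[i] = (byte) (counter & 0xff); counter >>>= 8; }
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        byte[] h = mac.doFinal(msg);
        int off = h[h.length - 1] & 0x0f; // low nibble of the last byte selects the 4-byte window
        int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16)
                | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
        return String.format("%0" + DIGITS + "d", bin % (int) Math.pow(10, DIGITS));
    }

    // TOTP (RFC 6238): the counter is the number of STEP_SECONDS intervals since the Unix epoch.
    static String totp(byte[] key, long unixSeconds) throws Exception {
        return hotp(key, unixSeconds / STEP_SECONDS);
    }

    // The string the page encodes into the QR code (step 1.2); the app takes the secret from it.
    static String otpauthUri(String account, String secretBase32) {
        return "otpauth://totp/" + account + "?secret=" + secretBase32;
    }

    // Server-side check for step 3.3: try the neighbouring steps, compare in constant time,
    // and refuse any step already consumed so an intercepted code cannot be replayed.
    // Returns the accepted step (to be stored as the account's last used step), or -1.
    static long verify(byte[] key, String submitted, long unixSeconds, long lastUsedStep) throws Exception {
        if (submitted == null || submitted.length() != DIGITS) return -1;
        byte[] given = submitted.getBytes(StandardCharsets.US_ASCII);
        long now = unixSeconds / STEP_SECONDS;
        for (long step = now - WINDOW; step <= now + WINDOW; step++) {
            if (step <= lastUsedStep) continue;
            if (MessageDigest.isEqual(hotp(key, step).getBytes(StandardCharsets.US_ASCII), given)) return step;
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        // Registration (steps 1.1 and 1.2): a random secret, stored base32 so the app can scan it.
        byte[] secret = new byte[20];
        new SecureRandom().nextBytes(secret);
        System.out.println(otpauthUri("otptest@wjs.com", base32Encode(secret)));

        // RFC 6238 Appendix B vectors (HMAC-SHA1, key "12345678901234567890"), last 6 of the 8 digits.
        byte[] rfcKey = "12345678901234567890".getBytes(StandardCharsets.US_ASCII);
        long[] times = {59L, 1111111109L, 1111111111L, 1234567890L, 2000000000L, 20000000000L};
        String[] want = {"287082", "081804", "050471", "005924", "279037", "353130"};
        for (int i = 0; i < times.length; i++) {
            String got = totp(rfcKey, times[i]);
            if (!got.equals(want[i])) throw new AssertionError(times[i] + ": " + got);
        }
        // Round trip through base32, as the server does in step 3.2.
        if (!java.util.Arrays.equals(base32Decode(base32Encode(rfcKey)), rfcKey)) throw new AssertionError("base32");

        // The code for T=59 (step 1) is accepted at T=59, still accepted at T=89 (one step later,
        // inside the window), but refused once step 1 has been recorded as used.
        String code = totp(rfcKey, 59);
        if (verify(rfcKey, code, 59, -1) != 1) throw new AssertionError("accept");
        if (verify(rfcKey, code, 89, -1) != 1) throw new AssertionError("skew");
        if (verify(rfcKey, code, 59, 1) != -1) throw new AssertionError("replay");
        System.out.println("all checks passed");
    }
}
```

Two points this adds to the page's flow: the window makes a phone whose clock drifts by a few seconds across a step boundary still log in, and storing the accepted step per account is what stops a code that was observed in transit from being reused before it expires. MessageDigest.isEqual is used instead of String.equals so the comparison time does not depend on how many leading digits match.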

In addition, the demo combines identity and password: it first verifies the user name and password and then performs a second check with the dynamic password, which makes system login more secure and reliable.

The above is the whole content of this article. I hope it will help you in your study, and I hope you will support us a lot.

The content of this article comes from the network collection of netizens. It is used as a learning reference. The copyright belongs to the original author.