The Research And Implementation Of The Dynamic Password Authentication System Based On Android Token

Posted on: 2013-03-19
Degree: Master
Type: Thesis
Country: China
Candidate: G J Wei
GTID: 2248330374453016
Subject: Communication and Information System
Abstract/Summary:
With the continuous development of IT, people's daily production activities have become inseparable from computer networks. Because these networks are open, many kinds of security threats have appeared, and when important information stored in a system is disclosed, users can suffer great losses. As the foundation and core of network security, identity authentication is of great significance for establishing a sound security mechanism and is a current research focus. Password authentication is the most common form of identity authentication; because it is simple and easy to use, authentication based on static passwords has become the first choice for most information systems. However, static passwords have inherent security flaws and a high probability of being attacked, so they cannot meet the requirements of high-security systems. Dynamic password authentication technology can effectively overcome these shortcomings. However, tokens in existing dynamic password authentication systems lack a communication module, so their internal data cannot be updated, loss of synchronization is difficult to resolve effectively, the user's ability to operate the token autonomously is limited, and extensibility is rather poor. With the advent of the mobile internet, Android, as the representative smart mobile terminal platform, has greatly improved data transmission rates and offers a good solution to these problems.

Based on this, this thesis studies and implements a dynamic password authentication system based on an Android token and applies it to employee salary query authentication in an enterprise information system. According to the system design requirements, and combining research on the principles of dynamic password authentication with an analysis of its characteristics and security, the thesis chooses the time-synchronous dynamic password authentication mechanism as the prototype for the design.

The dynamic password generation algorithm is based on HMAC-SHA-1, with the message digest algorithm at its core. The RSA asymmetric encryption algorithm is used for key distribution and management, and an error adjustment mechanism based on the NTP protocol achieves time synchronization between client and server. Because the software token can communicate with the authentication server in real time, work can be initiated from the token, which improves the user's ability to operate it autonomously. Drawing on the features of Android smart mobile terminals, the thesis adds a geographic information authentication mechanism, uses the hardware feature code (the IMEI number) as one of the parameters of the password generation algorithm, and implements PIN-based two-factor authentication on the client. The software token exchanges data using the HTTP protocol and XML; on the client, XML is parsed using the PULL approach, chosen for its speed. To address the vulnerability of the software token's communication, the thesis uses an improved S/Key scheme to optimize the channel. The authentication server is implemented with the enterprise application development framework J2EE, and the authentication interface is developed with WebService technology so that the authentication system remains independent. Tests and analysis of functionality, performance and security show that the system works steadily and reliably and basically meets the design requirements for the authentication system and the employee salary query authentication requirements.
Keywords/Search Tags: Android, Dynamic password, Time synchronization, S/Key, J2EE
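The time-synchronous, device-bound password generation described in the abstract can be sketched as follows; this is an added example, not code from the thesis. The message layout (time counter followed by IMEI), the 60-second step, the 6-digit RFC 4226 truncation, the one-step drift window, the replay check and all names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60     # assumed time-step length in seconds
DIGITS = 6    # assumed password length
WINDOW = 1    # assumed tolerance: accept +/- 1 step of clock drift


def dynamic_password(key: bytes, imei: str, unix_time: int) -> str:
    """HMAC-SHA-1 over (time counter || IMEI), truncated as in RFC 4226."""
    counter = unix_time // STEP
    msg = struct.pack(">Q", counter) + imei.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify(key: bytes, imei: str, submitted: str, server_time: int,
           last_counter: int = -1):
    """Return (ok, drift_steps, counter); counters already used are rejected."""
    base = server_time // STEP
    # Try the server's own step first, then the neighbouring steps.
    for drift in sorted(range(-WINDOW, WINDOW + 1), key=abs):
        counter = base + drift
        if counter <= last_counter:
            continue  # a captured password cannot be replayed
        expected = dynamic_password(key, imei, counter * STEP)
        if hmac.compare_digest(expected, submitted):
            return True, drift, counter
    return False, None, last_counter


if __name__ == "__main__":
    # Constructed sample values, not taken from the thesis.
    key, imei, now = b"constructed-shared-secret", "490154203237518", 1_700_000_000
    late = dynamic_password(key, imei, now - 50)  # token clock runs 50 s slow
    print(verify(key, imei, late, now))           # drift -1 can drive resync
```

The drift value returned on success is what a server could feed into a clock-adjustment step, and storing the returned counter as `last_counter` closes the replay gap inside the tolerance window.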