| 摘要 |
In a computer system comprising a token communicatively connected to a provider, a method of authenticating a user to use a system, comprising generating, by the token, a random value, sending, by the token, the random value, a token ID, and a salt value to the provider, providing, by the user, a user password to the provider, generating, by the provider, a derived key based at least in part on the salt value and the password, applying, by the provider, a first key-based hash algorithm, using the derived key, to the token ID to provide a first hash value, generating, by the provider, a first challenge data instance based at least in part on the random value and the first hash value, sending, by the provider, the first challenge data instance to the token, generating, by the provider, a token unlock key based at least in part on the derived key, sending, by the provider, the token unlock key to the token, generating, by the token, a second challenge data instance based at least in part on the random value and a second hash value, wherein the second hash value is stored on the token and is based on the token ID, determining, by the token, whether the first and second challenge data instances match, terminating, by the token, the method, if the first and second challenge data instances are determined not to match, and if the first and second challenge data instances are determined to match, then establishing an encrypted data transfer system between the token and the provider, unlocking with the token unlock key, by the token, locked first private data stored on the token, and authenticating the user for secured use of the system based at least in part on the unlocked first private data. |
