(我来啦, replaced: 馬 → 马, 亞 → 亚, 紅 → 红, 驗 → 验, 證 → 证, 遜 → 逊) |
m (Bot: cleaned up unsuitable sources, removed unused template parameters) |
||
(4 intermediate revisions by the same user not shown) | |||
第2行: | 第2行: | ||
|G1=IT |
|G1=IT |
||
}} |
}} |
||
'''基于时间的一次性密码算法(TOTP)'''是一种根据预共享的密钥与当前时间计算[[一次性密码]]的[[算法]]。它已被[[互联网工程任务组]]接纳为RFC 6238标准<ref name="RFC6238">{{cite web|url=http://tools.ietf.org/html/rfc6238|title=RFC 6238 - TOTP: Time-Based One-Time Password Algorithm|accessdate=2011-07-13 |
'''基于时间的一次性密码算法(TOTP)'''是一种根据预共享的密钥与当前时间计算[[一次性密码]]的[[算法]]。它已被[[互联网工程任务组]]接纳为RFC 6238标准<ref name="RFC6238">{{cite web|url=http://tools.ietf.org/html/rfc6238|title=RFC 6238 - TOTP: Time-Based One-Time Password Algorithm|accessdate=2011-07-13}}</ref>,成为{{le|主动开放认证|Initiative For Open Authentication}}(OATH)的基石,并被用于众多[[多重要素验证]]系统当中。 |
||
TOTP是[[散列消息认证码]](HMAC)当中的一个例子。它结合一个私钥与当前时间戳,使用一个[[密码散列函数]]来生成一次性密码。由于网络延迟与时钟不同步可能导致密码接收者不得不尝试多次遇到正确的时间来进行身份验证,[[时间戳]]通常以30秒为间隔,从而避免反复尝试。 |
TOTP是[[散列消息认证码]](HMAC)当中的一个例子。它结合一个私钥与当前时间戳,使用一个[[密码散列函数]]来生成一次性密码。由于网络延迟与时钟不同步可能导致密码接收者不得不尝试多次遇到正确的时间来进行身份验证,[[时间戳]]通常以30秒为间隔,从而避免反复尝试。 |
||
第22行: | 第22行: | ||
* 协商加密哈希算法(默认为[[SHA-1]]) |
* 协商加密哈希算法(默认为[[SHA-1]]) |
||
* 协商密码长度(默认6位) |
* 协商密码长度(默认6位) |
||
尽管RFC 6238标准允许使用不同的参数,Google开发的验证应用不允许不同于默认的T0、TI值、哈希方法和密码长度。RFC 3548也同时鼓励K密钥以base-32编码输入(或以[[QR碼|QR码]]的形式提供)。<ref>{{Cite web| |
尽管RFC 6238标准允许使用不同的参数,Google开发的验证应用不允许不同于默认的T0、TI值、哈希方法和密码长度。RFC 3548也同时鼓励K密钥以base-32编码输入(或以[[QR碼|QR码]]的形式提供)。<ref>{{Cite web||title=KeyUriFormat|accessdate=2014-08-05}}</ref> |
||
一旦参数协商完毕,密码开始按照如下方法生成: |
一旦参数协商完毕,密码开始按照如下方法生成: |
||
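Review bot: In the KeyUriFormat citation on the complete side of this hunk, the `url` parameter is empty (`{{Cite web||title=KeyUriFormat|accessdate=2014-08-05}}`), so the sentence about base-32 key input and QR codes is backed only by a title and an access date, with nothing a reader can follow. If the link was dropped on purpose as an unsuitable source, replace it with a usable one or remove the citation and tag the sentence, rather than keeping a reference with no target.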
第37行: | 第37行: | ||
不限制登录尝试的TOTP实现容易被暴力破解,因此尝试次数限制必须非常少。 |
不限制登录尝试的TOTP实现容易被暴力破解,因此尝试次数限制必须非常少。 |
||
窃取到预共享密钥的攻击者可以随意生成新的非法的TOTP代号。如果攻击者攻破大型的认证数据库,这就会是个问题。<ref>{{Cite news|url=https://www.wired.com/2011/06/rsa-replaces-securid-tokens/|title=RSA Agrees to Replace Security Tokens After Admitting Compromise|last=Zetter|first=Kim|newspaper=WIRED|accessdate=2017-02-17|language=en-US |
窃取到预共享密钥的攻击者可以随意生成新的非法的TOTP代号。如果攻击者攻破大型的认证数据库,这就会是个问题。<ref>{{Cite news|url=https://www.wired.com/2011/06/rsa-replaces-securid-tokens/|title=RSA Agrees to Replace Security Tokens After Admitting Compromise|last=Zetter|first=Kim|newspaper=WIRED|accessdate=2017-02-17|language=en-US}}</ref> |
||
由于TOTP设备可能会发生电力用尽、时钟不同步等情况,用户手机上的软件也可能丢失或失窃,所有现存的实现都可以绕开相应保护(如:打印的代码、电子邮件重置等),这对于大型用户群支持来说是个负担,并给了欺诈用户更多的操作空间。 |
由于TOTP设备可能会发生电力用尽、时钟不同步等情况,用户手机上的软件也可能丢失或失窃,所有现存的实现都可以绕开相应保护(如:打印的代码、电子邮件重置等),这对于大型用户群支持来说是个负担,并给了欺诈用户更多的操作空间。 |
||
第48行: | 第48行: | ||
== 历史 == |
== 历史 == |
||
TOTP草案由数位OATH成员合作开发,目的是创建一个行业通用标准。它完善了基于事件的一次性标准HOTP,并为终端用户组织和企业在选择最适合的应用要求与安全规范技术提供了更多选择。2008年,OATH向IETF提交了一份草案规范。这一版本的草案以之前提交的版本为基础,包含作者从技术社区收到的全部反馈与评论。<ref>{{Cite web|url=http://www.openauthentication.org/news/20080408|title=OATH Submits TOTP: Time-Based One Time Password Specification to IETF|accessdate=2010-02-22|last=Alexander|first=Madison|work=Open Authentication |
TOTP草案由数位OATH成员合作开发,目的是创建一个行业通用标准。它完善了基于事件的一次性标准HOTP,并为终端用户组织和企业在选择最适合的应用要求与安全规范技术提供了更多选择。2008年,OATH向IETF提交了一份草案规范。这一版本的草案以之前提交的版本为基础,包含作者从技术社区收到的全部反馈与评论。<ref>{{Cite web|url=http://www.openauthentication.org/news/20080408|title=OATH Submits TOTP: Time-Based One Time Password Specification to IETF|accessdate=2010-02-22|last=Alexander|first=Madison|work=Open Authentication}}</ref>2011年5月,TOTP正式成为[[RFC]] 6238标准的一部分。 |
||
== 服务器实现 == |
== 服务器实现 == |
||
第55行: | 第55行: | ||
!产品 / 实现的部分 |
!产品 / 实现的部分 |
||
|- |
|- |
||
|[ |
|[https://www.onelogin.com/ OneLogin]|[https://www.onelogin.com/product/one-time-password OneLogin 保护] |
||
|- |
|- |
||
|[[微软]] |
|[[微软]] |
||
|多重因素验证<ref>{{Cite web|url=http://blogs.technet.com/b/microsoft_blog/archive/2013/04/17/microsoft-account-gets-more-secure.aspx|title=Microsoft Account Gets More Secure|accessdate=2013-04-17|publisher=The Official Microsoft Blog |
|多重因素验证<ref>{{Cite web|url=http://blogs.technet.com/b/microsoft_blog/archive/2013/04/17/microsoft-account-gets-more-secure.aspx|title=Microsoft Account Gets More Secure|accessdate=2013-04-17|publisher=The Official Microsoft Blog}}</ref> |
||
|- |
|- |
||
|[[Salesforce.com]] |
|[[Salesforce.com]] |
||
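Review bot: The OneLogin row puts both cells on one line separated by a single pipe (`|[https://www.onelogin.com/ OneLogin]|[https://www.onelogin.com/product/one-time-password OneLogin 保护]`). MediaWiki table syntax expects `||` between cells that share a line; with a single `|` the text before it is read as cell attributes, so the first link will not render as its own column. Use `||`, or put the second cell on its own line as the other rows in this table do.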
第64行: | 第64行: | ||
|- |
|- |
||
|Authy |
|Authy |
||
|账号访问、加强认证<ref>{{Cite web|url=https://authy.com/blog/enable-two-factor-auth-on-your-vpn/|title=Spend 1 Day To 2FA Your VPN – Authy|accessdate=2017-04-26 |
|账号访问、加强认证<ref>{{Cite web|url=https://authy.com/blog/enable-two-factor-auth-on-your-vpn/|title=Spend 1 Day To 2FA Your VPN – Authy|accessdate=2017-04-26}}</ref> |
||
|- |
|- |
||
|ServiceNow |
|ServiceNow |
||
|<ref>{{Cite web|url=https://docs.servicenow.com/integrate/authentication/concept/c_MultifactorAuthentication.html|title=Multifactor authentication|access-date=2017-11-24 |
|<ref>{{Cite web|url=https://docs.servicenow.com/integrate/authentication/concept/c_MultifactorAuthentication.html|title=Multifactor authentication|access-date=2017-11-24}}</ref> |
||
|- |
|- |
||
|[[Google]] |
|[[Google]] |
||
|[[Google身份验证器]]<ref>{{Cite web| |
|[[Google身份验证器]]<ref>{{Cite web||title=google-authenticator – Project Hosting on Google Code|accessdate=2010-02-22}}</ref> |
||
|- |
|- |
||
|[[Facebook]] |
|[[Facebook]] |
||
|登录许可、代号生成器<!-- removed_ref site148 by WaitSpring-bot (template) --> |
|||
|登录许可、代号生成器<ref>{{Cite web|url=https://www.facebook.com/help/413023562082171/|title=Extra security feature|accessdate=2014-01-30|archive-date=2019-10-31|archive-url=https://web.archive.org/web/20191031204242/https://www.facebook.com/help/413023562082171|dead-url=no}}</ref> |
|||
|- |
|- |
||
|[[Mozilla]] |
|[[Mozilla]] |
||
|Firefox 浏览器同步账号访问<ref>{{Cite web|url=https://blog.mozilla.org/services/2018/05/22/two-step-authentication-in-firefox-accounts/|title=Two-step authentication in Firefox Accounts|accessdate=2018-08-01|work=Mozilla Services|language=en-US |
|Firefox 浏览器同步账号访问<ref>{{Cite web|url=https://blog.mozilla.org/services/2018/05/22/two-step-authentication-in-firefox-accounts/|title=Two-step authentication in Firefox Accounts|accessdate=2018-08-01|work=Mozilla Services|language=en-US}}</ref> |
||
|- |
|- |
||
|[[亚马逊公司]] |
|[[亚马逊公司]] |
||
|Amazon Web Services<ref>{{Cite web|url=https://aws.amazon.com/mfa/|title=AWS Multi-Factor Authentication|accessdate=2012-03-06 |
|Amazon Web Services<ref>{{Cite web|url=https://aws.amazon.com/mfa/|title=AWS Multi-Factor Authentication|accessdate=2012-03-06}}</ref> |
||
|- |
|- |
||
|[[Bitbucket]] |
|[[Bitbucket]] |
||
|账号访问<ref>{{Cite web|url=http://blog.bitbucket.org/2015/09/10/two-step-verification-is-here/|title=Two-step verification is here|accessdate=2015-09-11 |
|账号访问<ref>{{Cite web|url=http://blog.bitbucket.org/2015/09/10/two-step-verification-is-here/|title=Two-step verification is here|accessdate=2015-09-11}}</ref> |
||
|- |
|- |
||
|[[Dropbox]] |
|[[Dropbox]] |
||
|账号访问<ref>{{Cite web|url=https://blog.dropbox.com/2012/08/another-layer-of-security-for-your-dropbox-account/|title=Another layer of security for your Dropbox account|accessdate=2013-05-04 |
|账号访问<ref>{{Cite web|url=https://blog.dropbox.com/2012/08/another-layer-of-security-for-your-dropbox-account/|title=Another layer of security for your Dropbox account|accessdate=2013-05-04}}</ref> |
||
|- |
|- |
||
|[[Evernote]] |
|[[Evernote]] |
||
|账号访问<ref>{{Cite web|url=https://blog.evernote.com/blog/2013/10/04/two-step-verification-available-to-all-users/|title=Two-Step Verification Available to All Users|accessdate=2015-01-05 |
|账号访问<ref>{{Cite web|url=https://blog.evernote.com/blog/2013/10/04/two-step-verification-available-to-all-users/|title=Two-Step Verification Available to All Users|accessdate=2015-01-05}}</ref> |
||
|- |
|- |
||
|Gandi |
|Gandi |
||
|账号访问<ref>{{Cite web|url=http://www.gandibar.net/post/2013/10/10/Gandi-rolls-out-2-factor-authentication|title=Gandi rolls out two-factor authentication|accessdate=2013-11-21 |
|账号访问<ref>{{Cite web|url=http://www.gandibar.net/post/2013/10/10/Gandi-rolls-out-2-factor-authentication|title=Gandi rolls out two-factor authentication|accessdate=2013-11-21}}</ref> |
||
|- |
|- |
||
|Zoho |
|Zoho |
||
|账号访问<ref>{{Cite web|url=https://www.zoho.eu/mail/help/adminconsole/two-factor-authentication.html|title=Two Factor Authentication|accessdate=2017-07-26 |
|账号访问<ref>{{Cite web|url=https://www.zoho.eu/mail/help/adminconsole/two-factor-authentication.html|title=Two Factor Authentication|accessdate=2017-07-26}}</ref> |
||
|- |
|- |
||
|[[GitHub]] |
|[[GitHub]] |
||
|账号访问<ref>{{Cite web|url=https://help.github.com/articles/about-two-factor-authentication|title=About Two-Factor Authentication|accessdate=2013-09-04 |
|账号访问<ref>{{Cite web|url=https://help.github.com/articles/about-two-factor-authentication|title=About Two-Factor Authentication|accessdate=2013-09-04}}</ref> |
||
|- |
|- |
||
|Hiveage |
|Hiveage |
||
|账号访问<ref>{{Cite web|url=https://www.hiveage.com/blog/introducing-two-step-verification/|title=Introducing Two-Step Verification|accessdate=2017-02-07 |
|账号访问<ref>{{Cite web|url=https://www.hiveage.com/blog/introducing-two-step-verification/|title=Introducing Two-Step Verification|accessdate=2017-02-07}}</ref> |
||
|- |
|- |
||
|[[LastPass]] |
|[[LastPass]] |
||
|账号访问<ref>{{Cite web|url=http://blog.lastpass.com/2011/11/introducing-support-for-google.html|title=Introducing Support for Google Authenticator|accessdate=2011-11-04 |
|账号访问<ref>{{Cite web|url=http://blog.lastpass.com/2011/11/introducing-support-for-google.html|title=Introducing Support for Google Authenticator|accessdate=2011-11-04}}</ref> |
||
|- |
|- |
||
|[[Linode]] |
|[[Linode]] |
||
|账号访问<ref>{{Cite web|url=https://blog.linode.com/2013/05/02/linode-manager-two-step-auth/|title=Linode Manager Two-Step Authentication|accessdate=2013-05-02 |
|账号访问<ref>{{Cite web|url=https://blog.linode.com/2013/05/02/linode-manager-two-step-auth/|title=Linode Manager Two-Step Authentication|accessdate=2013-05-02}}</ref> |
||
|- |
|- |
||
|[[WordPress.com]] |
|[[WordPress.com]] |
||
|账号访问<ref>{{Cite web|url=http://en.support.wordpress.com/security/two-step-authentication|title=Two Step Authentication|accessdate=2014-01-29|publisher=WordPress |
|账号访问<ref>{{Cite web|url=http://en.support.wordpress.com/security/two-step-authentication|title=Two Step Authentication|accessdate=2014-01-29|publisher=WordPress}}</ref> |
||
|- |
|- |
||
|Hover |
|Hover |
||
|账号访问<ref>{{Cite web|url=http://www.hover.com/blog/two-step-signin-is-here/|title=Two-step Signin is Here|accessdate=2014-02-25 |
|账号访问<ref>{{Cite web|url=http://www.hover.com/blog/two-step-signin-is-here/|title=Two-step Signin is Here|accessdate=2014-02-25}}</ref> |
||
|- |
|- |
||
|LinOTP |
|LinOTP |
||
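Review bot: In the Google row, the Google身份验证器 citation has no `url` value (`{{Cite web||title=google-authenticator – Project Hosting on Google Code|accessdate=2010-02-22}}`), which leaves a reference that cannot be followed; point it at a live or archived copy, or remove it. In the Facebook row the two sides disagree: one carries `<!-- removed_ref site148 by WaitSpring-bot (template) -->` and the other a full citation with `archive-url`. Confirm which state is intended, since the cell with only the comment is left unsourced.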
第120行: | 第120行: | ||
|- |
|- |
||
|[[ownCloud]] |
|[[ownCloud]] |
||
|账号访问<ref>{{Cite web|url=https://marketplace.owncloud.com/apps/twofactor_totp|title=A Two-Factor-Auth Provider for TOTP (e.g. Google Authenticator)|accessdate=2017-04-30 |
|账号访问<ref>{{Cite web|url=https://marketplace.owncloud.com/apps/twofactor_totp|title=A Two-Factor-Auth Provider for TOTP (e.g. Google Authenticator)|accessdate=2017-04-30}}</ref> |
||
|- |
|- |
||
|Nextcloud |
|Nextcloud |
||
|TOTP多重因素认证<ref>{{Cite web|url=https://nextcloud.com/blog/nextcloud-11-sets-new-standard-for-security-and-scalability|title=Nextcloud 11 sets new standard for security and scalability|accessdate=2016-12-23|publisher=Nextcloud |
|TOTP多重因素认证<ref>{{Cite web|url=https://nextcloud.com/blog/nextcloud-11-sets-new-standard-for-security-and-scalability|title=Nextcloud 11 sets new standard for security and scalability|accessdate=2016-12-23|publisher=Nextcloud}}</ref> |
||
|- |
|- |
||
|multiOTP |
|multiOTP |
||
第132行: | 第132行: | ||
|- |
|- |
||
|Token2 |
|Token2 |
||
|Token2 TOTPRadius - 针对多重因素验证设计的RADIUS服务器<ref>{{Cite web|url=https://token2.com/?content=totpradius|title=Token2 TOTPRadius - a RADIUS server designed for two-factor authentication|accessdate=2017-05-13|publisher=Token2 |
|Token2 TOTPRadius - 针对多重因素验证设计的RADIUS服务器<ref>{{Cite web|url=https://token2.com/?content=totpradius|title=Token2 TOTPRadius - a RADIUS server designed for two-factor authentication|accessdate=2017-05-13|publisher=Token2}}</ref> |
||
|- |
|- |
||
|XenForo |
|XenForo |
||
|<ref>{{Cite web|url=http://xenforo.com/community/resources/freddyshouse-two-factor-authentication.1663/|title=[FreddysHouse] Two-factor Authentication|accessdate=2014-02-10|publisher=FreddysHouse |
|<ref>{{Cite web|url=http://xenforo.com/community/resources/freddyshouse-two-factor-authentication.1663/|title=[FreddysHouse] Two-factor Authentication|accessdate=2014-02-10|publisher=FreddysHouse}}</ref> |
||
|- |
|- |
||
|[[赛门铁克]] |
|[[赛门铁克]] |
||
|VIP访问 <ref>{{Cite web|url=https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vip-access-provisioning-protocol/|title=Reversing the Symantec VIP Access Provisioning Protocol|date=2014-09-29|accessdate=2017-11-24 |
|VIP访问 <ref>{{Cite web|url=https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vip-access-provisioning-protocol/|title=Reversing the Symantec VIP Access Provisioning Protocol|date=2014-09-29|accessdate=2017-11-24}}</ref> |
||
|- |
|- |
||
|HashiCorp |
|HashiCorp |
||
|密码库<ref>{{Cite web|url=https://www.hashicorp.com/blog/vault-0-7-1/|title=Vault 0.7.1|date=2017-05-05|accessdate=2017-11-24 |
|密码库<ref>{{Cite web|url=https://www.hashicorp.com/blog/vault-0-7-1/|title=Vault 0.7.1|date=2017-05-05|accessdate=2017-11-24}}</ref><ref>{{Cite web|url=https://www.vaultproject.io/docs/secrets/totp/index.html|title=Vault TOTP Secret Backend|accessdate=2017-07-07}}</ref><ref>{{Cite web|url=https://www.vaultproject.io/api/secret/totp/index.html|title=Vault TOTP Secret Backend HTTP API|accessdate=2017-07-07}}</ref> |
||
|- |
|- |
||
|[[网易游戏]] |
|[[网易游戏]] |
||
|网易将军令<ref>{{Cite web|url=http://ekey.163.com/|title=网易将军令:动态密码账号保护器|accessdate=2020-02-29 |
|网易将军令<ref>{{Cite web|url=http://ekey.163.com/|title=网易将军令:动态密码账号保护器|accessdate=2020-02-29}}</ref> |
||
|- |
|- |
||
|[[Yandex]] |
|[[Yandex]] |
||
|账号访问 <ref>{{Cite web|url=https://yandex.com/support/passport/authorization/twofa.html|title=Yandex.Passport|date=2015-01-01|accessdate=2017-11-24 |
|账号访问 <ref>{{Cite web|url=https://yandex.com/support/passport/authorization/twofa.html|title=Yandex.Passport|date=2015-01-01|accessdate=2017-11-24}}</ref><ref>{{Cite web|url=https://meduza.io/en/news/2015/02/03/yandex-now-lets-you-log-in-without-a-login-or-a-password|title=Yandex now lets you log in without a login (or a password)|date=2015-02-03|accessdate=2017-11-24}}</ref> |
||
|} |
|} |
||
第161行: | 第161行: | ||
|[[微软]]开发,可为微软系网站生成8位字符令牌,或为其他网站生成6位字符令牌 |
|[[微软]]开发,可为微软系网站生成8位字符令牌,或为其他网站生成6位字符令牌 |
||
|- |
|- |
||
| [[FreeOTP]]<ref>{{Cite web |url=https://freeotp.github.io/ |title=FreeOTP |accessdate=2021-01-20 |
| [[FreeOTP]]<ref>{{Cite web |url=https://freeotp.github.io/ |title=FreeOTP |accessdate=2021-01-20 }}</ref> |
||
| FreeOTP基于Google Authenticator开发而来,由[[红帽公司]](RedHat)维护 |
| FreeOTP基于Google Authenticator开发而来,由[[红帽公司]](RedHat)维护 |
||
|} |
|} |
||
== 参考文献 == |
== 参考文献 == |
||
{{reflist |
{{reflist}} |
||
[[Category:计算机访问控制]] |
[[Category:计算机访问控制]] |