CN101217549A - An efficient, unforgeable SSH transport layer authentication protocol without digital signatures - Google Patents


Info

Publication number: CN101217549A
Authority: CN (China)
Prior art keywords: sid, server, client, agreement, pub
Legal status: Pending
Application number: CNA2008100327728A
Other languages: Chinese (zh)
Inventors: 赵运磊, 姚期智, 储枫
Current assignee: Individual
Original assignee: Individual
Priority application: CNA2008100327728A (published as CN101217549A)
Related applications: PCT/CN2008/072794 (WO2009056048A1); CN2008801222327A (CN102017510B); US12/766,431 (US8464060B2); HK11110843.5A (HK1156750A1)

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention belongs to the field of cryptographic protocols, specifically an efficient SSH transport layer authentication protocol that is unforgeable and needs no digital signature. The protocol assumes that the server holds a discrete-logarithm public key $B = g^b$ of the kind used by the Digital Signature Standard. A shared secret is derived either as $X^{db+ey} = B^{dx} Y^{ex}$, where $e$ commits to (binds) all public information associated with the protocol run and $d$ is either 1 or a hash whose input excludes $Y$; or from the pair $(g^{xy}, g^{xb})$. Compared with the current industry-standard SSH transport layer authentication protocol, the protocol offers lower (online) computational complexity and lower communication complexity.

Description

An efficient, unforgeable SSH transport layer authentication protocol without digital signatures
Technical field
The invention belongs to the field of cryptographic protocols and specifically relates to an efficient, unforgeable SSH (Secure Shell) transport layer authentication protocol that does not require digital signatures.
Background technology
The SSH transport layer authentication protocol is a core authenticated key-exchange protocol for protecting information on the Internet, in particular in distributed client-server environments based on UNIX or Linux. It lets a client log in securely to a remote server, download files from it and run commands on it securely.
The current industry standard for the SSH transport layer authentication protocol is the Internet-Draft proposed by T. Ylonen and published by the IETF (Internet Engineering Task Force) in September 2002: draft-ietf-transport-15.txt.
The standard is based on Diffie-Hellman key exchange, with the remote server authenticating itself to the client by a digital signature. Its core cryptographic exchange is as follows:
Round 1: client A sends $X = g^x$ to the server.
Round 2: server B sends $\{B, Y = g^y, sig\}$ to the client. Here $B = g^b$ is the server's public key and $b$ its private key; $sig$ is the digital signature that the server produces with $b$, using the Digital Signature Standard, over $Hash(pub, sid, B, X, Y, X^y)$. $Hash$ is a hash function; $sid$ is the session identifier (in practice the concatenation of two random strings exchanged by client and server before the protocol run); $pub$ is other information related to the run (typically the protocol version, the cryptographic algorithms supported by client and server, security parameters, and so on). The session key is $K = H_K(X^y) = H_K(g^{xy})$.
On receiving the second-round message, client A checks the validity of the server's public key $B$ and verifies that $sig$ is the server's signature on $Hash(pub, sid, B, X, Y, Y^x)$. If verification fails, A aborts the protocol; otherwise A computes the session key $K = H_K(Y^x) = H_K(g^{xy})$.
The shortcoming of the current standard is that authenticating the server by a digital signature makes both the communication complexity and the computational complexity of the protocol higher than desirable. Take the current DSS (Digital Signature Standard) as an example (since DSS is based on discrete logarithms, the server's public key is naturally discrete-logarithm based as well): its communication cost, i.e. the signature length, is $2|q|$ bits (twice the length of $q$); the signer (server B) performs one exponentiation and the verifier (client A) at least 1.5 exponentiations, and neither signing nor verification can be precomputed offline. Adding the computation of the DH key components and of the session key, the total cost is 3.5 exponentiations for client A and 3 exponentiations for server B.
Summary of the invention
The object of the invention is to provide an efficient, unforgeable SSH transport layer authentication protocol that needs no digital signature, so as to reduce the (online) computational complexity and the communication complexity of the current SSH transport layer authentication protocol.
The protocol of the invention has the following features:
The invention provides two different implementations of an SSH transport layer authentication protocol without digital signatures, both with better (online) computational complexity and communication complexity than the current industry standard.
The first implementation derives the session key $K$ and the MAC key $K_m$ from $K_B = X^{db+ey} = B^{dx} Y^{ex} = K_A$. The crucial point is that $e$ must commit to (bind) all public information of the protocol run, i.e. $e = H(sid, I_A, I_B, B, X, Y, pub)$, while $d$ is 1 or a hash whose input does not include $Y$. The advantage is that, apart from computing the necessary DH key components $X$ and $Y$ (which can be precomputed offline), server B performs only one exponentiation, $K_B = X^{db+ey}$, which greatly reduces the server's workload and avoids a computation and communication bottleneck at the server. Client A precomputes $B^{dx}$ and $X$ offline, so it too needs only one online exponentiation, $Y^{ex}$. For total cost, computing $K_A = B^{dx} Y^{ex}$ is equivalent to 1.5 exponentiations (the same as DSS signature verification), so client A's total is 2.5 exponentiations; server B's total is 2 exponentiations (if the server does not check that $X$ has order $q$) or 2.5 exponentiations (if it does). Note that $K_B = X^{db+ey}$ and $X^q$ can be computed in parallel at a cost of 1.5 exponentiations. For communication, apart from the DH key components the server sends only $MAC_{K_m}(0)$ to confirm the session key (that is, to confirm that it really knows $b$ and $y$). The method therefore adds only $|q|$ extra bits, namely $MAC_{K_m}(0)$, whereas the extra communication cost of the current protocol (the digital signature) is at least $2|q|$ bits. This signature-free implementation thus offers better (online) computational and communication complexity than the current standard, and is better suited to relieving the server's load and avoiding a bottleneck at the server.
The second implementation derives the session key from $g^{xy}$ and $g^{xb}$. Apart from the DH key components $X$ and $Y$ (precomputable offline), client A must compute $B^x$ and $Y^x$; since $B^x$ can be precomputed offline together with $X$, the client needs only one online exponentiation, $Y^x$. Server B computes $X^b$ and $X^y$ online; computed in parallel these cost the equivalent of 1.5 exponentiations, so the server's online cost is 1.5 exponentiations. In total, client A performs 3 exponentiations and server B 2.5. Compared with the current standard, the second method still offers better computational complexity.
The operating environment of the protocol is as follows:
(1) System parameters: $(p, q, g, H, H_K, MAC)$, where $p$ and $q$ are large primes with $q \mid p-1$, and $g$ is an element of $Z_p^*$ of order $q$, chosen so that the discrete logarithm (DL) problem and the computational Diffie-Hellman (CDH) problem are hard in the subgroup of $Z_p^*$ generated by $g$. Typically $p$ is 1024 or 2048 bits long and $q$ is 160 or 1024 bits long. All exponentiations and (non-exponent) multiplications are mod $p$; additions and multiplications in exponents are mod $q$ (for example, $g^{db}$ denotes $g^{db \bmod q} \bmod p$). $Z_p^* = \{1, 2, \dots, p-1\}$ is the set of positive integers smaller than $p$ and coprime to $p$. Define $DL: Z_q \to Z_p^*$ by $X = DL(x) = g^x \bmod p$; $x$ is called the discrete logarithm of $X$. The discrete logarithm problem requires that, for a random $X$, no polynomial-time algorithm computes the discrete logarithm $x$ of $X$. The computational Diffie-Hellman problem requires that, given random $X = g^x$ and $Y = g^y$, no polynomial-time algorithm computes $g^{xy}$. As is familiar to those skilled in the art, both problems can equally be defined over elliptic-curve groups or over groups with a bilinear pairing. $H: \{0,1\}^* \to \{0, 1, \dots, q-1\}$ is a hash function; for speed, its output length may be reduced to $l = (\lfloor \log_2 q \rfloor + 1)/2$. $H_K: \{0,1\}^* \to \{0,1\}^k$ is a hash function whose output length $k$ is the session key length, e.g. $k = 128$ or 160. For strings $s_1, \dots, s_m$ ($m > 1$), $H(s_1, s_2, \dots, s_m)$ means: represent each $s_i$ as a binary 0-1 string, concatenate them, and use the result as the input of $H$ (the order of the concatenated elements may be changed). $MAC$ is a message authentication code algorithm.
(2) The system runs in a distributed client-server network. Unless stated otherwise, user A with identity $I_A$ denotes a client, which need not have a public key. User B with identity $I_B$ denotes a server, which holds a discrete-logarithm public key $B = g^b \bmod p$ whose private key $b$ is chosen by the server uniformly at random from $Z_q = \{0, 1, \dots, q-1\}$. We assume client A has obtained the server's public key by some means.
(3) The protocol is based on the Diffie-Hellman key exchange. $X = g^x \bmod p$ is client A's DH key component, with $x$ chosen by A uniformly at random from $Z_q$; $Y = g^y \bmod p$ is server B's DH key component, with $y$ chosen by B uniformly at random from $Z_q$. Client A is the initiator and server B the responder: A sends $X$ in the first round; on receiving $X$, B checks that $X$ is an element of $Z_p^*$ other than 1 and sends $Y$ in the second round; on receiving $Y$, A checks that $Y$ is an element of $Z_p^*$ other than 1.
(4) Each execution of the protocol is called a session, and each is assumed to have a session identifier $sid$ used to distinguish concurrently running executions. How $sid$ is formed and negotiated depends on the environment: for example, it may be the concatenation of two random strings sent by the two parties. Generally $sid$ is included in the information exchanged before the protocol run, or is the hash of that information. In some environments $sid$ can be generated during the run; in others it can be omitted when the session is identified by context, for example when the DH key components $(X = g^x, Y = g^y)$ themselves serve as the session identifier.
(5) Other information related to the run, $pub$: everything related to the protocol run other than $(sid, I_A, I_B, B = g^b, X = g^x, Y = g^y)$ is denoted $pub$. $pub$ is a string, generally the concatenation of the protocol version, the information (or the hash of the information) exchanged before the run, the users' IP addresses, timestamps, and so on; $pub$ may be empty. In all MAC-based realizations, $pub$ may, for efficiency, be used only as input to the MAC and not as input to $H$ or $H_K$.
Protocol implementation methods:
According to how the session key is computed, there are two implementation methods:
(1) Implementation method 1: client A sends $X = g^x \bmod p$ in the first round. On receiving $X$, server B checks that $X$ is an element of $Z_p^*$ of order $q$ other than 1; if the check fails, B aborts the protocol. If it succeeds, B sends $B = g^b \bmod p$ and $Y = g^y \bmod p$ in the second round, computes $K_B = X^{(db+ey) \bmod q} \bmod p$ and $K_m = H_K(e, K_B)$, and proves to A that it knows $b$ and $y$ by sending $MAC_{K_m}(0)$. Here $d = H(sid, I_A, I_B, B, X, pub)$ or $d = 1$, and $e = H(sid, I_A, I_B, B, X, Y, pub)$. Server B's session key is $K = H_K(K_B, e)$.
On receiving B's second-round message, client A computes $K_A = B^{dx \bmod q} Y^{ex \bmod q} \bmod p$ and $K_m = H_K(e, K_A)$, and verifies the message (the validity of the public key $B$, that $Y$ is an element of $Z_p^*$ other than 1, and the validity of $MAC_{K_m}(0)$). If any check fails, A aborts; otherwise A's session key is $K = H_K(K_A, e)$. To further confirm that A knows the session key, A may send $MAC_{K_m}(1)$ or $E_K(w)$ in a third round, where $E$ is a symmetric encryption algorithm (such as the DES or AES block cipher) and $w$ is a secret password established in advance between client and server.
Note: the input of $d$ does not include $Y$, so client A can precompute $X$, $d$ and $B^{dx \bmod q} \bmod p$; server B can precompute $Y$. If server B does not check that $X$ has order $q$, then in view of the risk of small-subgroup attacks, a precomputed $y$ must be kept in a secure module and deleted immediately after $K_B = X^{(db+ey) \bmod q} \bmod p$ has been computed.
(2) Implementation method 2: client A sends $X = g^x \bmod p$ and $H_K(sid, I_A, I_B, B, X, B^x, pub)$ in the first round; A can precompute $X$ and $B^x$. On receiving the first-round message, server B checks that $X$ is an element of $Z_p^*$ other than 1 and uses $X^b$ to check whether $H_K(sid, I_A, I_B, B, X, B^x, pub) = H_K(sid, I_A, I_B, B, X, X^b, pub)$. If the check fails, B aborts or returns a random value; if it succeeds, B sends $H_K(sid, I_B, B, I_A, Y, X, X^y, X^b)$ in the second round. The session key $K$ is derived from $H_K(g^{xy})$ or $H_K(g^{xy}, g^{xb})$. To further confirm that A knows the session key, A may send $H_K(sid, I_A, I_B, B, X, Y, Y^x)$ or $E_K(w)$ in a third round, where $E$ is a symmetric encryption algorithm (such as the DES or AES block cipher) and $w$ is a secret password established in advance between client and server.
Specific implementation steps of the protocol:
In the following protocol descriptions, the values in braces are the message sent. Server B's public key is $B = g^b$, and we assume client A has obtained $B$ by some secure means. Client A is the initiator of the run and server B the responder.
Protocol-1:
Precomputation: client A can precompute $X = g^x \bmod p$, $d = H(sid, I_A, I_B, B, X, pub)$ or $d = 1$, and $B^{dx \bmod q} \bmod p$. Server B can precompute $Y = g^y \bmod p$. Here $x$ and $y$ are chosen uniformly at random from $Z_q$, $e = H(d, Y)$ or $e = H(sid, I_A, I_B, B, X, Y, pub)$, $X$ is called A's DH key component and $Y$ is called B's DH key component. If server B does not check that $X$ has order $q$, then in view of the risk of small-subgroup attacks, a precomputed $y$ must be kept in a secure module and deleted immediately after $db + ey$ has been computed.
Round 1, A to B: $\{sid, I_A, X = g^x \bmod p\}$.
On receiving A's message, server B verifies A's identity and that $X$ is an element of $Z_p^*$ of order $q$ other than 1 (i.e. $X \in Z_p^*$, $X \ne 1$ and $X^q = 1 \bmod p$). If verification fails, B refuses to continue the protocol; if it succeeds, B computes $K_B = X^{(db+ey) \bmod q} \bmod p$ and deletes $y$ and $db+ey$, computes the MAC key $K_m = H_K(e, K_B)$ and the session key $K = H_K(K_B, e)$, then deletes $K_B$ and proceeds to the next round.
Round 2, B to A: $\{sid, I_B, B, Y = g^y, MAC_{K_m}(0)\}$.
On receiving B's message, client A verifies B's identity and public key and that $Y$ is an element of $Z_p^*$ other than 1. If verification fails, A aborts the protocol; if it succeeds, A computes $K_A = B^{dx \bmod q} Y^{ex \bmod q} \bmod p$ and $K_m = H_K(e, K_A)$ and verifies $MAC_{K_m}(0)$. If the MAC verifies, A's session key is $K = H_K(K_A, e)$; A then deletes $x$, $B^{dx}$, $Y^{ex}$ and $K_A$.
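The two rounds of Protocol-1 above, run end to end by both parties, as an added example that is not part of the patent. The group is a toy one chosen for this example (assumption: $p = 2039$ is a safe prime, $q = 1019 = (p-1)/2$, and $g = 4$ generates the order-$q$ subgroup); SHA-256 stands in for the hash functions $H$ and $H_K$ and HMAC-SHA256 for the MAC. The server performs the order-$q$ check on $X$ that the patent describes, and the `forced_X` parameter lets a caller play the attacker who sends a small-order element, which the check must reject.

```python
"""Protocol-1 of the patent, run end to end in a toy group (added example,
not the patent's own code).  Toy parameters (assumption): p = 2039 is a
safe prime, q = 1019 = (p-1)/2, and g = 4 = 2^2 generates the order-q
subgroup.  A deployment would use a 1024/2048-bit p; the steps are the same.
"""
import hashlib
import hmac
import secrets

P, Q, G = 2039, 1019, 4


def HK(*items):
    """H_K: {0,1}* -> {0,1}^k.  repr() of the tuple is an unambiguous encoding of
    the concatenated inputs; SHA-256 stands in for the patent's SHA-1."""
    return hashlib.sha256(repr(items).encode()).digest()


def H(*items):
    """H: {0,1}* -> Z_q, used for the binding values d and e."""
    return int.from_bytes(HK(*items), "big") % Q


def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def in_order_q_subgroup(X):
    """Server-side check from the patent: X in Z_p^*, X != 1 and X^q = 1 mod p.
    Without it a small-order X leaks (db+ey) modulo that small order via the MAC."""
    return 1 < X < P and pow(X, Q, P) == 1


def run_protocol1(sid=b"R_A||R_B", IA=b"client", IB=b"server", pub=b"SSH-2.0",
                  use_d_hash=True, forced_X=None):
    """Run both sides; return True if they agree on K, None if either side aborts."""
    b = secrets.randbelow(Q - 1) + 1            # server's long-term private key
    B = pow(G, b, P)                            # server's public key, known to A

    # Client A, offline: X, d and B^{dx} do not depend on Y, so all are precomputable.
    x = secrets.randbelow(Q - 1) + 1
    X = pow(G, x, P) if forced_X is None else forced_X   # forced_X simulates an attacker
    d = H(sid, IA, IB, B, X, pub) if use_d_hash else 1
    B_dx = pow(B, d * x % Q, P)
    # Round 1, A -> B: {sid, IA, X}

    # Server B: check X, then ONE online exponentiation X^{(db+ey) mod q}.
    if not in_order_q_subgroup(X):
        return None
    y = secrets.randbelow(Q - 1) + 1            # Y may be precomputed; y is deleted after use
    Y = pow(G, y, P)
    e = H(sid, IA, IB, B, X, Y, pub)            # e binds every public value of the run
    K_B = pow(X, (d * b + e * y) % Q, P)
    K_m = HK(e, K_B)
    tag = mac(K_m, b"\x00")                     # MAC_{Km}(0): proves knowledge of b and y
    K_srv = HK(K_B, e)
    del y, K_B
    # Round 2, B -> A: {sid, IB, B, Y, tag}

    # Client A, online: one exponentiation Y^{ex}, then verify the MAC.
    if not (1 < Y < P):
        return None
    e_a = H(sid, IA, IB, B, X, Y, pub)
    K_A = B_dx * pow(Y, e_a * x % Q, P) % P     # = B^{dx} Y^{ex} = X^{db+ey} = K_B
    if not hmac.compare_digest(tag, mac(HK(e_a, K_A), b"\x00")):
        return None
    K_cli = HK(K_A, e_a)
    return K_srv == K_cli
```

Calling `run_protocol1()` returns True for both the $d = H(\dots)$ and the $d = 1$ variants, while `run_protocol1(forced_X=P - 1)` returns None because $p-1$ has order 2 and fails the $X^q = 1$ check. The toy modulus offers no security; only the message flow and the algebra carry over to real parameters.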
Protocol-2:
Precomputation: client A can precompute $X = g^x \bmod p$ and $B^x \bmod p$; server B can precompute $Y = g^y \bmod p$. Here $x$ and $y$ are chosen uniformly at random from $Z_q$, $X$ is called A's DH key component and $Y$ is called B's DH key component.
Round 1, A to B: $\{sid, I_A, X = g^x \bmod p, H_K(sid, I_A, I_B, B, X, B^x, pub)\}$.
On receiving A's message, B verifies A's identity and that $X$ is an element of $Z_p^*$ other than 1. If verification fails, B refuses to continue the protocol. If it succeeds, B computes $X^b$ and $X^y$ and checks the validity of $H_K(sid, I_A, I_B, B, X, B^x, pub)$, i.e. whether $H_K(sid, I_A, I_B, B, X, B^x, pub) = H_K(sid, I_A, I_B, B, X, X^b, pub)$. If this check fails, B aborts or returns a random string of the same length as $H_K(sid, I_B, B, I_A, Y, X, X^y, X^b, pub)$. If it succeeds, B computes $H_K(sid, I_B, B, I_A, Y, X, X^y, X^b, pub)$ and the session key $K = H_K(sid, I_B, B, I_A, Y, X, X^y, pub)$, deletes $y$, $X^b$ and $X^y$, and proceeds to the next round.
Round 2, B to A: $\{sid, I_B, B, Y = g^y, H_K(sid, I_B, B, I_A, Y, X, X^y, X^b, pub)\}$.
On receiving B's message, client A verifies B's identity and public key and that $Y$ is an element of $Z_p^*$ other than 1. If verification fails, A aborts the protocol. If it succeeds, A computes $Y^x$ and checks that $H_K(sid, I_B, B, I_A, Y, X, X^y, X^b, pub) = H_K(sid, I_B, B, I_A, Y, X, Y^x, B^x, pub)$. If this check fails, A aborts; otherwise A's session key is $K = H_K(sid, I_B, B, I_A, Y, X, Y^x, pub)$, and A deletes $x$, $B^x$ and $Y^x$.
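The two rounds of Protocol-2 above, run by both parties, as an added example that is not part of the patent. It uses the same toy group assumed for the Protocol-1 example ($p = 2039$, $q = 1019$, $g = 4$) and SHA-256 in place of $H_K$. Two failure modes from the text are modelled: the server rejects a first-round $X$ outside the order-$q$ subgroup (the abort behaviour of variant (5) below, rather than the weaker "non-1 element" check), and when the first-round hash does not verify the server answers with a random string of the same length instead of an error, so the reply itself does not tell the sender that the check failed; the client then fails its own second-round check. `forced_X` and `tamper_tag1` let a caller trigger each case.

```python
"""Protocol-2 of the patent, run end to end in a toy group (added example,
not the patent's own code).  Toy parameters (assumption): p = 2039, q = 1019,
g = 4 of order q.  SHA-256 stands in for H_K.
"""
import hashlib
import hmac
import secrets

P, Q, G = 2039, 1019, 4


def HK(*items):
    """H_K: {0,1}* -> {0,1}^k over an unambiguous encoding of the inputs."""
    return hashlib.sha256(repr(items).encode()).digest()


def in_order_q_subgroup(X):
    """X in Z_p^*, X != 1 and X^q = 1 mod p (rejects small-subgroup elements)."""
    return 1 < X < P and pow(X, Q, P) == 1


def run_protocol2(sid=b"R_A||R_B", IA=b"client", IB=b"server", pub=b"SSH-2.0",
                  forced_X=None, tamper_tag1=False):
    """Run both sides; return True if they agree on K, None if either side aborts."""
    b = secrets.randbelow(Q - 1) + 1            # server's long-term private key
    B = pow(G, b, P)                            # server's public key, known to A

    # Client A, offline: X = g^x and B^x are both precomputable.
    x = secrets.randbelow(Q - 1) + 1
    X = pow(G, x, P) if forced_X is None else forced_X
    B_x = pow(B, x, P)
    tag1 = HK(sid, IA, IB, B, X, B_x, pub)
    if tamper_tag1:                             # attacker flips a bit of the tag in flight
        tag1 = bytes([tag1[0] ^ 1]) + tag1[1:]
    # Round 1, A -> B: {sid, IA, X, tag1}

    # Server B: order-q check, then X^b and X^y (parallelisable, ~1.5 exponentiations).
    if not in_order_q_subgroup(X):
        return None                             # variant (5): abort on a bad X
    y = secrets.randbelow(Q - 1) + 1
    Y = pow(G, y, P)
    X_b = pow(X, b, P)                          # only the holder of b can recompute tag1
    X_y = pow(X, y, P)
    if hmac.compare_digest(tag1, HK(sid, IA, IB, B, X, X_b, pub)):
        tag2 = HK(sid, IB, B, IA, Y, X, X_y, X_b, pub)
        K_srv = HK(sid, IB, B, IA, Y, X, X_y, pub)
    else:
        # Patent option: reply with a random string of the same length rather than
        # an error, so the sender cannot tell from the reply that the check failed.
        tag2, K_srv = secrets.token_bytes(32), None
    del y, X_b, X_y
    # Round 2, B -> A: {sid, IB, B, Y, tag2}

    # Client A, online: one exponentiation Y^x, then verify and derive K.
    if not (1 < Y < P):
        return None
    Y_x = pow(Y, x, P)                          # = X^y, so A can recompute tag2
    if not hmac.compare_digest(tag2, HK(sid, IB, B, IA, Y, X, Y_x, B_x, pub)):
        return None
    K_cli = HK(sid, IB, B, IA, Y, X, Y_x, pub)
    return K_srv == K_cli
```

`run_protocol2()` returns True; `run_protocol2(tamper_tag1=True)` returns None because the server's random reply fails the client's check; `run_protocol2(forced_X=P - 1)` returns None at the server's order-$q$ check. Because the server's first-round check requires $X^b$, a party without $b$ cannot produce a reply the client will accept, which is what replaces the signature here.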
Protocol-1 and Protocol-2 admit the following variants:
(1) Other ways of computing the functions $d$ and $e$ in Protocol-1: let $c = H(sid, I_A, I_B, B, pub)$ or $H(I_A, I_B, B)$, and compute $d = H(c, X)$ or $H(I_A, I_B, B, X)$ or 1, and $e = H(c, X, Y)$ or $H(d, Y)$.
Alternatively, $d = H(sid, I_A, I_B, B, X, Y, pub)$ or $H(c, X, Y)$ or $H(e)$ or 1, and $e = H(d)$.
Alternatively, the order of the elements in the input of the hash function $H$ may be changed, or $sid$ or $pub$ may be left out of the input of $H$.
(2) Other ways of computing the session key and the MAC key in Protocol-1: $K = H_K(K_A) = H_K(K_B)$ or $K = H_K(K_A, 1) = H_K(K_B, 1)$; $K_m = H_K(K_A, 0) = H_K(K_B, 0)$.
Some or all of $c$, $d$, $e$, $sid$ and $pub$ may be included in the input of $H_K$.
The session key and the MAC key may be derived with different hash functions, in which case the order of the elements in the inputs of the different hash functions may be the same.
$K$ may be used as the key of a pseudorandom function, with some or all of $0$, $1$, $c$, $d$, $e$, $sid$ and $pub$ as the input of the pseudorandom function, to derive the session key and the MAC key.
The order of the elements in the input of the hash function $H_K$ may be changed.
(3) In Protocol-1, the second-round $MAC_{K_m}(0)$ may be replaced by $MAC_{K_m}(I_B)$ and the third-round $MAC_{K_m}(1)$ by $MAC_{K_m}(I_A)$. Some or all of $c$, $d$, $e$, $sid$ and $pub$ may be included in the input of the MAC; the key point is that the MAC inputs in the second and third rounds must differ.
Provided the input of the MAC is also placed in the input of $H_K$, some or all of the MACs may be dropped and the binding done by the hash function $H_K$ alone.
(4) In Protocol-1 and Protocol-2, user A or B may do no precomputation. In that case the internal state kept before the session key and MAC key are computed consists only of $x$ or $y$, and as soon as the session key has been computed, all internal state generated during the run other than the user's private key and the session key is deleted immediately.
In Protocol-1 with $d = 1$ and no precomputation, $K_A = B^{dx} Y^{ex}$ is computed as: first $B Y^e$, then $(B Y^e)^x$.
(5) In Protocol-2, client A does not send $H_K(sid, I_A, I_B, B, X, B^x, pub)$ in the first round. In that case, when server B finds in the second round that $X$ is not an element of $Z_p^*$ of order $q$ other than 1, it aborts the protocol rather than returning a random value.
(6) In practical applications of Protocol-2, the group $(p^*, g^*, q^*)$ defining the DH key components may differ from the group $(p, g, q)$ defining the server's public key $B$, i.e. $(p^*, g^*, q^*) \ne (p, g, q)$. Then $X = (g^*)^x \bmod p^*$ and $Y = (g^*)^y \bmod p^*$, with $x$ and $y$ chosen at random from $Z_{q^*}$. In this case, besides the DH key component $X$ defined over $(p^*, g^*)$, client A additionally sends $C = g^c \bmod p$ in the first round, and $H_K(sid, I_A, I_B, B, X, B^x, pub)$ is replaced by $H_K(sid, I_A, I_B, B, X, C, B^c, pub)$ or is not sent at all; $X^b$ in the second round is replaced by $C^b \bmod p$. In this setting no order-$q$ check of the DH key components $X$ and $Y$ is needed.
(7) In Protocol-2, let $K_m = H_K(sid, I_B, B, I_A, Y, X, X^y, X^b)$ or $K_m = H_K(X^y, X^b)$; replace the second-round $H_K(sid, I_B, B, I_A, Y, X, X^y, X^b)$ by $MAC_{K_m}(0)$ or $MAC_{K_m}(sid, I_B, B, I_A, Y, X, pub)$; replace the third-round $H_K(sid, I_A, I_B, B, X, Y, Y^x)$ by $MAC_{K_m}(1)$; and replace the first-round $H_K(sid, I_A, I_B, B, X, B^x, pub)$ by $MAC_{H_K(B^x)}(sid, I_A, I_B, B, X, pub)$. Some or all of $0$, $1$, $sid$, $I_A$, $I_B$, $B$, $X$, $Y$ and $pub$ may be used as inputs of the MAC and of $H_K$; the essential points are that $B^x$ (or $B^c$) must be an input of $H_K$ in the first round, $X^y$ and $X^b$ must be inputs of $H_K$ in the second round, and $X^y$ must be an input of $H_K$ in the third round; and when the second and third rounds use the same MAC key, their MAC inputs must differ.
The order of the elements in the input of the hash function $H_K$ may be changed.
(8) Other ways of computing the session key in Protocol-2: $K = H'_K(sid, I_B, B, I_A, Y, X, X^y, X^b)$, where $H'_K$ is a hash function different from $H_K$. Or $H_K(g^{xy})$ or $H_K(g^{xy}, g^{xb})$ may be used as the key of a pseudorandom function, with some or all of $0$, $1$, $sid$, $I_A$, $I_B$, $B$, $X$, $Y$ and $pub$ as its input, to derive the session key and the MAC key; some or all of $0$, $1$, $sid$, $I_A$, $I_B$, $B$, $X$, $Y$ and $pub$ may be inputs of $H_K$.
The order of the elements in the input of the hash function $H_K$ may be changed.
(9) If client A and server B have shared a password $w$ in advance, the first-round $X = g^x$ may be replaced by $X' = X B^w \bmod p$, where $X = g^x$. In the second round the server recovers $X = X' / B^w \bmod p$; all other computations are unchanged.
(10) In Protocol-1 and Protocol-2, the client's DH key component $X$ or the server's DH key component $Y$ may remain unchanged for a period of time (such as several weeks or months). In that case the client's $x$ and $X$ are stored on a secure storage device (such as a secure USB flash drive or another independent, secure storage medium with computing capability), and the server's $y$ is stored in the server's security module or together with the server's private key $b$.
Embodiments
In the concrete implementations below, the values in braces are the message sent; server B's public key is $B = g^b$ and we assume client A has obtained $B$ by some secure means; client A is the initiator of the run and server B the responder.
In the concrete implementations below, the message authentication code MAC is the HMAC described in Internet RFC 2104, published by the IETF (Internet Engineering Task Force). HMAC needs only two hash computations and has been proven to be both a message authentication code and a pseudorandom function. HMAC and the hash functions $H$ and $H_K$ are instantiated with the SHA-1 hash function.
In the concrete implementations below, the session identifier $sid$ is the concatenation of two random strings sent by client A and server B, and $pub$ is the protocol versions of client A and server B (we assume a higher protocol version is backward compatible with lower ones). As a result the protocol actually runs in 4 rounds.
Protocol-1:
Precomputation: client A can precompute $X = g^x \bmod p$, $d = H(I_A \| I_B \| B \| X)$ or $d = 1$, and $B^{dx \bmod q} \bmod p$. Server B can precompute $Y = g^y \bmod p$. Here $\|$ denotes ordered concatenation of strings, $x$ and $y$ are chosen at random from $Z_q$, $X$ is called A's DH key component and $Y$ is called B's DH key component. If server B does not check that $X$ has order $q$, then in view of the risk of small-subgroup attacks, a precomputed $y$ must be kept in a secure module and deleted immediately after $db + ey$ has been computed.
Round 1, A to B: $\{R_A, V_A\}$.
Here $R_A$ is a random 32-bit 0-1 string and $V_A$ is client A's protocol version. On receiving A's message, server B checks that $R_A$ is valid (i.e. a 32-bit 0-1 string) and checks A's protocol version.
Round 2, B to A: $\{R_B, V_B\}$.
Here $R_B$ is a random 32-bit 0-1 string and $V_B$ is server B's protocol version. On receiving B's message, client A checks that $R_B$ is valid (i.e. a 32-bit 0-1 string) and checks B's protocol version. The protocol version actually run is the smaller of $V_A$ and $V_B$, so that both A and B can run it. The session identifier is set to $sid = R_A \| R_B$ and $pub = V_A \| V_B$.
Round 3, A to B: $\{R_A \| R_B, I_A, X = g^x \bmod p\}$.
On receiving A's message, server B verifies A's identity and that $X$ is an element of $Z_p^*$ of order $q$ other than 1 (i.e. $X \in Z_p^*$, $X \ne 1$ and $X^q = 1 \bmod p$). If verification fails, B refuses to continue the protocol; if it succeeds, B computes $K_B = X^{(db+ey) \bmod q} \bmod p$ and deletes $y$ and $db+ey$, where $e = H(R_A \| R_B \| d \| Y \| V_A \| V_B)$ or $e = H(R_A \| R_B \| I_A \| I_B \| B \| X \| Y \| V_A \| V_B)$; B then computes the MAC key $K_m = H_K(e \| K_B)$ and the session key $K = H_K(K_B \| e)$, deletes $K_B$, and proceeds to the next round.
Round 4, B to A: $\{R_A \| R_B, I_B, B, Y = g^y, HMAC_{K_m}(0)\}$.
On receiving B's message, client A verifies B's identity and public key and that $Y$ is an element of $Z_p^*$ other than 1. If verification fails, A aborts the protocol; if it succeeds, A computes $K_A = B^{dx \bmod q} Y^{ex \bmod q} \bmod p$ and $K_m = H_K(e \| K_A)$ and verifies $HMAC_{K_m}(0)$. If the HMAC verifies, A's session key is $K = H_K(K_A \| e)$, and A deletes $x$, $B^{dx}$, $Y^{ex}$ and $K_A$.
Protocol-2:
Precomputation: client "A" can precompute $X = g^x \bmod p$ and $B^x \bmod p$; server "B" can precompute $Y = g^y \bmod p$. Here $x$ and $y$ are chosen at random from $Z_q$; $X$ is called the DH key component of "A" and $Y$ the DH key component of "B".
First round, from "A" to "B": $\{R_A,\ V_A\}$.
where $R_A$ is a random 0-1 string of length 32 and $V_A$ is the protocol version of client "A". After receiving the message from client "A", server "B" verifies the validity of $R_A$ (that is, that $R_A$ is a 0-1 string of length 32) and checks the protocol version of client "A".
Second round, from "B" to "A": $\{R_B,\ V_B\}$.
where $R_B$ is a random 0-1 string of length 32 and $V_B$ is the protocol version of server "B". After receiving the message from server "B", client "A" verifies the validity of $R_B$ (that is, that $R_B$ is a 0-1 string of length 32) and checks the protocol version of server "B". The protocol version actually run is the smaller of $V_A$ and $V_B$, so that both client "A" and server "B" can run it. The session identifier sid is set to $R_A \| R_B$ and pub is set to $V_A \| V_B$.
Third round, from "A" to "B": $\{R_A \| R_B,\ I_A,\ X = g^x \bmod p,\ H_K(R_A \| R_B \| I_A \| I_B \| B \| X \| B^x \| V_A \| V_B)\}$.
After receiving the message from "A", "B" verifies the identity of "A" and checks that $X$ is an element of $Z_p^*$ other than 1. If the check fails, "B" refuses to continue the protocol; if it succeeds, server "B" computes $X^b$ and $X^y$ and verifies the validity of $H_K(R_A \| R_B \| I_A \| I_B \| B \| X \| B^x \| V_A \| V_B)$, that is, whether $H_K(R_A \| R_B \| I_A \| I_B \| B \| X \| B^x \| V_A \| V_B) = H_K(R_A \| R_B \| I_A \| I_B \| B \| X \| X^b \| V_A \| V_B)$. If this verification fails, server "B" either terminates the protocol run or returns a random string of the same length as $H_K(R_A \| R_B \| I_B \| B \| I_A \| Y \| X \| X^y \| X^b \| V_A \| V_B)$; if it succeeds, server "B" computes $H_K(R_A \| R_B \| I_B \| B \| I_A \| Y \| X \| X^y \| X^b \| V_A \| V_B)$ and the session key $K = H_K(R_A \| R_B \| I_B \| B \| I_A \| Y \| X \| X^y \| V_A \| V_B)$, deletes $y$, $X^b$ and $X^y$, and enters the next round.
Fourth round, from "B" to "A": $\{R_A \| R_B,\ I_B,\ B,\ Y = g^y,\ H_K(R_A \| R_B \| I_B \| B \| I_A \| Y \| X \| X^y \| X^b \| V_A \| V_B)\}$.
After receiving the message from server "B", client "A" verifies the identity and the public key of "B" and checks that $Y$ is an element of $Z_p^*$ other than 1. If the check fails, "A" terminates the protocol; if it succeeds, client "A" computes $Y^x$ and verifies that $H_K(R_A \| R_B \| I_B \| B \| I_A \| Y \| X \| X^y \| X^b \| V_A \| V_B) = H_K(R_A \| R_B \| I_B \| B \| I_A \| Y \| X \| Y^x \| B^x \| V_A \| V_B)$. If the verification fails, client "A" terminates the protocol run; if it succeeds, client "A" sets the session key
$K = H_K(R_A \| R_B \| I_B \| B \| I_A \| Y \| X \| Y^x \| V_A \| V_B)$ (with $Y^x = X^y$) and deletes $x$, $B^x$ and $Y^x$.
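Protocol-2 above, with both sides' messages, as an added example in the same toy setting as the Protocol-1 example (Python; not the patent's code; the group $(1019, 509, 4)$, SHA-256 as $H_K$, the 4-byte $R_A$, $R_B$ and the identity and version strings are assumptions). The example applies the order-q check to X and Y, which is stricter than the non-1 check Protocol-2 itself asks of the parties (variant (5) below requires it only when the client's hash is omitted); in a safe-prime group it costs one exponentiation. `server_round4` implements the page's option of answering a bad client proof with a random string of the hash's length instead of an error, and `evil_b` runs the responder without knowledge of b to show that it cannot reproduce $X^b$ and is rejected by the client.

```python
"""Protocol-2 as described above, both sides' messages.

Added example, not the patent's code.  Assumptions: toy safe-prime group
(p, q, g) = (1019, 509, 4), SHA-256 as H_K, 4-byte R_A and R_B, made-up
identity/version strings; a real deployment uses a standardized group of at
least 2048 bits.
"""
import hashlib
import hmac
import secrets

P, Q, G = 1019, 509, 4          # p = 2q + 1, g = 4 generates the order-q subgroup


def enc(*parts):
    """Length-prefixed concatenation of ints and byte strings (the '||' of the description)."""
    bs = [v.to_bytes(4, "big") if isinstance(v, int) else v for v in parts]
    return b"".join(len(b).to_bytes(2, "big") + b for b in bs)


def HK(*parts):
    """H_K: {0,1}* -> {0,1}^256 (SHA-256 here)."""
    return hashlib.sha256(enc(*parts)).digest()


def is_order_q(v):
    """v in Z_p^*, v != 1 and v^q = 1 (mod p).  Protocol-2 only asks for a non-1
    element; the full order check (as for X in Protocol-1) also rejects p - 1,
    the sole small-subgroup element of a safe-prime group."""
    return 1 < v < P and pow(v, Q, P) == 1


def server_keygen():
    b = secrets.randbelow(Q - 1) + 1                  # private key b, public key B = g^b
    return b, pow(G, b, P)


def client_round3(B, sid, pub, I_A, I_B):
    """A -> B: {sid, I_A, X, H_K(sid, I_A, I_B, B, X, B^x, pub)}; X and B^x are precomputable."""
    x = secrets.randbelow(Q - 1) + 1
    X, Bx = pow(G, x, P), pow(B, x, P)
    return (x, X, Bx), (sid, I_A, X, HK(sid, I_A, I_B, B, X, Bx, pub))


def server_round4(b, B, I_B, pub, msg3):
    """Returns (K_server, round-4 message).  A bad client proof is answered with a
    random string of the hash's length, the option the description allows, so the
    reply itself does not tell the sender that the check failed."""
    sid, I_A, X, proof = msg3
    if not is_order_q(X):
        return None, None                             # refuse to continue
    y = secrets.randbelow(Q - 1) + 1
    Y, Xb, Xy = pow(G, y, P), pow(X, b, P), pow(X, y, P)
    if not hmac.compare_digest(proof, HK(sid, I_A, I_B, B, X, Xb, pub)):
        return None, (sid, I_B, B, Y, secrets.token_bytes(32))
    tag = HK(sid, I_B, B, I_A, Y, X, Xy, Xb, pub)     # proves knowledge of b and y
    K = HK(sid, I_B, B, I_A, Y, X, Xy, pub)
    del y, Xb, Xy
    return K, (sid, I_B, B, Y, tag)


def client_finish(state, B, I_A, I_B, pub, msg4):
    """Checks B's proof with Y^x (= X^y) and B^x (= X^b); returns K or None."""
    x, X, Bx = state
    sid, I_B_recv, B_recv, Y, tag = msg4
    if I_B_recv != I_B or B_recv != B or not is_order_q(Y):
        return None
    Yx = pow(Y, x, P)
    if not hmac.compare_digest(tag, HK(sid, I_B, B, I_A, Y, X, Yx, Bx, pub)):
        return None
    K = HK(sid, I_B, B, I_A, Y, X, Yx, pub)
    del x, Bx, Yx
    return K


def run_protocol2(b, B, evil_b=None, I_A=b"client-A", I_B=b"server-B",
                  V_A=b"2.0", V_B=b"2.0"):
    """Full run; evil_b makes the responder answer with a key other than b, i.e. an
    impersonator who presents B without knowing b.  Returns (K_client, K_server)."""
    R_A, R_B = secrets.token_bytes(4), secrets.token_bytes(4)   # rounds 1 and 2
    sid, pub = R_A + R_B, V_A + V_B
    state, msg3 = client_round3(B, sid, pub, I_A, I_B)
    K_srv, msg4 = server_round4(b if evil_b is None else evil_b, B, I_B, pub, msg3)
    K_cli = client_finish(state, B, I_A, I_B, pub, msg4) if msg4 else None
    return K_cli, K_srv


if __name__ == "__main__":
    b, B = server_keygen()
    K_cli, K_srv = run_protocol2(b, B)
    print("agreed:", K_cli is not None and K_cli == K_srv)
    print("impersonator rejected:",
          run_protocol2(b, B, evil_b=b % (Q - 1) + 1) == (None, None))
```

Both hash comparisons use `hmac.compare_digest`, since the server's reply on a mismatch is only indistinguishable from the genuine one if the comparison itself does not leak timing.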
Embodiments of protocol variants:
(1). Other ways of computing the functions d and e in Protocol-1: let $c = H(sid \| I_A \| I_B \| B \| pub)$ or $H(I_A \| I_B \| B)$, and compute $d = H(c \| X)$ or $H(I_A \| I_B \| B \| X)$ or 1, and $e = H(c \| X \| Y)$ or $H(d \| Y)$.
Alternatively, $d = H(sid \| I_A \| I_B \| B \| X \| Y \| pub)$ or $H(c \| X \| Y)$ or $H(e)$ or 1, and $e = H(d)$.
Alternatively, the order of the elements in the input of the hash function H is changed, or sid or pub is left out of the input of H.
(2). In Protocol-1, other ways of computing the session key and the MAC-key: $K = H_K(K_A) = H_K(K_B)$ or $K = H_K(K_A \| 1) = H_K(K_B \| 1)$; $K_m = H_K(K_A \| 0) = H_K(K_B \| 0)$.
Some or all of c, d, e, sid and pub are used as part of the input of $H_K$.
The session key and the MAC-key are derived by different hash functions; in that case the order of the elements in the inputs of the different hash functions may be the same.
K is used as the key of a pseudo-random function, and some or all of 0, 1, c, d, e, sid and pub are used as the input of the pseudo-random function to derive the session key and the MAC-key.
The order of the elements in the input of the hash function $H_K$ is changed.
(3). In Protocol-1, $\mathrm{MAC}_{K_m}(0)$ of the second round is replaced by $\mathrm{MAC}_{K_m}(I_B)$, and $\mathrm{MAC}_{K_m}(1)$ of the third round by $\mathrm{MAC}_{K_m}(I_A)$. Some or all of c, d, e, sid and pub are used as input of the MAC; the key point is:
the input of the MAC in the second round and the input of the MAC in the third round must be different.
Provided that the input of the MAC is also placed in the input of $H_K$, some or all of the MACs are removed and the binding is done with the hash function $H_K$ alone.
(4). In Protocol-1 and Protocol-2, user "A" or "B" performs no precomputation. In that case the internal state kept before the session key and the MAC-key are computed consists only of x or y, and as soon as the session-key computation finishes, all internal state data generated in this protocol run other than the user's private key and the session key is deleted immediately.
In Protocol-1, when d = 1 and no precomputation is done, $K_A = B^{dx} Y^{ex}$ is computed in the order: first $B Y^e \bmod p$, then $(B Y^e)^x$.
(5). In Protocol-2, client "A" does not send $H_K(sid \| I_A \| I_B \| B \| X \| B^x \| pub)$ in the first round. In that case, in the second round, when server "B" finds that X is not a non-1 element of $Z_p^*$ of order q, it terminates the protocol run rather than returning a random string.
(6). In practical applications of Protocol-2, the group in which the DH key components are defined, denoted $(p^*, g^*, q^*)$, may differ from the group in which the server public key B is defined, that is, $(p^*, g^*, q^*) \neq (p, g, q)$. Then $X = (g^*)^x \bmod p^*$ and $Y = (g^*)^y \bmod p^*$, where x and y are chosen at random from $Z_{q^*}$. In this case, besides sending the DH key component X defined over $(p^*, g^*)$ in the first round, client "A" additionally sends $C = g^c \bmod p$ in the first round, and $H_K(sid \| I_A \| I_B \| B \| X \| B^x \| pub)$ is replaced by $H_K(sid \| I_A \| I_B \| B \| X \| C \| B^c \| pub)$, or $H_K(sid \| I_A \| I_B \| B \| X \| C \| B^c \| pub)$ is not sent at all; $X^b$ in the second round is replaced by $C^b \bmod p$. In this situation the DH key components X and Y need not be checked for order q.
(7). In Protocol-2, let $K_m = H_K(sid \| I_B \| B \| I_A \| Y \| X \| X^y \| X^b)$ or $K_m = H_K(X^y \| X^b)$; the second-round $H_K(sid \| I_B \| B \| I_A \| Y \| X \| X^y \| X^b)$ is replaced by $\mathrm{MAC}_{K_m}(0)$ or $\mathrm{MAC}_{K_m}(sid \| I_B \| B \| I_A \| Y \| X \| pub)$; the third-round $H_K(sid \| I_A \| I_B \| B \| X \| Y \| Y^x)$ is replaced by $\mathrm{MAC}_{K_m}(1)$; and the first-round $H_K(sid \| I_A \| I_B \| B \| X \| B^x \| pub)$ is replaced by $\mathrm{MAC}_{H_K(B^x)}(sid \| I_A \| I_B \| B \| X \| pub)$. Some or all of 0, 1, sid, $I_A$, $I_B$, B, X, Y and pub are used as input of the MAC and of $H_K$; the main points are: in the first round $B^x$ or $B^c$ must be an input of $H_K$, in the second round $X^y$ and $X^b$ must be inputs of $H_K$, and in the third round $X^y$ must be an input of $H_K$; when the second and third rounds use the same MAC-key, the input of the MAC in the second round and the input of the MAC in the third round must be different.
The order of the elements in the input of the hash function $H_K$ is changed.
(8). In Protocol-2, another way of computing the session key: $K = H'_K(sid \| I_B \| B \| I_A \| Y \| X \| X^y \| X^b)$, where $H'_K$ is a hash function different from $H_K$. $H_K(g^{xy})$ or $H_K(g^{xy} \| g^{xb})$ is used as the key of a pseudo-random function, and some or all of 0, 1, sid, $I_A$, $I_B$, B, X, Y and pub are used as the input of the pseudo-random function to derive the session key and the MAC-key; some or all of 0, 1, sid, $I_A$, $I_B$, B, X, Y and pub are used as input of $H_K$.
The order of the elements in the input of the hash function $H_K$ is changed.
(9). If client "A" and server "B" share a password w in advance, then $X = g^x$ of the first round may be replaced by $X' = X B^w \bmod p$, where $X = g^x$. In the second round the server computes $X = X' / B^{w \bmod q} \bmod p$; the other computations are unchanged.
(10). In Protocol-1 and Protocol-2, the DH key component X of client "A" or the DH key component Y of server "B" remains unchanged for a certain period of time (such as several weeks or some months). In that case the x and the DH key component X of client "A" are stored in a secure storage device (such as a secure USB flash disk or another independent, secure, dedicated storage medium with computing capability). The y of server "B" is stored in the server's security module or stored together with the private key b of server "B".

Claims (3)

1. An efficient, unforgeable SSH transport layer authentication protocol that needs no digital signature, characterized in that:
The system working environment is:
(1). System parameters: $(p, q, g, H, H_K, \mathrm{MAC})$, where p and q are large primes, q divides p-1, and g is an element of order q in $Z_p^*$ such that the discrete logarithm (DL) problem and the computational Diffie-Hellman (CDH) problem are hard in the subgroup of $Z_p^*$ generated by g; MAC is a message authentication code algorithm; all exponentiations, and all multiplications that are not on exponents, are mod p computations, while additions and multiplications on exponents are mod q computations; here $Z_p^* = \{1, 2, \ldots, p-1\}$; H is a hash function $\{0,1\}^* \to \{0, 1, 2, \ldots, (q-1)/2\}$, $H_K$ is a hash function $\{0,1\}^* \to \{0,1\}^k$, and k is the length of the session key; for strings $s_1, \ldots, s_m$, $m > 1$, $H(s_1, s_2, \ldots, s_m)$ denotes: represent $s_1, \ldots, s_m$ as binary 0-1 strings, concatenate all the 0-1 strings in order, and use the resulting 0-1 string as the input of H;
(2). The system operates in a distributed client-server network; unless otherwise specified, user "A" with identity $I_A$ represents a client, and a client need not have a public key; user "B" with identity $I_B$ represents a server, and server "B" has a discrete-logarithm-based public key denoted $B = g^b \bmod p$, where the private key b is chosen at random by server "B" from $Z_q = \{0, 1, \ldots, q-1\}$; it is assumed that client "A" has obtained the public key of server "B" by some means;
(3). The protocol is based on the Diffie-Hellman key exchange protocol; $X = g^x \bmod p$ denotes the DH key component of client "A", where x, the discrete logarithm of the DH key component X, is chosen at random by client "A" from $Z_q = \{0, 1, \ldots, q-1\}$; $Y = g^y \bmod p$ denotes the DH key component of server "B", where y, the discrete logarithm of the DH key component Y, is chosen at random by server "B" from $Z_q = \{0, 1, \ldots, q-1\}$; client "A" is assumed to be the initiator of the protocol and server "B" the responder; that is, client "A" sends X in the first round; after receiving X, server "B" checks that X is a non-1 element of $Z_p^*$ and sends Y in the second round; after receiving Y, client "A" checks that Y is a non-1 element of $Z_p^*$;
(4). Each execution of the protocol is assumed to have an identifier sid; sid is a string used to distinguish concurrently running protocol executions; the way sid is set and negotiated may vary with the running environment of the protocol; sid is contained in the information exchanged by the users before the protocol run, or in the hash value of the exchanged information;
(5). Other information pub related to the protocol execution: pub is a string, the concatenation of the protocol version, the information exchanged by the users before the protocol execution or its hash value, the users' IP addresses and a timestamp;
The protocol implementation method is:
According to the different ways of computing the session key, there are two protocol implementation methods:
(1). Protocol implementation method-1: client "A" sends $X = g^x \bmod p$ in the first round; after receiving X, server "B" checks that X is a non-1 element of $Z_p^*$ of order q; if the check succeeds, server "B" sends B and $Y = g^y \bmod p$ in the second round, computes $K_B = X^{db+ey}$ and $K_m = H_K(e, K_B)$, and proves to client "A" that it knows b and y by sending $\mathrm{MAC}_{K_m}(0)$; here $d = H(sid, I_A, I_B, B, X, pub)$ or 1, and $e = H(sid, I_A, I_B, B, X, Y, pub)$; server "B" sets the session key $K = H_K(K_B, e)$; after receiving the second-round message of server "B", client "A" computes $K_A = B^{dx} Y^{ex}$ and $K_m = H_K(e, K_A)$ and verifies the validity of the second-round message; client "A" sets the session key $K = H_K(K_A, e)$; to further confirm that client "A" knows the session key, client "A" sends $\mathrm{MAC}_{K_m}(1)$ or $E_K(w)$ in the third round, where E is a private-key (symmetric) encryption algorithm and w is a secret password established in advance by the client and the server;
(2). Protocol implementation method-2: client "A" sends $X = g^x \bmod p$ and $H_K(sid, I_A, I_B, B, X, B^x, pub)$ in the first round; client "A" precomputes X and $B^x$; server "B" checks that X is a non-1 element of $Z_p^*$ and uses $X^b$ to check whether $H_K(sid, I_A, I_B, B, X, B^x, pub) = H_K(sid, I_A, I_B, B, X, X^b, pub)$; if the verification fails, server "B" terminates the protocol run or returns a random string; if it succeeds, server "B" sends $H_K(sid, I_B, B, I_A, Y, X, X^y, X^b)$ in the second round; the session key K is derived from $H_K(g^{xy})$ or $H_K(g^{xy}, g^{xb})$; to further confirm that client "A" knows the session key, client "A" may send $H_K(sid, I_A, I_B, B, X, Y, Y^x)$ or $E_K(w)$ in the third round, where E is a private-key (symmetric) encryption algorithm and w is a secret password established in advance by the client and the server.
2. The efficient, unforgeable SSH transport layer authentication protocol needing no digital signature according to claim 1, characterized in that the execution steps of the protocol are:
In the following protocol descriptions, the values in braces denote the message sent; the public key of server "B" is $B = g^b$, and client "A" is assumed to have obtained the server's public key B in some secure way; client "A" is assumed to be the initiator of the protocol run and server "B" the responder;
Protocol-1:
Precomputation: client "A" precomputes $X = g^x \bmod p$, $d = H(sid, I_A, I_B, B, X, pub)$ or 1, and $B^{dx \bmod q} \bmod p$; server "B" precomputes $Y = g^y \bmod p$; here x and y are chosen at random from $Z_q$, $e = H(d, Y)$ or $e = H(sid, I_A, I_B, B, X, Y, pub)$, X is called the DH key component of "A" and Y the DH key component of "B"; if server "B" does not check the order q of X, then, in view of the risk of small-subgroup attacks, y must be kept in a secure module when Y is precomputed and deleted immediately after db+ey has been computed;
First round, from "A" to "B": $\{sid, I_A, X = g^x \bmod p\}$;
After receiving the message from client "A", server "B" verifies the identity of "A" and that X is a non-1 element of $Z_p^*$ of order q; if the check fails, server "B" refuses to continue the protocol; if it succeeds, server "B" computes $K_B = X^{(db+ey) \bmod q} \bmod p$ and deletes y and db+ey; it computes the MAC-key $K_m = H_K(e, K_B)$ and the session key $K = H_K(K_B, e)$, then deletes $K_B$ and enters the next round;
Second round, from "B" to "A": $\{sid, I_B, B, Y = g^y, \mathrm{MAC}_{K_m}(0)\}$;
After receiving the message from server "B", client "A" verifies the identity and the public key of "B" and that Y is a non-1 element of $Z_p^*$; if the check fails, client "A" terminates the protocol; if it succeeds, client "A" computes $K_A = B^{dx} Y^{ex}$ and $K_m = H_K(e, K_A)$ and verifies the validity of $\mathrm{MAC}_{K_m}(0)$; if $\mathrm{MAC}_{K_m}(0)$ verifies, client "A" sets the session key $K = H_K(K_A, e)$ and deletes x, $B^{dx}$, $Y^{ex}$ and $K_A$;
Protocol-2:
Precomputation: client "A" precomputes $X = g^x \bmod p$ and $B^x \bmod p$; server "B" precomputes $Y = g^y \bmod p$; here x and y are chosen at random from $Z_q$, X is called the DH key component of "A" and Y the DH key component of "B";
First round, from "A" to "B": $\{sid, I_A, X = g^x \bmod p, H_K(sid, I_A, I_B, B, X, B^x, pub)\}$; after receiving the message from "A", "B" verifies the identity of "A" and that X is a non-1 element of $Z_p^*$; if the check fails, "B" refuses to continue the protocol; if it succeeds, server "B" computes $X^b$ and $X^y$ and verifies the validity of $H_K(sid, I_A, I_B, B, X, B^x, pub)$, that is, whether $H_K(sid, I_A, I_B, B, X, B^x, pub) = H_K(sid, I_A, I_B, B, X, X^b, pub)$; if the verification of $H_K(sid, I_A, I_B, B, X, B^x, pub)$ fails, server "B" terminates the protocol run or returns a random string of the same length as $H_K(sid, I_B, B, I_A, Y, X, X^y, X^b, pub)$; if it succeeds, server "B" computes $H_K(sid, I_B, B, I_A, Y, X, X^y, X^b, pub)$ and the session key $K = H_K(sid, I_B, B, I_A, Y, X, X^y, pub)$, deletes y, $X^b$ and $X^y$, and enters the next round;
Second round, from "B" to "A": $\{sid, I_B, B, Y = g^y, H_K(sid, I_B, B, I_A, Y, X, X^y, X^b, pub)\}$;
After receiving the message from server "B", client "A" verifies the identity and the public key of "B" and that Y is a non-1 element of $Z_p^*$; if the check fails, "A" terminates the protocol; if it succeeds, client "A" computes $Y^x$ and verifies that $H_K(sid, I_B, B, I_A, Y, X, X^y, X^b, pub) = H_K(sid, I_B, B, I_A, Y, X, Y^x, B^x, pub)$; if the verification fails, client "A" terminates the protocol run; if it succeeds, client "A" sets the session key $K = H_K(sid, I_B, B, I_A, Y, X, Y^x, pub)$ and deletes x, $B^x$ and $Y^x$.
3. The efficient, unforgeable SSH transport layer authentication protocol needing no digital signature according to claims 1 and 2, characterized in that Protocol-1 and Protocol-2 have the following variants:
(1). Other ways of computing the functions d and e in Protocol-1: let $c = H(sid, I_A, I_B, B, pub)$ or $H(I_A, I_B, B)$, and compute $d = H(c, X)$ or $H(I_A, I_B, B, X)$ or 1, and $e = H(c, X, Y)$ or $H(d, Y)$;
Alternatively, $d = H(sid, I_A, I_B, B, X, Y, pub)$ or $H(c, X, Y)$ or $H(e)$ or 1, and $e = H(d)$;
Alternatively, the order of the elements in the input of the hash function H is changed, or sid or pub is left out of the input of H;
(2). In Protocol-1, other ways of computing the session key and the MAC-key: $K = H_K(K_A) = H_K(K_B)$ or $K = H_K(K_A, 1) = H_K(K_B, 1)$; $K_m = H_K(K_A, 0) = H_K(K_B, 0)$;
Some or all of c, d, e, sid and pub are used as part of the input of $H_K$;
The session key and the MAC-key are derived by different hash functions, in which case the order of the elements in the inputs of the different hash functions may be the same;
K is used as the key of a pseudo-random function, and some or all of 0, 1, c, d, e, sid and pub are used as the input of the pseudo-random function to derive the session key and the MAC-key;
The order of the elements in the input of the hash function $H_K$ is changed;
(3). In Protocol-1, $\mathrm{MAC}_{K_m}(0)$ of the second round is replaced by $\mathrm{MAC}_{K_m}(I_B)$, and $\mathrm{MAC}_{K_m}(1)$ of the third round by $\mathrm{MAC}_{K_m}(I_A)$; some or all of c, d, e, sid and pub are used as input of the MAC, the key point being that the input of the MAC in the second round and the input of the MAC in the third round must be different;
Provided that the input of the MAC is also placed in the input of $H_K$, some or all of the MACs are removed and the binding is done with the hash function $H_K$ alone;
(4). In Protocol-1 and Protocol-2, user "A" or "B" performs no precomputation; in that case the internal state kept before the session key and the MAC-key are computed consists only of x or y, and as soon as the session-key computation finishes, all internal state data generated in this protocol run other than the user's private key and the session key is deleted immediately;
In Protocol-1, when d = 1 and no precomputation is done, $K_A = B^{dx} Y^{ex}$ is computed in the order: first $B Y^e$, then $(B Y^e)^x$;
(5). In Protocol-2, client "A" does not send $H_K(sid, I_A, I_B, B, X, B^x, pub)$ in the first round; in that case, in the second round, when server "B" finds that X is not a non-1 element of $Z_p^*$ of order q, it terminates the protocol run rather than returning a random string;
(6). In practical applications of Protocol-2, the group in which the DH key components are defined, denoted $(p^*, g^*, q^*)$, may differ from the group in which the server public key B is defined, that is, $(p^*, g^*, q^*) \neq (p, g, q)$; then $X = (g^*)^x \bmod p^*$ and $Y = (g^*)^y \bmod p^*$, where x and y are chosen at random from $Z_{q^*}$; in this case, besides sending the DH key component X defined over $(p^*, g^*)$ in the first round, client "A" additionally sends $C = g^c \bmod p$ in the first round, and $H_K(sid, I_A, I_B, B, X, B^x, pub)$ is replaced by $H_K(sid, I_A, I_B, B, X, C, B^c, pub)$, or $H_K(sid, I_A, I_B, B, X, C, B^c, pub)$ is not sent; $X^b$ in the second round is replaced by $C^b \bmod p$; in this situation the DH key components X and Y need not be checked for order q;
(7). In Protocol-2, let $K_m = H_K(sid, I_B, B, I_A, Y, X, X^y, X^b)$ or $K_m = H_K(X^y, X^b)$; the second-round $H_K(sid, I_B, B, I_A, Y, X, X^y, X^b)$ is replaced by $\mathrm{MAC}_{K_m}(0)$ or $\mathrm{MAC}_{K_m}(sid, I_B, B, I_A, Y, X, pub)$; the third-round $H_K(sid, I_A, I_B, B, X, Y, Y^x)$ is replaced by $\mathrm{MAC}_{K_m}(1)$; the first-round $H_K(sid, I_A, I_B, B, X, B^x, pub)$ is replaced by $\mathrm{MAC}_{H_K(B^x)}(sid, I_A, I_B, B, X, pub)$;
Some or all of 0, 1, sid, $I_A$, $I_B$, B, X, Y and pub are used as input of the MAC and of $H_K$, the main points being: in the first round $B^x$ or $B^c$ must be an input of $H_K$, in the second round $X^y$ and $X^b$ must be inputs of $H_K$, and in the third round $X^y$ must be an input of $H_K$; when the second and third rounds use the same MAC-key, the input of the MAC in the second round and the input of the MAC in the third round must be different;
The order of the elements in the input of the hash function $H_K$ is changed;
(8). In Protocol-2, another way of computing the session key: $K = H'_K(sid, I_B, B, I_A, Y, X, X^y, X^b)$, where $H'_K$ is a hash function different from $H_K$;
$H_K(g^{xy})$ or $H_K(g^{xy}, g^{xb})$ is used as the key of a pseudo-random function, and some or all of 0, 1, sid, $I_A$, $I_B$, B, X, Y and pub are used as the input of the pseudo-random function to derive the session key and the MAC-key; some or all of 0, 1, sid, $I_A$, $I_B$, B, X, Y and pub are used as input of $H_K$;
The order of the elements in the input of the hash function $H_K$ is changed;
(9). If client "A" and server "B" share a password w in advance, then $X = g^x$ of the first round may be replaced by $X' = X B^w \bmod p$, where $X = g^x$; in the second round the server computes $X = X' / B^w \bmod p$, and the other computations are unchanged;
(10). In Protocol-1 and Protocol-2, the DH key component X of client "A" or the DH key component Y of server "B" remains unchanged for a certain period of time; in that case the x and the DH key component X of client "A" are stored in a secure storage device; the y of server "B" is stored in the server's security module or stored together with the private key b of server "B".

Priority Applications (5)

Application Number Priority Date Filing Date Title
CNA2008100327728A CN101217549A (en) 2008-01-17 2008-01-17 A SSH transport layer certification protocol of high efficiency, non-forging and without digital signature
PCT/CN2008/072794 WO2009056048A1 (en) 2007-10-23 2008-10-23 Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols
CN2008801222327A CN102017510B (en) 2007-10-23 2008-10-23 Method and structure for self-sealed joint proof-of-knowledge and Diffie-Hellman key-exchange protocols
US12/766,431 US8464060B2 (en) 2007-10-23 2010-04-23 Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols
HK11110843.5A HK1156750A1 (en) 2007-10-23 2011-10-12 Method and structure for self-sealed joint proof-of-knowledge and diffie- hellman key-exchange protocols

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008100327728A CN101217549A (en) 2008-01-17 2008-01-17 A SSH transport layer certification protocol of high efficiency, non-forging and without digital signature

Publications (1)

Publication Number Publication Date
CN101217549A true CN101217549A (en) 2008-07-09

Family

ID=39623911

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008100327728A Pending CN101217549A (en) 2007-10-23 2008-01-17 A SSH transport layer certification protocol of high efficiency, non-forging and without digital signature

Country Status (1)

Country Link
CN (1) CN101217549A (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009056048A1 (en) * 2007-10-23 2009-05-07 Yao Andrew C Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols
US8464060B2 (en) 2007-10-23 2013-06-11 Andrew C. Yao Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols
CN101741842B (en) * 2009-12-07 2012-07-04 北京交通大学 Method for realizing dependable SSH based on dependable computing
CN101789939B (en) * 2010-01-25 2013-10-30 北京交通大学 Effective realization method for credible OpenSSH
CN101834852A (en) * 2010-04-02 2010-09-15 北京交通大学 Realization method of credible OpenSSH for protecting platform information
CN101834852B (en) * 2010-04-02 2013-01-30 北京交通大学 Realization method of credible OpenSSH for protecting platform information
CN113037484A (en) * 2021-05-19 2021-06-25 银联商务股份有限公司 Data transmission method, device, terminal, server and storage medium
CN113037484B (en) * 2021-05-19 2021-08-24 银联商务股份有限公司 Data transmission method, device, terminal, server and storage medium


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080709