CN103347018A - Long-distance identity authentication method based on intelligent card and under multiple-service environment - Google Patents
Long-distance identity authentication method based on intelligent card and under multiple-service environment Download PDFInfo
- Publication number
- CN103347018A CN103347018A CN2013102731971A CN201310273197A CN103347018A CN 103347018 A CN103347018 A CN 103347018A CN 2013102731971 A CN2013102731971 A CN 2013102731971A CN 201310273197 A CN201310273197 A CN 201310273197A CN 103347018 A CN103347018 A CN 103347018A
- Authority
- CN
- China
- Prior art keywords
- smart card
- server
- verification
- new
- identity
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
Abstract
The invention discloses a long-distance identity authentication method based on an intelligent card and under a multiple-service environment. The long-distance identity authentication method comprises the steps that a user registers for a registration center; the user logs in a server registered for the registration center through the intelligent card; local legitimacy verification is carried out by the intelligent card according to information provided by the user, and if the verification is passed, first verification data are generated and sent to the server; the server carries out the legitimacy verification on the identity of the intelligent card, and if the verification is passed, second verification data are generated and sent to the intelligent card; the intelligent card carries out the legitimacy verification on the identity of the server according to the received second verification data, and if the verification is passed, third verification data are generated and sent to the server; the server carries out secondary verification on the identity of the intelligent card according to the received third verification data, and if the verification is passed, a server-side session key is generated. The long-distance identity authentication method resolves the problems that denial of service attacks and internal attacks exist, and a working server cannot be selected.
Description
Technical field
The present invention relates to information security and networking technology area, particularly the long-distance identity-certifying method based on smart card that registration center does not participate in authenticating under a kind of many service environments.
Background technology
Network communications technology development makes increasing people that the service of using network to provide is provided, such as ecommerce, E-Government, electronic logistics etc. rapidly.The user will or enjoy the service that server provides from the server acquired information, at first will sign in to server.Therefore, we need a long-distance identity-certifying scheme that is applied to network, with checking user's legitimacy.But the Internet is a public environment, and anyone can tackle the message between user and the server, so how to protect user profile, prevent that illegal communication is extremely important.
2004, people such as Das proposed one based on the method for dynamic I D, had solved the user tracking problem.But people such as Liao in 2005 point out that people's such as Das method can not resist guessing attack, can not finish both sides' checking.2009, Liao and Wang proposed to have under the multiserver method of anonymity, and their method only uses one-way Hash function to raise the efficiency.The same year, Hsiang and Shih but point out the method for Liao and Wang can not resist internal attack, spoof attack, server impersonation attack and registration center's impersonation attack, in order to overcome the weakness of Liao and Wang method, Hsiang and Shih have proposed their method.Yet in 2011, people such as Lee found that the method for Hsiang and Shih can not overcome spoof attack and server impersonation attack, and in addition, they have proposed to overcome the improvement project of Hsiang and Shih scheme weakness.A secret value is shared by registration center in people's such as Lee the method with legal server, to calculate the secret value of validated user, in article, their method for expressing is available in the future, but in 2012, the method that people such as Lee propose before finding to find again still can not realize anonymity, and the safety defect that has smart card to copy, in order to solve the problem of anonymous authentication, they have proposed a kind of improvement project again, and claim that this scheme is more effective than other schemes, safety.
On the one hand, the step that does not have local verification in people's such as Lee the design.If the assailant obtains a sheet smart card by any way, then can be by sending logging request to server continuously, make the system can't operate as normal, thus can the successful implementation Denial of Service attack.On the other hand, if the person of internaling attack has obtained smart card in some way, people's such as Lee method just might be subjected to internal attack, and step is as follows:
Step1: the person of internaling attack records the CID that calculates when last user logins
NewAnd B
i, and by the differential power analysis (Differential Power Analysis, DPA) (Simple Power Analysis SPA) obtains storage information b from smart card with the simple energy analysis
New
Step2: the assailant calculates h (ID
i⊕ PW
i)=CID
New⊕ b
New, select b then at random
*, N
i *, calculate CID
*=h (ID
i⊕ PW
i) ⊕ b
*,
Last assailant will
Send to server S
j
Step3: continue to finish remaining verification step of former scheme, the assailant just can produce the reply key smoothly by checking, and imitation user and server communicate.
Also have, Servers-all all has only an identical hush values h (x) in people's such as Lee the method, can think that Servers-all is all identical.In the case, Servers-all all can receive the logging request signal that the user sends, if each idle server participates in work, will cause the confusion in the communication, causes normally login authentication.
Summary of the invention
At above defective, the object of the present invention is to provide a kind of long-distance identity-certifying method based on smart card, can resist Denial of Service attack that people's method such as Lee exists better, internal attack, and can solve the identical problem of server that people's method such as Lee causes because of design defect.
For achieving the above object, the present invention adopts following technical scheme:
A kind of described method comprises: the user submits application for registration to registration center based on long-distance identity-certifying method under many service environments of smart card, and after succeeding in registration, will there be the smart card of customizing messages in registration center and issues the user; The user is by the smart card logon server, and described server was registered in described registration center; Described smart card carries out local legitimate verification according to the information that the user provides, if smart card checking user is legal, then generates the first verification data that comprises server selection information, and first verification data is sent to server; Described server carries out legitimate verification according to received first verification data to smart card identity, and judge whether to be the smart card selected server, if selected server checking smart card identity is legal, then generate second verification msg that is used for the authentication server identity, and second verification msg is sent to smart card; Described smart card carries out legitimate verification according to second verification msg that receives to server identity, if smart card authentication server identity is legal, then generate smart card end session key and be used for the 3rd verification msg that secondary is verified, and the 3rd verification msg is sent to server; Described server carries out the secondary checking according to the 3rd verification msg that receives to smart card identity, if the server authentication smart card identity is legal, then generates the server end session key.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, also comprise before the step before the user registers: a secret value x selects in described registration center, calculate its cryptographic Hash h (x), and by safe lane the value of h (x) is shared with the legal server that each was registered in this registration center.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, the user further comprises in the step that registration center registers: when registration phase began, the user selected the password PW of oneself by smart card
i, smart card produces random number b, calculates User Identity CID=h (ID
i⊕ PW
i) ⊕ b, wherein ID
iBe user's user name, the value that will calculate back CID then sends to registration center; After User Identity CID receives in described registration center, calculate B
i=h (CID||h (x)), described result of calculation B
iComprise the shared key information of subscriber identity information and described legal server simultaneously, registration center is with B then
iIssue the user with hash function h (); The user calculates BPW=B
i⊕ h (PW
i), T
i=h (h (ID
i⊕ PW
i)), C
i=b ⊕ h (PW
i), and with described result of calculation BPW, T
i, C
iDeposit smart card in described hash function h (.).
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, login step further comprises: described user is by the user name ID of smart card input oneself
i, password PW
iWith server identification SID
j, smart card calculates T
i *=h (h (ID
i⊕ PW
i)), checking result of calculation T
i *T with smart cards for storage
iWhether equate that if equate, then the user is by local legitimate verification.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, the step that generates and sends first verification data further comprises: smart card calculates CID=h (ID
i⊕ PW
i) ⊕ C
i⊕ h (PW
i), B
i=BPW ⊕ h (PW
i); Described smart card produces two random number b
NewAnd N
i, calculate CID
New=h (ID
i⊕ PW
i) ⊕ b
New, V
i=CID
New⊕ h (B
i|| N
i), Q
i=h (CID
New|| B
i|| N
i|| SID
j), then, smart card is with aided verification data CID, V
i, N
iWith first verification data Q
iSend to server.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, the step of server authentication smart card identity legitimacy further comprises: server is verified verification msg after receiving the verification msg of smart card transmission; Described server calculates B
i=h (CID||h (x)), CID
New=V
i⊕ h (B
i|| N
i), and by judging described verification msg Q
iWith server calculated value h (CID
New|| B
i|| N
i|| SID
j) whether equate to verify the legitimacy of smart card identity.
Further, a kind of described first verification data has not only comprised the authentication information of smart card based on long-distance identity-certifying method under many service environments of smart card, and has comprised server selection information.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, the step that generates and sends second verification msg further comprises: server generates random number N
j, and calculate aided verification data B
New=h (CID
New|| h (x)), V
j=B
New⊕ h (B
i|| N
j), and the second verification msg Q
j=h (CID||B
New|| N
j); Described server is with verification msg V
j, N
j, Q
jSend to smart card.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, the step of smart card authentication server identity legitimacy further comprises: smart card is verified verification msg after receiving the verification msg of server transmission; Described smart card calculates B
New=V
j⊕ h (B
i|| N
j), and by judging described verification msg Q
jWith smart card calculated value h (CID||B
New|| N
j) whether equate to come the legitimacy of authentication server identity.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, also comprise after smart card authentication server identity is legal: the memory contents of upgrading smart card; Smart card calculates BPW
New=B
New⊕ h (PW
i), C
New=b
New⊕ h (PW
i), and use BPW
New, C
NewBPW, the C of storage before replacing it
i
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, this method also comprises the secondary verification step except the step of mutual checking: smart card calculates the 3rd verification msg Qi
j=h (N
i|| B
i|| N
j|| B
New), and send it to server; Server receives described the 3rd verification msg Q
IjAfter, judge Q
IjWith server calculated value h (N
i|| B
i|| N
j|| B
New) whether equate.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, smart card and server also comprise after verifying step: smart card is according to formula S K=h (N
i|| N
j|| B
i) session key; Server is according to formula S K=h (N
i|| N
j|| B
i) session key.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, use multiple checking means to carry out long-distance identity-certifying, comprise bi-directional verification and the secondary checking of local verification, communicating pair.
In technical scheme of the present invention, increased the local verification step, if mistake appears in the user when the input username and password, method stops reply this time with this locality, can not submit request to server, so can effectively resist the Denial of Service attack that assailant's malice invalidation request causes.In addition, owing to no longer store random number b in the intelligent memory card, according to meeting with the analysis of internaling attack in people's such as above-mentioned Lee the method, the assailant can't obtain h (ID by calculating
i⊕ PW
i), also just can't carry out following computing, even the person of internaling attack has stored the CID that calculates when last user logins
NewAnd B
i, and in smart card, having extracted memory contents, the assailant still can not imitate the user and communicate, so the present invention can resist and internals attack.Also have, the present invention introduces SID in the login authentication stage
jCalculate Q
i=h (CID
New|| B
i|| N
i|| SID
j), after non-user-selected server has been received logging request, carrying out Q
iCalculating the time can use oneself
*, thereby checking can't be passed through, stop reply, therefore can avoid because of the identical communication confusion phenomenon that causes of server.
Description of drawings
Fig. 1 is the schematic diagram of a specific embodiment registration phase step of the present invention;
Fig. 2 is the schematic diagram of a specific embodiment entry stage step of the present invention.
Embodiment
In order to make purpose of the present invention, technical scheme and advantage clearer, below in conjunction with drawings and Examples, the present invention is further elaborated.Should be appreciated that specific embodiment described herein only in order to explaining the present invention, and be not used in restriction the present invention.
In the technical scheme that the present invention announces, comprise three participants, user U
i, the RC of registration center and server S
jComprise three phases, registration phase, entry stage and Qualify Phase.
A kind of based on long-distance identity-certifying method under many service environments of smart card, method comprises: as shown in Figure 1, the user submits application for registration to registration center, after succeeding in registration, will there be the smart card of customizing messages in registration center and issue the user, wherein not comprise random number b in the customizing messages; As shown in Figure 2, the user is by the smart card logon server, and server was registered in registration center; Smart card carries out local legitimate verification according to the information that the user provides, if smart card checking user is legal, then generates the first verification data that comprises server selection information, and first verification data is sent to server; Server carries out legitimate verification according to received first verification data to smart card identity, and judge whether to be the smart card selected server, if selected server checking smart card identity is legal, then generate second verification msg that is used for the authentication server identity, and second verification msg is sent to smart card; Smart card carries out legitimate verification according to second verification msg that receives to server identity, if smart card authentication server identity is legal, then generate smart card end session key and be used for the 3rd verification msg that secondary is verified, and the 3rd verification msg is sent to server; Server carries out the secondary checking according to the 3rd verification msg that receives to smart card identity, if the server authentication smart card identity is legal, then generates the server end session key.
In technical scheme of the present invention, increased the local verification step, if mistake appears in the user when the input username and password, method stops reply this time with this locality, can not submit request to server, so can effectively resist the Denial of Service attack that assailant's malice invalidation request causes.In addition, owing to no longer store random number b in the intelligent memory card, according to meeting with the analysis of internaling attack in people's such as above-mentioned Lee the method, the assailant can't obtain h (ID by calculating
i⊕ PW
i), wherein, ID
iFor the user logins identity information, PW
iBe password, also just can't carry out following computing, even the person of internaling attack has stored the CID that calculates when last user logins
NewAnd B
i, wherein, B
i=h (CID||h (x)), and extracted memory contents in smart card, the assailant still can not imitate the user and communicate, so the present invention can resist and internals attack.Also have, the present invention introduces server identification SID in the login authentication stage
jCalculate Q
i=h (CID
New|| B
i|| N
i|| SID
j), wherein, N
iBe the random number that smart card produces, after non-user-selected server has been received logging request, carrying out Q
iCalculating the time can use oneself
*, thereby checking can't be passed through, stop reply, therefore can avoid because of the identical communication confusion phenomenon that causes of server.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, also comprise before the step before the user registers: a secret value x selects in described registration center, calculate its cryptographic Hash h (x), and by safe lane the value of h (x) is shared with the legal server that each was registered in this registration center, in entry stage, whether the user is by holding the legitimacy that h (x) judges server to server.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, the user further comprises in the step that registration center registers: when registration phase began, the user selected the password PW of oneself by smart card
i, smart card produces random number b, calculates User Identity CID=h (ID
i⊕ PW
i) ⊕ b, wherein ID
iBe user's user name, the value that will calculate back CID then sends to registration center; After User Identity CID receives in described registration center, calculate B
i=h (CID||h (x)), described result of calculation B
iComprise the shared key information of subscriber identity information and described legal server simultaneously, registration center is with B then
iIssue the user with hash function h (); The user calculates BPW=B
i⊕ h (PW
i), T
i=h (h (ID
i⊕ PW
i)), C
i=b ⊕ h (PW
i), and with described result of calculation BPW, T
i, C
iDeposit smart card in described hash function h (.).
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, login step further comprises: described user is by the user name ID of smart card input oneself
i, password PW
iWith server identification SID
j, smart card calculates T
i *=h (h (ID
i⊕ PW
i)), checking result of calculation T
i *T with smart cards for storage
iWhether equate that if equate, then the user is by local legitimate verification.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, the step that generates and sends first verification data further comprises: smart card calculates CID=h (ID
i⊕ PW
i) ⊕ C
i⊕ h (PW
i), B
i=BPW ⊕ h (PW
i); Described smart card produces two random number b
NewAnd N
i, calculate CID
New=h (ID
i⊕ PW
i) ⊕ b
New, V
i=CID
New⊕ h (B
i|| N
i), Q
i=h (CID
New|| B
i|| N
i|| SID
j), then, smart card is with aided verification data CID, V
i, N
iWith first verification data Q
iSend to server.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, the step of server authentication smart card identity legitimacy further comprises: server is verified verification msg after receiving the verification msg of smart card transmission; Described server calculates B
i=h (CID||h (x)), CID
New=V
i⊕ h (B
i|| N
i), and by judging described verification msg Q
iWith server calculated value h (CID
New|| B
i|| N
i|| SID
j) whether equate to verify the legitimacy of smart card identity.
Further, a kind of described first verification data has not only comprised the authentication information of smart card based on long-distance identity-certifying method under many service environments of smart card, and has comprised server selection information.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, the step that generates and sends second verification msg further comprises: server generates random number N
j, and calculate aided verification data B
New=h (CID
New|| h (x)), V
j=B
New⊕ h (B
i|| N
j), and the second verification msg Q
j=h (CID||B
New|| N
j); Described server is with verification msg V
j, N
j, Q
jSend to smart card.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, the step of smart card authentication server identity legitimacy further comprises: smart card is verified verification msg after receiving the verification msg of server transmission; Described smart card calculates B
New=V
j⊕ h (B
i|| N
j), and by judging described verification msg Q
jWith smart card calculated value h (CID||B
New|| N
j) whether equate to come the legitimacy of authentication server identity.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, also comprise after smart card authentication server identity is legal: the memory contents of upgrading smart card; Smart card calculates BPW
New=B
New⊕ h (PW
i), C
New=b
New⊕ h (PW
i), and use BPW
New, C
NewBPW, the C of storage before replacing it
i
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, this method also comprises the secondary verification step except the step of mutual checking: smart card calculates the 3rd verification msg Qi
j=h (N
i|| B
i|| N
j|| B
New), and send it to server; Server receives described the 3rd verification msg Qi
jAfter, judge Qi
jWith server calculated value h (N
i|| B
i|| N
j|| B
New) whether equate.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, smart card and server also comprise after verifying step: smart card is according to formula S K=h (N
i|| N
j|| B
i) session key; Server is according to formula S K=h (N
i|| N
j|| B
i) session key.
Further, a kind of based on long-distance identity-certifying method under many service environments of smart card, use multiple checking means to carry out long-distance identity-certifying, comprise bi-directional verification and the secondary checking of local verification, communicating pair.
As another one specific embodiment of the present invention, registration phase is finished user U
iRegistration work in registration center, communication is carried out in safe lane.Concrete steps are as described below:
Step1: user U
iProduce a random number b and select his/her password PW
iWith identify label ID
iU then
iCalculate its dynamic identify label CID=h (ID
i⊕ PW
i) ⊕ b, and the value of CID sends to the RC of registration center after will calculating.
Step2: the RC of registration center receives the U from the user
iThe value of CID after, registration center utilizes has unidirectional hash function h () calculating parameter B
i=h (CID||h (x)), RC is with { B then
i, h () } and send to U
i
Step3: work as U
iReceive { B
i, h (.) } time, U
iCalculating parameter BPW=B
i⊕ h (PW
i), T
i=h (h (ID
i⊕ PW
i)), C
i=b ⊕ h (PW
i).At last, U
iWith { BPW, T
i, C
i, h (.) } exist in the smart card.
Login and Qualify Phase will be finished bi-directional verification and the secondary checking of local verification, user and server.Concrete steps are as follows:
Step1:U
iImport the user name ID of oneself
i, password PW
iWith server identification SID
j, smart card utilizes input value calculating parameter T
i *=h (h (ID
i⊕ PW
i)), and checking T
i *With depositing parameter T
iWhether equate, if equate, the step below then continuing, otherwise interrupt session.
Step2: smart card calculates { CID, B
iValue, CID=h (ID wherein
i⊕ PW
i) ⊕ C
i⊕ h (PW
i), B
i=BPW ⊕ h (PW
i).Then, smart card produces two random number b
NewAnd N
i, continue to calculate { V
i, CID
New, Q
i, V parameter wherein
i=CID
New⊕ h (B
i|| N
i), CID
New=h (ID
i⊕ PW
i) ⊕ b
New, first verification data Q
i=h (CID
New|| B
i|| N
i|| SID
j).At last, smart card is with { CID, V
i, Q
i, N
iSend to server S
j
Step3: work as server S
jReceive information { CID, V that smart card sends over
i, Q
i, N
i, S
jCalculate B
i=h (CID||h (x)), CID
New=V
i⊕ h (B
i|| N
i), and checking Q
iWith h (CID
New|| B
i|| N
i|| SID
j) whether equate.If Q
iWith h (CID
New|| B
i|| N
i|| SID
j) equate, U is described
iPassed through S
jAuthentication, and can determine S
jBe user-selected server.Verified U
iIdentity after, S
jGenerate random number N
j, and calculate { B
New, V
j, Q
j, B parameter wherein
New=h (CID
New|| h (x)), V
j=B
New⊕ h (B
i|| N
j), the second verification msg Q
j=h (CID||B
New|| N
j).At last, S
jWith { V
j, Q
j, N
jValue return to smart card.
Step4: smart card calculates B
New=V
j⊕ h (B
i|| N
j) and verify Q
jWith h (CID||B
New|| N
j) whether equate.If Q
jAnd h (CID||B
New|| N
j) equate, S is described
jPassed through U
iAuthentication.Then, smart card calculating parameter BPW
New=B
New⊕ h (PW
i), C
New=b
New⊕ h (PW
i), and the memory contents { BPW in the renewal smart card
New, C
New.At last, smart card calculates this U
iAnd S
jSession key SK=h (the N that communication is used
i|| N
j|| B
i) and be used for the 3rd verification msg Qi of double authentication
j=h (N
i|| B
i|| N
j|| B
New), and with Qi
jValue send to S
j
Step5:S
jReceive Qi
jAfter, checking Qi
jWith h (N
i|| B
i|| N
j|| B
New) whether equate.If equate S
jSession key SK=h (N
i|| N
j|| B
i).So far, finish login and proof procedure.
In sum, the present invention adds methods such as authorization information by local verification, encrypted random number, server identity sign, the problem that has solved the Denial of Service attack that exists in the method that people such as Lee propose, internaled attack and can't select workspace server.Have that password can be revised, the secret key of session can be changed, do not have registration table, have forward-backward algorithm safely, have a beneficial effect such as anonymity, anti-man-in-the-middle attack completely.
The above is preferred embodiment of the present invention only, is not to limit practical range of the present invention; If do not break away from the spirit and scope of the present invention, the present invention is made amendment or is equal to replacement, all should be encompassed in the middle of the protection range of claim of the present invention.
Claims (13)
1. one kind based on long-distance identity-certifying method under many service environments of smart card, it is characterized in that described method comprises:
The user submits application for registration to registration center, and after succeeding in registration, will there be the smart card of customizing messages in registration center and issues the user;
The user is by the smart card logon server, and described server was registered in described registration center;
Described smart card carries out local legitimate verification according to the information that the user provides, if smart card checking user is legal, then generates the first verification data that comprises server selection information, and first verification data is sent to server;
Described server carries out legitimate verification according to received first verification data to smart card identity, and judge whether to be the smart card selected server, if selected server checking smart card identity is legal, then generate second verification msg that is used for the authentication server identity, and second verification msg is sent to smart card;
Described smart card carries out legitimate verification according to second verification msg that receives to server identity, if smart card authentication server identity is legal, then generate smart card end session key and be used for the 3rd verification msg that secondary is verified, and the 3rd verification msg is sent to server;
Described server carries out the secondary checking according to the 3rd verification msg that receives to smart card identity, if the server authentication smart card identity is legal, then generates the server end session key.
2. method according to claim 1 is characterized in that, also comprises before the step before the user registers:
A secret value x selects in described registration center, calculates its cryptographic Hash h (x), and by safe lane the value of h (x) is shared with the legal server that each was registered in this registration center.
3. method according to claim 1 and 2 is characterized in that, the user further comprises in the step that registration center registers:
When registration phase began, the user selected the password PW of oneself by smart card
i, smart card produces random number b, calculates User Identity CID=h (ID
i⊕ PW
i) ⊕ b, wherein ID
iBe user's user name, the value that will calculate back CID then sends to registration center;
After User Identity CID receives in described registration center, calculate B
i=h (CID||h (x)), described result of calculation B
iComprise the shared key information of subscriber identity information and described legal server simultaneously, registration center is with B then
iIssue the user with hash function h ();
The user calculates BPW=B
i⊕ h (PW
i), T
i=h (h (ID
i⊕ PW
i)), C
i=b ⊕ h (PW
i), and with described result of calculation BPW, T
i, C
iDeposit smart card in described hash function h ().
4. method according to claim 1 and 2 is characterized in that, login step further comprises:
Described user is by the user name ID of smart card input oneself
i, password PW
iWith server identification SID
j, smart card calculates T
i *=h (h (ID
i⊕ PW
i)), checking result of calculation T
i *T with smart cards for storage
iWhether equate that if equate, then the user is by local legitimate verification.
5. method according to claim 4 is characterized in that, the step that generates and sends first verification data further comprises:
Smart card calculates CID=h (ID
i⊕ PW
i) ⊕ C
i⊕ h (PW
i), B
i=BPW ⊕ h (PW
i);
Described smart card produces two random number b
NewAnd N
i, calculate CID
New=h (ID
i⊕ PW
i) ⊕ b
New, V
i=CID
New⊕ h (B
i|| N
i), Q
i=h (CID
New|| B
i|| N
i|| SID
j), then, smart card is with aided verification data CID, V
i, N
iWith first verification data Q
iSend to server.
6. method according to claim 4 is characterized in that, the step of server authentication smart card identity legitimacy further comprises:
Server is verified verification msg after receiving the verification msg of smart card transmission;
Described server calculates B
i=h (CID||h (x)), CID
New=V
i⊕ h (B
i|| N
i), and by judging described verification msg Q
iWith server calculated value h (CID
New|| B
i|| N
i|| SID
j) whether equate to verify the legitimacy of smart card identity.
7. method according to claim 6 is characterized in that,
Described first verification data has not only comprised the authentication information of smart card, and has comprised server selection information.
8. method according to claim 6 is characterized in that, the step that generates and sends second verification msg further comprises:
Server generates random number N
j, and calculate aided verification data B
New=h (CID
New|| h (x)), V
j=B
New⊕ h (B
i|| N
j), and the second verification msg Q
j=h (CID||B
New|| N
j);
Described server is with verification msg V
j, N
j, Q
jSend to smart card.
9. method according to claim 8 is characterized in that, the step of smart card authentication server identity legitimacy further comprises:
Smart card is verified verification msg after receiving the verification msg of server transmission;
Described smart card calculates B
New=V
j⊕ h (B
i|| N
j), and by judging described verification msg Q
jWith smart card calculated value h (CID||B
New|| N
j) whether equate to come the legitimacy of authentication server identity.
10. method according to claim 9 is characterized in that, also comprises after smart card authentication server identity is legal:
Upgrade the memory contents of smart card;
Smart card calculates BPW
New=B
New⊕ h (PW
i), C
New=b
New⊕ h (PW
i), and use BPW
New, C
NewBPW, the C of storage before replacing it
i
11. method according to claim 8 is characterized in that, this method also comprises the secondary verification step except the step of mutual checking:
Smart card calculates the 3rd verification msg Qi
j=h (N
i|| B
i|| N
j|| B
New), and send it to server;
Server receives described the 3rd verification msg Q
IjAfter, judge Q
IjWith server calculated value h (N
i|| B
i|| N
j|| B
New) whether equate.
12. method according to claim 11 is characterized in that, smart card and server also comprise after verifying step:
Smart card is according to formula S K=h (N
i|| N
j|| B
i) session key;
Server is according to formula S K=h (N
i|| N
j|| B
i) session key.
13. method according to claim 1 is characterized in that,
Use multiple checking means to carry out long-distance identity-certifying, comprise bi-directional verification and the secondary checking of local verification, communicating pair.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2013102731971A CN103347018A (en) | 2013-07-02 | 2013-07-02 | Long-distance identity authentication method based on intelligent card and under multiple-service environment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2013102731971A CN103347018A (en) | 2013-07-02 | 2013-07-02 | Long-distance identity authentication method based on intelligent card and under multiple-service environment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN103347018A true CN103347018A (en) | 2013-10-09 |
Family
ID=49281792
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2013102731971A Pending CN103347018A (en) | 2013-07-02 | 2013-07-02 | Long-distance identity authentication method based on intelligent card and under multiple-service environment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103347018A (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104809823A (en) * | 2015-03-13 | 2015-07-29 | 东方通信股份有限公司 | ATM (Automatic Teller Machine) encryption authorization hub and method |
| CN104821941A (en) * | 2015-04-21 | 2015-08-05 | 南京邮电大学 | Smart card password authentication and password changing method |
| CN105939197A (en) * | 2016-03-17 | 2016-09-14 | 天地融科技股份有限公司 | Identity authentication method and system |
| CN106911657A (en) * | 2015-12-22 | 2017-06-30 | 广达电脑股份有限公司 | Combining wireless and the method for smart card login authentication and server and computer-readable recording medium |
| CN107171903A (en) * | 2017-05-02 | 2017-09-15 | 青岛海尔空调器有限总公司 | A kind of household electrical appliances distribution method and device |
| CN107248997A (en) * | 2017-07-03 | 2017-10-13 | 暨南大学 | Authentication method based on smart card under environment of multi-server |
| CN109327313A (en) * | 2018-11-07 | 2019-02-12 | 西安电子科技大学 | A kind of Bidirectional identity authentication method with secret protection characteristic, server |
| CN110572800A (en) * | 2019-08-14 | 2019-12-13 | 中国人民解放军战略支援部队信息工程大学 | equipment identity authentication method and device in machine-to-machine environment |
| CN114900288A (en) * | 2022-05-23 | 2022-08-12 | 科大天工智能装备技术(天津)有限公司 | Industrial environment authentication method based on edge service |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101902476A (en) * | 2010-07-27 | 2010-12-01 | 浙江大学 | Method for authenticating identity of mobile peer-to-peer user |
| CN102377573A (en) * | 2011-12-08 | 2012-03-14 | 华东师范大学 | Double-factor authentication method capable of securely updating password |
| CN102571359A (en) * | 2012-04-06 | 2012-07-11 | 上海凯卓信息科技有限公司 | Method for certificating cloud desktop based on smart card |
-
2013
- 2013-07-02 CN CN2013102731971A patent/CN103347018A/en active Pending
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101902476A (en) * | 2010-07-27 | 2010-12-01 | 浙江大学 | Method for authenticating identity of mobile peer-to-peer user |
| CN102377573A (en) * | 2011-12-08 | 2012-03-14 | 华东师范大学 | Double-factor authentication method capable of securely updating password |
| CN102571359A (en) * | 2012-04-06 | 2012-07-11 | 上海凯卓信息科技有限公司 | Method for certificating cloud desktop based on smart card |
Non-Patent Citations (5)
| Title |
|---|
| DEBASIS GIRI等: ""Cryptanalysis and improvement of a remote user authentication scheme using smart cards"", 《IEEE》, 5 August 2008 (2008-08-05), pages 355 - 361 * |
| 吴修锋: ""基于智能卡的远程口令认证***的研究与设计"", 《中国优秀硕士学位论文全文数据库信息科技辑》, no. 12, 15 December 2006 (2006-12-15), pages 139 - 336 * |
| 李雄: ""多种环境下身份认证协议的研究与设计"", 《中国博士学位论文全文数据库信息科技辑》, no. 1, 15 January 2013 (2013-01-15), pages 139 - 16 * |
| 胡兰兰: ""安全协议和方案的研究与设计"", 《中国博士学位论文全文数据库信息科技辑》, no. 10, 15 October 2008 (2008-10-15), pages 139 - 7 * |
| 胡荣磊等: ""对一种远程用户口令认证方案的改进"", 《北京航空航天大学学报》, vol. 34, no. 9, 15 September 2008 (2008-09-15), pages 1037 - 1040 * |
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104809823A (en) * | 2015-03-13 | 2015-07-29 | 东方通信股份有限公司 | ATM (Automatic Teller Machine) encryption authorization hub and method |
| CN104821941A (en) * | 2015-04-21 | 2015-08-05 | 南京邮电大学 | Smart card password authentication and password changing method |
| CN104821941B (en) * | 2015-04-21 | 2017-12-05 | 南京邮电大学 | Smart card password authentication and Modify password method |
| CN106911657A (en) * | 2015-12-22 | 2017-06-30 | 广达电脑股份有限公司 | Combining wireless and the method for smart card login authentication and server and computer-readable recording medium |
| CN106911657B (en) * | 2015-12-22 | 2019-12-10 | 广达电脑股份有限公司 | method and server for login authentication by combining wireless and smart card and readable medium |
| CN105939197A (en) * | 2016-03-17 | 2016-09-14 | 天地融科技股份有限公司 | Identity authentication method and system |
| CN105939197B (en) * | 2016-03-17 | 2019-02-12 | 天地融科技股份有限公司 | A kind of identity identifying method and system |
| CN107171903A (en) * | 2017-05-02 | 2017-09-15 | 青岛海尔空调器有限总公司 | A kind of household electrical appliances distribution method and device |
| CN107248997A (en) * | 2017-07-03 | 2017-10-13 | 暨南大学 | Authentication method based on smart card under environment of multi-server |
| CN107248997B (en) * | 2017-07-03 | 2020-04-14 | 暨南大学 | Authentication method based on intelligent card under multi-server environment |
| CN109327313A (en) * | 2018-11-07 | 2019-02-12 | 西安电子科技大学 | A kind of Bidirectional identity authentication method with secret protection characteristic, server |
| CN110572800A (en) * | 2019-08-14 | 2019-12-13 | 中国人民解放军战略支援部队信息工程大学 | equipment identity authentication method and device in machine-to-machine environment |
| CN110572800B (en) * | 2019-08-14 | 2022-04-05 | 中国人民解放军战略支援部队信息工程大学 | Equipment identity authentication method and device in machine-to-machine environment |
| CN114900288A (en) * | 2022-05-23 | 2022-08-12 | 科大天工智能装备技术(天津)有限公司 | Industrial environment authentication method based on edge service |
| CN114900288B (en) * | 2022-05-23 | 2023-08-25 | 北京科技大学 | Industrial environment authentication method based on edge service |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Son et al. | Design of blockchain-based lightweight V2I handover authentication protocol for VANET | |
| CN103347018A (en) | Long-distance identity authentication method based on intelligent card and under multiple-service environment | |
| Chen et al. | Mobile device integration of a fingerprint biometric remote authentication scheme | |
| CN109327313A (en) | A kind of Bidirectional identity authentication method with secret protection characteristic, server | |
| CN107360571B (en) | Method for anonymous mutual authentication and key agreement protocol in mobile network | |
| CN103338201B (en) | The remote identity authentication method that under a kind of environment of multi-server, registration center participates in | |
| CN109412790A (en) | A kind of user authentication of internet of things oriented and key agreement system and method | |
| CN105871553A (en) | Identity-free three-factor remote user authentication method | |
| CN109639426B (en) | Bidirectional self-authentication method based on identification password | |
| CN103346887A (en) | Low-complexity identity authentication method based on intelligent card and under multiserver environment | |
| CN103338202B (en) | A kind of long-distance user's password double verification method based on smart card | |
| CN105119721B (en) | A kind of three factor remote identity authentication methods based on smart card | |
| CN104901809B (en) | Remote authentication protocol method based on password and smart card | |
| KR20120007509A (en) | Method for authenticating identity and generating share key | |
| CN105072110A (en) | Two-factor remote identity authentication method based on smart card | |
| CN103346888A (en) | Remote identity authentication method based on password, smart card and biological features | |
| CN105187405A (en) | Reputation-based cloud computing identity management method | |
| CN104767624A (en) | Remote protocol authentication method based on biological features | |
| CN113572765B (en) | Lightweight identity authentication key negotiation method for resource-limited terminal | |
| Cui et al. | Chaotic map-based authentication scheme using physical unclonable function for internet of autonomous vehicle | |
| CN107248997A (en) | Authentication method based on smart card under environment of multi-server | |
| Hussain et al. | An improved authentication scheme for digital rights management system | |
| Xie | Improvement of a security enhanced one-time two-factor authentication and key agreement scheme | |
| CN104618113A (en) | Method for authenticating identity of mobile terminal and constructing safety channel | |
| CN101867587B (en) | A kind of method and system of anonymous authentication |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20131009 |