CN104125199B - A kind of anonymous authentication method and system based on attribute - Google Patents

Abstract

The invention discloses a kind of anonymous authentication methods based on attribute, the method include the steps that 1) trusted party TP generates a master key x and system public parameter according to the security parameter of setting；2) user U is registered to TP and is submitted attribute, is initiated attribute credential and is signed and issued request；3) TP verifies the attribute that user U is possessed, and issues attribute credential according to the attribute of U, master key x and system public parameter for it；4) user U initiates access request to service provider SP；5) SP searches the corresponding access strategy of the access request and returns to the user U；6) user U selects attribute to be used according to the access strategy, then calculates an anonymous credentials using the attribute credential and private key r, and be sent to SP；7) SP verifies the anonymous credentials, if being verified and meeting the access strategy, receives the access request, provides corresponding service and gives the user.This invention ensures that the privacy of user, supports more flexible thresholding Attributions selection to show scheme.

Description

A kind of anonymous authentication method and system based on attribute

Technical field

The invention belongs to computer technology and information security field, it is related under cloud computing environment accessing service behavior to user The privacy method of being protected and prevented privacy leakage, be embodied in a kind of anonymous authentication method based on attribute and be System.

Background technique

With the development of internet and mobile Internet, daily life is more next to the degree of dependence of network service Higher, network service starts the various aspects for being related to clothing, food, lodging and transportion -- basic necessities of life.The especially proposition of cloud computing concept in recent years, so that network Service is pooled on internet, E-Government, e-commerce, electron medical treatment, and various enterprise-level application management systems are widely applied, Online reading, shopping is social, and the personal consumption behaviors such as game are also more and more.Real-life many activities do not need Proof of identification is provided, and the identity management system in network application requires user to carry out authentication, and hard constraints and prison It controls user and accesses system or application.Therefore behavior of the user in network activity, the privacy informations such as hobby may be in certification bodies It is revealed when part, is tracked by the audit function of service provider and even analyze, so that the interests of user is come to harm, had more next How more people avoids privacy leakage from becoming current network development urgently, it is realized that this has seriously threatened the privacy of user Problem to be solved.

One important technology of authentication at present is the digital certificate system based on X.509 system, but with X.509 public There are many risks in terms of secret protection for key Certification system and network ID authentication technology: first, it is needed in the registration RA stage User submits identity information；Second, public key certificate can be disclosed and be obtained, wherein including user information；Third, public key catalogue and is removed Pin list can reveal certain privacy informations of user；4th, identity is full disclosure when being authenticated.Traditional authenticated The combination of journey, actually identification and certification thus has excessive user information to be supplied to service provider, causes The leakage of privacy of user, to user brings security threat.And in practical application scene, service provider needs know it is user The qualification that whether there is access to service, rather than the specific identity information of user.

Therefore the research of the secret protection for user, anonymous credentials and its authentication techniques becomes a hot spot, and anonymity is recognized The core concept of card is to separate the qualification of user and identification in verification process, i.e., user is only verified in verification process It is the member in a certain set, without revealing its specific identity.Traditional anonymous authentication scheme such as ring signatures, group ranking etc. is Refer to that user can prove that the identity documents that it possesses belong to some specific use to ISP according to the requirement of concrete scene Family set (set of qualified access service), but it is in specific user set that ISP, which can not identify user actually, Which particular user, therefore the technology is by realizing personal privacy protection to the hiding of user identity.However as Based on emergence and development with secret protection property signature technology such as attribute signatures, proposed for the design of anonymous authentication scheme A kind of new thinking.Include in the key of user in signature (Atrribute Based Signature, ABS) based on attribute Several attribute informations, its private key can be used to sign message for user later.It is similar with ring signatures, the label of ABS schemes generation Name, which can be verified to be, to be met the user of association attributes combination and is generated, but can not determine the specific generator of signature.ABS scheme is User role, relationship, personal information etc., are abstracted into attribute by anonymous credentials and authentication system framework centered on attribute, clothes Business can formulate resource access control policy according to user property；And customer-side also can establish the security strategy of oneself, if Whether allow attributes extraction, realize the user anonymity access based on attribute in this way if setting.Due to ABS signature scheme itself User anonymity and the proof to attribute are had been realized in, therefore can be relatively easy to be converted into anonymous authentication scheme.With biography The anonymous authentication scheme of system is compared, and (thresholding ABS scheme can realize constant to ABS scheme efficiency with higher under certain condition The signature length and checking procedure of complexity, similar anonymous authentication side will be far smaller than by calculating cost with message-length Case), and can prove more complicated security strategy (thresholding etc.).In conclusion research hideing based on New Signature Schemes such as ABS Name voucher scheme and anonymous authentication demonstrate,prove the feasible research direction of system.

Currently, having there is some research projects using anonymous authentication the relevant technologies as the key content of research, including Oasis Shibboleth project and the Liberty project of Liberty Alliance of tissue etc., but the core technology of these projects is to communicate Pseudonymity in journey makes third party that can not obtain the personal information of user, however service provider can still obtain user's True identity, and user behavior can be associated, to destroy the individual privacy of user., the present invention in service provider Attribute needed for service can only be obtained, and obtain less than other attributes, so that activity association can not be carried out, and then use can not be obtained Family true identity.

Summary of the invention

It is an object of the present invention to overcoming problems of the prior art, a kind of anonymity based on attribute is provided and is recognized Demonstrate,prove method and system.Specifically, the present invention includes the important aspect of following two: first devises a kind of label based on attribute The anonymous authentication algorithm of name；Second devises a kind of anonymous authentication system based on attribute.

One, based on the anonymous authentication method of attribute

The purpose of the present invention is to provide a kind of anonymous authentication systems based on attribute to reinforce the secret protection to user, User is authenticated by trusted party and issues attribute credential for user, and user shows attribute to service side, and is verified and belonged to by service side The mode of property voucher completes verification process.Anonymous authentication method based on attribute of the invention mainly includes one based on attribute Signature scheme, anonymous credentials show and verify system for run anonymous authentication agreement system showing for anonymous credentials is provided And authentication function, it provides anonymous credentials and shows realization with verification algorithm, can support to assert the thresholding of user property and show.

Attribute shows the fundamental property of scheme:

● anonymity

● independent

● the selection of attribute is shown: application can not obtain the attribute information unrelated with strategy

The signature scheme includes three main algorithms, and the function of each algorithm is as follows: (only simply introducing each algorithm herein The parameter and calculating process of algorithm will be described in detail in function in a specific embodiment)

A.System setup algorithm: the algorithm was calculated by the probabilistic polynomial time that attribute authority (aa) (i.e. trusted party) is completed Method, security parameter that algorithm input trusted party defines (security parameter is chosen by trusted party, and the security parameter of each operation is different, The master key then generated is different with open parameter, for example is chosen according to the time), master key and system public parameter are exported, master is close Key is saved by trusted party, system public parameter then external disclosure, its other party is made to be easy to obtain (for example being published in official website)；

B.User Grant algorithm: as shown in Fig. 2, the algorithm is multinomial by the probability of attribute authority (aa) (i.e. trusted party) completion Formula time algorithm, (attribute set of user is that user registers in trusted party to the property set of algorithm one user of input, and trusted party is logical The mode crossed under line is verified to obtain), master key and system public parameter, algorithm export the private key of corresponding attribute, composition attribute with Card, and this is sent to by hidden passageway (such as mode under line, scene handover etc.) safety between trusted party and user User；A pair of of public private key pair is generated for user in trusted party simultaneously, and is sent to user by the channel of safety.

C.User Prove algorithm: it as shown in figure 3, the algorithm is the probabilistic polynomial time algorithm completed by user, uses Family obtain first trusted party publication open parameter, algorithm input system disclose parameter (trusted party announcement), message (with to be visited The relevant message of the service asked), the attribute credential of user, secret random number r(be used to generate the private keys of anonymous credentials) and mesh Mark service request access have needed for the user of the service attribute conditions (such as the user of the service need to have it is n listed K attribute in attribute, the information are obtained from service provider), anonymous credentials are exported, then send the anonymous credentials of generation To service provider；

D.User Verify algorithm: as shown in figure 4, the algorithm is the certainty completed by verifier i.e. service provider Polynomial time algorithm, service provider obtains the open parameter of trusted party announcement first, when needing the access qualification to user When being verified, the algorithm is called, inputs that (the related of service to user to be accessed disappears for system public parameter, message Breath), attribute conditions (for example the user of the service needs to have k attribute in listed n attribute) and anonymous credentials, according to UserVerify algorithm (algorithm is described in detail in specific embodiment) is verified, and is exported judgment value " receiving " or " refused Absolutely ".

Two, the anonymous authentication system based on attribute

The main participant of system is by trusted party (Trust Provider, TP), user agent (User Agent, UA) (user is interacted by user agent and trusted party and service provider) and service provider (Service Provider, SP) three parts, wherein trusted party TP can audit user property, and be responsible for user and issue attribute credential； User agent UA represents user and is calculated accordingly, the mapping including user property, and attribute credential calculates, and voucher proves to calculate Deng.Service provider SP can define access, and it services the attribute having required for user, obtains the attribute credential of user, and verifying is used The operation such as the voucher at family.

Its framework is as shown in fig. 1, is a TP in figure, and a user U(user is communicated by UA with TP or SP), one Service provider SP, necessarily multiple user U, multiple service provider SP in application process, naturally it is also possible to there are it is multiple can Letter side TP.The main composition of system: the voucher service of signing and issuing, user agent's plug-in unit, application service three parts.Each section it is main It forms as follows:

A. the voucher service of signing and issuing

● subscriber authentication

● voucher is signed and issued

B. user agent's plug-in unit

● request for credentials

● credential management

● voucher shows

C. application service

● tactical management

● credential verification

Voucher signs and issues service operation at the end trusted party TP, wherein subscriber authentication function, using public key cryptography, really Recognizing user has legal public and private key to (public private key pair is raw for user according to the identity of user by trust authority such as public security bureau At), verify the legitimacy of user；It is to submit attribute to trusted party in user, and propose attribute credential request that voucher, which signs and issues function, Executive review and validation is carried out to the applied attribute of user by trusted party, after being verified, signs and issues correspondence for user Attribute credential, the attribute credential be to user by certification attribute carry out processing, can be used to carry out cryptographic operation.

User agent's plug-in component operation represents operation and matching that user completes some complexity in user terminal.It first can The attribute for the application authentication that user is submitted distributes an attribute-bit, and (distribution method is provided by TP first, and makes its other party It is easy to obtain, it is therefore an objective to attribute be converted to the integer that can carry out cryptographic operation, for example " age=1 " is mapped as " 1 "), generation The application request for proposing attribute credential to trusted party for user, is sent to TP for the corresponding value of attribute that user to be applied.Voucher Management function is that all attribute credentials applied of user are safeguarded a list, executes the lookup to attribute credential, add Add, deletes, the operation such as replacement.Voucher, which shows function, to be selected after getting service provider SP and requiring the attribute provided Corresponding attribute credential out is hidden after carrying out the hiding attribute calculating of selectivity according to content of the requirement of SP to voucher as one Name voucher is presented to service provider.According to the difference of challenging value after challenge (the random number challenge) issued to service provider Response is calculated, proves that user possesses hiding attribute to SP.

Application service is mainly the end SP, property policy required for policy management capability, mainly maintenance access service；With Results card is the attribute credential sended over to user terminal, and according to the access strategy of corresponding with service, (service is different, and access strategy is not Together, be maintained in the end SP) and TP parameter is disclosed to verifying, (specific verification algorithm is in embodiments specifically It is bright), judge whether the requirement for meeting access strategy.If by verifying, the certification that user passes through the service.

Compared with prior art, the advantages of the present invention are mainly reflected in:

1) using the anonymous credentials algorithm signed based on attribute, compared with existing general anonymous credentials system, user can be with The hiding attribute of selectivity, more flexible thresholding Attributions selection can be supported to show scheme.

2) the attribute signature length in the present invention is constant, therefore the message-length of anonymous authentication agreement transmission is constant, Improve the communication efficiency of agreement.

3) while guaranteeing privacy, it ensure that the unforgeable and not of voucher using the signature technology based on attribute Property can be lent, to realize that the certification of high privacy high security of user-center provides guarantee with access control process.

4) relatively independent with frame to being realized based on specific algorithm in attribute anonymous credentials scheme, can under Unified frame into Row easily extension, to support a greater variety of algorithms.

5) unlinkability, that is service or multiple services the activity association of user is got up together be calculate it is tired Difficult, that is to say, that no matter it accesses a service how many times to a user, will all keep anonymity.

6) it is tired that least privilege, service or multiple services calculate attribute of the user in addition to attribute needed for the service together Difficult.That is, authenticating the process of user every time, service can only obtain the session needs and user authorizes the category shown Property, and other attribute informations of user cannot be obtained.

Detailed description of the invention

Fig. 1 anonymous credentials system assumption diagram；

Fig. 2 anonymous authentication system credential signs and issues agreement；

Fig. 3 anonymous authentication system credential shows agreement；

Fig. 4 anonymous authentication system module and interface.

Specific embodiment

Below by specific embodiment, the present invention will be described in more detail.Wherein embodiment 1 is given involved by the system And the anonymous credentials algorithm based on attribute signature, embodiment 2 provides the specific function mode of anonymous credentials system.

Anonymous authentication algorithm of the embodiment 1. based on attribute

The specific example of a signature algorithm based on attribute of the invention is given below:

IfWithBe rank be p Prime Orders cyclic group (t be used to indicate, explanationWithIt is two different groups, i.e., The present invention needs to set two groups, and two different Prime Orders cyclic groups are distinguished with footmark t), g isGeneration member.ForIt arrivesOn bilinear map.

A.System setup algorithm

The algorithm is executed by trusted party, defines the maximum attribute number n that may include in voucher first, is then each possibility The user property i distributive property value ω used_i(according to the method for salary distribution predetermined), and in addition select n-1 redundant attributes d_j Redundant attributes collection D is formed, (distribution of redundant attributes needs to guarantee to repeat with user property, if will construct in voucher User property less than n when, trusted party can select redundant attributes to be supplemented to n), these redundant attributes will not be presented to Any user.Next member g, h are generated in random selection, random selection is used as private key, i.e. master key, calculates a part of the common parameter as system, then scheme TP finally gives birth to It is at common parameterThe master of TP Key is x.(common parameter includes that user property set omega and redundant attributes set D, redundant attributes set D need externally announcement)

B.User Grant algorithm

When user U application and attribute set Ω_U(wherein Ω is the set of all properties, Ω when the attribute credential of ∈ Ω_UFor User property set), TP executes following operation:

It examines first

If it is not, then refusing to execute, that is to say, that comprising redundant attributes in the attribute submitted when user's application, then refusal is held Row.

If intersection is sky, TP random selection one generates member, then to Ω_UThe attribute value ω of middle ith attribute_Ui (calculating each attribute) calculates medianCalculate output attribute voucher cre={ g_U, { U_i}(ω_Ui∈ Ω_U)}。

C.User Prove algorithm

When user will access a service, need to prove that the attribute that it possesses meets defined in SP corresponding to the service Strategy, strategy herein is thresholding strategy, i.e. an application service user property must satisfy: being belonged to k in property set A At least t attribute in property is consistent, i.e. Γ=(t, A) (1≤t≤k=| A |≤n, | A | ∩ Ω_U| >=t), user agent UA from The attribute set that can satisfy SP strategy is selected in its attribute setThen choice set Close D={ d_iIn preceding n+t-k-1 element, the set of these elements is denoted as D_n+t-k-1.User can be used in its voucher cre U_i(each attribute has a U in cre for calculating_iValue, the voucher value of corresponding each attribute):

Next, due to | D_n+t-k-1∩(A-Ω′_U) |=(n+t-k-1)+(k-t)=n-1, therefore user can be usedIt calculates(wherein A1, A2, A3 are the medians calculated).Finally, UA randomly chooses secret value, for calculating anonymous credentials (π₁, π₂, π₃, π₄) it is sent to SP.

D.User Verify algorithm

Verifier SP obtains (π₁, π₂, π₃, π₄) after, first confirm that g_U=π₄It is whether true, (g_UIt is in user anonymity voucher First element, π₄It is the last one element that UA in step C is sent in the anonymous attestation of SP), if so, explanation should The user of anonymous credentials belongs to the user's set for having signed and issued voucher, then usesIt calculatesAnd it verifies:And e (h, π₂)=e (g, π₃) whether at It is vertical, if so, then illustrate that the attribute that user is possessed meets thresholding strategy Γ.

Anonymous authentication system of the embodiment 2. based on attribute

The present embodiment is intended to provide a specific example of the anonymous authentication system the present invention is based on attribute.

The system include three main bodys: trusted party (Trust Provider, TP), user agent (User Agent, UA), And service provider (Service Provider, SP) three parts.By network connection between three parts, trusted party is responsible for recognizing User is demonstrate,proved, and issues attribute credential for user.The groundwork of user side is completed by user agent, and mainly attribute credential connects It receives, stores, inquiry, and generate verifying and assert, assist the verifying for completing application service provider.User is before request service It needs to trusted party application attribute credential, request only needs to show what application service provider needed to be certified when service Attribute, such as network game company only need be greater than lawful age user certificate age in next year, and country origin belongs to specified country etc..Service provides Side verifies the attribute that user shows, and is verified, gives corresponding access authority.

Specific implementation process is four sections: system initialization, voucher sign and issue agreement, and voucher shows agreement and credential verification Agreement.System initialization process is that the operation of agreement generates necessary common parameter.Voucher, which signs and issues process mainly, trusted party TP It is completed with user's joint consultation.Voucher shows agreement to be completed jointly by user and service provider SP.

The present embodiment is set based on following scene: after user U obtains the attribute credential that trusted party TP is issued, access application The resource of provider SP, SP specify access strategy Γ, allow user to access if U meets the access strategy, detailed process is as follows:

1) TP runs the setup algorithm in embodiment 1, saves the master key of generation, and by system public parameter with other The mode that Fang Rongyi is obtained is issued out

2) user U initiates attribute credential to TP by user agent UA and signs and issues request, i.e. attribute is submitted in registration；

3) TP and U executes authentication protocol, verifies the attribute that user is possessed, and according to the attribute of U, master key x and system Open parameter issues attribute credential cre for it；

4) user U initiates access request to service provider SP by user agent UA, includes the service to be accessed Mark；

5) (strategy is to customize in advance to access strategy needed for application service provider SP searches the resource of user's access , and strategy needed for different services is different, SP need to only search corresponding strategy herein), and return to the agency of user U UA；

6) user agent prompts user U to select attribute to be used, and user uses the attribute credential of itself according to the attribute Calculating anonymous credentials for generating the private key r of anonymous credentials with one (is to handle the attribute credential that TP is issued, enables SP Attribute required by destination service is decrypted, and the occurrence of other attributes in attribute credential cannot be obtained, but is known that Obtain TP certification, specific algorithm C algorithm in example 1), and SP is sent to by user agent；

7) application service provider SP verifies the anonymous attestation of user, will if being verified and meeting the access strategy Resource returns to user (specific algorithm in example 1 D-algorithm).

Claims (9)

1. a kind of anonymous authentication method based on attribute, the steps include:

1) trusted party TP generates a master key x and system public parameter according to the security parameter of setting；Wherein, master key x be can The private key of letter side TP；

2) user U is registered to TP and is submitted attribute, is initiated attribute credential and is signed and issued request；

3) TP verifies the attribute that user U is possessed, and generates and issue for it according to the attribute of U, master key x and system public parameter Send out attribute credential cre；

4) user U initiates access request to service provider SP；

5) service provider SP searches the corresponding access strategy of the access request, returns to the user U；

6) user U selects attribute to be used according to the access strategy, is then hidden using attribute credential cre and one for generating The private key r of name voucher calculates an anonymous credentials, and is sent to SP；

7) service provider SP verifies the anonymous credentials, if being verified and meeting the access strategy, receives the access request, Corresponding service is provided and gives the user；

Wherein, the generation method of the master key x and system public parameter are as follows:

11) the Prime Orders cyclic group that two ranks are p is arranged in trusted partyWithG isGeneration member,ForIt arrives On bilinear map；

12) the maximum attribute number that may include in attribute credential is set as n, is then each user property i that may be used points Properties value ω_i, and in addition select n-1 redundant attributes d_jForm a redundant attributes collection D；Wherein each redundant attributes d_jNot with User property repeats；

13) it randomly choosesMiddle generation member g, h randomly choose x ∈ Z_pAs the private key of TP, i.e. master key, probabilistic polynomial is utilized Time algorithm generates common parameterΩ={ ω_i, D={ d_j}。

2. the method as described in claim 1, it is characterised in that the method for generating the attribute credential cre are as follows: trusted party utilizes Probabilistic polynomial time algorithm, the property set inputted using user, master key x and system public parameter, generate the attribute with Card.

3. the method as described in claim 1, it is characterised in that the method for generating the anonymous credentials are as follows: user obtains trusted party The system public parameter of publication, then by probabilistic polynomial time algorithm according to system public parameter, message, user attribute Voucher, one generate the anonymous credentials for generating the private key r and selection attribute to be used of anonymous credentials.

4. the method as described in claim 1, it is characterised in that the method that service provider SP verifies the anonymous credentials are as follows: service Provider utilizes certainty polynomial time algorithm, according to system public parameter, message, predicate and to the signature verification of message The anonymous credentials.

5. the method as described in claim 1, it is characterised in that trusted party utilizes probabilistic polynomial time algorithm, according to trusted party The security parameter of setting generates master key x and system public parameter.

6. the method as described in claim 1, it is characterised in that the generation method of the attribute credential are as follows: when user U application with Attribute set Ω_UWhen the attribute credential of ∈ Ω, wherein Ω is the set of all properties, Ω_UFor the attribute set of user U；Trusted party Whether comprising redundant attributes in the attribute submitted when examining user U application first, refuse to generate attribute credential if including, it is no Then trusted party random selection one generates memberThen to Ω_UThe attribute value ω of middle ith attribute_Ui, calculate medianTo calculate output attribute voucher cre={ g_U,{U_i}(ω_Ui∈Ω_U)}。

7. method as claimed in claim 6, it is characterised in that the method for generating the anonymous credentials are as follows:

81) when user will access a service of service provider, user passes through user agent UA from the user property set Middle selection one can satisfy the attribute set of the corresponding service strategy of the serviceWherein should Service strategy are as follows: at least t attribute in k attribute in user property set property set A corresponding with the service is consistent；

82) user selects set D={ d_iIn preceding n+t-k-1 element, the set of these elements is denoted as D_n+t-k-1；

83) user uses the median U in its attribute credential cre_iIt calculates ω is redundant attributes；

84) it randomly choosesAs the private key r for generating anonymous credentials, calculate Obtain the anonymous credentials (π₁,π₂,π₃,π₄)。

8. the method as described in claim 1, it is characterised in that each attribute that user terminal submits user distributes one by can Letter side sets attribute-bit, uses corresponding mark and attribute value to be sent to attribute and attribute value that user to be applied credible Side.

9. a kind of anonymous authentication system based on attribute, it is characterised in that including passing through network trusted party TP interconnected, use Act on behalf of UA and service provider SP in family；Wherein,

Trusted party is responsible for authenticating user, according to the security parameter of setting, generates a master key x and system public parameter；Wherein, main Key x is the private key of trusted party TP；The attribute that verifying user U is possessed, and ginseng is disclosed according to the attribute of U, master key x and system Number generates for it and issues attribute credential cre；

User agent registers application, reception, storage, the inquiry of attribute and attribute credential for user U to trusted party, to clothes Business provider SP initiates access request, and generates anonymous credentials and show service provider；

Service provider verifies the anonymous credentials that user agent shows, and is verified and meets corresponding access strategy, Then give corresponding access authority

Wherein, the generation method of the master key x and system public parameter are as follows:

11) the Prime Orders cyclic group that two ranks are p is arranged in trusted partyWithG isGeneration member,ForIt arrives On bilinear map；

12) the maximum attribute number that may include in attribute credential is set as n, is then each user property i that may be used points Properties value ω_i, and in addition select n-1 redundant attributes d_jForm a redundant attributes collection D；Wherein each redundant attributes d_jNot with User property repeats；

13) it randomly choosesMiddle generation member g, h randomly choose x ∈ Z_pAs the private key of TP, i.e. master key, probabilistic polynomial is utilized Time algorithm generates common parameterΩ={ ω_i, D={ d_j}。