CN109104288A - Authentication protocol design based on a public-key cryptosystem and its implementation method
- Publication number: CN109104288A
- Application number: CN201810858536.5A
- Authority: CN (China)
- Prior art keywords: key, user, server, authentication, authentication protocol
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H04L9/0625—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI
Abstract
The invention discloses an authentication protocol design based on a public-key cryptosystem and its implementation method, in the field of information security technology, comprising a client, an encryption module, a user program, an authentication server, a management server, an application server, an application interface, a system database and a database management module. The client includes network equipment supporting the IEEE 802.1X protocol and a RADIUS server, and performs authentication control on the access of Internet users. The application interface provides the application development interface for the client and the application server. The invention uses a certificateless signature scheme: when verifying a signature, the verifier does not need to verify the validity of the signer's public key as under a conventional public-key cryptosystem, and there is no key escrow problem as in an identity-based cryptosystem. Messages related to public-key authentication are transmitted in a higher-layer message format, without needing to understand low-level details. The authentication mode offers high security and good reliability, and the system has good extensibility.
Description
Technical field
The invention discloses an authentication protocol design based on a public-key cryptosystem and its implementation method, specifically in the field of information security technology.
Background art
Public-key cryptography is a widely used technique for encrypting information, such as files and messages, sent to a specified recipient. A system using this technique must generate, for each user, a mathematically related pair consisting of a public key and a private key. The public key is published in some way so that any sender can obtain the recipient's public key, while the private key is kept secret by the recipient.
An important security requirement in applying a public-key cryptosystem is to ensure that the public key being used really belongs to the specified recipient; that is, a security mechanism is needed that binds a user identifier (ID) to the user's public key. In conventional public-key cryptosystems, for example systems using algorithms such as RSA, DSA and ECC, the generation of the public key is unrelated to the user's identifier, so a third-party certification authority (CA) must issue a certificate, i.e. sign the user's public key and identifier to bind the two together. A public-key infrastructure (PKI) can provide authentication and authorization servers for a large number of users and is suitable as the infrastructure for basic identity authentication protocols on the Internet. Identity authentication protocols based on public keys offer a high degree of security, but their computational overhead is large and their standards are not unified. Regarding loss of a user's private key: in a conventional public-key system the user's identifier and public key are bound together, and if the private key is lost the user can regenerate a public/private key pair; in an identity-based cryptosystem, however, the user's identifier is the public key itself and therefore cannot be revoked. To this end, we propose an authentication protocol design based on a public-key cryptosystem and its implementation method to solve the above problem.
Summary of the invention
The purpose of the present invention is to provide an authentication protocol design based on a public-key cryptosystem and its implementation method, so as to solve the problems raised in the background art above.
To achieve the above purpose, the present invention provides the following technical solution: an authentication protocol design based on a public-key cryptosystem and its implementation method, comprising a client, an encryption module, a user program, an authentication server, a management server, an application server, an application interface, a system database and a database management module.
The client includes network equipment supporting the IEEE 802.1X protocol and a RADIUS server, and performs authentication control on the access of Internet users. The application interface provides the application development interface for the client and the application server, and includes routines for creating or reading identity authentication requests and routines for creating secure or confidential messages. The encryption module binds a user identifier (ID) to the user's public key and encrypts data with the keyed block cipher DES. The system database records each user's sensitive information, shared keys and their expiry data, and its information is kept secure by the database management module. The management server provides a network operation interface for reading from and writing to the application server, and the client can run on any machine on the network. The authentication server generates session keys for the requester and periodically obtains updated keys from the user program.
Preferably, the authentication server uses the dial-in charging protocol that carries authentication, authorization and configuration information between the dial-in server and the RADIUS server on which authentication information is stored centrally.
Preferably, the application interface has a built-in controlled port and uncontrolled port. The uncontrolled port is always in a bidirectionally connected state and is used for passing EAP protocol packets; the controlled port can be configured in two modes, bidirectionally controlled or input-controlled, to suit different application environments.
Preferably, the client further includes a WEB server, through which registered users query their Internet access records, and through which the system administrator compiles statistics on and manages the price bidding of registered users.
Preferably, the specific steps of the implementation method are as follows:
S1: Send an authentication request to the authenticator PAE, input the security parameter $k$, and initialize the system using the KGC operation algorithm;
S2: Receive the EAP request from the authenticator PAE and respond to it. After confirming the user's identity, the KGC takes as input the system parameters params, the master key master-key and a user's identity identifier $ID_A$, $ID_A \in \{0,1\}^*$, calculates $q_A = H_1(ID_A) \in G_1$ and returns the user's partial private key $D_A = (s + q_A)^{-1} P \in G_1$, then sends $D_A$ to the user over a secure channel;
S3: Input the user's secret value $x_A$, public key $R_A$ and partial private key $D_A$, calculate and $S_A = (x_A + y_A)^{-1} D_A \in G_1$, and return the user's private key $SK_A = S_A$;
S4: Input the message plaintext $m \in M$, the signer's identity $ID_A$, the private key $S_A$ and the system parameters params, and perform certificateless signing;
S5: Verify the input information. If verification passes, the authentication protocol is completed; if it does not pass, return to step S2 and verify again.
Preferably, the KGC algorithm is: output $\langle G_1, G_2, e \rangle$, where $G_1$ and $G_2$ are two cyclic groups of order $q$ and $e: G_1 \times G_2 \to G_2$ is a bilinear map; select a random number and a generator $P \in G_1$ of $G_1$, calculate $P_{pub} = sP$ and $g = e(P, P)$, select three cryptographic hash functions, and publish the system parameters params $= \langle G_1, G_2, e, q, g, P, P_{pub}, H_1, H_2, H_3 \rangle$; the message space is $M = \{0,1\}^*$, and the system master key master-key is
Preferably, the certificateless signing algorithm operates as follows: select a random number, calculate $U = g^r = e(P, P)^r$, if calculate $V = (r + h) S_A$, and return $\sigma = (U, V)$ as signer A's signature on $m$.
Preferably, during verification, calculate $Q_A = (s + q_A) P = P_{pub} + H_1(ID_A) P$, $y_A = H_2(R_A)$ and $h = H_3(m, U)$, and check whether $e(V, R_A + y_A Q_A) = U g^h$ holds; if the equation holds, the verifier outputs 1, otherwise it outputs 0.
Compared with the prior art, the beneficial effects of the present invention are as follows: the present invention uses a certificateless signature scheme, so that when verifying a signature the verifier does not need to verify the validity of the signer's public key as under a conventional public-key cryptosystem, and there is no key escrow problem as in an identity-based cryptosystem. Messages related to public-key authentication are transmitted in a higher-layer message format, without needing to understand low-level details. The authentication mode offers high security and good reliability, and the system has good extensibility.
Brief description of the drawings
Fig. 1 is a functional block diagram of the system of the present invention.
Specific embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.
Referring to Fig. 1, the present invention provides a technical solution: an authentication protocol design based on a public-key cryptosystem, comprising a client, an encryption module, a user program, an authentication server, a management server, an application server, an application interface, a system database and a database management module.
The client includes network equipment supporting the IEEE 802.1X protocol and a RADIUS server, and performs authentication control on the access of Internet users. The application interface provides the application development interface for the client and the application server, and includes routines for creating or reading identity authentication requests and routines for creating secure or confidential messages. The encryption module binds a user identifier (ID) to the user's public key and encrypts data with the keyed block cipher DES. The system database records each user's sensitive information, shared keys and their expiry data, and its information is kept secure by the database management module. The management server provides a network operation interface for reading from and writing to the application server, and the client can run on any machine on the network. The authentication server generates session keys for the requester and periodically obtains updated keys from the user program.
The authentication server uses the dial-in charging protocol that carries authentication, authorization and configuration information between the dial-in server and the RADIUS server on which authentication information is stored centrally. The application interface has a built-in controlled port and uncontrolled port: the uncontrolled port is always in a bidirectionally connected state and is used for passing EAP protocol packets, while the controlled port can be configured in two modes, bidirectionally controlled or input-controlled, to suit different application environments. The client further includes a WEB server, through which registered users query their Internet access records, and through which the system administrator compiles statistics on and manages the price bidding of registered users.
The present invention also provides an implementation method for the authentication protocol design based on a public-key cryptosystem, with the following specific steps:
S1: Send an authentication request to the authenticator PAE, input the security parameter $k$, and initialize the system using the KGC operation algorithm. The KGC algorithm is: output $\langle G_1, G_2, e \rangle$, where $G_1$ and $G_2$ are two cyclic groups of order $q$ and $e: G_1 \times G_2 \to G_2$ is a bilinear map; select a random number and a generator $P \in G_1$ of $G_1$, calculate $P_{pub} = sP$ and $g = e(P, P)$, select three cryptographic hash functions, and publish the system parameters params $= \langle G_1, G_2, e, q, g, P, P_{pub}, H_1, H_2, H_3 \rangle$; the message space is $M = \{0,1\}^*$, and the system master key master-key is
S2: Receive the EAP request from the authenticator PAE and respond to it. After confirming the user's identity, the KGC takes as input the system parameters params, the master key master-key and a user's identity identifier $ID_A$, $ID_A \in \{0,1\}^*$, calculates $q_A = H_1(ID_A) \in G_1$ and returns the user's partial private key $D_A = (s + q_A)^{-1} P \in G_1$, then sends $D_A$ to the user over a secure channel;
S3: Input the user's secret value $x_A$, public key $R_A$ and partial private key $D_A$, calculate and $S_A = (x_A + y_A)^{-1} D_A \in G_1$, and return the user's private key $SK_A = S_A$;
S4: Input the message plaintext $m \in M$, the signer's identity $ID_A$, the private key $S_A$ and the system parameters params, and perform certificateless signing. The certificateless signing algorithm operates as follows: select a random number, calculate $U = g^r = e(P, P)^r$, if calculate $V = (r + h) S_A$, and return $\sigma = (U, V)$ as signer A's signature on $m$;
S5: Verify the input information. If verification passes, the authentication protocol is completed; if it does not pass, return to step S2 and verify again. During verification, calculate $Q_A = (s + q_A) P = P_{pub} + H_1(ID_A) P$, $y_A = H_2(R_A)$ and $h = H_3(m, U)$, and check whether $e(V, R_A + y_A Q_A) = U g^h$ holds; if the equation holds, the verifier outputs 1, otherwise it outputs 0.
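The algebra of steps S1 to S5, as an added example that is not part of the patent text: a toy Python model in which every group element is stored as its discrete logarithm, so the pairing becomes multiplication mod q and the verification equation can be executed and checked. The prime `Q`, the SHA-256 stand-ins for H1 to H3, the sample identities and the public-key form R_A = x_A·Q_A are assumptions (the page does not state how R_A is formed); the model exposes all discrete logs and provides no security.

```python
import hashlib
import secrets

# Toy model ("pairing in the exponent"): the G1 element aP is stored as the
# scalar a mod Q and the G2 element g^a as the scalar a, so e(aP, bP) = g^(ab)
# becomes a*b mod Q. It exposes every discrete log and has no security value;
# it only lets the algebra of S1-S5 be executed and checked.
Q = 2**127 - 1   # constructed prime group order q (assumption)
P = 1            # generator P of G1 in exponent form; g = e(P, P) is then 1


def _hash(tag: bytes, *parts: bytes) -> int:
    """SHA-256 stand-in for H1/H2/H3, mapped to a nonzero scalar in Z_q^*."""
    h = hashlib.sha256(tag)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1


def _enc(x: int) -> bytes:
    return x.to_bytes(16, "big")


def pair(a: int, b: int) -> int:
    """e(aP, bP) = g^(ab), returned as the exponent of g."""
    return a * b % Q


def setup():
    """S1: the KGC picks the master key s and publishes P_pub = sP."""
    s = secrets.randbelow(Q - 1) + 1
    return s, s * P % Q


def extract_partial_key(s: int, identity: bytes) -> int:
    """S2: D_A = (s + q_A)^-1 P, with q_A = H1(ID_A) used as a scalar."""
    q_a = _hash(b"H1", identity)
    return pow(s + q_a, -1, Q) * P % Q   # ValueError if s + q_A = 0 mod q


def set_private_key(p_pub: int, identity: bytes, d_a: int):
    """S3: S_A = (x_A + y_A)^-1 D_A. R_A = x_A * Q_A is an assumption."""
    x_a = secrets.randbelow(Q - 1) + 1
    q_pt = (p_pub + _hash(b"H1", identity) * P) % Q   # Q_A from public values
    r_a = x_a * q_pt % Q
    y_a = _hash(b"H2", _enc(r_a))
    s_a = pow(x_a + y_a, -1, Q) * d_a % Q
    return x_a, r_a, s_a


def sign(message: bytes, s_a: int):
    """S4: U = g^r, h = H3(m, U), V = (r + h) S_A."""
    r = secrets.randbelow(Q - 1) + 1
    u = r                                # g^r in exponent form
    h = _hash(b"H3", message, _enc(u))
    return u, (r + h) * s_a % Q


def verify(p_pub: int, identity: bytes, r_a: int, message: bytes, sig) -> int:
    """S5: output 1 if e(V, R_A + y_A Q_A) = U * g^h, otherwise 0."""
    u, v = sig
    q_pt = (p_pub + _hash(b"H1", identity) * P) % Q
    y_a = _hash(b"H2", _enc(r_a))
    h = _hash(b"H3", message, _enc(u))
    lhs = pair(v, (r_a + y_a * q_pt) % Q)
    rhs = (u + h) % Q                    # U * g^h: exponents add in G2
    return 1 if lhs == rhs else 0


if __name__ == "__main__":
    ident, msg = b"alice@example.test", b"constructed EAP payload"
    s, p_pub = setup()
    d_a = extract_partial_key(s, ident)
    _, r_a, s_a = set_private_key(p_pub, ident, d_a)
    sig = sign(msg, s_a)
    print(verify(p_pub, ident, r_a, msg, sig))                    # valid
    print(verify(p_pub, ident, r_a, msg + b"!", sig))             # altered m
    print(verify(p_pub, b"mallory@example.test", r_a, msg, sig))  # wrong ID
```

Because the verifier rebuilds Q_A from P_pub and the claimed identity, a signature checked against a different identity or a substituted R_A fails without any certificate lookup.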
Although embodiments of the present invention have been shown and described, a person of ordinary skill in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principles and spirit of the present invention; the scope of the present invention is defined by the appended claims.
Claims (8)
1. An authentication protocol design based on a public-key cryptosystem, characterized in that it comprises a client, an encryption module, a user program, an authentication server, a management server, an application server, an application interface, a system database and a database management module; the client includes network equipment supporting the IEEE 802.1X protocol and a RADIUS server, and performs authentication control on the access of Internet users; the application interface provides the application development interface for the client and the application server, and includes routines for creating or reading identity authentication requests and routines for creating secure or confidential messages; the encryption module binds a user identifier (ID) to the user's public key and encrypts data with the keyed block cipher DES; the system database records each user's sensitive information, shared keys and their expiry data, and its information is kept secure by the database management module; the management server provides a network operation interface for reading from and writing to the application server, and the client can run on any machine on the network; the authentication server generates session keys for the requester and periodically obtains updated keys from the user program.
2. The authentication protocol design based on a public-key cryptosystem according to claim 1, characterized in that the authentication server uses the dial-in charging protocol that carries authentication, authorization and configuration information between the dial-in server and the RADIUS server on which authentication information is stored centrally.
3. The authentication protocol design based on a public-key cryptosystem according to claim 1, characterized in that the application interface has a built-in controlled port and uncontrolled port, wherein the uncontrolled port is always in a bidirectionally connected state and is used for passing EAP protocol packets, and the controlled port can be configured in two modes, bidirectionally controlled or input-controlled, to suit different application environments.
4. The authentication protocol design based on a public-key cryptosystem according to claim 1, characterized in that the client further includes a WEB server, through which registered users query their Internet access records, and through which the system administrator compiles statistics on and manages the price bidding of registered users.
5. An implementation method for an authentication protocol design based on a public-key cryptosystem, characterized in that the specific steps of the implementation method are as follows:
S1: Send an authentication request to the authenticator PAE, input the security parameter $k$, and initialize the system using the KGC operation algorithm;
S2: Receive the EAP request from the authenticator PAE and respond to it; after confirming the user's identity, the KGC takes as input the system parameters params, the master key master-key and a user's identity identifier $ID_A$, $ID_A \in \{0,1\}^*$, calculates $q_A = H_1(ID_A) \in G_1$ and returns the user's partial private key $D_A = (s + q_A)^{-1} P \in G_1$, then sends $D_A$ to the user over a secure channel;
S3: Input the user's secret value $x_A$, public key $R_A$ and partial private key $D_A$, calculate and $S_A = (x_A + y_A)^{-1} D_A \in G_1$, and return the user's private key $SK_A = S_A$;
S4: Input the message plaintext $m \in M$, the signer's identity $ID_A$, the private key $S_A$ and the system parameters params, and perform certificateless signing;
S5: Verify the input information; if verification passes, the authentication protocol is completed; if it does not pass, return to step S2 and verify again.
6. The implementation method for an authentication protocol design based on a public-key cryptosystem according to claim 5, characterized in that, in step S1, the KGC algorithm is: output $\langle G_1, G_2, e \rangle$, where $G_1$ and $G_2$ are two cyclic groups of order $q$ and $e: G_1 \times G_2 \to G_2$ is a bilinear map; select a random number and a generator $P \in G_1$ of $G_1$, calculate $P_{pub} = sP$ and $g = e(P, P)$, select three cryptographic hash functions, and publish the system parameters params $= \langle G_1, G_2, e, q, g, P, P_{pub}, H_1, H_2, H_3 \rangle$; the message space is $M = \{0,1\}^*$, and the system master key master-key is
7. The implementation method for an authentication protocol design based on a public-key cryptosystem according to claim 5, characterized in that, in step S4, the certificateless signing algorithm operates as follows: select a random number, calculate $U = g^r = e(P, P)^r$, if calculate $V = (r + h) S_A$, and return $\sigma = (U, V)$ as signer A's signature on $m$.
8. The implementation method for an authentication protocol design based on a public-key cryptosystem according to claim 5, characterized in that, in step S5, during verification, calculate $Q_A = (s + q_A) P = P_{pub} + H_1(ID_A) P$, $y_A = H_2(R_A)$ and $h = H_3(m, U)$, and check whether $e(V, R_A + y_A Q_A) = U g^h$ holds; if the equation holds, the verifier outputs 1, otherwise it outputs 0.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810858536.5A CN109104288A (en) | 2018-07-31 | 2018-07-31 | Authentication protocol design based on a public-key cryptosystem and its implementation method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109104288A (en) | 2018-12-28 |
Family
ID=64847968
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810858536.5A Pending CN109104288A (en) | Authentication protocol design based on a public-key cryptosystem and its implementation method | 2018-07-31 | 2018-07-31 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109104288A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20181228 |