CN109104288A - A kind of Authentication protocol design and its implementation based on common key cryptosystem - Google Patents


Publication number
CN109104288A
Authority
CN
China
Prior art keywords
key
user
server
authentication
authentication protocol
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810858536.5A
Other languages
Chinese (zh)
Inventor
余磊
卓泽朋
郭宇燕
江明明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huaibei Normal University
Original Assignee
Huaibei Normal University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huaibei Normal University filed Critical Huaibei Normal University
Priority to CN201810858536.5A priority Critical patent/CN109104288A/en
Publication of CN109104288A publication Critical patent/CN109104288A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0625 Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation with splitting of the data block into left and right halves, e.g. Feistel based algorithms, DES, FEAL, IDEA or KASUMI

Abstract

The invention discloses an authentication protocol design based on a public key cryptosystem, and a method for implementing it, in the field of information security technology. The design includes a client, an encryption module, a user program, an authentication server, a management server, an application server, an application interface, a system database and a database management module. The client includes network equipment supporting the IEEE 802.1X protocol and a RADIUS server, and performs authentication control over the network access of Internet users. The application interface provides the application development interface between the client and the application server. The invention uses a certificateless signature scheme: when verifying a signature, the verifier does not need to check the validity of the signer's public key as it would under a conventional public key cryptosystem, and the scheme does not have the key escrow of identity-based cryptosystems. Messages relating to public key authentication are carried in a higher-layer message format, so low-level details need not be understood. The authentication mode offers high security and good reliability, and the system has good extensibility.

Description

A kind of Authentication protocol design and its implementation based on common key cryptosystem
Technical field
The invention discloses an authentication protocol design based on a public key cryptosystem and a method for implementing it, and specifically relates to the field of information security technology.
Background art
Public key cryptography is a widely used technique for encrypting information, such as files and messages, that is sent to a specified recipient. A system using this technique generates a mathematically related pair of public and private keys for each user. The public key is published in some way so that any sender can obtain the recipient's public key, while the private key is kept secret by the recipient.
An important security requirement when applying a public key cryptosystem is to ensure that the public key in use really belongs to the specified recipient; that is, a security mechanism is needed that binds a user identifier (ID) to the user's public key. In a conventional public key cryptosystem, for example one using algorithms such as RSA, DSA or ECC, the generation of the public key is unrelated to the user's identifier, so a third-party certification authority (CA) must issue a certificate, i.e. sign the user's public key and identifier, to bind the two together. A public key infrastructure (PKI) can provide authentication and authorization services for a large number of users and is suitable as the infrastructure for basic identity authentication protocols on the Internet. Identity authentication protocols based on public keys offer a high degree of security, but their computational overhead is large and their standards are not unified. There is also the problem of a lost private key: in a conventional public key system the user's identifier and public key are bound together, so a user who loses the private key can generate a new pair of public and private keys, whereas in an identity-based cryptosystem the user's identifier is itself the public key and therefore cannot be revoked. To this end, we propose an authentication protocol design based on a public key cryptosystem and a method for implementing it, to solve the above problems.
Summary of the invention
The purpose of the present invention is to provide an authentication protocol design based on a public key cryptosystem and a method for implementing it, to solve the problems raised in the background art above.
To achieve the above object, the invention provides the following technical solution: an authentication protocol design based on a public key cryptosystem, and a method for implementing it, including a client, an encryption module, a user program, an authentication server, a management server, an application server, an application interface, a system database and a database management module.
The client includes network equipment supporting the IEEE 802.1X protocol and a RADIUS server, and performs authentication control over the network access of Internet users. The application interface provides the application development interface between the client and the application server, which contains routines for creating or reading identity authentication requests and routines for creating secure or confidential messages. The encryption module binds the user identifier ID to the user's public key and encrypts data using the keyed block cipher DES. The system database records each user's sensitive information, shared keys and their expiry periods, and the security of this information is maintained by the database management module. The management server provides a network interface for reading from and writing to the application server, and the client can run on any machine on the network. The authentication server generates session keys for requesters and periodically obtains updated keys from the user program.
Preferably, the authentication server uses a dial-in accounting protocol that carries authentication, authorization and configuration information between the dial-up server and the RADIUS server on which authentication information is centrally stored.
Preferably, the application interface has a built-in controlled port and uncontrolled port. The uncontrolled port is always in a two-way connected state and is used to pass EAP protocol packets; the controlled port can be configured in two modes, bidirectionally controlled or input controlled, to suit different application environments.
Preferably, the client further includes a WEB server, through which registered users query their Internet access records via the WEB and through which the system administrator compiles statistics on and manages the billing of registered users.
Preferably, the specific steps of the implementation method are as follows:
S1: send an authentication request to the authenticator PAE, input the security parameter $k$, and initialize the system using the KGC algorithm;
S2: receive the EAP request from the authenticator PAE and respond to it. After confirming the user's identity, the KGC takes as input the system parameters params, the master key master-key and a user's identity identifier $ID_A$, $ID_A \in \{0,1\}^*$, computes $q_A = H_1(ID_A) \in G_1$ and returns the user's partial private key $D_A = (s+q_A)^{-1}P \in G_1$, then sends $D_A$ to the user over a secure channel;
S3: input the user's secret value $x_A$, public key $R_A$ and partial private key $D_A$, calculate and $S_A = (x_A+y_A)^{-1}D_A \in G_1$, and return the user's private key $SK_A = S_A$;
S4: input the message plaintext $m \in M$, the signer's identity $ID_A$, the private key $S_A$ and the system parameters params, and perform certificateless signing;
S5: verify the input information. If verification passes, the authentication protocol is complete; if it does not, return to step S2 and verify again.
Preferably, the KGC algorithm is: output $\langle G_1, G_2, e \rangle$, where $G_1$ and $G_2$ are two cyclic groups of order $q$ and $e: G_1 \times G_2 \to G_2$ is a bilinear map; select a random number and a generator $P \in G_1$ of $G_1$; compute $P_{pub} = sP$ and $g = e(P, P)$; select three cryptographic hash functions, and publish the system parameters params $= \langle G_1, G_2, e, q, g, P, P_{pub}, H_1, H_2, H_3 \rangle$. The message space is $M = \{0,1\}^*$, and the system master key master-key is
Preferably, the certificateless signing algorithm operates as follows: select a random number; compute $U = g^r = e(P, P)^r$; set; compute $V = (r+h)S_A$; return $\sigma = (U, V)$ as signer A's signature on $m$.
Preferably, during verification, compute $Q_A = (s+q_A)P = P_{pub} + H_1(ID_A)P$, $y_A = H_2(R_A)$ and $h = H_3(m, U)$, and check whether $e(V, R_A + y_A Q_A) = U g^h$ holds. If the equation holds, the verifier outputs 1; otherwise it outputs 0.
Compared with the prior art, the beneficial effects of the present invention are as follows: the invention uses a certificateless signature scheme, so that when verifying a signature the verifier does not need to check the validity of the signer's public key as it would under a conventional public key cryptosystem, and the scheme does not have the key escrow of identity-based cryptosystems. Messages relating to public key authentication are carried in a higher-layer message format, so low-level details need not be understood. The authentication mode offers high security and good reliability, and the system has good extensibility.
Brief description of the drawings
Fig. 1 is a functional block diagram of the system of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are obviously only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.
Referring to Fig. 1, the present invention provides a technical solution: an authentication protocol design based on a public key cryptosystem, including a client, an encryption module, a user program, an authentication server, a management server, an application server, an application interface, a system database and a database management module.
The client includes network equipment supporting the IEEE 802.1X protocol and a RADIUS server, and performs authentication control over the network access of Internet users. The application interface provides the application development interface between the client and the application server, which contains routines for creating or reading identity authentication requests and routines for creating secure or confidential messages. The encryption module binds the user identifier ID to the user's public key and encrypts data using the keyed block cipher DES. The system database records each user's sensitive information, shared keys and their expiry periods, and the security of this information is maintained by the database management module. The management server provides a network interface for reading from and writing to the application server, and the client can run on any machine on the network. The authentication server generates session keys for requesters and periodically obtains updated keys from the user program.
The authentication server uses a dial-in accounting protocol that carries authentication, authorization and configuration information between the dial-up server and the RADIUS server on which authentication information is centrally stored. The application interface has a built-in controlled port and uncontrolled port: the uncontrolled port is always in a two-way connected state and is used to pass EAP protocol packets, while the controlled port can be configured in two modes, bidirectionally controlled or input controlled, to suit different application environments. The client further includes a WEB server, through which registered users query their Internet access records via the WEB and through which the system administrator compiles statistics on and manages the billing of registered users.
The present invention also provides a method for implementing the authentication protocol design based on a public key cryptosystem, with the following specific steps:
S1: send an authentication request to the authenticator PAE, input the security parameter $k$, and initialize the system using the KGC algorithm. The KGC algorithm is: output $\langle G_1, G_2, e \rangle$, where $G_1$ and $G_2$ are two cyclic groups of order $q$ and $e: G_1 \times G_2 \to G_2$ is a bilinear map; select a random number and a generator $P \in G_1$ of $G_1$; compute $P_{pub} = sP$ and $g = e(P, P)$; select three cryptographic hash functions, and publish the system parameters params $= \langle G_1, G_2, e, q, g, P, P_{pub}, H_1, H_2, H_3 \rangle$. The message space is $M = \{0,1\}^*$, and the system master key master-key is
S2: receive the EAP request from the authenticator PAE and respond to it. After confirming the user's identity, the KGC takes as input the system parameters params, the master key master-key and a user's identity identifier $ID_A$, $ID_A \in \{0,1\}^*$, computes $q_A = H_1(ID_A) \in G_1$ and returns the user's partial private key $D_A = (s+q_A)^{-1}P \in G_1$, then sends $D_A$ to the user over a secure channel;
S3: input the user's secret value $x_A$, public key $R_A$ and partial private key $D_A$, calculate and $S_A = (x_A+y_A)^{-1}D_A \in G_1$, and return the user's private key $SK_A = S_A$;
S4: input the message plaintext $m \in M$, the signer's identity $ID_A$, the private key $S_A$ and the system parameters params, and perform certificateless signing. The signing algorithm operates as follows: select a random number; compute $U = g^r = e(P, P)^r$; set; compute $V = (r+h)S_A$; return $\sigma = (U, V)$ as signer A's signature on $m$;
S5: verify the input information. If verification passes, the authentication protocol is complete; if it does not, return to step S2 and verify again. During verification, compute $Q_A = (s+q_A)P = P_{pub} + H_1(ID_A)P$, $y_A = H_2(R_A)$ and $h = H_3(m, U)$, and check whether $e(V, R_A + y_A Q_A) = U g^h$ holds. If the equation holds, the verifier outputs 1; otherwise it outputs 0.
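The S1 to S5 flow above, carried through end to end as an added example (not code from the patent): it checks that $e(V, R_A + y_A Q_A) = U g^h$ holds for an honest signature and fails for an altered message, a different identity or a different public key. Assumptions, since the page does not specify them: the pairing is replaced by an insecure stand-in that stores every group element as its discrete logarithm, $s$ is drawn from $Z_q^*$, $R_A = x_A Q_A$, and the SHA-256 based `H` stands in for $H_1$, $H_2$ and $H_3$.

```python
import hashlib
import secrets

Q = 2**127 - 1  # toy prime group order q (constructed parameter)

# TOY MODEL, NOT SECURE: the G1 element aP is stored as the scalar a and the
# G2 element g^k as the exponent k, so e(aP, bP) = g^(ab) becomes a*b mod q,
# G1 addition and G2 multiplication become +, and G2 powering becomes *.
def pair(a, b):
    return a * b % Q

def H(tag, *parts):
    """Hash into Z_q^*; `tag` separates H1/H2/H3 (stand-ins, not from the page)."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)  # length-prefix each field
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1  # uniform in [1, q-1]

def setup():
    """S1 (KGC): master key s, generator P, Ppub = sP, g = e(P, P)."""
    s, P = rand_scalar(), 1
    return {"P": P, "Ppub": s * P % Q, "g": pair(P, P)}, s

def identity_point(params, identity):
    """Q_A = Ppub + H1(ID_A)P, computable by anyone from public values."""
    return (params["Ppub"] + H("H1", identity) * params["P"]) % Q

def partial_key(params, s, identity):
    """S2 (KGC): D_A = (s + q_A)^-1 P, sent to the user over a secure channel."""
    return pow(s + H("H1", identity), -1, Q) * params["P"] % Q

def user_keygen(params, identity, D_A):
    """S3 (user): secret x_A, public key R_A, full private key S_A."""
    x_A = rand_scalar()
    R_A = x_A * identity_point(params, identity) % Q  # assumption: R_A = x_A Q_A
    y_A = H("H2", R_A)
    S_A = pow(x_A + y_A, -1, Q) * D_A % Q
    return S_A, R_A

def sign(params, S_A, message):
    """S4: sigma = (U, V) with U = g^r, h = H3(m, U), V = (r + h) S_A."""
    r = rand_scalar()
    U = params["g"] * r % Q  # g^r written in the exponent
    h = H("H3", message, U)
    return U, (r + h) * S_A % Q

def verify(params, identity, R_A, message, sig):
    """S5: return 1 if e(V, R_A + y_A Q_A) == U * g^h, else 0."""
    U, V = sig
    y_A, h = H("H2", R_A), H("H3", message, U)
    lhs = pair(V, (R_A + y_A * identity_point(params, identity)) % Q)
    rhs = (U + params["g"] * h) % Q  # U * g^h written in the exponent
    return 1 if lhs == rhs else 0

def demo():
    """Run S1-S5 on constructed inputs, then three checks that must fail."""
    params, s = setup()
    ident, msg = "alice@example.test", b"constructed sample message"
    S_A, R_A = user_keygen(params, ident, partial_key(params, s, ident))
    sig = sign(params, S_A, msg)
    return {
        "valid": verify(params, ident, R_A, msg, sig),
        "altered_message": verify(params, ident, R_A, msg + b"!", sig),
        "wrong_identity": verify(params, "mallory@example.test", R_A, msg, sig),
        "swapped_public_key": verify(params, ident, rand_scalar(), msg, sig),
    }

if __name__ == "__main__":
    print(demo())
```

The verifier uses only `params`, the identity string and $R_A$, with no certificate on $R_A$, which is the property the description claims for the scheme.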
Although embodiments of the present invention have been shown and described, those of ordinary skill in the art will understand that various changes, modifications, substitutions and variations can be made to these embodiments without departing from the principles and spirit of the present invention; the scope of the present invention is defined by the appended claims.

Claims (8)

1. An authentication protocol design based on a public key cryptosystem, characterized in that it includes a client, an encryption module, a user program, an authentication server, a management server, an application server, an application interface, a system database and a database management module;
The client includes network equipment supporting the IEEE 802.1X protocol and a RADIUS server, and performs authentication control over the network access of Internet users; the application interface provides the application development interface between the client and the application server, which contains routines for creating or reading identity authentication requests and routines for creating secure or confidential messages; the encryption module binds the user identifier ID to the user's public key and encrypts data using the keyed block cipher DES; the system database records each user's sensitive information, shared keys and their expiry periods, and the security of this information is maintained by the database management module; the management server provides a network interface for reading from and writing to the application server, and the client can run on any machine on the network; the authentication server generates session keys for requesters and periodically obtains updated keys from the user program.
2. The authentication protocol design based on a public key cryptosystem according to claim 1, characterized in that the authentication server uses a dial-in accounting protocol that carries authentication, authorization and configuration information between the dial-up server and the RADIUS server on which authentication information is centrally stored.
3. The authentication protocol design based on a public key cryptosystem according to claim 1, characterized in that the application interface has a built-in controlled port and uncontrolled port, wherein the uncontrolled port is always in a two-way connected state and is used to pass EAP protocol packets, and the controlled port can be configured in two modes, bidirectionally controlled or input controlled, to suit different application environments.
4. The authentication protocol design based on a public key cryptosystem according to claim 1, characterized in that the client further includes a WEB server, through which registered users query their Internet access records via the WEB and through which the system administrator compiles statistics on and manages the billing of registered users.
5. A method for implementing an authentication protocol design based on a public key cryptosystem, characterized in that the specific steps of the implementation method are as follows:
S1: send an authentication request to the authenticator PAE, input the security parameter $k$, and initialize the system using the KGC algorithm;
S2: receive the EAP request from the authenticator PAE and respond to it. After confirming the user's identity, the KGC takes as input the system parameters params, the master key master-key and a user's identity identifier $ID_A$, $ID_A \in \{0,1\}^*$, computes $q_A = H_1(ID_A) \in G_1$ and returns the user's partial private key $D_A = (s+q_A)^{-1}P \in G_1$, then sends $D_A$ to the user over a secure channel;
S3: input the user's secret value $x_A$, public key $R_A$ and partial private key $D_A$, calculate and $S_A = (x_A+y_A)^{-1}D_A \in G_1$, and return the user's private key $SK_A = S_A$;
S4: input the message plaintext $m \in M$, the signer's identity $ID_A$, the private key $S_A$ and the system parameters params, and perform certificateless signing;
S5: verify the input information. If verification passes, the authentication protocol is complete; if it does not, return to step S2 and verify again.
6. The method for implementing an authentication protocol design based on a public key cryptosystem according to claim 5, characterized in that, in step S1, the KGC algorithm is: output $\langle G_1, G_2, e \rangle$, where $G_1$ and $G_2$ are two cyclic groups of order $q$ and $e: G_1 \times G_2 \to G_2$ is a bilinear map; select a random number and a generator $P \in G_1$ of $G_1$; compute $P_{pub} = sP$ and $g = e(P, P)$; select three cryptographic hash functions, and publish the system parameters params $= \langle G_1, G_2, e, q, g, P, P_{pub}, H_1, H_2, H_3 \rangle$. The message space is $M = \{0,1\}^*$, and the system master key master-key is
7. The method for implementing an authentication protocol design based on a public key cryptosystem according to claim 5, characterized in that, in step S4, the certificateless signing algorithm operates as follows: select a random number; compute $U = g^r = e(P, P)^r$; set; compute $V = (r+h)S_A$; return $\sigma = (U, V)$ as signer A's signature on $m$.
8. The method for implementing an authentication protocol design based on a public key cryptosystem according to claim 5, characterized in that, in step S5, during verification, compute $Q_A = (s+q_A)P = P_{pub} + H_1(ID_A)P$, $y_A = H_2(R_A)$ and $h = H_3(m, U)$, and check whether $e(V, R_A + y_A Q_A) = U g^h$ holds. If the equation holds, the verifier outputs 1; otherwise it outputs 0.
CN201810858536.5A 2018-07-31 2018-07-31 A kind of Authentication protocol design and its implementation based on common key cryptosystem Pending CN109104288A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810858536.5A CN109104288A (en) 2018-07-31 2018-07-31 A kind of Authentication protocol design and its implementation based on common key cryptosystem

Publications (1)

Publication Number Publication Date
CN109104288A true CN109104288A (en) 2018-12-28

Family

ID=64847968

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810858536.5A Pending CN109104288A (en) 2018-07-31 2018-07-31 A kind of Authentication protocol design and its implementation based on common key cryptosystem

Country Status (1)

Country Link
CN (1) CN109104288A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181228
