CN109194484A - A kind of cross-domain transmission method of token based on shared key - Google Patents

A kind of cross-domain transmission method of token based on shared key

Info

Publication number
CN109194484A
Authority
CN
China
Prior art keywords
key
algorithm
security parameter
visitor
interviewee
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810922170.3A
Other languages
Chinese (zh)
Inventor
王妍
毛锐
杨海天
袁学斌
刘烁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Information Engineering of CAS
Priority to CN201810922170.3A
Publication of CN109194484A
Legal status: Pending


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Lock And Its Accessories (AREA)

Abstract

In the cross-domain token transmission method based on a shared key provided by the invention, when two security domains perform cross-domain access, the interviewee (the accessed domain), before sending the target token to the visitor (the accessing domain), uses a preset algorithm to obtain a first shared key from a preconfigured security parameter, a randomly generated private key and the public key sent by the visitor; it encrypts the target token with the first shared key and sends the encrypted target token to the visitor. The visitor in turn uses the preset algorithm to obtain a second shared key from its preconfigured security parameter, its randomly generated private key and the public key sent by the interviewee, and decrypts the encrypted target token with the second shared key. The method effectively protects the first shared key and the second shared key, and hence the target token, so that a third party cannot use the target token to attack the interviewee.

Description

A kind of cross-domain transmission method of token based on shared key
Technical field
The present invention relates to the field of cross-domain access technology, and in particular to a cross-domain token transmission method based on a shared key.
Background technique
With the rapid development of network technology and the spread of enterprise informatization, enterprises deploy large numbers of application systems. To manage these systems conveniently, most enterprises administer them across multiple levels and multiple domains, which raises a series of cross-domain access problems.
In cross-domain access, identity authentication is the cornerstone and the basis of security. After a user passes identity authentication, the authentication service issues an identity token to the user, and the user can then perform cross-domain access while holding the identity token. However, the identity token is at risk of being hijacked by a third party while it crosses domains; once it has been hijacked, the third party can use the genuine identity token to launch attacks against application systems and the network, with serious consequences.
Protecting the token as it is transmitted between security domains is therefore particularly important.
Summary of the invention
To overcome the prior-art problem that token transmission between security domains is exposed to hijacking by a third party, leaving the security domains open to attack, the present invention provides a cross-domain token transmission method based on a shared key.
In one aspect, the present invention provides a cross-domain token transmission method based on a shared key, comprising:
receiving an identity authentication request sent by a visitor, authenticating the identity authentication request and, if authentication succeeds, generating a target token;
generating a random number from the system time as a first private key, and obtaining a first public key from the first private key and a preconfigured first security parameter using a preset first algorithm;
sending the first public key to the visitor, so that the visitor generates a random number from the system time as a second private key and obtains a second public key from the second private key and a preconfigured second security parameter using a preset second algorithm;
receiving the second public key sent by the visitor, obtaining a first shared key from the second public key, the first private key and the first security parameter using a preset third algorithm, encrypting the target token with the first shared key, and sending the encrypted target token to the visitor, so that the visitor obtains a second shared key from the first public key, the second private key and the second security parameter using a preset fourth algorithm and decrypts the encrypted target token with the second shared key;
wherein the first security parameter is identical to the second security parameter, the first algorithm is identical to the second algorithm, and the third algorithm is identical to the fourth algorithm.
Preferably, before obtaining the first public key from the first private key and the preconfigured first security parameter using the preset first algorithm, the method further comprises:
preconfiguring the first security parameter, and presetting the first algorithm and the third algorithm.
Preferably, the first security parameter and the second security parameter each comprise a prime, a primitive root of the prime and an additional parameter.
Preferably, the first algorithm and the second algorithm are:
key = g^R mod p;
where key is the public key, R is the private key, p is the prime and g is a primitive root of the prime p.
Preferably, the third algorithm and the fourth algorithm are:
share_key = key^R mod p + m;
where share_key is the shared key, key is the public key received from the other party, R is the party's own private key, p is the prime, g is a primitive root of the prime p and m is the additional parameter.
In another aspect, the present invention provides a cross-domain token transmission method based on a shared key, comprising:
sending an identity authentication request to an interviewee, so that the interviewee authenticates the identity authentication request, generates a target token after successful authentication, generates a random number from the system time as a first private key, and obtains a first public key from the first private key and a preconfigured first security parameter using a preset first algorithm;
receiving the first public key sent by the interviewee, generating a random number from the system time as a second private key, and obtaining a second public key from the second private key and a preconfigured second security parameter using a preset second algorithm;
sending the second public key to the interviewee, so that the interviewee obtains a first shared key from the second public key, the first private key and the first security parameter using a preset third algorithm and encrypts the target token with the first shared key;
receiving the encrypted target token sent by the interviewee, obtaining a second shared key from the first public key, the second private key and the second security parameter using a preset fourth algorithm, and decrypting the encrypted target token with the second shared key;
wherein the first security parameter is identical to the second security parameter, the first algorithm is identical to the second algorithm, and the third algorithm is identical to the fourth algorithm.
Preferably, before obtaining the second public key from the second private key and the preconfigured second security parameter using the preset second algorithm, the method further comprises:
preconfiguring the second security parameter, and presetting the second algorithm and the fourth algorithm.
Preferably, the first security parameter and the second security parameter each comprise a prime, a primitive root of the prime and an additional parameter.
In another aspect, the present invention provides an electronic device, comprising:
at least one processor; and
at least one memory communicatively connected to the processor, wherein:
the memory stores program instructions executable by the processor, and the processor invokes the program instructions to perform the interviewee-side method of the cross-domain token transmission method based on a shared key and any of its optional embodiments.
In another aspect, the present invention provides an electronic device, comprising:
at least one processor; and
at least one memory communicatively connected to the processor, wherein:
the memory stores program instructions executable by the processor, and the processor invokes the program instructions to perform the visitor-side method of the cross-domain token transmission method based on a shared key and any of its optional embodiments.
In the cross-domain token transmission method based on a shared key provided by the invention, when two security domains perform cross-domain access, the interviewee, before sending the target token to the visitor, uses a preset algorithm to obtain a first shared key from a preconfigured security parameter, a randomly generated private key and the public key sent by the visitor, encrypts the target token with the first shared key and sends the encrypted target token to the visitor; the visitor in turn uses the preset algorithm to obtain a second shared key from its preconfigured security parameter, its randomly generated private key and the public key sent by the interviewee, and decrypts the encrypted target token with the second shared key. Because the security parameters and algorithms preset at the interviewee and at the visitor correspond exactly, the first shared key and the second shared key are guaranteed to be identical. At the same time, each shared key is derived from the security parameter and algorithm preconfigured at its own side and from a private key generated at random, which effectively protects the first and second shared keys and hence the target token, so that a third party cannot use the target token to attack the interviewee.
Detailed description of the invention
Fig. 1 is an overall flow diagram of a cross-domain token transmission method based on a shared key according to an embodiment of the present invention;
Fig. 2 is an overall flow diagram of a cross-domain token transmission method based on a shared key according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an interviewee-side electronic device according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a visitor-side electronic device according to an embodiment of the present invention.
Specific embodiment
Specific embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the present invention and are not intended to limit its scope.
It should be noted that in cross-domain access the two security domains involved are respectively the visitor and the interviewee. When the visitor needs to access the interviewee across domains, the visitor sends an identity authentication request to the interviewee; the interviewee authenticates the request and, if authentication succeeds, issues a token to the visitor, i.e. the interviewee transmits the token to the visitor. To transmit the token securely, the present invention provides a cross-domain token transmission method based on a shared key.
This embodiment describes the cross-domain token transmission method based on a shared key of the invention with the interviewee as the executing party. Fig. 1 is an overall flow diagram of the method according to an embodiment of the present invention; as shown in Fig. 1, the method comprises:
S1: receiving the identity authentication request sent by the visitor, authenticating the identity authentication request and, if authentication succeeds, generating the target token;
Specifically, when the visitor needs to access the interviewee, the visitor first sends an identity authentication request to the interviewee. On receiving it, the interviewee authenticates the request and, if authentication succeeds, generates the identity token corresponding to the visitor as the target token. With this target token the visitor can access the interviewee.
S2: generating a random number from the system time as the first private key, and obtaining the first public key from the first private key and the preconfigured first security parameter using the preset first algorithm;
Specifically, after generating the target token the interviewee must send it to the visitor. To transmit the target token securely, in this embodiment the interviewee encrypts the target token before sending it to the visitor.
First, the interviewee generates a random number from the system time and uses it as the first private key. On this basis, the interviewee computes the first public key from the first private key and the preconfigured first security parameter using the preset first algorithm.
S3: sending the first public key to the visitor, so that the visitor generates a random number from the system time as the second private key and obtains the second public key from the second private key and the preconfigured second security parameter using the preset second algorithm;
Specifically, after computing the first public key the interviewee sends it to the visitor. On receiving the first public key sent by the interviewee, the visitor can tell that the interviewee intends to exchange public keys. The visitor then generates a random number from the system time as the second private key and uses the preset second algorithm to obtain the second public key from the second private key and the preconfigured second security parameter. After computing the second public key, the visitor sends it to the interviewee.
S4: receiving the second public key sent by the visitor, obtaining the first shared key from the second public key, the first private key and the first security parameter using the preset third algorithm, encrypting the target token with the first shared key, and sending the encrypted target token to the visitor, so that the visitor obtains the second shared key from the first public key, the second private key and the second security parameter using the preset fourth algorithm and decrypts the encrypted target token with the second shared key;
where the first security parameter and the second security parameter are identical, the first algorithm and the second algorithm are identical, and the third algorithm and the fourth algorithm are identical.
Specifically, the interviewee receives the second public key sent by the visitor and computes the first shared key from the second public key, the first private key and the first security parameter using the preset third algorithm. Having computed the first shared key, the interviewee encrypts the target token with it and sends the encrypted target token to the visitor.
On receiving the encrypted target token from the interviewee, the visitor, in order to decrypt it, uses the preset fourth algorithm to obtain the second shared key from the first public key, the second private key and the second security parameter, and finally decrypts the encrypted target token with the second shared key. The visitor can then access the interviewee with the decrypted target token.
It should be noted that the first security parameter, the first algorithm and the third algorithm in the above steps are preset at the interviewee side, while the second security parameter, the second algorithm and the fourth algorithm are preset at the visitor side. Moreover, in this embodiment the first and second security parameters are identical, the first and second algorithms are identical, and the third and fourth algorithms are identical, which guarantees that the first shared key generated at the interviewee side equals the second shared key generated at the visitor side. Given that the two shared keys are identical, when the interviewee encrypts the target token with the first shared key and transmits it to the visitor, the visitor can decrypt the encrypted target token with the second shared key, which equals the first.
It will be understood that in this embodiment the interviewee side computes the first shared key with the third algorithm from the second public key, the first private key and the first security parameter, and the second public key is in turn obtained at the visitor side with the second algorithm from the second private key and the second security parameter. The first shared key therefore depends on the first and second security parameters, the first and second private keys, and the second and third algorithms. In other words, at the interviewee side the first shared key depends on its own preconfigured first security parameter, the third algorithm and the randomly generated first private key, none of which is transmitted outside the interviewee, so a third party cannot obtain the first security parameter, the third algorithm or the first private key and therefore cannot compute the first shared key. This effectively protects the first shared key. By the same reasoning, the second shared key is protected as well.
On this basis, after the interviewee encrypts the target token with the first shared key and transmits it to the visitor, even if a third party intercepts the encrypted target token it cannot obtain the first or second shared key and therefore cannot decrypt the target token. This effectively protects the target token and prevents a third party from using it to attack the interviewee.
To summarize the method of this embodiment: before sending the target token, the interviewee uses the preset algorithm to derive the first shared key from its preconfigured security parameter, its randomly generated private key and the visitor's public key, encrypts the target token with it and sends the ciphertext; the visitor derives the second shared key in the same way from its own security parameter, its own private key and the interviewee's public key, and decrypts the token. Because the security parameters and algorithms at the two sides correspond exactly, the two shared keys are identical, and because each shared key depends on a private key generated locally at random, the shared keys and hence the target token are protected, so that a third party cannot use the target token to attack the interviewee.
Based on any of the above embodiments, a cross-domain token transmission method based on a shared key is provided in which, before obtaining the first public key from the first private key and the preconfigured first security parameter using the preset first algorithm, the method further comprises: preconfiguring the first security parameter, and presetting the first algorithm and the third algorithm.
Specifically, in this embodiment, before the interviewee obtains the first public key from the first private key and the preconfigured first security parameter using the preset first algorithm, the first security parameter must be preconfigured and the first algorithm and the third algorithm preset. Correspondingly, the visitor side must preconfigure the second security parameter and preset the second algorithm and the fourth algorithm, where the first and second security parameters are identical, the first and second algorithms are identical, and the third and fourth algorithms are identical.
In the method provided by the invention, before transmitting the target token, the interviewee and the visitor each preconfigure identical security parameters and algorithms at their own side, which effectively guarantees that the first shared key generated by the interviewee and the second shared key generated by the visitor are identical.
Based on any of the above embodiments, a cross-domain token transmission method based on a shared key is provided in which the first security parameter and the second security parameter each comprise a prime, a primitive root of the prime and an additional parameter.
Specifically, in this embodiment the first security parameter preconfigured at the interviewee and the second security parameter preconfigured at the visitor are identical, and each consists of three parameters. One of them is a prime, whose value should be large; this prime is the cornerstone of secure transmission between the interviewee and the visitor. The prime is negotiated and agreed between the interviewee and the visitor, and its specific value can be configured according to actual needs and is not limited here. Once the prime has been determined, a primitive root of the prime serves as the second parameter, and an additional parameter must also be determined. That is, the first and second security parameters each comprise three parameters: the prime, a primitive root of the prime and the additional parameter.
In the method provided by the invention, the first and second security parameters comprise a prime, a primitive root of the prime and an additional parameter; by preconfiguring identical security parameters at the interviewee side and the visitor side in advance, the first shared key generated by the interviewee and the second shared key generated by the visitor are guaranteed to be identical.
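The checks below are an added example (editor's code, not part of the patent) of what each side can verify about its preconfigured security parameter before the exchange runs: that p is prime, that g is a primitive root of p, and that a public key received from the other side lies in the usable range. The function names and the range check on received public keys are the editor's assumptions; trial division is used because the text's example works with a small prime.

```python
"""Added example: validating the (p, g, m) security parameter of
CN109194484A before use. Editor's code; the checks and names are assumptions
and are written for demonstration-sized values such as p = 97."""


def is_prime(n):
    """Deterministic trial division; adequate for demonstration-sized p."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def distinct_prime_factors(n):
    """Distinct prime factors of n, e.g. 96 -> [2, 3]."""
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_primitive_root(g, p):
    """g is a primitive root of prime p iff g^((p-1)/q) != 1 (mod p) for every
    prime q dividing p-1; only then does g^R mod p range over all non-zero
    residues, which is what the first/second algorithm relies on."""
    if not is_prime(p) or not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in distinct_prime_factors(p - 1))


def is_valid_public_key(key, p):
    """Range check for a public key received from the other side (editor's
    addition): values outside 2..p-2 cannot come from g^R mod p with a
    primitive root g and a private key R in 1..p-2, so they are rejected."""
    return 1 < key < p - 1


def validate_security_parameters(p, g, m):
    """Return a list of problems; an empty list means (p, g, m) is usable as the
    first/second security parameter of the method."""
    problems = []
    if not is_prime(p):
        problems.append("p is not prime")
    elif not is_primitive_root(g, p):
        problems.append("g is not a primitive root of p")
    if not isinstance(m, int) or m < 0:
        problems.append("additional parameter m must be a non-negative integer")
    return problems


if __name__ == "__main__":
    # The patent's worked example uses p = 97, g = 5, m = 10.
    print("(97, 5, 10):", validate_security_parameters(97, 5, 10) or "ok")
    print("(97, 2, 10):", validate_security_parameters(97, 2, 10))
    print("(91, 5, 10):", validate_security_parameters(91, 5, 10))
```

For the patent's own values the checks pass; swapping g = 5 for g = 2 is rejected because 2 is a quadratic residue modulo 97 and therefore generates only half of the group.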
Based on any of the above embodiments, a cross-domain token transmission method based on a shared key is provided in which the first algorithm and the second algorithm are:
key = g^R mod p;
where key is the public key, R is the private key, p is the prime and g is a primitive root of the prime p.
Specifically, in this embodiment the interviewee and the visitor each preset the first algorithm and the second algorithm respectively, and the first algorithm and the second algorithm are identical. The first algorithm and the second algorithm are:
key = g^R mod p;
where key is the public key, R is the private key, p is the prime and g is a primitive root of the prime p.
It follows from the above algorithm that, for the interviewee, the first public key is determined by the first private key together with the prime and the primitive root of the prime in the first security parameter; for the visitor, the second public key is determined by the second private key together with the prime and the primitive root of the prime in the second security parameter.
Based on any of the above embodiments, a cross-domain token transmission method based on a shared key is provided in which the third algorithm and the fourth algorithm are:
share_key = key^R mod p + m;
where share_key is the shared key, key is the public key received from the other party, R is the party's own private key, p is the prime, g is a primitive root of the prime p and m is the additional parameter.
Specifically, in this embodiment the interviewee and the visitor each preset the third algorithm and the fourth algorithm respectively, and the third algorithm and the fourth algorithm are identical. The third algorithm and the fourth algorithm are:
share_key = key^R mod p + m;
where share_key is the shared key, key is the public key received from the other party, R is the party's own private key, p is the prime, g is a primitive root of the prime p and m is the additional parameter.
It follows from the above algorithm that, for the interviewee, the first shared key is determined by the second public key, the first private key and all parameters in the first security parameter; for the visitor, the second shared key is determined by the first public key, the second private key and all parameters in the second security parameter.
To make the computation of the first shared key and the second shared key in the above method embodiments easier to follow, the following example is given:
Assume that the prime p in the first security parameter and the second security parameter configured at the interviewee and the visitor is 97, the primitive root g of the prime is 5, and the additional parameter is 10. Assume further that the first private key randomly generated at the interviewee side is 36 and the second private key is 58.
On this basis, the interviewee side computes the first public key key_a = 5^36 mod 97 = 50, and the visitor side computes the second public key key_b = 5^58 mod 97 = 44.
Further, the interviewee side computes the first shared key share_key_1 = 44^36 mod 97 + 10 = 75 + 10 = 85, and the visitor side computes the second shared key share_key_2 = 50^58 mod 97 + 10 = 75 + 10 = 85.
It can be seen that the first shared key and the second shared key finally computed at the interviewee side and the visitor side are identical. On this basis, the interviewee encrypts the target token with the first shared key and sends the encrypted target token to the visitor, and the visitor can decrypt the encrypted target token with the second shared key, which equals the first shared key.
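The exchange of steps S1 to S4, the first to fourth algorithms and the numeric example above, as one runnable model (an added example, not code from the patent). It computes the public keys with key = g^R mod p and the shared keys with share_key = key^R mod p + m using the page's values p = 97, g = 5, m = 10, a = 36 and b = 58, and carries the result through to encrypting and decrypting a token. The patent does not specify the cipher that the shared key drives, so the HMAC-SHA256 keystream with an authentication tag is this example's assumption, as are the function names and the use of the `secrets` module for fresh private keys when none are passed in (the text derives them from the system time). The secrecy argument in the text rests on each side's private exponent being unpredictable to outsiders, which is why the example draws it from a CSPRNG by default.

```python
"""Added example: the shared-key token exchange of CN109194484A as a runnable
model. Editor's code; the token cipher and function names are assumptions."""
import hashlib
import hmac
import secrets

# Security parameters from the patent's worked example: prime p, primitive
# root g of p, and additional parameter m. Both sides hold the same values.
P, G, M = 97, 5, 10


def random_private_key(p=P):
    """Fresh private exponent in [1, p-2]. The patent derives it from the
    system time; this example uses a CSPRNG instead (editor's choice)."""
    return secrets.randbelow(p - 2) + 1


def public_key(private_key, p=P, g=G):
    """First/second algorithm: key = g^R mod p."""
    return pow(g, private_key, p)


def shared_key(peer_public_key, private_key, p=P, m=M):
    """Third/fourth algorithm: share_key = key^R mod p + m."""
    return pow(peer_public_key, private_key, p) + m


def _cipher_key(shared):
    # Hash the integer shared key into a 32-byte symmetric key (assumption:
    # the patent does not say how the shared key feeds the token cipher).
    width = max(1, (shared.bit_length() + 7) // 8)
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; one 32-byte block per counter value.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_token(shared, token):
    """Wire format nonce || ciphertext || tag; the tag binds nonce and ciphertext."""
    key = _cipher_key(shared)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(token, _keystream(key, nonce, len(token))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_token(shared, blob):
    """Return the token, or None if the tag does not verify under this key."""
    key = _cipher_key(shared)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def run_exchange(token, first_private_key=None, second_private_key=None):
    """Steps S2-S4 with the message each side sends; the visitor's identity
    request (S1) is assumed to have been authenticated and the token generated."""
    a = first_private_key if first_private_key is not None else random_private_key()
    b = second_private_key if second_private_key is not None else random_private_key()

    # S2, interviewee: first private key -> first public key, sent to the visitor.
    first_public = public_key(a)
    # S3, visitor: second private key -> second public key, sent back.
    second_public = public_key(b)
    # S4, interviewee: first shared key from the visitor's public key,
    # encrypt the token, send the ciphertext.
    first_shared = shared_key(second_public, a)
    wire = encrypt_token(first_shared, token)
    # Visitor: second shared key from the interviewee's public key, decrypt.
    second_shared = shared_key(first_public, b)
    recovered = decrypt_token(second_shared, wire)

    return {
        "first_public_key": first_public,
        "second_public_key": second_public,
        "first_shared_key": first_shared,
        "second_shared_key": second_shared,
        "token": recovered,
    }


if __name__ == "__main__":
    # The patent's numbers: a = 36, b = 58 give public keys 50 and 44 and
    # shared key 85 on both sides.
    print(run_exchange(b"identity-token-for-visitor", 36, 58))
```

With the patent's private keys the dictionary reports public keys 50 and 44 and shared key 85 on both sides, and the visitor recovers the token byte for byte; a ciphertext decrypted under any other shared key fails the tag check and yields None instead of garbage.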
This embodiment describes the cross-domain token transmission method based on a shared key of the present invention with the visitor as the executing subject. Fig. 2 is an overall flow diagram of a cross-domain token transmission method based on a shared key according to an embodiment of the present invention. As shown in Fig. 2, the present invention provides a cross-domain token transmission method based on a shared key, comprising:
S1: send an identity authentication request to the interviewee, so that the interviewee authenticates the identity authentication request, generates a target token after successful authentication, generates a random number according to the system time as the first private key, and obtains a first public key from the first private key and a preconfigured first security parameter using a preset first algorithm;
Specifically, when the visitor needs to access the interviewee, the visitor first sends an identity authentication request to the interviewee. After the interviewee receives the identity authentication request sent by the visitor, it authenticates the request; if authentication succeeds, it generates an identity token corresponding to the visitor, namely the target token. With this target token the visitor can access the interviewee.
After generating the target token, the interviewee needs to send it to the visitor. To ensure that the target token is transmitted securely, in this embodiment the interviewee encrypts the target token before sending it to the visitor. Specifically, the interviewee generates a random number according to the system time and uses it as the first private key. On this basis, the interviewee calculates the first public key from the first private key and the preconfigured first security parameter using the preset first algorithm.
S2: receive the first public key sent by the interviewee, generate a random number according to the system time as the second private key, and obtain a second public key from the second private key and a preconfigured second security parameter using a preset second algorithm;
Specifically, after calculating the first public key, the interviewee sends it to the visitor. Once the visitor receives the first public key sent by the interviewee, it can determine that the interviewee intends to exchange public keys. On this basis, the visitor generates a random number according to the system time, uses it as the second private key, and then obtains the second public key from the second private key and the preconfigured second security parameter using the preset second algorithm.
S3: send the second public key to the interviewee, so that the interviewee obtains a first shared key from the second public key, the first private key and the first security parameter using a preset third algorithm, and encrypts the target token with the first shared key;
Specifically, after calculating the second public key, the visitor sends it to the interviewee. The interviewee receives the second public key sent by the visitor and calculates the first shared key from the second public key, the first private key and the first security parameter using the preset third algorithm. After obtaining the first shared key, the interviewee encrypts the target token with it and sends the encrypted target token to the visitor.
S4: receive the encrypted target token sent by the interviewee, obtain a second shared key from the first public key, the second private key and the second security parameter using a preset fourth algorithm, and decrypt the encrypted target token with the second shared key;
wherein the first security parameter and the second security parameter are identical, the first algorithm and the second algorithm are identical, and the third algorithm and the fourth algorithm are identical.
Specifically, after receiving the encrypted target token sent by the interviewee, the visitor obtains the second shared key from the first public key, the second private key and the second security parameter using the preset fourth algorithm, and then decrypts the encrypted target token with the second shared key. The visitor can then access the interviewee with the decrypted target token.
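The S1-S4 exchange above, carried through with the page's own numbers (p = 97, g = 5, m = 10, private keys 36 and 58) as an added example that is not the patent's code: it validates the (p, g, m) security parameter, derives both public keys and both shared keys, and encrypts the token. The private-key source (`secrets`), the HMAC-SHA256 keystream used as the token cipher and the per-message nonce are assumptions of this example, since the page specifies neither a cipher nor a random number generator beyond the system time.

```python
"""Added example, not the patent's own code: the S1-S4 exchange with the
page's toy parameters (p=97, g=5, m=10, private keys 36 and 58) and a
constructed token cipher standing in for the one the page leaves unspecified."""
import hashlib
import hmac
import secrets


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used on this page."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def is_primitive_root(g: int, p: int) -> bool:
    """g is a primitive root mod p iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    phi, n, q, factors = p - 1, p - 1, 2, set()
    while q * q <= n:
        while n % q == 0:
            factors.add(q)
            n //= q
        q += 1
    if n > 1:
        factors.add(n)
    return 1 < g < p and all(pow(g, phi // q, p) != 1 for q in factors)


def check_security_parameter(p: int, g: int, m: int) -> None:
    """Validate the (p, g, m) triple that both ends must share before use."""
    if not is_prime(p):
        raise ValueError("p must be prime")
    if not is_primitive_root(g, p):
        raise ValueError("g must be a primitive root of p")
    if m < 0:
        raise ValueError("m must be a non-negative integer")


def public_key(r: int, p: int, g: int) -> int:
    """First/second algorithm of the page: key = g^R mod p."""
    return pow(g, r, p)


def shared_key(peer_key: int, r: int, p: int, m: int) -> int:
    """Third/fourth algorithm of the page: share_key = key^R mod p + m."""
    return pow(peer_key, r, p) + m


def new_private_key(p: int) -> int:
    """Private key in [1, p-2], drawn from a CSPRNG (an assumption of this
    example) instead of the system-time value the page describes."""
    return 1 + secrets.randbelow(p - 2)


def keystream_xor(share_key_value: int, nonce: bytes, data: bytes) -> bytes:
    """Constructed stand-in cipher: HMAC-SHA256 counter keystream keyed by
    the shared key, XORed over the token. The same call encrypts and decrypts."""
    key = hashlib.sha256(str(share_key_value).encode()).digest()
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_exchange(p=97, g=5, m=10, r_a=None, r_b=None, token=b"token-for-visitor"):
    """Run S1-S4 end to end. A is the interviewee (holds the token), B the visitor.
    Returns the public keys, both shared keys, the ciphertext and the decrypted token."""
    check_security_parameter(p, g, m)
    r_a = new_private_key(p) if r_a is None else r_a   # S1: first private key
    key_a = public_key(r_a, p, g)                       # first public key, sent to B
    r_b = new_private_key(p) if r_b is None else r_b   # S2: second private key
    key_b = public_key(r_b, p, g)                       # second public key, sent to A
    share_a = shared_key(key_b, r_a, p, m)             # S3: first shared key at A
    nonce = secrets.token_bytes(16)                     # fresh per message, sent alongside
    ciphertext = keystream_xor(share_a, nonce, token)  # encrypted token, sent to B
    share_b = shared_key(key_a, r_b, p, m)             # S4: second shared key at B
    plaintext = keystream_xor(share_b, nonce, ciphertext)
    return {"key_a": key_a, "key_b": key_b, "share_a": share_a,
            "share_b": share_b, "ciphertext": ciphertext, "plaintext": plaintext}


if __name__ == "__main__":
    print(run_exchange(r_a=36, r_b=58))
```

With the page's private keys the result reproduces keya = 50, keyb = 44 and share_key = 85 on both ends; calling `run_exchange()` without them draws fresh private keys.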
It should be noted that the first security parameter, the first algorithm and the third algorithm in the above method steps are preset at the interviewee end, and the second security parameter, the second algorithm and the fourth algorithm are preset at the visitor end. In addition, in this embodiment the first and second security parameters are identical, the first and second algorithms are identical, and the third and fourth algorithms are identical, which ensures that the first shared key generated at the interviewee end and the second shared key generated at the visitor end are identical. Given that the two shared keys are identical, when the interviewee encrypts the target token with the first shared key and transmits it to the visitor, the visitor can decrypt the encrypted target token with the second shared key, which is identical to the first.
It will be understood that in this embodiment the first shared key is calculated at the interviewee end from the second public key, the first private key and the first security parameter using the third algorithm, and the second public key is in turn obtained at the visitor end from the second private key and the second security parameter using the second algorithm. It can be seen that generating the first shared key depends on the first and second security parameters, the first and second private keys, and the second and third algorithms. That is, at the interviewee end, obtaining the first shared key depends on its own preconfigured first security parameter, the third algorithm and the randomly generated first private key, and none of these is transmitted outside the interviewee, so a third party cannot obtain the first security parameter, the third algorithm or the first private key and therefore cannot calculate the first shared key. This effectively ensures the security of the first shared key; likewise, the security of the second shared key is effectively ensured.
On this basis, after the interviewee encrypts the target token with the first shared key and transmits it to the visitor, even if a third party intercepts the encrypted target token, it cannot decrypt the target token because it cannot obtain the first or second shared key. This effectively ensures the security of the target token and thus prevents a third party from using the target token to attack the interviewee.
In the cross-domain token transmission method based on a shared key provided by the invention, when two security domains perform cross-domain access, the interviewee, before sending the target token to the visitor, obtains a first shared key from a preconfigured security parameter, a randomly generated private key and the public key sent by the visitor using a preset algorithm, encrypts the target token with the first shared key and sends the encrypted target token to the visitor; the visitor in turn obtains a second shared key from its preconfigured security parameter, its randomly generated private key and the public key sent by the interviewee using a preset algorithm, and decrypts the encrypted target token with the second shared key. In this method the security parameters and algorithms preset at the interviewee and at the visitor correspond and are identical, which ensures that the first and second shared keys generated are identical; at the same time, generating the first and second shared keys depends on the security parameters and algorithms preconfigured at the interviewee and visitor respectively and on randomly generated private keys, which ensures the security of the first and second shared keys and thus of the target token, so that a third party is prevented from using the target token to attack the interviewee.
Based on any of the above embodiments, a cross-domain token transmission method based on a shared key is provided in which, before obtaining the second public key from the second private key and the preconfigured second security parameter using the preset second algorithm, the method further comprises: preconfiguring the second security parameter, and presetting the second algorithm and the fourth algorithm.
Specifically, in this embodiment, before the visitor obtains the second public key from the second private key and the preconfigured second security parameter using the preset second algorithm, it must preconfigure the second security parameter and preset the second and fourth algorithms. Correspondingly, the interviewee end must preconfigure the first security parameter and preset the first and third algorithms. The first and second security parameters are identical, the first and second algorithms are identical, and the third and fourth algorithms are identical.
In the cross-domain token transmission method based on a shared key provided by the invention, before transmitting the target token the interviewee end and the visitor end must each be preconfigured in advance with identical security parameters and algorithms, which ensures that the first shared key generated by the interviewee and the second shared key generated by the visitor are identical.
Based on any of the above embodiments, a cross-domain token transmission method based on a shared key is provided in which the first security parameter and the second security parameter each comprise a prime number, a primitive root of the prime number and an additional parameter.
Specifically, in this embodiment, the first security parameter preconfigured at the interviewee and the second security parameter preconfigured at the visitor are identical, and each comprises three parameters. One parameter is a prime number, whose value is generally large; this prime is the cornerstone of secure transmission between the interviewee and the visitor. The prime must be negotiated and agreed between the interviewee and the visitor; its specific value can be configured according to actual needs and is not limited here. Once the prime is determined, a primitive root of the prime can be used as another parameter, and an additional parameter must also be determined. That is, the first and second security parameters each comprise three parameters: the prime, a primitive root of the prime and the additional parameter.
In the cross-domain token transmission method based on a shared key provided by the invention, the first and second security parameters comprise a prime number, a primitive root of the prime number and an additional parameter; by preconfiguring identical security parameters at the interviewee end and the visitor end in advance, it is ensured that the first shared key generated by the interviewee and the second shared key generated by the visitor are identical.
Fig. 3 shows a structural block diagram of an interviewee-end electronic device according to an embodiment of the present invention. Referring to Fig. 3, the electronic device comprises a processor 31, a memory 32 and a bus 33, where the processor 31 and the memory 32 communicate with each other through the bus 33, and the processor 31 calls program instructions in the memory 32 to execute the method provided by the above interviewee-end method embodiment, for example: receiving an identity authentication request sent by the visitor, authenticating the identity authentication request and, if authentication succeeds, generating a target token; generating a random number according to the system time as a first private key, and obtaining a first public key from the first private key and a preconfigured first security parameter using a preset first algorithm; sending the first public key to the visitor, so that the visitor generates a random number according to the system time as a second private key and obtains a second public key from the second private key and a preconfigured second security parameter using a preset second algorithm; receiving the second public key sent by the visitor, obtaining a first shared key from the second public key, the first private key and the first security parameter using a preset third algorithm, encrypting the target token with the first shared key and sending the encrypted target token to the visitor, so that the visitor obtains a second shared key from the first public key, the second private key and the second security parameter using a preset fourth algorithm and decrypts the encrypted target token with the second shared key.
Fig. 4 shows a structural block diagram of a visitor-end electronic device according to an embodiment of the present invention. Referring to Fig. 4, the electronic device comprises a processor 41, a memory 42 and a bus 43, where the processor 41 and the memory 42 communicate with each other through the bus 43, and the processor 41 calls program instructions in the memory 42 to execute the method provided by the above visitor-end method embodiment, for example: sending an identity authentication request to the interviewee, so that the interviewee authenticates the identity authentication request, generates a target token after successful authentication, generates a random number according to the system time as a first private key, and obtains a first public key from the first private key and a preconfigured first security parameter using a preset first algorithm; receiving the first public key sent by the interviewee, generating a random number according to the system time as a second private key, and obtaining a second public key from the second private key and a preconfigured second security parameter using a preset second algorithm; sending the second public key to the interviewee, so that the interviewee obtains a first shared key from the second public key, the first private key and the first security parameter using a preset third algorithm and encrypts the target token with the first shared key; receiving the encrypted target token sent by the interviewee, obtaining a second shared key from the first public key, the second private key and the second security parameter using a preset fourth algorithm, and decrypting the encrypted target token with the second shared key.
This embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions which, when executed by a computer, enable the computer to execute the method provided by the above interviewee-end method embodiment, for example: receiving an identity authentication request sent by the visitor, authenticating the identity authentication request and, if authentication succeeds, generating a target token; generating a random number according to the system time as a first private key, and obtaining a first public key from the first private key and a preconfigured first security parameter using a preset first algorithm; sending the first public key to the visitor, so that the visitor generates a random number according to the system time as a second private key and obtains a second public key from the second private key and a preconfigured second security parameter using a preset second algorithm; receiving the second public key sent by the visitor, obtaining a first shared key from the second public key, the first private key and the first security parameter using a preset third algorithm, encrypting the target token with the first shared key and sending the encrypted target token to the visitor, so that the visitor obtains a second shared key from the first public key, the second private key and the second security parameter using a preset fourth algorithm and decrypts the encrypted target token with the second shared key.
This embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program including program instructions which, when executed by a computer, enable the computer to execute the method provided by the above visitor-end method embodiment, for example: sending an identity authentication request to the interviewee, so that the interviewee authenticates the identity authentication request, generates a target token after successful authentication, generates a random number according to the system time as a first private key, and obtains a first public key from the first private key and a preconfigured first security parameter using a preset first algorithm; receiving the first public key sent by the interviewee, generating a random number according to the system time as a second private key, and obtaining a second public key from the second private key and a preconfigured second security parameter using a preset second algorithm; sending the second public key to the interviewee, so that the interviewee obtains a first shared key from the second public key, the first private key and the first security parameter using a preset third algorithm and encrypts the target token with the first shared key; receiving the encrypted target token sent by the interviewee, obtaining a second shared key from the first public key, the second private key and the second security parameter using a preset fourth algorithm, and decrypting the encrypted target token with the second shared key.
This embodiment provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to execute the method provided by the above interviewee-end method embodiment, for example: receiving an identity authentication request sent by the visitor, authenticating the identity authentication request and, if authentication succeeds, generating a target token; generating a random number according to the system time as a first private key, and obtaining a first public key from the first private key and a preconfigured first security parameter using a preset first algorithm; sending the first public key to the visitor, so that the visitor generates a random number according to the system time as a second private key and obtains a second public key from the second private key and a preconfigured second security parameter using a preset second algorithm; receiving the second public key sent by the visitor, obtaining a first shared key from the second public key, the first private key and the first security parameter using a preset third algorithm, encrypting the target token with the first shared key and sending the encrypted target token to the visitor, so that the visitor obtains a second shared key from the first public key, the second private key and the second security parameter using a preset fourth algorithm and decrypts the encrypted target token with the second shared key.
This embodiment provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to execute the method provided by the above visitor-end method embodiment, for example: sending an identity authentication request to the interviewee, so that the interviewee authenticates the identity authentication request, generates a target token after successful authentication, generates a random number according to the system time as a first private key, and obtains a first public key from the first private key and a preconfigured first security parameter using a preset first algorithm; receiving the first public key sent by the interviewee, generating a random number according to the system time as a second private key, and obtaining a second public key from the second private key and a preconfigured second security parameter using a preset second algorithm; sending the second public key to the interviewee, so that the interviewee obtains a first shared key from the second public key, the first private key and the first security parameter using a preset third algorithm and encrypts the target token with the first shared key; receiving the encrypted target token sent by the interviewee, obtaining a second shared key from the first public key, the second private key and the second security parameter using a preset fourth algorithm, and decrypting the encrypted target token with the second shared key.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by program instructions controlling the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; the storage medium includes various media that can store program code, such as ROM, RAM, a magnetic disk or an optical disk.
The embodiments of the electronic device described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general-purpose hardware platform, or of course by hardware. Based on this understanding, the above technical solution, or the part of it that contributes over the prior art, can be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in each embodiment or in certain parts of the embodiments.
Finally, the above embodiments are only preferred embodiments and are not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (10)

1. A cross-domain token transmission method based on a shared key, characterized by comprising:
receiving an identity authentication request sent by a visitor, authenticating the identity authentication request and, if authentication succeeds, generating a target token;
generating a random number according to the system time as a first private key, and obtaining a first public key from the first private key and a preconfigured first security parameter using a preset first algorithm;
sending the first public key to the visitor, so that the visitor generates a random number according to the system time as a second private key and obtains a second public key from the second private key and a preconfigured second security parameter using a preset second algorithm;
receiving the second public key sent by the visitor, obtaining a first shared key from the second public key, the first private key and the first security parameter using a preset third algorithm, encrypting the target token with the first shared key, and sending the encrypted target token to the visitor, so that the visitor obtains a second shared key from the first public key, the second private key and the second security parameter using a preset fourth algorithm and decrypts the encrypted target token with the second shared key;
wherein the first security parameter and the second security parameter are identical, the first algorithm and the second algorithm are identical, and the third algorithm and the fourth algorithm are identical.
2. The method according to claim 1, characterized in that, before obtaining the first public key from the first private key and the preconfigured first security parameter using the preset first algorithm, the method further comprises:
preconfiguring the first security parameter, and presetting the first algorithm and the third algorithm.
3. The method according to claim 1, characterized in that the first security parameter and the second security parameter comprise a prime number, a primitive root of the prime number and an additional parameter.
4. The method according to claim 3, characterized in that the first algorithm and the second algorithm are as follows:
key = g^R mod p;
where key is the public key, R is the private key, p is the prime number and g is the primitive root of the prime p.
5. The method according to claim 3, characterized in that the third algorithm and the fourth algorithm are as follows:
share_key = key^R mod p + m;
where share_key is the shared key, key is the public key, R is the private key, p is the prime number, g is the primitive root of the prime p and m is the additional parameter.
6. A cross-domain token transmission method based on a shared key, characterized by comprising:
sending an identity authentication request to an interviewee, so that the interviewee authenticates the identity authentication request, generates a target token after successful authentication, generates a random number according to the system time as a first private key, and obtains a first public key from the first private key and a preconfigured first security parameter using a preset first algorithm;
receiving the first public key sent by the interviewee, generating a random number according to the system time as a second private key, and obtaining a second public key from the second private key and a preconfigured second security parameter using a preset second algorithm;
sending the second public key to the interviewee, so that the interviewee obtains a first shared key from the second public key, the first private key and the first security parameter using a preset third algorithm and encrypts the target token with the first shared key;
receiving the encrypted target token sent by the interviewee, obtaining a second shared key from the first public key, the second private key and the second security parameter using a preset fourth algorithm, and decrypting the encrypted target token with the second shared key;
wherein the first security parameter and the second security parameter are identical, the first algorithm and the second algorithm are identical, and the third algorithm and the fourth algorithm are identical.
7. The method according to claim 6, characterized in that, before obtaining the second public key from the second private key and the preconfigured second security parameter using the preset second algorithm, the method further comprises:
preconfiguring the second security parameter, and presetting the second algorithm and the fourth algorithm.
8. The method according to claim 6, characterized in that the first security parameter and the second security parameter comprise a prime number, a primitive root of the prime number and an additional parameter.
9. An electronic device, characterized by comprising:
at least one processor; and
at least one memory communicatively connected to the processor, wherein:
the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the method according to any one of claims 1 to 5.
10. An electronic device, characterized by comprising:
at least one processor; and
at least one memory communicatively connected to the processor, wherein:
the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the method according to any one of claims 6 to 8.
CN201810922170.3A 2018-08-14 2018-08-14 A kind of cross-domain transmission method of token based on shared key Pending CN109194484A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810922170.3A CN109194484A (en) 2018-08-14 2018-08-14 A kind of cross-domain transmission method of token based on shared key

Publications (1)

Publication Number Publication Date
CN109194484A true CN109194484A (en) 2019-01-11

Family

ID=64921442

Country Status (1)

Country Link
CN (1) CN109194484A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1477810A (en) * 2003-06-12 2004-02-25 上海格尔软件股份有限公司 (Shanghai Koal Software Co., Ltd.) Dynamic password authentication method based on digital certificate implement
US20160070894A1 (en) * 2014-09-07 2016-03-10 Michael Boodaei Authentication method and system using password as the authentication key
CN105791359A (en) * 2014-12-24 2016-07-20 慧贤网智有限公司 (Huixian Wangzhi Co., Ltd.) Internet of things system and data interaction method
CN107104888A (en) * 2017-06-09 2017-08-29 成都轻车快马网络科技有限公司 (Chengdu Qingche Kuaima Network Technology Co., Ltd.) A kind of safe instant communicating method
CN108092776A (en) * 2017-12-04 2018-05-29 南京南瑞信息通信科技有限公司 (Nanjing NARI Information & Communication Technology Co., Ltd.) A kind of authentication server and authentication token

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘清堂, 章光琼 (Liu Qingtang, Zhang Guangqiong): "Diffie-Hellman 算法" ("The Diffie-Hellman Algorithm"), in 《标准化教育资源的版权保护机制研究》 (Research on Copyright Protection Mechanisms for Standardized Educational Resources) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2020233033A1 (en) * 2019-05-20 2020-11-26 深圳壹账通智能科技有限公司 (OneConnect Smart Technology Co., Ltd., Shenzhen) Information interaction method, device and storage medium
CN113950802A (en) * 2019-08-22 2022-01-18 华为技术有限公司 (Huawei Technologies Co., Ltd.) Gateway apparatus and method for performing site-to-site communication
CN113950802B (en) * 2019-08-22 2023-09-01 华为云计算技术有限公司 (Huawei Cloud Computing Technologies Co., Ltd.) Gateway device and method for performing site-to-site communication
CN114389833A (en) * 2020-10-02 2022-04-22 辉达公司 (NVIDIA Corporation) Token-based zero-touch registration for provisioning edge computing applications
CN112565189A (en) * 2020-11-04 2021-03-26 国网安徽省电力有限公司信息通信分公司 (State Grid Anhui Electric Power Co., Ltd., Information and Communication Branch) Access control system based on cloud computing data security
CN113114627A (en) * 2021-03-19 2021-07-13 京东数科海益信息科技有限公司 (JD Digits Haiyi Information Technology Co., Ltd.) Secure data interaction method and system based on key exchange

Similar Documents

Publication Publication Date Title
CN109309565B (en) Security authentication method and device
JP6990690B2 (en) Methods and systems implemented by blockchain
CN109194484A (en) A kind of cross-domain transmission method of token based on shared key
EP3005608B1 (en) Authentication
CN105007577B (en) A kind of virtual SIM card parameter management method, mobile terminal and server
EP2639997B1 (en) Method and system for secure access of a first computer to a second computer
JP5562687B2 (en) Securing communications sent by a first user to a second user
US8971540B2 (en) Authentication
KR101634158B1 (en) Method for authenticating identity and generating share key
US9106644B2 (en) Authentication
CN109003083A (en) A kind of ca authentication method, apparatus and electronic equipment based on block chain
CN106790090A (en) Communication means, apparatus and system based on SSL
CN105915338B (en) Generate the method and system of key
CA2502134A1 (en) Inter-authentication method and device
CN108768633A (en) Realize the method and device of information sharing in block chain
CN104901809B (en) Remote authentication protocol method based on password and smart card
CN107920052B (en) Encryption method and intelligent device
CN110138548B (en) Quantum communication service station key negotiation method and system based on asymmetric key pool pair and DH protocol
CN112989426B (en) Authorization authentication method and device, and resource access token acquisition method
CN109858201A (en) A kind of security software pattern switching authorization method, client and server-side
CN105577377A (en) Identity-based authentication method and identity-based authentication system with secret key negotiation
CN110505055A (en) Based on unsymmetrical key pond to and key card outer net access identity authentication method and system
CN110176989B (en) Quantum communication service station identity authentication method and system based on asymmetric key pool
Yang et al. Towards practical anonymous password authentication
CN113626794A (en) Authentication and key agreement method, system and application in client/server mode

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190111