CN112689283A - Key protection and negotiation method, system and storage medium - Google Patents


Info

Publication number
CN112689283A
Authority
CN
China
Prior art keywords
server
key
user terminal
auxiliary
main server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011482095.7A
Other languages
Chinese (zh)
Other versions
CN112689283B (en)
Inventor
谢永
张松松
江政良
马瑞江
刘萍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qinghai University
Original Assignee
Qinghai University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qinghai University
Priority to CN202011482095.7A
Publication of CN112689283A
Application granted
Publication of CN112689283B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention relates to a method, a system and a storage medium for key protection and negotiation. The method comprises the following steps: the key system generates key parameters; a user terminal registers with a main server and an auxiliary server; and the two servers cooperate with the user terminal to perform key agreement authentication. The key agreement authentication comprises the user terminal sending verification messages carrying a password and a user name to the auxiliary server and the main server; the auxiliary server authenticating the verification message and, when the authentication passes, verifying through a honeypot technique whether a key index corresponding to the verification message exists and, when that verification passes, sending the auxiliary server message; the main server receiving and verifying the verification message and the auxiliary server message and, when the verification passes, sending a key negotiation request to the user terminal; and the user terminal performing key negotiation with the main server according to the key negotiation request. The main server executes the key agreement and the auxiliary server stores only partially blinded data, so that the data loss caused by loss of the user terminal and by attacks on the authentication server is addressed.

Description

Key protection and negotiation method, system and storage medium
Technical Field
The present invention relates to the field of network security, and in particular, to a method, system, and storage medium for key protection and negotiation.
Background
As wireless networks have entered countless households, user terminals have diversified: they are no longer limited to handheld phones, notebooks and sensors, and even watches are now small computers capable of using mobile networks. The total number of global mobile networked devices is expected to increase from 69 to 95 billion (2014 figures). Services aimed at the user terminal are especially numerous, and the development of existing 5G technology further promotes their development; according to statistics, 95% of services can at present be completed through the user terminal.
Because most services are completed through the user terminal, the user terminal brings great convenience to work and life, but it also brings serious problems: almost every user terminal is at risk of malicious attack, which causes leakage of user terminal data and authentication information, so that the security of the user terminal is a concern.
Among all malicious events involving user terminals, the main part is that an attacker exploits security vulnerabilities of the user terminal during wireless communication to carry out interception, eavesdropping, spoofing, intrusion and other malicious attacks in order to obtain user private data and authentication information. Specifically, the attack types fall into three aspects. First, an attacker obtains data through device loss caused by an attack on the user terminal or by carelessness of the user, which greatly threatens data security; second, data of the user terminal may also be stolen by an attacker during transmission; third, the user terminal and the server authenticate each other, and the server itself may also be attacked. Therefore it is important that a security scheme ensures the integrity and privacy of the mobile subscriber's data throughout the communication process.
To secure the data and authentication information of a user terminal, scholars have proposed various authentication protocols between user terminal and server, but none of these protocols addresses one security problem: to complete secure authentication, the user terminal must store some important authentication-related data. If the user terminal is lost, an attacker can obtain this important data through various means, and its leakage results. Because this data exists on the user terminal, the attacker gains more ways to mount attacks (impersonation attacks, modification attacks, forgery attacks and so on), and the impact extends not only to the user who lost the terminal but also to other users who did not.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a method, a system and a storage medium for key protection and negotiation in which authentication is carried out by two servers cooperating with the user terminal, so that no matter which single party's device an adversary obtains data from, no effective authentication data can be obtained; this addresses the data loss caused by loss of, and attacks on, the user terminal, and also avoids the leakage of user terminal data caused by compromise of a server providing the authentication service.
The technical scheme for solving the technical problems is as follows: a key protection and negotiation method, comprising:
S1, generating key parameters by the key system;
S2, the user terminal registers with the main server and the auxiliary server according to the key parameters;
S3, the auxiliary server and the main server cooperate to perform key agreement authentication with the user terminal;
where S3 includes:
S31, the user terminal sends the verification message carrying the password and user name to the auxiliary server and the main server;
S32, the auxiliary server authenticates the verification message;
S33, when the authentication passes, the auxiliary server verifies through a honeypot technique whether a key index corresponding to the verification message exists, and when this verification passes, sends the auxiliary server message;
S34, the main server receives and verifies the verification message and the auxiliary server message, and when the verification passes, sends a key negotiation request to the user terminal;
and S35, the user terminal performs key agreement with the main server according to the key agreement request.
The beneficial effects of the invention are as follows. The key system generates key parameters, a user terminal registers with a main server and an auxiliary server, and the two servers cooperate with the user terminal to carry out key agreement authentication. The key agreement comprises the user terminal sending verification messages carrying a password and a user name to the auxiliary server and the main server; the auxiliary server authenticating the verification message and, when the authentication passes, verifying through a honeypot technique whether a key index corresponding to the verification message exists and, when that verification passes, sending the auxiliary server message; the main server receiving and verifying the verification message and the auxiliary server message and, when the verification passes, sending a key negotiation request to the user terminal; and the user terminal performing key negotiation with the main server according to the key negotiation request. Authentication of the user terminal is thus carried out through cooperation of the main server and the auxiliary server; the main server is responsible for executing the final key agreement; the auxiliary server stores partially blinded data and the main server stores only a small amount of data. When any one of the devices is compromised or lost, the key information cannot be leaked and authentication cannot proceed normally; the data loss caused by loss of, and attacks on, the user terminal is addressed, and the leakage of user terminal data caused by compromise of a server providing the authentication service is also avoided.
In order to solve the above technical problem, the present invention further provides a key protection and negotiation system, where the key protection and negotiation system includes a key system, a main server, an auxiliary server, and a user terminal, so as to implement the steps of the key protection and negotiation method.
In order to solve the above technical problem, the present invention further provides a storage medium, wherein the storage medium includes one or more computer programs stored therein, and the one or more computer programs are executable by one or more processors to implement the steps of the key protection and negotiation method described above.
Drawings
Fig. 1 is a flowchart illustrating a key protection and negotiation method according to an embodiment of the present invention;
fig. 2 is a block diagram of a key protection and negotiation system according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a key agreement authentication performed by the cooperation of the auxiliary server and the main server with the user terminal according to an embodiment of the present invention.
Detailed Description
The principles and features of this invention are described below in conjunction with the following drawings, which are set forth by way of illustration only and are not intended to limit the scope of the invention.
Notation:
Z: a trusted large integer;
q: a trusted large prime satisfying q > 2Z;
G: a trusted additive cyclic group of order q;
P: a generator of G;
P_pub_i: a system public key;
x_i: a server private key;
h_i: a hash function, where i = 0, 1, 2, 3, 4;
E(a, b): an elliptic curve satisfying y^2 = x^3 + ax^2 + b mod p, where [formula image RE-GDA0002945294150000041];
params: the system public parameters;
ID_i: user terminal identity information;
sk: the Paillier private key selected by the user terminal;
pk: the Paillier public key selected by the user terminal;
Pr[E]: the probability of event E;
Enc: the Paillier encryption algorithm;
Dec: the Paillier decryption algorithm;
T_i: the current time of the system;
D_i: authentication information shared by the main server and the user terminal;
π_i: zero-knowledge proof sub-protocol authentication parameter;
[formula image RE-GDA0002945294150000051]: honeypot system authentication information.
As shown in Fig. 1, which is a flowchart of a key protection and negotiation method provided in an embodiment of the present invention, the key protection and negotiation method includes:
S1, generating key parameters by the key system;
S2, the user terminal registers with the main server and the auxiliary server according to the key parameters;
S3, the auxiliary server and the main server cooperate to perform key agreement authentication with the user terminal.
As shown in Figs. 2 and 3, where Fig. 2 is a framework diagram of the key protection and negotiation system provided by this embodiment and Fig. 3 is a schematic flow diagram of the auxiliary server and the main server cooperating with the user terminal for key agreement authentication, S3 includes:
S31, the user terminal sends the verification message carrying the password and user name to the auxiliary server and the main server;
S32, the auxiliary server authenticates the verification message;
S33, when the authentication passes, the auxiliary server verifies through the honeypot technique whether a key index corresponding to the verification message exists, and when this verification passes, sends the auxiliary server message;
S34, the main server receives and verifies the verification message and the auxiliary server message, and when the verification passes, sends a key negotiation request to the user terminal;
and S35, the user terminal performs key agreement with the main server according to the key agreement request.
The key agreement authentication process comprises: the user terminal sends a verification message carrying a password and a user name; the auxiliary server authenticates the verification message, verifies through the honeypot technique whether a key index corresponding to the verification message exists once the authentication passes, and sends the auxiliary server message when that verification passes; the main server receives and verifies the verification message sent by the user terminal and the auxiliary server message sent by the auxiliary server, and when the verification passes sends a key negotiation request to the user terminal; finally the user terminal performs key negotiation with the main server according to the key negotiation request. Key authentication of the user terminal is thus carried out through cooperation of the main server and the auxiliary server. The key agreement stage is completed by the main server, while the auxiliary authentication cloud server stores only part of the user's data in blinded form, so that even if an attacker obtains the corresponding server, no effective information can be assembled; losses from attacks on the user terminal, impersonation attacks, offline guessing attacks and the like can thereby be effectively prevented.
Specifically, S31 includes:
S311, the user terminal inputs its identity ID_i and password PW_i and computes h_0(PW_i || n_i), where h_0 is a collision-resistant hash function and the random number n_i [formula image RE-GDA0002945294150000061] [formula image RE-GDA0002945294150000062] is selected at random from the non-zero multiplicative group formed over the large prime q;
S312, the user terminal selects a random number r_i ∈ Z_q^* and computes the user terminal authentication value R_i = r_i·P, the random-number ciphertext C_i = Enc_pk(r_i) and the authentication value E_i = r_i^{-1}·D_i; it computes the message sent to the main server [formula image RE-GDA0002945294150000063] and β_i1 = h_4(ID_i, PID_i1, R_i, E_i, T_i); it computes the message sent to the auxiliary server [formula image RE-GDA0002945294150000064], β_i2 = h_4(ID_i, PID_i2, R_i, C_i, T_i) and the value associated with the honeypot verification message [formula image RE-GDA0002945294150000065]; it then sends {PID_i1, R_i, E_i, T_i, β_i1, π_i} to the main server and {R_i, C_i, PID_i2, T_i, β_i2, PPW_i} to the auxiliary server. Here P is a generator of G, G is a trusted additive cyclic group of order q, h_0, h_2, h_4 are collision-resistant hash functions, P_pub1 is the system master public key, P_pub2 is the system auxiliary public key, Enc is the Paillier encryption algorithm, pk is the Paillier public key selected by the user terminal, T_i is the current system time, D_i is the authentication information shared by the main server and the user terminal, and π_i is the zero-knowledge proof sub-protocol authentication parameter;
S32 includes:
S321, the auxiliary server randomly selects r_2 ∈ Z_q^* and ρ ∈ Z_q^*, computes its authentication value R_2 = r_2·P, solves [formula image RE-GDA0002945294150000066], and verifies that the equation β_i2 = h_4(ID_i, PID_i2, R_i, C_i, T_i) holds, where x_2 is the private key of the auxiliary server;
S33 includes:
S331, when the equation holds, the auxiliary server computes h_0(ID_i) and [formula image RE-GDA0002945294150000071], takes out the registration time T_reg, computes m_i = h_4(x_2 || h_0(ID_i) || T_reg), and looks up whether [formula image RE-GDA0002945294150000072] exists; [formula image RE-GDA0002945294150000073] is the honeypot system authentication information;
in some embodiments, when the equation β_i2 = h_4(ID_i, PID_i2, R_i, C_i, T_i) does not hold, the key protection and negotiation process is terminated; when [formula image RE-GDA0002945294150000074] does not exist, the key protection and negotiation process is likewise terminated.
S332, when [formula image RE-GDA0002945294150000075] exists, the auxiliary server computes the key index a_i = h_1(h_0(ID_i) || T_reg || m_i) and verifies whether this a_i equals the a_i in the list {h_0(ID_i), T_reg, a_i, Honey_List = NULL} generated during the registration phase; when they are equal, the auxiliary server computes the authentication value [formula image RE-GDA0002945294150000076], computes the main server authentication value [formula image RE-GDA0002945294150000077] and β_2 = h_4(ID_i, PID_i3, R_2, C_2, T_2), and sends [formula image RE-GDA0002945294150000078] to the main server; here h_1 is a collision-resistant hash function, T_2 is the current timestamp of the auxiliary server, k_i ∈ Z_q^* is a random number, and the list consists of the user name h_0(ID_i), the current time T_reg, the key index a_i and the honeypot list Honey_List = NULL;
S34 includes:
S341, the main server receives {PID_i1, R_i, E_i, T_i, β_i1, π_i} from the user terminal, computes [formula image RE-GDA0002945294150000079], and verifies π_i by the zero-knowledge proof sub-protocol; x_1 is the private key of the main server;
S342, the main server receives the auxiliary server message [formula image RE-GDA00029452941500000710], computes [formula image RE-GDA00029452941500000711], and verifies whether β_2 equals h_4(ID_i, PID_i3, R_2, C_2, T_2), h_4 being a collision-resistant hash function;
S343, when β_2 equals h_4(ID_i, PID_i3, R_2, C_2, T_2), the main server verifies [formula image RE-GDA00029452941500000712] through the zero-knowledge proof sub-protocol, computes k_s = D_sk(C_2) mod q = r_i·r_2·k_i, and verifies whether the equation k_s·E_i = (x_1 + h_0(ID_i))·R_2 holds; here E_i = r_i^{-1}·k_i^{-1}·(x_1 + h_0(ID_i))·P, and sk is the Paillier private key selected by the user terminal;
S344, when the equation holds, the main server randomly selects r_1 ∈ Z_q^*, computes R_1 = r_1·P and R_1i = r_1·R_i, computes the session key value to be authenticated sk_1i = h_3(ID_i, R_1i, R_i, R_1, T_i, T_1) and β_1 = h_4(ID_i, R_1, T_1, sk_1i, T_i), and sends the authentication message {R_1, β_1, T_1} to the user terminal; h_3 is a collision-resistant hash function and T_1 is the current timestamp;
S35 includes:
S351, the user terminal receives {R_1, β_1, T_1}, computes R_i1 = r_i·R_1 and sk_i1 = h_3(ID_i, R_i1, R_i, R_1, T_i, T_1), computes β'_1 = h_4(ID_i, R_1, T_1, sk_i1, T_i), and judges whether β'_1 equals β_1; if so, the key agreement succeeds.
In this embodiment, the two servers cooperate with the user terminal to perform key agreement authentication: the user terminal sends verification messages carrying the password and user name; the auxiliary server authenticates the message and, once authentication passes, performs the honeypot verification; when that verification passes, the main server receives and verifies the verification messages of the user terminal and the auxiliary server and sends a key agreement request to the user terminal; finally the user terminal verifies the key agreement request, and when that verification succeeds the key agreement succeeds. Authentication of the user terminal is carried out through cooperation of the main server and the auxiliary server; the main server is responsible for executing the final key agreement; the auxiliary server stores partially blinded data and the main server stores only a small amount of data. When any one of the devices is compromised or lost, the key information cannot be leaked and authentication cannot proceed normally; the data loss caused by loss of, and attacks on, the user terminal is addressed, and the leakage of user terminal data caused by compromise of a server providing the authentication service is also avoided.
In this embodiment, the honeypot system may be located in the auxiliary server, or may be a system independent of the main server and the auxiliary server. When the auxiliary server verifies, the verification goes through the honeypot system: specifically, it computes the key index a_i = h_1(h_0(ID_i) || T_reg || m_i) and verifies whether this a_i equals the a_i in the list {h_0(ID_i), T_reg, a_i, Honey_List = NULL}; the list is generated in the registration phase and consists of the user name, the current time, the key index and the honeypot list. If a_i is not equal to the a_i in the list {h_0(ID_i), T_reg, a_i, Honey_List = NULL} generated during registration, the user terminal may have fallen into a honeypot attack; the auxiliary server then judges whether the number of Honey_List entries is smaller than the threshold MAX. When it is smaller than MAX, [formula image RE-GDA0002945294150000081] is written into the auxiliary server; when the number of Honey_List entries is greater than or equal to MAX, the auxiliary server reports an error and terminates the right of use of the user terminal name ID_i. MAX may be flexibly adjusted according to actual requirements, for example MAX = 10.
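The honeypot bookkeeping just described (recompute a_i from the stored record, compare, append to Honey_List while it is below MAX, then report and terminate the right of use) is shown below as an added example; it is not the patent's own code. The hash functions h_0, h_1 and h_4 are modelled as SHA-256 under distinct domain tags, the value the terminal presents for comparison is a hypothetical "claimed index" (the page shows the corresponding quantity only as an image), and every identity, time and secret is constructed sample data.

```python
"""Added example (not the patent's code): auxiliary-server honeypot check (S33/S332)
and the Honey_List threshold rule with MAX = 10.  Assumptions: h_0/h_1/h_4 are
SHA-256 with domain tags; the terminal presents a 'claimed index' to compare with
the recomputed a_i; all identities, times and secrets are constructed."""
import hashlib

MAX = 10  # threshold from the text; "may be flexibly adjusted"


def _h(tag, *parts):
    """Collision-resistant hash with a domain tag so h_0, h_1, h_4 are distinct functions."""
    digest = hashlib.sha256(tag.encode())
    for part in parts:
        digest.update(b"||" + str(part).encode())
    return digest.hexdigest()


def h0(*parts):
    return _h("h0", *parts)


def h1(*parts):
    return _h("h1", *parts)


def h4(*parts):
    return _h("h4", *parts)


def key_index(x2, hid, t_reg):
    """m_i = h_4(x_2 || h_0(ID_i) || T_reg); a_i = h_1(h_0(ID_i) || T_reg || m_i)."""
    m_i = h4(x2, hid, t_reg)
    return h1(hid, t_reg, m_i)


def register(db, x2, id_i, t_reg):
    """S23: create the record {h_0(ID_i), T_reg, a_i, Honey_List = NULL}; returns h_0(ID_i)."""
    hid = h0(id_i)
    db[hid] = {"T_reg": t_reg, "a_i": key_index(x2, hid, t_reg),
               "Honey_List": [], "locked": False}
    return hid


def honeypot_check(db, x2, id_i, claimed_index):
    """S331/S332 plus the MAX rule. Returns 'pass', 'honeypot', 'locked' or 'unknown'."""
    hid = h0(id_i)
    rec = db.get(hid)
    if rec is None:
        return "unknown"        # no registration record exists: process terminates (S331)
    if rec["locked"]:
        return "locked"         # right of use of ID_i already terminated
    a_i = key_index(x2, hid, rec["T_reg"])   # recompute from the stored T_reg
    if a_i == rec["a_i"] and claimed_index == a_i:
        return "pass"
    # Mismatch: the terminal may have hit a honeypot.  Record the presented value while
    # Honey_List is below MAX; once it reaches MAX, report and terminate ID_i's right of use.
    if len(rec["Honey_List"]) < MAX:
        rec["Honey_List"].append(claimed_index)
        return "honeypot"
    rec["locked"] = True
    return "locked"


def demo():
    """Constructed run: one legitimate check, then MAX + 1 decoy presentations."""
    db, x2 = {}, "x2-secret-constructed"
    hid = register(db, x2, "alice@example", "2020-12-15T00:00:00Z")
    outcomes = [honeypot_check(db, x2, "alice@example", db[hid]["a_i"])]
    outcomes += [honeypot_check(db, x2, "alice@example", f"decoy-{n}") for n in range(MAX + 1)]
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The record is locked only after MAX mismatches have been written, which matches the text's "smaller than MAX: write; greater than or equal to MAX: report and terminate"; the legitimate path never touches Honey_List, so a monitoring rule on its growth is a direct signal of guessing against that user name.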
In this embodiment, S1 specifically includes:
S11, the key generation center selects a large prime p and a secure elliptic curve E_p(a, b), where [formula image RE-GDA0002945294150000091]; on E_p(a, b) it selects a point P as generator to generate the additive group G of order q, where [formula image RE-GDA0002945294150000092] denotes a random selection from the non-zero multiplicative group formed over the large prime q;
S12, the main server selects a key [formula image RE-GDA0002945294150000093] as its master key, computes P_pub1 = x_1·P to obtain the master public key P_pub1, and keeps the master key x_1 secret; the auxiliary server selects a key [formula image RE-GDA0002945294150000094] as its master key, computes P_pub2 = x_2·P to obtain the auxiliary public key P_pub2, and keeps the auxiliary key x_2 secret;
S13, the key generation center constructs collision-resistant hash functions, denoted respectively h_0: G* × G → Z_p*, h_1: G* × G × G → Z_p*, h_2: G* × G × G × G → Z_p*, h_3: G × G × G × G → Z_p and h_4: G × G × G × G × G → Z_p, where h_0, h_1, h_2, h_3, h_4 are collision-resistant hash functions, A → B denotes a mapping from the domain A to the range B, {0,1}* denotes a string over {0, 1}, and × denotes the Cartesian product;
S14, the key generation center publishes the public parameters params = (G, P, q, h_i, P_pub1, P_pub2), where params comprises the additive cyclic group G, the generator P of G, the secure elliptic curve E_p(a, b), the hash functions h_0, h_1, h_2, h_3, h_4, the master public key P_pub1 and the auxiliary public key P_pub2.
The key generation center generates the cryptosystem parameters, determines the master public key and the auxiliary public key of the main server and the auxiliary server, and publishes the public parameters params = (G, P, q, h_i, P_pub1, P_pub2); this facilitates key agreement among the main server, the auxiliary server and the user terminal and improves the reliability and security of the key agreement authentication.
In this embodiment, S2 specifically includes:
S21, the user terminal selects a random number [formula image RE-GDA0002945294150000095], inputs its identity ID_i and password PW_i, and computes h_0(PW_i || n_i); the user terminal sends h_0(ID_i) and h_0(PW_i || n_i) to the main server over a secure channel; h_0 is a collision-resistant hash function;
S22, the main server selects a random number k_i ∈ Z_q^*, computes D_i = k_i^{-1}·(x_1 + h_1(ID_i))·P, and transmits D_i to the user terminal over a secure channel; it transmits {h_0(ID_i), k_i, h_0(PW_i || n_i)} to the auxiliary server over a secure channel; here P is the generator of the elliptic curve group, h_1 is a collision-resistant hash function, and D_i is the authentication information shared by the main server and the user terminal;
S23, the auxiliary server looks up h_0(ID_i) to check whether this is a new user terminal; when it is, the auxiliary server creates a new list {h_0(ID_i), T_reg, a_i, Honey_List = NULL} in its database, computes m_i = h_4(x_2 || h_0(ID_i) || T_reg) and [formula image RE-GDA0002945294150000101], generates the honeypot value honeyword and stores it in Honey_List, obtaining {h_0(ID_i), T_reg, a_i, Honey_List = NULL}; a_i = h_1(h_0(ID_i) || T_reg || m_i) serves as the key index; h_4 is a collision-resistant hash function, and the list consists of the user name h_0(ID_i), the current time T_reg, the key index a_i and the honeypot list Honey_List = NULL;
S24, the user terminal receives D_i sent by the main server and stores n_i and D_i.
In this embodiment, when the auxiliary server finds by looking up h_0(ID_i) that this is not a new user terminal, it updates T_reg and a_i.
The user terminal registers with the main server and the auxiliary server according to the key parameters: first the user terminal sends a verification request carrying its identity to the main server, the main server determines the verification information of the user terminal, and then the auxiliary server creates a list in its database and determines the key index. This completes the registration of the user terminal with the main server and the auxiliary server and ensures the reliability and security of the subsequent key negotiation.
It will be understood that the user terminal may need to change its key periodically, so a key update step is further included: when the user terminal has a new secret key PW_n, it recomputes h_0(PW_n || n_i) and sends it to the main server, and the auxiliary server updates the corresponding [formula image RE-GDA0002945294150000102] as the key index and stores it in the auxiliary server.
It should be noted that the main server verifying π_i through the zero-knowledge proof sub-protocol comprises the following steps:
the main server initializes the system parameters params = (G, P, q, R_i, h, pk, ID_i), [formula image RE-GDA0002945294150000111], and computes R'_i = Enc(r_i); h denotes a collision-resistant hash function, A → B denotes a mapping from the domain A to the range B, {0,1}* denotes a string over {0, 1}, and × denotes the Cartesian product;
the main server selects a random number [formula image RE-GDA0002945294150000112], computes K = k·P, computes [formula image RE-GDA0002945294150000113], computes z = k − r_i·e mod q and k_e = Enc(k), and outputs (z, k_e, e);
the main server computes K_v = z·P + e·R_i, computes e_v = h(R_i, K_v, ID_i) and k_v = k_e · (R'_i)^{-e}; when e = e_v and Enc_pk(z) = k_v, the authentication passes and 1 is output; when e ≠ e_v or Enc_pk(z) ≠ k_v, the authentication fails, 0 is output and the procedure terminates.
The main server verifying [formula image RE-GDA0002945294150000114] through the zero-knowledge proof sub-protocol comprises the following steps:
the main server initializes the system parameters params = (G, P, q, R_2, h, pk, ID_i), [formula image RE-GDA0002945294150000115], and computes R'_2 = Enc(r_2); h denotes a collision-resistant hash function, A → B denotes a mapping from the domain A to the range B, {0,1}* denotes a string over {0, 1}, and × denotes the Cartesian product;
the main server selects a random number [formula image RE-GDA0002945294150000116], computes K = k·P, computes [formula image RE-GDA0002945294150000117], computes z = k − r_2·e mod q, and outputs (z, e);
the main server computes K_v = z·P + e·R_2 and e_v = h(R_2, K_v, ID_i); when e = e_v, the authentication passes and 1 is output; when e ≠ e_v, the authentication fails, 0 is output and the procedure terminates.
The zero-knowledge proof adds a further safeguard to the security of the protocol's authentication.
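As an added example, not code from the patent, the following Python works two of the checks above on a concrete curve: the Paillier-free zero-knowledge sub-protocol (K = k·P, z = k − r·e mod q, verifier recomputes K_v = z·P + e·R and compares the challenge) and the S343 identity k_s·E_i = (x_1 + h_0(ID_i))·R_2, with D_i and E_i built as in S22 and S312. Assumptions: the curve is secp256k1 (the page leaves the curve open), the challenge is e = h(R, K, ID_i) (shown on the page only as an image, but matching e_v = h(R, K_v, ID_i)), h is SHA-256 reduced into Z_q, a single hash stands in for h_0/h_1 in D_i, and k_s is taken directly as r_i·r_2·k_i rather than recovered by Paillier decryption. All secrets and identities are constructed sample values.

```python
"""Added example (not the patent's code): Schnorr-style ZK sub-protocol and the
S343 check k_s*E_i == (x_1 + h_0(ID_i))*R_2 on secp256k1 with affine arithmetic.
Assumptions: curve choice, SHA-256 hash into Z_q, challenge e = h(R, K, ID_i),
one hash for h_0/h_1, and k_s supplied directly instead of via Paillier."""
import hashlib
import secrets

# secp256k1 domain parameters (assumption: the patent does not fix a curve).
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A_COEF = 0
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of P
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Scalar multiplication k*pt by double-and-add; scalars live in Z_q."""
    k %= Q
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def h_zq(*parts):
    """Collision-resistant hash into Z_q: SHA-256 over a length-prefixed encoding (assumption)."""
    digest = hashlib.sha256()
    for part in parts:
        data = repr(part).encode()
        digest.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(digest.digest(), "big") % Q


# --- Zero-knowledge proof of knowledge of r with R = r*P (Fiat-Shamir challenge) ---
def zk_prove(r, R, id_i):
    """Prover: k random, K = k*P, e = h(R, K, ID_i), z = k - r*e mod q; output (z, e)."""
    k = secrets.randbelow(Q - 1) + 1
    K = ec_mul(k, GEN)
    e = h_zq(R, K, id_i)
    return (k - r * e) % Q, e


def zk_verify(R, id_i, z, e):
    """Verifier: K_v = z*P + e*R, e_v = h(R, K_v, ID_i); accept iff e == e_v."""
    K_v = ec_add(ec_mul(z, GEN), ec_mul(e, R))
    return h_zq(R, K_v, id_i) == e


# --- D_i (S22), E_i (S312), R_2 (S321) and the main server's S343 check ---
def simulate_agreement(x1, id_i, k_i, r_i, r_2):
    """Return (k_s, E_i, R_2) exactly as honest parties would produce them."""
    hid = h_zq(id_i)                                   # h_0(ID_i)
    D_i = ec_mul(pow(k_i, -1, Q) * (x1 + hid), GEN)    # D_i = k_i^{-1} (x_1 + h(ID_i)) P
    E_i = ec_mul(pow(r_i, -1, Q), D_i)                 # E_i = r_i^{-1} D_i
    R_2 = ec_mul(r_2, GEN)                             # R_2 = r_2 P
    k_s = (r_i * r_2 * k_i) % Q                        # value D_sk(C_2) mod q yields (assumed)
    return k_s, E_i, R_2


def s343_check(x1, id_i, k_s, E_i, R_2):
    """k_s*E_i == (x_1 + h_0(ID_i))*R_2: true only when the blinding factors cancel."""
    return ec_mul(k_s, E_i) == ec_mul(x1 + h_zq(id_i), R_2)


if __name__ == "__main__":
    r, R = 0x1234, ec_mul(0x1234, GEN)                 # constructed witness
    z, e = zk_prove(r, R, "ID_alice")
    print("zero-knowledge check:", zk_verify(R, "ID_alice", z, e))
    k_s, E_i, R_2 = simulate_agreement(0xABCD, "ID_alice", 0x51, 0x777, 0x999)
    print("S343 check:", s343_check(0xABCD, "ID_alice", k_s, E_i, R_2))
```

Both checks are pure group algebra: the verifier never learns r (only z and e), and the S343 equation holds because r_i and k_i appear once inverted in E_i and once un-inverted in k_s, leaving r_2·(x_1 + h_0(ID_i))·P on both sides; tampering with k_s, E_i or the server key x_1 makes it fail.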
The present embodiment further provides a key protection and negotiation system, where the key protection and negotiation system includes a key system, a main server, an auxiliary server, and a user terminal, so as to implement the steps of the key protection and negotiation method, which are not described in detail herein.
The present embodiment also provides a storage medium, where the storage medium includes one or more computer programs stored therein, and the one or more computer programs may be executed by one or more processors to implement the steps of the key protection and negotiation method in the foregoing embodiments, which are not described herein again.
With the key protection and negotiation method, system and storage medium provided by this embodiment, authentication and key agreement are completed by one user terminal and two servers; some of the information required for authentication may be stored on the user terminal, yet even if the user terminal is lost, an adversary cannot complete authentication using the information from the user terminal.
The first purpose is to achieve authentication and key agreement between a user terminal and a server: even if the user terminal is attacked or lost and the information stored in the terminal is obtained by the attacker, mutual authentication and key agreement with the cloud server still cannot be performed.
The second purpose concerns the servers: the main server, which provides business services to the user, does not store any user identity information, so even if an attacker successfully compromises the main server, no user information is obtained; the auxiliary authentication cloud server stores only part of the user's data in blinded form, so even if an attacker obtains that data, no effective information can be assembled.
Most of the computation in the key agreement stage is completed by the main server; losses from attacks on the user terminal, impersonation attacks, offline guessing attacks and the like can be effectively prevented; in addition, compared with similar schemes, the communication cost and the computational overhead are lower.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment of the present invention.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and other media capable of storing program code.
The technical solutions provided by the embodiments of the present invention are described in detail above; specific examples have been used to explain the principles and embodiments of the present invention, and the description of the embodiments is only intended to help understand those principles. The above description is only of the preferred embodiments of the present invention and is not to be construed as limiting the invention; any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (10)

1. A method for key protection and negotiation, the method comprising:
S1, the key system generates key parameters;
S2, the user terminal registers with the main server and the auxiliary server according to the key parameters;
S3, the auxiliary server and the main server cooperate to perform key agreement authentication with the user terminal;
the S3 includes:
S31, the user terminal sends verification messages carrying the password and user name to the auxiliary server and the main server;
S32, the auxiliary server authenticates the verification message;
S33, when the authentication passes, the auxiliary server verifies, through a honeypot technology, whether a key index corresponding to the verification message exists, and when the verification passes, sends the auxiliary server message;
S34, the main server receives and verifies the verification message and the auxiliary server message, and when the verification passes, the main server sends a key negotiation request to the user terminal;
and S35, the user terminal performs key agreement with the main server according to the key agreement request.
2. The key protection and agreement method according to claim 1, wherein the S31 includes:
S311, the user terminal inputs identity IDi and password PWi and calculates h0(PWi||ni); the h0 is a collision-resistant hash function, and the random number
Figure RE-FDA0002945294140000011
Figure RE-FDA0002945294140000012
Representing a random selection in a non-zero multiplicative group formed based on a large prime number q;
S312, the user terminal selects a random number
Figure RE-FDA0002945294140000013
and respectively calculates the user terminal authentication information Ri = riP, the random number encryption information Ci = Encpk(ri), the authentication information
Figure RE-FDA0002945294140000014
computes the message sent to the main server
Figure RE-FDA0002945294140000021
Information processing device
Figure RE-FDA0002945294140000022
βi2 = h4(IDi, PIDi2, Ri, Ci, Ti), and the value associated with the honeypot verification message
Figure RE-FDA0002945294140000023
and sends {PIDi1, Ri, Ei, Ti, βi1, πi} to the main server and {Ri, Ci, PIDi2, Ti, βi2, PPWi} to the auxiliary server; P is a generator of G, G represents a trusted additive cyclic group of order q, h0, h2, h4 are collision-resistant hash functions, Ppub1 is the system master public key, Ppub2 is the system auxiliary public key, Enc is the Paillier encryption algorithm, pk is the Paillier public key selected by the user terminal, Ti is the current system time, the Di is the verification information for the main server and the user terminal, and πi is the authentication parameter of the zero-knowledge proof subprotocol;
the S32 includes:
S321, the auxiliary server randomly selects r2 ∈ Zq* and ρ ∈ Zq*, calculates the authentication value R2 = r2P of the auxiliary server, and solves out
Figure RE-FDA0002945294140000024
and verifies whether the equation βi2 = h4(IDi, PIDi2, Ri, Ci, Ti) holds, where x2 is the private key of the auxiliary server;
the S33 includes:
S331, when the equation holds, the auxiliary server calculates h0(IDi),
Figure RE-FDA0002945294140000025
takes out the time Treg, calculates mi = h4(x2||h0(IDi)||Treg), and looks up whether
Figure RE-FDA0002945294140000026
exists; the
Figure RE-FDA0002945294140000027
is the honeypot system authentication information;
S332, when the
Figure RE-FDA0002945294140000028
exists, the auxiliary server calculates the key index ai = h1(h0(IDi)||Treg||mi) and verifies whether ai is equal to the ai in the list {h0(IDi), Treg, ai, Honey_List = NULL} generated during the registration phase; when equal, the auxiliary server calculates the authentication value
Figure RE-FDA0002945294140000029
and the main server authentication value
Figure RE-FDA00029452941400000210
β2 = h4(IDi, PIDi3, R2, C2, T2); and sends
Figure RE-FDA00029452941400000211
to the main server; where h1 is a collision-resistant hash function, the T2 is the current timestamp of the auxiliary server, and the random number ki ∈ Zq*; the list includes the username h0(IDi), the current time Treg, the key index ai and the honeypot list Honey_List = NULL;
the S34 includes:
S341, when the main server receives {PIDi1, Ri, Ei, Ti, βi1, πi} from the user terminal, it calculates
Figure RE-FDA0002945294140000031
and verifies πi by the zero-knowledge proof subprotocol, x1 being the private key of the main server;
S342, when the main server receives the message
Figure RE-FDA0002945294140000032
of the auxiliary server, it calculates
Figure RE-FDA0002945294140000033
and verifies whether β2 is equal to h4(IDi, PIDi3, R2, C2, T2); the h4 is a collision-resistant hash function;
S343, when β2 is equal to h4(IDi, PIDi3, R2, C2, T2), the main server verifies, by the zero-knowledge proof subprotocol,
Figure RE-FDA0002945294140000034
calculates ks = Dsk(C2) mod q = ri·r2·ki, and verifies whether the equation ks·Ei = (x1 + h0(IDi))·R2 holds; where
Figure RE-FDA0002945294140000035
the sk is the Paillier private key selected by the user terminal;
S344, when the equation holds, the main server randomly selects r1 ∈ Zq*, calculates R1 = r1P and R1i = r1Ri, calculates the session key value to be authenticated sk1i = h3(IDi, R1i, Ri, R1, Ti, T1) and β1 = h4(IDi, R1, T1, sk1i, Ti), and sends the authentication message {R1, β1, T1} to the user terminal; h3 is a collision-resistant hash function, and the T1 is the current timestamp;
the S35 includes:
S351, the user terminal receives {R1, β1, T1}, calculates Ri1 = riR1 and ski1 = h3(IDi, Ri1, Ri, R1, Ti, T1), calculates β'1 = h4(IDi, R1, T1, ski1, Ti), and judges whether β'1 is equal to β1; if so, the key agreement is successful.
3. The key protection and agreement method according to claim 2, wherein the S332 further comprises:
when a isiAnd list generated during registration phase h0(IDi),Treg,aiA in Honey _ List ═ NULL }iWhen the values are not equal, the auxiliary server judges whether the Honey _ List entries are smaller than a threshold MAX, and when the values are smaller than the MAX, the auxiliary server judges whether the Honey _ List entries are smaller than the threshold MAX or not
Figure RE-FDA0002945294140000036
into the auxiliary server; when the number of Honey_List entries is greater than or equal to MAX, the auxiliary server reports an error and terminates the right of use of the user terminal with identity IDi.
4. The key protection and agreement method according to claim 3, wherein the S2 specifically includes:
S21, the user terminal selects a random number
Figure RE-FDA0002945294140000041
inputs identity IDi and password PWi, and calculates h0(PWi||ni); the user terminal sends h0(IDi) and h0(PWi||ni) to the main server over a secure channel; the h0 is a collision-resistant hash function;
S22, the main server selects a random number ki ∈ Zq*, calculates
Figure RE-FDA0002945294140000042
and transmits Di to the user terminal through a secure channel, and transmits {h0(IDi), ki, h0(PWi||ni)} to the auxiliary server through a secure channel; where P is the generator of the elliptic curve, the h1 is a collision-resistant hash function, and the Di is the verification information for the main server and the user terminal;
S23, the auxiliary server looks up h0(IDi) to check whether it is a new user terminal, and when it is a new user terminal, the auxiliary server creates a new list {h0(IDi), Treg, ai, Honey_List = NULL} in the database, calculates mi = h4(x2||h0(IDi)||Treg),
Figure RE-FDA0002945294140000043
generates the honeypot value honeyword and stores it in Honey_List to obtain {h0(IDi), Treg, ai, Honey_List = NULL}; the ai = h1(h0(IDi)||Treg||mi) serves as the key index; h4 is a collision-resistant hash function; the list includes the username h0(IDi), the current time Treg, the key index ai and the honeypot list Honey_List = NULL;
S24, the user terminal receives the Di sent by the main server and stores ni and Di.
5. The key protection and agreement method according to claim 4, wherein the S23 further includes: when the auxiliary server looks up h0(IDi) and finds that it is not a new user terminal, it updates Treg and ai.
6. The key protection and agreement method according to claim 4, wherein the S2 further includes:
when the user terminal has a new secret key PWnUser terminal recalculates h0(PWn||ni) Sent to the main server and the auxiliary server, and the auxiliary server updates the corresponding
Figure RE-FDA0002945294140000044
As a key index and stored in the secondary server.
7. The key protection and agreement method according to any one of claims 2-6, characterized in that the verification of πi by the zero-knowledge proof subprotocol comprises the following steps:
the main server initializes the system parameters params = (G, P, q, Ri, h, pk, IDi), the
Figure RE-FDA0002945294140000051
and calculates R'i = Enc(ri); h represents a collision-resistant hash function, A → B represents a mapping from domain A to range B, {0,1}* represents a string of 0s and 1s, and × represents a Cartesian product;
the main server selects a random number
Figure RE-FDA0002945294140000052
calculates K = kP, calculates
Figure RE-FDA0002945294140000053
calculates z = k − ri·e mod q and ke = Enc(k); outputs (z, ke, e);
the main server calculates Kv = zP + e·Ri, calculates ev = h(Ri, Kv, IDi) and kv = ke·(R'i)^(−e); when e is equal to ev and Encpk(z) = kv, the authentication passes; when e ≠ ev or Encpk(z) ≠ kv, the authentication fails and the procedure is terminated.
8. The key protection and agreement method according to any one of claims 2-6, characterized in that the verification by the zero-knowledge proof subprotocol of
Figure RE-FDA0002945294140000054
comprises the following steps:
the main server initializes the system parameters params = (G, P, q, R2, h, pk, IDi), the
Figure RE-FDA0002945294140000055
and calculates R'2 = Enc(r2); h represents a collision-resistant hash function, A → B represents a mapping from domain A to range B, {0,1}* represents a string of 0s and 1s, and × represents a Cartesian product;
the main server selects a random number
Figure RE-FDA0002945294140000056
calculates K = kP, calculates
Figure RE-FDA0002945294140000057
calculates z = k − r2·e mod q; outputs (z, e);
the primary server calculates Kv=zP+eR2Calculate ev=h(R2,Kv,IDi) When e is equal to evThe authentication is passed; when e ≠ evWhen authentication fails, the procedure is terminated.
9. A key protection and agreement system, characterized in that the system comprises a key system, a main server, an auxiliary server and a user terminal, to implement the key protection and agreement method of any one of claims 1-8.
10. A storage medium comprising one or more computer programs stored thereon, the one or more computer programs being executable by one or more processors to implement the key protection and negotiation method of any one of claims 1-8.
CN202011482095.7A 2020-12-15 2020-12-15 Key protection and negotiation method, system and storage medium Active CN112689283B (en)


Publications (2)

Publication Number Publication Date
CN112689283A true CN112689283A (en) 2021-04-20
CN112689283B CN112689283B (en) 2021-11-23

Family

ID=75448009


Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105471833A (en) * 2015-05-14 2016-04-06 瑞数信息技术(上海)有限公司 Safe communication method and device
CN105516201A (en) * 2016-01-20 2016-04-20 陕西师范大学 Lightweight anonymous authentication and key negotiation method in multi-server environment
US20160156626A1 (en) * 2014-06-26 2016-06-02 Amazon Technologies, Inc. Mutual authentication with symmetric secrets and signatures
US20180198763A1 (en) * 2017-01-11 2018-07-12 Mastercard International Incorporated Systems and methods for secure communication bootstrapping of a device
CN108400962A (en) * 2017-02-08 2018-08-14 上海格尔软件股份有限公司 A kind of Authentication and Key Agreement method under multiserver framework
CN109041205A (en) * 2018-08-23 2018-12-18 刘高峰 Client registers method, apparatus and system
US20190102569A1 (en) * 2017-10-04 2019-04-04 Amir Keyvan Khandani Methods for secure data storage
CN110234111A (en) * 2019-06-10 2019-09-13 北京航空航天大学 A kind of two-factor authentication key agreement protocol suitable for multiple gateway wireless sensor network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107342859B (en) * 2017-07-07 2018-04-20 安徽大学 Anonymous authentication method and application thereof
CN108322486B (en) * 2018-05-07 2021-06-01 安徽大学 Authentication method for multi-server architecture under Internet of vehicles cloud environment
CN110581836B (en) * 2018-06-11 2021-11-30 阿里巴巴集团控股有限公司 Data processing method, device and equipment

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
YANJIANG YANG: "A practical password-based two-server authentication and key exchange system", 《IEEE》 *
万涛: "多服务器架构下认证与密钥协商协议", 《计算机研究与发展》 *
葛丽娜: "基于几何方法的双服务器口令认证与密钥协商", 《计算机集成制造***》 *
谢永: "面向车联网的多服务器架构的匿名双向认证与密钥协商协议", 《计算机研究与发展》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant