CN116566662A - Identity authentication method, session encryption method and related equipment of communication network - Google Patents

Identity authentication method, session encryption method and related equipment of communication network Download PDF

Info

Publication number
CN116566662A
CN116566662A CN202310457458.9A CN202310457458A CN116566662A CN 116566662 A CN116566662 A CN 116566662A CN 202310457458 A CN202310457458 A CN 202310457458A CN 116566662 A CN116566662 A CN 116566662A
Authority
CN
China
Prior art keywords
factor
target
login
identifier
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310457458.9A
Other languages
Chinese (zh)
Inventor
王晨宇
徐国胜
徐国爱
钟林良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications filed Critical Beijing University of Posts and Telecommunications
Priority to CN202310457458.9A priority Critical patent/CN116566662A/en
Publication of CN116566662A publication Critical patent/CN116566662A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application provides a user identity authentication method, a session encryption method and related equipment of various communication networks; the method comprises the following steps: calculating a first factor to be tested by using the login identifier and the login password, if the first factor is the same as the first target factor, calculating a first intermediate quantity, encoding the login identifier into a second intermediate quantity by using the first intermediate quantity, encoding the login identifier and the login password into a second factor to be tested, and transmitting the first intermediate quantity, the second intermediate quantity and the second factor to be tested to a server side; if the server side has the target identifier which is the same as the login identifier, a second target factor is calculated, if the second target factor is the same as the second factor to be checked, a public key pair and a private key pair are generated, and a third factor to be checked is calculated and taken out and sent to the user side; the user side calculates a third target factor, if the third target factor is the same as the third factor to be tested, a fourth factor to be tested is calculated and sent to the server side; and the server calculates a fourth target factor, and the fourth target factor are the same, so that the login identification and the login password are authenticated to be legal.

Description

Identity authentication method, session encryption method and related equipment of communication network
Technical Field
The embodiment of the application relates to the technical field of information security, in particular to a user identity authentication method, a session encryption method and related equipment of a communication network.
Background
The most prominent of the existing multi-factor user identity authentication modes based on passwords is that the off-line password guessing attack cannot be resisted and the forward security is lacking. Authentication protocols in the past have generally been based on the assumption that data in smart cards or mobile devices cannot be obtained by an attacker, but as attack techniques have evolved, it has become a well-established fact that an attacker can obtain such data. In an offline password guessing attack, an attacker can guess the user's password offline after successfully acquiring the smart card or biometric features.
In addition, the forward security problem is also extremely critical, and the forward security problem can ensure that even if the system is broken, the prior communication content is not acquired by an attacker, so that the loss of the broken system is reduced. But currently most user identity authentication protocols for network-oriented video conferences cannot achieve forward security, which means that they cannot protect the communication content.
Based on this, there is a need to design a more reliable and secure authentication technique to meet the needs in high security demand environments.
Disclosure of Invention
In view of the foregoing, an object of the present application is to provide a user identity authentication method, a session encryption method and related devices for a communication network.
Based on the above object, the present application provides a user identity authentication method of a communication network, wherein the communication network includes a server side and at least one user side;
the method comprises the following steps:
after a login identifier and a login password are input to a user side, the user side is enabled to calculate a first factor to be tested by using the login identifier and the login password, when the first factor to be tested is the same as a preset first target factor, modular exponentiation is carried out on a first random number generated by the user side to obtain a first intermediate quantity, the login identifier is encoded into a second intermediate quantity by using the first intermediate quantity, the login identifier and the login password are encoded into a second factor to be tested, and the first intermediate quantity, the second intermediate quantity and the second factor to be tested are sent to a server side;
the server side decodes the login identifier, when the server side has the same target identifier as the login identifier, a second target factor is calculated by using the first intermediate quantity and the second intermediate quantity, when the second target factor is the same as the second factor to be checked, a public key pair and a private key pair are generated, the public key pair is encoded into a third factor to be checked, and the third factor to be checked and the public key pair are sent to the user side;
The user end codes the login identification and the public key pair into a third target factor, and when the third target factor is the same as the third factor to be checked, codes the login identification and the public key pair into a fourth factor to be checked, and sends the fourth factor to be checked to the server end;
and enabling the server to calculate a fourth target factor by utilizing the private key pair and the target identifier, and when the fourth target factor is the same as the fourth factor to be tested, authenticating that the login identifier and the login password are legal, and logging in a target account corresponding to the target identifier.
Further, the method further comprises:
when the server side judges that the first factor to be tested is different from the first target factor, determining that the login identification is illegal, and terminating session connection;
when the server side judges that the target identifier which is the same as the login identifier is not provided, the login identifier is determined to be illegal, and session connection is terminated;
when the second target factor is different from the second factor to be tested, determining that the login identification is illegal, terminating session connection, judging the number of times that the user terminal is judged to be illegal currently, when the number of times exceeds a preset number threshold, enabling the server terminal to determine a target account corresponding to the target identification, freezing the target account, and enabling the user terminal to freeze data corresponding to the login identification;
When the third target factor is different from the third factor to be tested, determining that the login identification is illegal, and terminating session connection;
and when the fourth target factor is different from the fourth factor to be tested, determining that the login identification is illegal, and terminating session connection.
Further, before the login identification and the login password are input to the user side, the method further comprises the following steps:
after a preset target identifier and a target password are input to the user terminal, enabling the user terminal to generate a first random number, adopting a hash function, and disturbing the target password by using the first random number to obtain a target password disturbance result;
the user terminal sends the target identifier and the target password disturbance result to the server terminal;
enabling the server side to carry out modular exponentiation on the target identifier and the target password disturbance result to obtain the first target factor;
the server side is enabled to check whether the target identifier exists in the stored user identifiers, when the target identifier does not exist in the user identifiers, the target identifier is stored, the target account is created for the target identifier, and a unique random number corresponding to the target identifier is generated in the target account;
The server side is enabled to adopt the hash function, the target identifier added with the unique random number is disturbed, a target identifier disturbance result is obtained, exclusive-or operation is carried out on the target identifier disturbance result and the target password disturbance result, and a first exclusive-or result is obtained;
the server side sends the first target factor, a first exclusive-or result and the hash function to the user side for storage;
and enabling the user side to store the first target factor, a first exclusive-or result, the hash function and the first random number so as to finish the registration of the target account.
Further, after encoding the login identifier and the login password as the second factor to be verified, the method further includes:
the user side sends the first intermediate quantity, the second factor to be checked and a preset freezing instruction to the server side;
after the server receives the freezing instruction, the login identifier is decoded, when the server has the same target identifier as the login identifier, a second target factor is calculated by using the first intermediate quantity and the second intermediate quantity, and when the second target factor is the same as the second factor to be checked, the unique random number is set to be a null value, so that the login identifier cannot be authenticated next time.
Further, after the unique random number is set to a null value so that the login identifier cannot be authenticated next time, the method further includes:
after the login identification and the login password are input to the user side, enabling the user side to extract the first random number, adopting a hash function, and disturbing the login password by utilizing the first random number to obtain a login password disturbance result;
the user sends the login identification and the login disturbance result to the server;
the server side is enabled to check whether the target identifier which is the same as the login identifier is provided, and if the target identifier which is the same as the login identifier is provided, whether a target account corresponding to the target identifier is frozen is checked;
when the target account is frozen, checking whether the data corresponding to the user side login identification is frozen or not;
when the data corresponding to the login identification of the user terminal is frozen, the user terminal re-registers the login identification and the login password for the target account terminal.
In view of the above object, the present application provides a session encryption method applied to a communication network, where the communication network includes a server end as described in any of the above, and at least one user end as described in any of the above;
The method comprises the following steps:
the user side calculates a first session key by using legal login identification;
the server side calculates a second session key by using the stored target identifier which is the same as the login identifier;
the user side encrypts the data sent to the server side by using the first session key, and decrypts the data sent by the server side by using the first session key;
and encrypting the data sent to the user terminal by the server terminal by using the second session key, and decrypting the data sent by the user terminal by using the second session key.
Based on the same inventive concept, the application also provides a user identity authentication device of a communication network, comprising: the device comprises an input module, a first verification module, a second verification module and a third verification module;
the input module is configured to, after inputting a login identifier and a login password to a user side, enable the user side to calculate a first factor to be tested by using the login identifier and the login password, and when the first factor to be tested is the same as a preset first target factor, perform modular exponentiation on a first random number generated by the user side to obtain a first intermediate quantity, encode the login identifier into a second intermediate quantity by using the first intermediate quantity, encode the login identifier and the login password into a second factor to be tested, and send the first intermediate quantity, the second intermediate quantity and the second factor to be tested to a server side;
The first verification module is configured to enable the server side to decode the login identifier, calculate a second target factor by using the first intermediate quantity and the second intermediate quantity when the server side has the same target identifier as the login identifier, generate a public key pair and a private key pair when the second target factor is the same as the second factor to be verified, encode the public key pair into a third factor to be verified, and send the third factor to be verified and the public key pair to the user side;
the second verification module is configured to enable the user side to encode the login identifier and the public key pair into a third target factor, encode the login identifier and the public key pair into a fourth factor to be verified when the third target factor is the same as the third factor to be verified, and send the fourth factor to be verified to the server side;
the third verification module is configured to enable the server side to calculate a fourth target factor by using the private key pair and the target identifier, and when the fourth target factor is the same as the fourth factor to be verified, the login identifier and the login password are authenticated to be legal, and a target account corresponding to the target identifier is logged in.
Based on the same inventive concept, the present application further provides a session encryption device, including: the system comprises a first computing module, a second computing module, a first encryption and decryption module and a second encryption and decryption module;
the first computing module is configured to enable the user side to compute a first session key by utilizing legal login identification;
the second calculating module is configured to enable the server side to calculate a second session key by using the stored target identifier which is the same as the login identifier;
the first encryption and decryption module is configured to enable the user side to encrypt data sent to the server side by using the first session key and decrypt the data sent by the server side by using the first session key;
the second encryption and decryption module is configured to enable the server side to encrypt data sent to the user side by using the second session key and decrypt the data sent by the user side by using the second session key.
Based on the same inventive concept, the application also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the user identity authentication method and/or the session encryption method of the communication network according to any one of the above when executing the program.
Based on the same inventive concept, the present application also provides a non-transitory computer readable storage medium, wherein the non-transitory computer readable storage medium stores computer instructions for causing the computer to perform a user identity authentication method and/or a session encryption method of the above-mentioned communication network.
As can be seen from the above, the user identity authentication method, session encryption method and related device of the communication network provided by the present application design a first factor to be checked, a second factor to be checked, a third factor to be checked and a fourth factor to be checked based on a login identifier and a login password input at a user end, so that a server authenticates the login identifier and the login password input at the user end, wherein the identity of the user end is authenticated through the first factor to be checked, the number of authentication failures is stored at the server end, modular exponentiation and hash function are comprehensively utilized to perform operation, and RSA encryption algorithm is combined to perform encryption communication, so that forward security of a session key between the user end and the server end is realized.
Drawings
In order to more clearly illustrate the technical solutions of the present application or related art, the drawings that are required to be used in the description of the embodiments or related art will be briefly described below, and it is apparent that the drawings in the following description are only embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort to those of ordinary skill in the art.
FIG. 1 is a flowchart of a user identity authentication method according to an embodiment of the present application;
FIG. 2 is a flow chart of a session encryption method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a user identity authentication device according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a session encryption device according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail below with reference to the accompanying drawings.
It should be noted that unless otherwise defined, technical or scientific terms used in the embodiments of the present application should be given a general meaning as understood by one of ordinary skill in the art to which the present application belongs. The terms "first," "second," and the like, as used in the embodiments of the present application, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may also be changed when the absolute position of the object to be described is changed.
It will be appreciated that before using the technical solutions of the various embodiments in the disclosure, the user may be informed of the type of personal information involved, the range of use, the use scenario, etc. in an appropriate manner, and obtain the authorization of the user.
For example, in response to receiving an active request from a user, a prompt is sent to the user to explicitly prompt the user that the operation it is requesting to perform will require personal information to be obtained and used with the user. Therefore, the user can select whether to provide personal information to the software or hardware such as the electronic equipment, the application program, the server or the storage medium for executing the operation of the technical scheme according to the prompt information.
As an alternative but non-limiting implementation, in response to receiving an active request from a user, the manner in which the prompt information is sent to the user may be, for example, a popup, in which the prompt information may be presented in a text manner. In addition, a selection control for the user to select to provide personal information to the electronic device in a 'consent' or 'disagreement' manner can be carried in the popup window.
It will be appreciated that the above-described notification and user authorization process is merely illustrative, and not limiting of the implementations of the present disclosure, and that other ways of satisfying relevant legal regulations may be applied to the implementations of the present disclosure.
As described in the background section, the related user identity authentication method and session encryption method of the communication network are also difficult to meet the actual use needs.
The applicant finds that in the process of implementing the present application, the main problems of the user identity authentication method and the session encryption method of the related communication network are as follows: the most prominent of the existing multi-factor user identity authentication modes based on passwords is that the off-line password guessing attack cannot be resisted and the forward security is lacking. Authentication protocols in the past have generally been based on the assumption that data in smart cards or mobile devices cannot be obtained by an attacker, but as attack techniques have evolved, it has become a well-established fact that an attacker can obtain such data. In an offline password guessing attack, an attacker can guess the user's password offline after successfully acquiring the smart card or biometric features.
In addition, the forward security problem is also extremely critical, and the forward security problem can ensure that even if the system is broken, the prior communication content is not acquired by an attacker, so that the loss of the broken system is reduced. But currently most user identity authentication protocols for network-oriented video conferences cannot achieve forward security, which means that they cannot protect the communication content. Therefore, there is a need to design a more reliable and secure authentication technique to meet the needs in high security demand environments.
Based on this, one or more embodiments in the present application provide a user identity authentication method and a session encryption method of a communication network.
In the embodiment of the application, a communication network with a server side and at least one user side is taken as a specific example of a user identity authentication method and a session encryption method for executing the communication network, and a network video conference is taken as a specific use scene of the user identity authentication method and the session encryption method of the communication network.
The server side and the user side can communicate through a channel.
Further, a subunit for storing and operating is provided in the client, and in this embodiment, the subunit is called a smart card, and has functions of storing data sent by the server, calculating the data, and the like.
Further, the server side is denoted as S, and any ith user side is denoted as U i
In one or more embodiments of the present application, the server side may be caused to perform system initialization before the user side communicates with the server side.
Specifically, the server S may be set with a generator G and a long key x of a prime order multiplicable group G, and with a corresponding initial public key y=g x mod p, where p represents a larger prime number.
Further, the server S is provided with a hash function h (·) 0,1 * →0,1 l Where l is the bit length of the function output.
Based on the method, a user participating in the network video conference can establish a registration account through the user terminal and serve as a target account, and after the registration is completed, when the user logs in the target account, the user terminal can input a login identification and a login password to verify whether the target account can be legally logged in.
Embodiments of the present application are described in detail below with reference to the accompanying drawings.
Referring to fig. 1, a user identity authentication method of a communication network according to an embodiment of the present application includes the following steps:
step S101, after a login identifier and a login password are input to a user side, the user side is enabled to calculate a first factor to be tested by using the login identifier and the login password, when the first factor to be tested is the same as a preset first target factor, modular exponentiation is carried out on a first random number generated by the user side, a first intermediate quantity is obtained, the login identifier is encoded into a second intermediate quantity by using the first intermediate quantity, the login identifier and the login password are encoded into a second factor to be tested, and the first intermediate quantity, the second intermediate quantity and the second factor to be tested are sent to a server side.
In the embodiment of the present application, as described above, the user is required to perform account registration before the user inputs the login identification and the login password to the user terminal.
Specifically, the user may give the user terminal U i Inputting preset target identification ID i And target password PW i And let the user end U i A first random number b is generated.
Based on the above, the user terminal can use the first random number b and the target password PW i Performing bit connection operation, and disturbing the operation result by adopting the hash function to realize the original target password PW i And obtain the target password disturbance result PWR i
Specifically, the target password perturbation result PWR may be determined according to the following formula i
PWR i =h(PW i ||b)
Further, let the user terminal perturb the target password by PWR i And a target identification ID i And sending the data to a server side.
Further, at the server side S, at a certain time interval T rg After receiving the target password disturbance result PWR i And a target identification ID i Based on this, by perturbing the result PWR by the target password i And a target identification ID i Performing operation to obtain a first target factor A i
Specifically, a hash function may be employed to perturb the result PWR to the target password, respectively i And a target identification ID i And performing disturbance, performing exclusive-or operation on the results after the disturbance, performing modular operation on the results after the exclusive-or operation, and performing disturbance on the results after the modular operation to obtain a first target factor.
Specifically, the first target factor a may be determined according to the following formula i
Wherein n0 is [2 ] 4 ,2 8 ]An integer within.
Further, the server S is made to check whether the target ID exists in the stored user ID i When the target identification ID does not exist in the user identification i The server S is made to be the user U i Creating a new account as a target account, in which a target record is created: and the target identification ID i Stored in the record.
In this embodiment, the target record may be specifically expressed as: { ID i ,y i ,T rg ,Honey-List=0}。
Wherein y is i Indicating the server S as user U i The unique random number being generated, i.e. the unique random number y i With user U i Target identification ID of (2) i Uniquely corresponds to the first and second data.
Further, honey-List represents the number of failures in login or authentication.
Further, let the server end use the unique random number y i Time interval T rg Target identification ID i Bit connection operation is carried out on the long secret key x, and the operation result is disturbed by using the hash function to obtain a target identification disturbance result K i
Specifically, the target identification disturbance result K may be determined according to the following formula i
K i =h(ID i ||x||y i ||T rg )
Further, the disturbance result K of the server side to the target mark is caused i And target password perturbation result PWR i Performing exclusive-or operation to obtain a first exclusive-or result L i
Specifically, the first exclusive OR result L may be determined according to the following formula i
Further, the server side determines a first target factor A i First exclusive OR result L i Hash functions h (·), n 0 And sending the p, g and the initial public key y to the user side.
Further, the first target factor A sent by the server is received at the user terminal i First exclusive OR result L i Hash functions h (·), n 0 After p, g and the initial public key y, it is stored to the smart card and the first random number b is stored to the smart card in the client.
Based on this, user U i Registration of the target account is completed, and a target identification ID is created i And target password PW i
In the present embodiment, at user U i After registration is completed, a login identifier and a login password can be input to the user side when the user side logs in, whether the login identifier and the login password are consistent with a target identifier and a login password which are registered previously or not is verified through interaction and operation between the user side and the server, and the user side can log in to a target account after authentication is consistent.
Specifically, a login identification ID 'is input at the user side' i And a login password PW' i
L1 further uses the first random number b stored in the smart card and the login password PW' i Performing bit join operation, and disturbing the result of the bit join operation by adopting the hash function to realize the original login password PW' i And obtaining a log-in password perturbation result PWR' i
Specifically, the login password perturbation result PWR 'may be determined according to the following formula' i
PWR′ i =h(PW′ i ||b)
Further, the user side disturbs the result PWR 'by the login password' i And login identification ID' i Performing operation to obtain a first factor A 'to be tested' i
Specifically, hash functions can be adopted to respectively disturb the login password PWR 'results' i And login identification ID' i Performing disturbance, performing exclusive-or operation on the results after the disturbance, performing modular operation on the results after the exclusive-or operation, and performing disturbance on the results after the modular operation to obtain a first factor A 'to be tested' i
Specifically, the first factor to be tested A 'can be determined according to the following formula' i
Further, the user side uses the first target factor A stored in the smart card i With the first test factor A' i A comparison is made.
Further, when the first target factor A i With the first test factor A' i If they are not equal, the login ID 'input to the user is considered' i And a login password PW' i And therefore terminates the authentication process and terminates the session connection between the current client and the server.
Further, when the first target factor A i With the first test factor A' i And when the sizes are equal, continuing authentication.
L2 further, let the user use the smart card to generate a second random number r 1 And uses the second random number r 1 Performing modular exponentiation to obtain a first intermediate quantity C 1 And C 2 By C 1 And C 2 Will log in the sign ID' i Encoded as a second intermediate quantity D i And will log in the sign ID' i And a login password PW' i Encoding as the second factor to be tested。
Specifically, the user is caused to use g stored in the smart card and the generated second random number r 1 Performing modular exponentiation according to the following formula to obtain a first intermediate quantity C 1
Further, the user is caused to use the initial public key y stored in the smart card and the generated second random number r 1 Performing modular exponentiation again according to the following formula to obtain a first intermediate quantity C 2
Based on this, C can be 1 And C 2 Performing bit connection operation, interfering the bit connection operation result by adopting a hash function, and combining the operation result of the hash function with a login identifier ID' i Performing exclusive OR operation to obtain a second intermediate quantity D i
Specifically, D may be determined according to the following formula i
Further, the result PWR 'is perturbed to the login password' i And the first exclusive OR result L i Performing an exclusive-or operation, and combining the result of the exclusive-or operation with a second intermediate quantity D i First intermediate quantity C 1 And C 2 Performing bit connection operation together, and performing disturbance of hash function on the bit connection operation result to obtain a second factor M to be tested 1 Thereby realizing the login identification ID' i And a login password PW' i Encoded together as the second factor to be tested M 1
Specifically, the first can be determined according to the following formulaTwo factors to be tested M 1
M 1 =h(D i ||C 1 ||C 2 ||K′ i )
Wherein,,
l3 based on this, let the user terminal let the first intermediate quantity C 1 Second intermediate quantity D i And a second factor to be tested M 1 And sending the authentication result to a server side so as to enable the server to carry out the next authentication.
Step S102, enabling the server side to decode the login identifier, when the server side is provided with a target identifier identical to the login identifier, calculating a second target factor by utilizing the first intermediate quantity and the second intermediate quantity, and when the second target factor is identical to the second factor to be checked, generating a public key pair and a private key pair, encoding the public key pair into a third factor to be checked, and sending the third factor to be checked and the public key pair to the user side.
In the embodiment of the present application, the server receives the first intermediate quantity C sent from the user 1 Second intermediate quantity D i And a second factor to be tested M 1 And decoding the login identification by using the first intermediate quantity.
L4 specifically, let the server side count the first intermediate quantity C 1 Performing modular exponentiation, applying disturbance to the modular exponentiation result by adopting hash function, and combining the operation result of hash function with second intermediate quantity D i Performing exclusive OR operation to obtain the decoded login ID' i
Specifically, the login identification ID 'may be determined according to the following formula' i
Wherein,,
further, the server searches from all the stored user identifications to judge whether any user identification and the login identification ID 'exist or not' i If the user identification is the target identification, the user identification is taken as the target identification, and authentication is continued.
Further, when the server end does not have any user identification and the login identification ID' i If the login identification ID ' is the same, the login identification ID ' input to the user is considered ' i And a login password PW' i And therefore terminates the authentication process and terminates the session connection between the current client and the server.
L5 further, let the server end make the first intermediate quantity C 1 And the second intermediate amount D i Performing bit connection operation and connecting the login ID' i Adding the second target factor M 'to the bit-concatenated operation to calculate a second target factor M' 1
Specifically, the second target factor M 'may be determined according to the following formula' 1
M′ 1 =h(D i ||C 1 ||C′ 2 ||K i )
Wherein K is i =h(ID′ i ||x||y i ||T rg )。
Further, let the server end pair the second target factor M' 1 And a second factor to be tested M 1 A comparison is made.
Further, when the second target factor M' 1 And a second factor to be tested M 1 If they are not equal, the login password PW 'input to the user is considered' i And is illegal, thus terminating the authentication process and terminating the session connection between the current user terminal and the server terminal.
Further, when authenticating the login password PW' i If not, adding 1 to the number of times in the Honey-List, and if the number of times in the Honey-List exceeds the preset number threshold, enabling the server side to determine the ID of the target identifier i The corresponding target account is frozen, and simultaneously, the user side is enabled toThe login identification ID' i All data corresponding to the correlation is frozen.
In some embodiments, after the target account is frozen, all data within the target account will not be able to be called and read; for the login identification ID' i After the corresponding relevant all data are frozen, the relevant all data cannot be called and read.
Further, when the second target factor M' 1 And a second factor to be tested M 1 And when the sizes are equal, continuing authentication.
L6 further causes the server side to initialize an RSA encryption algorithm (asymmetric encryption algorithm) and generate a pair of public key pairs (n, e) and a pair of private key pairs (n, d).
Based on the above, the server side pair public key pair, C' 2 、K i Target identification ID i And a first intermediate quantity C 1 Performing bit connection operation to obtain a third factor M to be tested 2
Specifically, the third factor to be tested M may be determined according to the following formula 2
M 2 =h(ID i ||K i ||C 1 ||C′ 2 ||n||e)
Further, let the server side determine the third factor M to be tested 2 And the generated public key pair (n, e) is sent to the user side so as to enable the user side to carry out the next authentication.
Step S103, the user end encodes the login identification and the public key pair into a third target factor, and when the third target factor is the same as the third factor to be checked, the login identification and the public key pair are encoded into a fourth factor to be checked, and the fourth factor to be checked is sent to the server end.
In the embodiment of the present application, the user side receives the third factor to be tested M sent from the server side 2 And a public key pair (n, e) and generates a third target factor M' 2
L7 specifically, let the user end pair login identification ID' i First intermediate quantity C 1 First middle partAmount of C 2 And (n, e) the public key pair, and adding the login password PW 'into the bit connection operation' i Related K' i After calculating the third target factor M 'by a hash function' 2
Specifically, the third target factor M 'may be determined according to the following formula' 2
M′ 2 =h(ID′ i ||K′ i ||C 1 ||C 2 ||n||e)
Further, let the user end pair the third target factor M' 2 And the third factor to be tested M 2 A comparison is made.
Further, when the third target factor M' 2 And the third factor to be tested M 2 If they are not equal, the login password PW 'input to the user is considered' i And is illegal, thus terminating the authentication process and terminating the session connection between the current user terminal and the server terminal.
Further, when the third target factor M' 2 And the third factor to be tested M 2 And when the sizes are equal, continuing authentication.
Further, the user uses the smart card to generate a third random number r 2 Wherein r is 2 ∈[0,n]。
Further, the third random number r is used 2 And performing modular exponentiation operation on the private key pair to obtain a third intermediate quantity C 3 And for a third intermediate quantity C 3 Login identification ID' i With login password PW' i Related K' i And a third random number r 2 Performing bit connection operation to encode the fourth factor M 3
Specifically, the fourth factor to be tested M may be determined according to the formula shown below 3
M 3 =h(ID′ i ||C 3 ||K′ i ||r 2 )
Wherein the third intermediate quantity C can be determined according to the formula shown below 3
Further, let the user terminal determine the fourth factor M to be tested 3 And a third intermediate quantity C 3 And sending the authentication result to the server side so as to enable the server side to carry out the next authentication.
Step S104, the server calculates a fourth target factor by using the private key pair and the target identifier, and when the fourth target factor is the same as the fourth factor to be checked, the login identifier and the login password are authenticated to be legal, and a target account corresponding to the target identifier is logged in.
In the embodiment of the present application, the server receives the fourth factor M to be tested from the user 3 And a third intermediate quantity C 3 And uses the private key pair (n, d) generated in the preceding step and a third intermediate quantity C 3 To calculate the fourth target factor M' 3
L9 specifically, modulo exponentiation of (n, d) with the private key, and combining the result of the modulo exponentiation with K i Target identification ID i Third intermediate quantity C 3 Performing bit concatenation operation, and performing hash function on the result of the bit concatenation operation to obtain a fourth target factor M' 3
Wherein the fourth target factor M 'can be determined according to the following formula' 3
M′ 3 =h(ID i ||C 3 ||K i ||r′ 2 )
Wherein,,
further, let the server end pair the fourth target factor M' 3 And the fourth factor M to be tested 3 A comparison is made.
Further, when the fourth target factor M' 3 And the fourth factor M to be tested 3 If they are not equal, the login password PW 'input to the user is considered' i Illegitimate, thus endStopping the authentication process and terminating the session connection between the current user terminal and the server terminal.
Further, when the fourth target factor M' 3 And the fourth factor M to be tested 3 When the sizes are equal, the login identification D 'is considered' i And login password authentication PW' i Based on the method, the user can log in the server and the target identification ID through the server i The corresponding target account.
In another embodiment of the present application, after encoding the login identification and the login password as the second to-be-checked factor, further comprising:
the user side sends the first intermediate quantity, the second factor to be checked and a preset freezing instruction to the server side;
after the server receives the freezing instruction, the login identifier is decoded, when the server has the same target identifier as the login identifier, a second target factor is calculated by using the first intermediate quantity and the second intermediate quantity, and when the second target factor is the same as the second factor to be checked, the unique random number is set to be a null value, so that the login identifier cannot be authenticated next time.
In this embodiment, when the user finds that the client is stolen, the user may choose to actively freeze the registered target account.
Specifically, the user may input a login identification ID 'to the client' i And a login password PW' i
Further, the first random number b and the login password PW 'stored in the smart card are utilized' i Performing bit join operation, and disturbing the result of the bit join operation by adopting the hash function to realize the original login password PW' i And obtaining a log-in password perturbation result PWR' i
Specifically, the login password perturbation result PWR 'may be determined according to the following formula' i
PWR′ i =h(PW′ i ||b)
Further, the user side disturbs the result PWR 'by the login password' i And login identification ID' i Performing operation to obtain a first factor A 'to be tested' i
Specifically, hash functions can be adopted to respectively disturb the login password PWR 'results' i And login identification ID' i Performing disturbance, performing exclusive-or operation on the results after the disturbance, performing modular operation on the results after the exclusive-or operation, and performing disturbance on the results after the modular operation to obtain a first factor A 'to be tested' i
Specifically, the first factor to be tested A 'can be determined according to the following formula' i
Further, the user side uses the first target factor A stored in the smart card i With the first test factor A' i A comparison is made.
Further, when the first target factor A i With the first test factor A' i If they are not equal, the login ID 'input to the user is considered' i And a login password PW' i And therefore terminates the authentication process and terminates the session connection between the current client and the server.
Further, when the first target factor A i With the first test factor A' i And when the sizes are equal, continuing authentication.
Further, the user uses the smart card to generate a second random number r 1 And uses the second random number r 1 Performing modular exponentiation to obtain a first intermediate quantity C 1 And C 2 By C 1 And C 2 Will log in the sign ID' i Encoded as a second intermediate quantity D i And will log in the sign ID' i And a login password PW' i Encoding as the second factor to be tested.
Concrete embodimentsThe user is enabled to use g stored in the smart card and the generated second random number r 1 Performing modular exponentiation according to the following formula to obtain a first intermediate quantity C 1
Further, the user is caused to use the initial public key y stored in the smart card and the generated second random number r 1 Performing modular exponentiation again according to the following formula to obtain a first intermediate quantity C 2
Based on this, C can be 1 And C 2 Performing bit connection operation, interfering the bit connection operation result by adopting a hash function, and combining the operation result of the hash function with a login identifier ID' i Performing exclusive OR operation to obtain a second intermediate quantity D i
Specifically, D may be determined according to the following formula i
Further, the result PWR 'is perturbed to the login password' i And the first exclusive OR result L i Performing an exclusive-or operation, and combining the result of the exclusive-or operation with a second intermediate quantity D i First intermediate quantity C 1 And C 2 Performing bit connection operation together, and performing disturbance of hash function on the bit connection operation result to obtain a second factor M to be tested 1 Thereby realizing the login identification ID' i And a login password PW' i Encoded together as the second factor to be tested M 1
Specifically, the second factor to be tested M may be determined according to the following formula 1
M 1 =h(D i ||C 1 ||C 2 ||K′ i )
Wherein,,
based on this, let the user terminal let the first intermediate quantity C 1 Second intermediate quantity D i Second factor to be tested M 1 And sending the freezing instruction to the server side.
Further, let the server side receive the first intermediate quantity C sent from the user side 1 Second intermediate quantity D i Second factor to be tested M 1 And freezing the instruction and decoding the login identification by using the first intermediate quantity.
Further, let the server end count the first intermediate quantity C 1 Performing modular exponentiation, applying disturbance to the modular exponentiation result by adopting hash function, and combining the operation result of hash function with second intermediate quantity D i Performing exclusive OR operation to obtain the decoded login ID' i
Specifically, the login identification ID 'may be determined according to the following formula' i
Wherein,,
further, the server searches from all the stored user identifications to judge whether any user identification and the login identification ID 'exist or not' i If the user identification is the target identification, the user identification is taken as the target identification, and authentication is continued.
Further, when the server end does not have any user identification and the login identification ID' i If the login identification ID ' is the same, the login identification ID ' input to the user is considered ' i And a login password PW' i At least one of which is illegal and thus the terminalStopping the authentication process and terminating the session connection between the current user terminal and the server terminal.
Further, the server side is enabled to make the first intermediate quantity C 1 And the second intermediate amount D i Performing bit connection operation and connecting the login ID' i Adding the second target factor M 'to the bit-concatenated operation to calculate a second target factor M' 1
Specifically, the second target factor M 'may be determined according to the following formula' 1
M′ 1 =h(D i ||C 1 ||C′ 2 ||K i )
Wherein K is i =h(ID′ i ||x||y i ||T rg )。
Further, let the server end pair the second target factor M' 1 And a second factor to be tested M 1 A comparison is made.
Further, when the second target factor M' 1 And a second factor to be tested M 1 If they are not equal, the login password PW 'input to the user is considered' i And is illegal, thus terminating the authentication process and terminating the session connection between the current user terminal and the server terminal.
Further, when authenticating the login password PW' i If not, adding 1 to the number of times in the Honey-List, and if the number of times in the Honey-List exceeds the preset number threshold, enabling the server side to determine the ID of the target identifier i The corresponding target account is frozen, and the user terminal simultaneously makes the login identification ID' i All data corresponding to the correlation is frozen.
In some embodiments, after the target account is frozen, all data within the target account will not be able to be called and read; for the login identification ID' i After the corresponding relevant all data are frozen, the relevant all data cannot be called and read.
Further, when the second target factor M' 1 And a second factor to be tested M 1 When the sizes are equal, the unique random number y is obtained i Set to a null value.
Based on this, the login identification ID' i The next authentication cannot be performed, that is, with the login identification ID' i Identical target identification ID i The corresponding target account cannot be logged in.
In another embodiment of the present application, after the unique random number is set to a null value to enable the login identifier to be unable to perform the next authentication, the method further includes:
after the login identification and the login password are input to the user side, enabling the user side to extract the first random number, adopting a hash function, and disturbing the login password by utilizing the first random number to obtain a login password disturbance result;
the user sends the login identification and the login disturbance result to the server;
the server side is enabled to check whether the target identifier which is the same as the login identifier is provided, and if the target identifier which is the same as the login identifier is provided, whether a target account corresponding to the target identifier is frozen is checked;
when the target account is frozen, checking whether the data corresponding to the user side login identification is frozen or not;
when the data corresponding to the login identification of the user terminal is frozen, the user terminal re-registers the login identification and the login password for the target account terminal.
In the embodiment of the application, after the target account registered by the user is frozen, the frozen state of the target account can be released by re-registering.
Specifically, a login identification ID 'is input at the user side' i And a login password PW' i
Further, the first random number b and the login password PW 'stored in the smart card are utilized' i Performing bit join operation, and disturbing the result of the bit join operation by adopting the hash function to realize the original login password PW' i And obtaining a log-in password perturbation result PWR' i
Specifically, the login password perturbation result PWR 'may be determined according to the following formula' i
PWR′ i =h(PW′ i ||b)
Further, the login password disturbance result PWR' i And login identification ID' i And sending the data to a server side.
Further, a login password disturbance result PWR 'is received at the server side' i And login identification ID' i Then, searching whether any user identification and the login identification ID 'exist in the stored user account' i The same applies.
Further, if any user identification exists and the login identification ID' i The user identification is determined as the target identification ID i
Further, the target identification ID is judged i Whether the corresponding target account is still in a frozen state.
Further, if the target account is in a frozen state, judging that the target account is matched with the login identifier ID 'in the smart card of the user side' i Whether the associated data is in a frozen state.
Further, if the login identification ID 'is matched with the login identification ID' i The relevant data is in a frozen state, and the user is provided with a new login identification and a new login password for the target account.
Further, the new login identification and the new login password are registered again through the user side.
It can be seen that, in the user identity authentication method of the communication network according to the embodiment of the present application, the first factor to be checked, the second factor to be checked, the third factor to be checked and the fourth factor to be checked are designed based on the login identifier and the login password input at the user end, so that the server authenticates the login identifier and the login password input at the user end, wherein the identity of the user end is authenticated through the first factor to be checked, the number of times of authentication failure is stored at the server end, the modular exponentiation and the hash function are comprehensively utilized to perform the operation, and the RSA encryption algorithm is combined to perform the encrypted communication, thereby realizing the forward security of the session key between the user end and the server end.
Referring to fig. 2, a session encryption method according to an embodiment of the present application is applied to the communication network in the foregoing embodiment, and includes the same server and at least one client.
And specifically comprises the following steps:
step 201, the user side calculates a first session key by using a legal login identifier.
In this embodiment, after determining that the login identifier and the login password of the user are legal, the user may be enabled to pair the login identifier ID' i First intermediate quantity C 1 And C 2 Third intermediate quantity C 3 With login password PW' i Related K' i And a third random number r 2 Performing bit concatenation operation and performing hash function on the result of the bit concatenation operation to obtain a first session key SK 1
Wherein the first session key SK may be determined according to the formula shown below 1 :SK 1 =h(ID′ i ||C 1 ||C 2 ||C 3 ||K′ i ||r 2 )。
Step S202, the server calculates a second session key by using the stored target identifier which is the same as the login identifier.
In the present embodiment, the server terminal is provided with a login identifier ID' i Identical target identification ID i The server side can be made to target identification ID i First intermediate quantity C 1 Third intermediate quantity C 3 、C′ 2 、r′ 2 And login identification ID i Related K i Performing bit concatenation operation and performing hash function on the result of the bit concatenation operation to obtain a second session key SK 2
Wherein the second session key SK may be determined according to the formula shown below 2 :SK 2 =h(ID i ||C 1 ||C′ 2 ||C 3 ||K i ||r′ 2 )。
Step S203, the user side encrypts the data sent to the server side by using the first session key, and decrypts the data sent from the server side by using the first session key.
In this embodiment, the ue calculates the extracted first session key SK based on the foregoing steps 1 The first session key SK may be used in communication with the server side 1 Encrypting the data and transmitting the encrypted data to the server.
In some embodiments, the user side may also use the first session key SK 1 Decrypting the encrypted data sent by the server to obtain the original data.
Step S204, the server encrypts the data sent to the user terminal by using the second session key, and decrypts the data sent from the user terminal by using the second session key.
In this embodiment, the server calculates the second session key SK based on the foregoing steps 2 The second session key SK can be used when communicating with the client 2 Encrypting the data and transmitting the encrypted data to the user terminal.
In some embodiments, the server side may also use the first person session key SK 2 Decrypting the encrypted data sent by the user terminal to obtain the original data.
It should be noted that, the method of the embodiments of the present application may be performed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene, and is completed by mutually matching a plurality of devices. In the case of such a distributed scenario, one of the devices may perform only one or more steps of the methods of embodiments of the present application, which interact with each other to complete the methods.
It should be noted that some embodiments of the present application are described above. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments described above and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
Based on the same inventive concept, the embodiment of the application also provides a user identity authentication device of the communication network, which corresponds to the method of any embodiment.
Referring to fig. 3, the user identity authentication device of the communication network includes: an input module 301, a first authentication module 302, a second authentication module 303, and a third authentication module 304;
the input module 301 is configured to, after inputting a login identifier and a login password to a user side, enable the user side to calculate a first factor to be tested by using the login identifier and the login password, and when the first factor to be tested is the same as a preset first target factor, perform modular exponentiation on a first random number generated by the user side to obtain a first intermediate quantity, encode the login identifier into a second intermediate quantity by using the first intermediate quantity, encode the login identifier and the login password into a second factor to be tested, and send the first intermediate quantity, the second intermediate quantity and the second factor to be tested to a server side;
the first verification module 302 is configured to enable the server side to decode the login identifier, calculate a second target factor by using the first intermediate quantity and the second intermediate quantity when the server side has the same target identifier as the login identifier, generate a public key pair and a private key pair when the second target factor is the same as the second factor to be verified, encode the public key pair into a third factor to be verified, and send the third factor to be verified and the public key pair to the user side;
The second verification module 303 is configured to enable the user side to encode the login identifier and the public key pair into a third target factor, and when the third target factor is the same as the third factor to be verified, encode the login identifier and the public key pair into a fourth factor to be verified, and send the fourth factor to be verified to the server side;
the third verification module 304 is configured to enable the server to calculate a fourth target factor by using the private key pair and the target identifier, and when the fourth target factor is the same as the fourth factor to be verified, authenticate that the login identifier and the login password are legal, and log in a target account corresponding to the target identifier.
Based on the same inventive concept, the embodiment of the application also provides a session encryption device corresponding to the method of any embodiment.
Referring to fig. 4, the session encryption apparatus includes: a first computing module 401, a second computing module 402, a first encryption and decryption module 403 and a second encryption and decryption module 404;
wherein, the first computing module 401 is configured to enable the user side to calculate a first session key by using a legal login identifier;
The second calculating module 402 is configured to cause the server side to calculate a second session key using the stored target identifier that is the same as the login identifier;
the first encryption/decryption module 403 is configured to enable the user side to encrypt data sent to the server side by using the first session key, and decrypt data sent from the server side by using the first session key;
the second encryption and decryption module 404 is configured to enable the server to encrypt the data sent to the user by using the second session key, and decrypt the data sent from the user by using the second session key.
For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, the functions of each module may be implemented in the same piece or pieces of software and/or hardware when implementing the embodiments of the present application.
The device of the foregoing embodiment is configured to implement the user identity authentication method and/or the session encryption method of the corresponding communication network in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein.
Based on the same inventive concept, the embodiments of the present application also provide an electronic device corresponding to the method of any of the embodiments described above, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the user identity authentication method and/or session encryption method of the communication network according to any of the embodiments described above when executing the program.
Fig. 5 shows a more specific hardware architecture of an electronic device according to this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 implement communication connections therebetween within the device via a bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit ), a microprocessor, an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), or one or more integrated circuits, etc. for executing relevant programs to implement the technical solutions provided in the embodiments of the present application.
The Memory 1020 may be implemented in the form of ROM (Read Only Memory), RAM (Random Access Memory ), static storage device, dynamic storage device, or the like. Memory 1020 may store an operating system and other application programs, and when the solutions provided by the embodiments of the present application are implemented in software or firmware, the relevant program code is stored in memory 1020 and invoked for execution by processor 1010.
The input/output interface 1030 is used to connect with an input/output module for inputting and outputting information. The input/output module may be configured as a component in a device (not shown in the figure) or may be external to the device to provide corresponding functionality. Wherein the input devices may include a keyboard, mouse, touch screen, microphone, various types of sensors, etc., and the output devices may include a display, speaker, vibrator, indicator lights, etc.
Communication interface 1040 is used to connect communication modules (not shown) to enable communication interactions of the present device with other devices. The communication module may implement communication through a wired manner (such as USB, network cable, etc.), or may implement communication through a wireless manner (such as mobile network, WIFI, bluetooth, etc.).
Bus 1050 includes a path for transferring information between components of the device (e.g., processor 1010, memory 1020, input/output interface 1030, and communication interface 1040).
It should be noted that although the above-described device only shows processor 1010, memory 1020, input/output interface 1030, communication interface 1040, and bus 1050, in an implementation, the device may include other components necessary to achieve proper operation. Furthermore, it will be understood by those skilled in the art that the above-described apparatus may include only the components necessary to implement the embodiments of the present application, and not all the components shown in the drawings.
The device of the foregoing embodiment is configured to implement the user identity authentication method and/or the session encryption method of the corresponding communication network in any of the foregoing embodiments, and has the beneficial effects of the corresponding method embodiment, which are not described herein.
Based on the same inventive concept, corresponding to any of the above embodiments, the present application further provides a non-transitory computer readable storage medium storing computer instructions for causing the computer to perform the user identity authentication method and/or the session encryption method of the communication network according to any of the above embodiments.
The computer readable media of the present embodiments, including both permanent and non-permanent, removable and non-removable media, may be used to implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static Random Access Memory (SRAM), dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device.
The storage medium of the foregoing embodiments stores computer instructions for causing the computer to perform the user identity authentication method and/or the session encryption method of the communication network according to any one of the foregoing embodiments, and have the beneficial effects of the corresponding method embodiments, which are not described herein.
Those of ordinary skill in the art will appreciate that: the discussion of any of the embodiments above is merely exemplary and is not intended to suggest that the scope of the application (including the claims) is limited to these examples; the technical features of the above embodiments or in the different embodiments may also be combined under the idea of the present application, the steps may be implemented in any order, and there are many other variations of the different aspects of the embodiments of the present application as described above, which are not provided in details for the sake of brevity.
Additionally, well-known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures, in order to simplify the illustration and discussion, and so as not to obscure the embodiments of the present application. Furthermore, the devices may be shown in block diagram form in order to avoid obscuring the embodiments of the present application, and this also takes into account the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform on which the embodiments of the present application are to be implemented (i.e., such specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the application, it should be apparent to one skilled in the art that embodiments of the application can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative in nature and not as restrictive.
While the present application has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of those embodiments will be apparent to those skilled in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the embodiments discussed.
The embodiments of the present application are intended to embrace all such alternatives, modifications and variances which fall within the broad scope of the appended claims. Any omissions, modifications, equivalents, improvements, and the like, which are within the spirit and principles of the embodiments of the present application, are therefore intended to be included within the scope of the present application.

Claims (10)

1. The identity authentication method of the communication network is characterized in that the communication network comprises a server side and at least one user side;
the method comprises the following steps:
after a login identifier and a login password are input to a user side, the user side is enabled to calculate a first factor to be tested by using the login identifier and the login password, when the first factor to be tested is the same as a preset first target factor, modular exponentiation is carried out on a first random number generated by the user side to obtain a first intermediate quantity, the login identifier is encoded into a second intermediate quantity by using the first intermediate quantity, the login identifier and the login password are encoded into a second factor to be tested, and the first intermediate quantity, the second intermediate quantity and the second factor to be tested are sent to a server side;
The server side decodes the login identifier, when the server side has the same target identifier as the login identifier, a second target factor is calculated by using the first intermediate quantity and the second intermediate quantity, when the second target factor is the same as the second factor to be checked, a public key pair and a private key pair are generated, the public key pair is encoded into a third factor to be checked, and the third factor to be checked and the public key pair are sent to the user side;
the user end codes the login identification and the public key pair into a third target factor, and when the third target factor is the same as the third factor to be checked, codes the login identification and the public key pair into a fourth factor to be checked, and sends the fourth factor to be checked to the server end;
and enabling the server to calculate a fourth target factor by utilizing the private key pair and the target identifier, and when the fourth target factor is the same as the fourth factor to be tested, authenticating that the login identifier and the login password are legal, and logging in a target account corresponding to the target identifier.
2. The method according to claim 1, wherein the method further comprises:
When the server side judges that the first factor to be tested is different from the first target factor, determining that the login identification is illegal, and terminating session connection;
when the server side judges that the target identifier which is the same as the login identifier is not provided, the login identifier is determined to be illegal, and session connection is terminated;
when the second target factor is different from the second factor to be tested, determining that the login identification is illegal, terminating session connection, judging the number of times that the user terminal is judged to be illegal currently, when the number of times exceeds a preset number threshold, enabling the server terminal to determine a target account corresponding to the target identification, freezing the target account, and enabling the user terminal to freeze data corresponding to the login identification;
when the third target factor is different from the third factor to be tested, determining that the login identification is illegal, and terminating session connection;
and when the fourth target factor is different from the fourth factor to be tested, determining that the login identification is illegal, and terminating session connection.
3. The method of claim 1, wherein before entering the login identification and the login password into the client, further comprising:
After a preset target identifier and a target password are input to the user terminal, enabling the user terminal to generate a first random number, adopting a hash function, and disturbing the target password by using the first random number to obtain a target password disturbance result;
the user terminal sends the target identifier and the target password disturbance result to the server terminal;
enabling the server side to carry out modular exponentiation on the target identifier and the target password disturbance result to obtain the first target factor;
the server side is enabled to check whether the target identifier exists in the stored user identifiers, when the target identifier does not exist in the user identifiers, the target identifier is stored, the target account is created for the target identifier, and a unique random number corresponding to the target identifier is generated in the target account;
the server side is enabled to adopt the hash function, the target identifier added with the unique random number is disturbed, a target identifier disturbance result is obtained, exclusive-or operation is carried out on the target identifier disturbance result and the target password disturbance result, and a first exclusive-or result is obtained;
The server side sends the first target factor, a first exclusive-or result and the hash function to the user side for storage;
and enabling the user side to store the first target factor, a first exclusive-or result, the hash function and the first random number so as to finish the registration of the target account.
4. A method according to claim 3, wherein after encoding the login identification and the login password as a second factor to be tested, further comprising:
the user side sends the first intermediate quantity, the second factor to be checked and a preset freezing instruction to the server side;
after the server receives the freezing instruction, the login identifier is decoded, when the server has the same target identifier as the login identifier, a second target factor is calculated by using the first intermediate quantity and the second intermediate quantity, and when the second target factor is the same as the second factor to be checked, the unique random number is set to be a null value, so that the login identifier cannot be authenticated next time.
5. The method of claim 4, wherein after the setting the unique random number to a null value to disable the login identification from a next authentication, further comprising:
After the login identification and the login password are input to the user side, enabling the user side to extract the first random number, adopting a hash function, and disturbing the login password by utilizing the first random number to obtain a login password disturbance result;
the user sends the login identification and the login disturbance result to the server;
the server side is enabled to check whether the target identifier which is the same as the login identifier is provided, if the target identifier which is the same as the login identifier is provided, whether a target account corresponding to the target identifier is frozen is checked, and if the target account is frozen, whether data corresponding to the login identifier of the user side is frozen is checked;
when the data corresponding to the login identification of the user terminal is frozen, the user terminal re-registers the login identification and the login password for the target account terminal.
6. A session encryption method, characterized by being applied to a communication network, wherein the communication network comprises a server side according to any of claims 1-5 and at least one user side according to any of claims 1-5;
the method comprises the following steps:
The user side calculates a first session key by using a legal login identifier, encrypts data sent to the server side by using the first session key, and decrypts the data sent by the server side by using the first session key;
and the server calculates a second session key by using the stored target identifier which is the same as the login identifier, encrypts the data sent to the user terminal by using the second session key, and decrypts the data sent by the user terminal by using the second session key.
7. An identity authentication device for a communication network, comprising: the device comprises an input module, a first verification module, a second verification module and a third verification module;
the input module is configured to, after inputting a login identifier and a login password to a user side, enable the user side to calculate a first factor to be tested by using the login identifier and the login password, and when the first factor to be tested is the same as a preset first target factor, perform modular exponentiation on a first random number generated by the user side to obtain a first intermediate quantity, encode the login identifier into a second intermediate quantity by using the first intermediate quantity, encode the login identifier and the login password into a second factor to be tested, and send the first intermediate quantity, the second intermediate quantity and the second factor to be tested to a server side;
The first verification module is configured to enable the server side to decode the login identifier, calculate a second target factor by using the first intermediate quantity and the second intermediate quantity when the server side has the same target identifier as the login identifier, generate a public key pair and a private key pair when the second target factor is the same as the second factor to be verified, encode the public key pair into a third factor to be verified, and send the third factor to be verified and the public key pair to the user side;
the second verification module is configured to enable the user side to encode the login identifier and the public key pair into a third target factor, encode the login identifier and the public key pair into a fourth factor to be verified when the third target factor is the same as the third factor to be verified, and send the fourth factor to be verified to the server side;
the third verification module is configured to enable the server side to calculate a fourth target factor by using the private key pair and the target identifier, and when the fourth target factor is the same as the fourth factor to be verified, the login identifier and the login password are authenticated to be legal, and a target account corresponding to the target identifier is logged in.
8. A session encryption apparatus, comprising: the system comprises a first computing module, a second computing module, a first encryption and decryption module and a second encryption and decryption module;
the first computing module is configured to enable the user side to compute a first session key by utilizing legal login identification;
the second calculating module is configured to enable the server side to calculate a second session key by using the stored target identifier which is the same as the login identifier;
the first encryption and decryption module is configured to enable the user side to encrypt data sent to the server side by using the first session key and decrypt the data sent by the server side by using the first session key;
the second encryption and decryption module is configured to enable the server side to encrypt data sent to the user side by using the second session key and decrypt the data sent by the user side by using the second session key.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable by the processor, characterized in that the processor implements the method of any of claims 1 to 5 and/or claim 6 when executing the computer program.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the method of any of claims 1 to 5 and/or claim 6.
CN202310457458.9A 2023-04-24 2023-04-24 Identity authentication method, session encryption method and related equipment of communication network Pending CN116566662A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310457458.9A CN116566662A (en) 2023-04-24 2023-04-24 Identity authentication method, session encryption method and related equipment of communication network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310457458.9A CN116566662A (en) 2023-04-24 2023-04-24 Identity authentication method, session encryption method and related equipment of communication network

Publications (1)

Publication Number Publication Date
CN116566662A true CN116566662A (en) 2023-08-08

Family

ID=87495719

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310457458.9A Pending CN116566662A (en) 2023-04-24 2023-04-24 Identity authentication method, session encryption method and related equipment of communication network

Country Status (1)

Country Link
CN (1) CN116566662A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117640090A (en) * 2024-01-25 2024-03-01 蓝象智联(杭州)科技有限公司 Identity verification method and system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117640090A (en) * 2024-01-25 2024-03-01 蓝象智联(杭州)科技有限公司 Identity verification method and system
CN117640090B (en) * 2024-01-25 2024-04-12 蓝象智联(杭州)科技有限公司 Identity verification method and system

Similar Documents

Publication Publication Date Title
KR102307665B1 (en) identity authentication
CN106656907B (en) Method, device, terminal equipment and system for authentication
US10797879B2 (en) Methods and systems to facilitate authentication of a user
CN109150835B (en) Cloud data access method, device, equipment and computer readable storage medium
CN112291190B (en) Identity authentication method, terminal and server
CN110401615B (en) Identity authentication method, device, equipment, system and readable storage medium
US20130185210A1 (en) Method and System for Making Digital Payments
CN113691502B (en) Communication method, device, gateway server, client and storage medium
US8438384B2 (en) System and method for performing mutual authentication
US20160182230A1 (en) Secure token-based signature schemes using look-up tables
US10547451B2 (en) Method and device for authentication
KR20140030616A (en) Apparatus and method for remotely deleting important information
KR20110139798A (en) Control method of data management system with emproved security
CN114553590B (en) Data transmission method and related equipment
CN112241527B (en) Secret key generation method and system of terminal equipment of Internet of things and electronic equipment
CN113010874A (en) Login authentication method and device, electronic equipment and computer readable storage medium
CN110933675A (en) Wireless sensor network authentication method, system and electronic equipment
CN116566662A (en) Identity authentication method, session encryption method and related equipment of communication network
CN114244530A (en) Resource access method and device, electronic equipment and computer readable storage medium
CN111901303A (en) Device authentication method and apparatus, storage medium, and electronic apparatus
Amintoosi et al. TAMA: three-factor authentication for multi-server architecture
KR20180113688A (en) Encryption method and system using authorization key of device
CN112437046B (en) Communication method, system, electronic device and storage medium for preventing replay attack
KR101912403B1 (en) Method for security authentication between equipment
JP6167667B2 (en) Authentication system, authentication method, authentication program, and authentication apparatus

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination