CN1832397A - Authorization key, consultation and update method based on common key credentials between interface of electronic equipment

Info

Publication number
CN1832397A
Authority
CN
China
Prior art keywords
key
source
hash
des
destination device
Prior art date
Legal status
Granted
Application number
CN 200510124342
Other languages
Chinese (zh)
Other versions
CN1832397B (en)
Inventor
田海博
詹阳
王育民
帅红宇
葛建华
袁素春
姜正涛
谭示崇
范欣欣
Current Assignee
Sichuan Changhong Electric Co Ltd
Original Assignee
BEIJING PUAODE DITIAL TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Application filed by BEIJING PUAODE DITIAL TECHNOLOGY Co Ltd
Priority to CN2005101243425A
Publication of CN1832397A
Application granted
Publication of CN1832397B
Expired - Fee Related
Anticipated expiration


Abstract

This invention relates to an authenticated key agreement and update method based on public key certificates for the interfaces between electronic devices. The source device and the destination device taking part in the negotiation select a one-way or a two-way authentication mode and use it to complete authentication, key agreement and key update. In both modes a shared secret is generated with the Diffie-Hellman key exchange; the consistency of the shared secret and the integrity of the protocol messages are secured with an HMAC keyed hash function; a signature establishes that the sender of a certificate holds the private key corresponding to the public key in that certificate, so that the legitimacy of the device can be determined; in the re-authentication case the legitimacy of the device is confirmed using the shared key.

Description

Authenticated key agreement and update method based on public key certificates for interfaces between electronic devices
Technical field
The present invention relates to key exchange methods for confidential or secure communication, and in particular to an authenticated key agreement method based on public key certificates and to a method for updating the authentication key.
Background technology
The digitization of audio-visual entertainment content lets ordinary consumers watch, store and distribute digital content without loss of quality. The number of copies made does not affect the quality of digital content, and Internet and peer-to-peer (P2P) technology make large-scale distribution of digital content possible. The combination of lossless copying and convenient wide distribution is a threat to the copyright owners of digital audio-visual entertainment content.
To protect the interests of copyright owners, the consumer electronics devices used to decode, store and display digital audio-visual content should themselves have a copyright protection function, that is, they should act according to the copyright protection information that accompanies the content. Such a device contains a module dedicated to handling copyright protection information and acting on it; for example, if the copyright information of a film states that it may not be copied, the device refuses any copy request it receives. A device of this kind is called a legitimate device. Not every consumer electronics device in a household is a legitimate device, so to ensure that digital audio-visual content is transferred only between legitimate devices, the devices must authenticate each other's legitimacy through an authenticated key agreement protocol, and generate a shared key, before content is transferred. Video content is then transferred only between legitimate devices and is thereby protected.
When digital audio-visual content is transferred over an interface it is easy for an illegitimate device to intercept it. If the intercepted content can be recognized directly, it threatens the copyright owner's interests just as much. To prevent this, encryption is normally used: the data transferred across the interface is encrypted, so that even after interception it is hard to recover the original video content. The security of modern encryption depends almost entirely on the security of the keys; the encryption key is usually derived from the authentication key produced by the authentication process, and the security of the algorithms that protect the video content in turn depends on the security of the keys of those algorithms.
Connections between legitimate devices must follow an interface specification. Common interfaces include HDMI, DVI, IEEE 1394 and the POD-Host interface. HDMI and DVI are the interface technologies that connect display terminals to digital content sources. IEEE 1394 is a high-speed serial bus interface technology widely used for video content transmission. The POD-Host interface is an auxiliary interface used in cable networks: decoded cable-network digital content is transferred through it into a host device such as a set-top box or a digital television.
For these three kinds of interface, the HDCP (High-bandwidth Digital Content Protection), DTCP (Digital Transmission Content Protection) and PODCP (POD Copy Protection) standards or specifications have been formulated abroad. HDCP protects digital content transmitted over HDMI and DVI interfaces. DTCP protects digital content transmitted over serial interfaces such as IEEE 1394 and USB. PODCP protects content transfer over the POD interface.
Authentication and key exchange in the HDCP system are divided into three stages. In the first stage the source device (content transmitting device) authenticates the destination device (content receiving device) by checking a shared secret generated by the destination device. In the second stage the source device collects and checks topology information from the destination device. The third stage is used for link state checking and key renewal. This system uses a simple identity-based method that has been proved insecure: an attacker needs only about 40 devices equipped with the HDCP system to obtain some of the system parameters, after which illegitimate devices can be made at will without any authorization, and such illegitimate devices cannot be detected by legitimate devices.
Authentication and key exchange in the DTCP system have two levels, full authentication and restricted authentication. Restricted authentication is an authentication mode with a lower security level and may not be used for digital content marked "Copy Never". Technically this mode is similar to the HDCP system, with only an optional certificate verification process added, so the attack on the HDCP system applies equally to the DTCP system; the number of devices the attack requires differs only because the security parameters of the DTCP system differ. Full authentication is considered an authentication mode with a higher security level and is applicable to all kinds of digital content. Technically, full authentication is an authentication mode based on a public key certificate infrastructure that uses signature technology and the Diffie-Hellman key (DH key) exchange technology. The DTCP white paper declares that the combination of signatures and key exchange can resist the threat of a "man-in-the-middle attack". However, our analysis shows that the DTCP protocol cannot fully resist "man-in-the-middle attacks". Typical attack methods include the reflection attack, the Lowe attack and the Wiener attack, all of which defeat the authentication property of full authentication. The Lowe attack can cause a sender mismatch or a receiver mismatch. A sender mismatch means that the receiving device believes the digital content comes from device A when it in fact comes from device B; a receiver mismatch means that the transmitting device believes it has sent the digital content to device A when it has in fact given it to device B. A receiver mismatch threatens the integrity of the system, and a sender mismatch threatens the application of DTCP in fields where identity information is important.
Authentication and key exchange in the PODCP system are also based on a public key certificate infrastructure and perform authentication of the host by the POD. The authentication and key exchange consist mainly of two parts, re-authentication and authentication. Re-authentication confirms the consistency of the shared secret when the POD and the host have a stored shared secret. Technically, PODCP specifies that the host sends a small fraction of the shared secret to the POD as the authentication key and the POD confirms this authentication key. This method is obviously too simple: it cannot resist even the simplest replay attack and therefore does not achieve the authentication property; its security comes only from the fact that an illegitimate device that passes the authentication still cannot decrypt the digital content. The authentication of POD and host is intended to let the POD authenticate the host and to establish a shared secret; its security comes from the verification of the certificate and of the signature on the message. However, the messages of this authentication protocol can be replayed, so the leakage of one ephemeral DH key of a legitimate host allows an illegitimate device to use the leaked key and the signed message sent by that host to impersonate it and receive digital audio-visual content. In addition, the PODCP authentication protocol includes authentication information sent from the POD to the host that does not help the POD authenticate the host.
In summary, the authentication and authenticated key agreement protocols in the published interface protection standards of the prior art are imperfect and have various problems. In addition, when a consumer electronics device has several interfaces, it must implement several authentication modules, which wastes system resources.
Summary of the invention
The object of the present invention is to provide an authenticated key agreement and update method based on public key certificates that is applicable between interfaces of electronic devices.
To achieve this object, the invention provides an authenticated key agreement and update method based on public keys for use between interfaces of electronic devices. The source device and the destination device taking part in the authenticated key agreement select either a one-way or a two-way authentication mode according to the configuration information of their respective interfaces, generate a shared secret using the Diffie-Hellman key exchange, and guarantee the consistency of the generated shared secret and the integrity of the messages with an HMAC keyed hash function.
Both the one-way and the two-way authentication mode comprise a full authentication and a re-authentication. In full authentication, where the source device and the destination device do not yet hold a shared key K_M, a signature guarantees that the sender of a certificate really holds the private key corresponding to the public key in the certificate, which establishes the legitimacy of the device. In re-authentication, the legitimacy of the device is confirmed by its possession of the shared key.
The two-way full authentication mode applies when both communicating parties, the source device and the destination device, hold certificate lists. Each party confirms that the party being authenticated really holds the private key belonging to the certificate it sent, and thereby establishes that party's identity; while the identities are confirmed, the two parties exchange random numbers to generate a secret value that only they share, and can confirm the consistency and the secrecy of that value.
When two-way full authentication is used for authentication and key agreement between the source device and the destination device, it is carried out by the following steps over an elliptic curve (F_q, E, G, n), where F_q is the finite field of characteristic q, E is an elliptic curve over F_q, G is a base point on E and n is the order of G:
A) The source device generates a random number 1 < x < n, computes the scalar multiple xG, and sends its certificate list together with this scalar multiple: Cert_Source_list ‖ xG;
B) The destination device checks whether the source device certificate has been revoked and verifies the contents of each field of the certificates in the source device certificate list; it generates a random number 1 < y < n, computes the scalar multiple yG, and with the HMAC keyed hash function Hash, using the low |q| bits of xyG as the key, hashes ID_Source, the unique identifier of the source device certificate; it signs this hash value with the destination device's private key using the signature algorithm E_S, and sends the following to the source device:
Cert_Des_list‖yG‖E_S{Hash([xyG]lsb|q|, ID_Source)};
C) The source device checks whether the destination device certificate has been revoked and verifies the contents of each field of the certificates in the destination device certificate list, computes the shared secret xyG, computes the hash value Hash([xyG]lsb|q|, ID_Source) and verifies the destination device signature it received. It then uses the HMAC keyed hash function Hash with the high (|xyG| - |q|) bits of xyG as the key to hash ID_Des, the unique identifier of the destination device certificate, signs this hash value with the source device's private key using the signature algorithm E_S, confirms that the destination device certificate is not revoked, and sends the following to the destination device:
E_S{Hash([xyG]msb|q|, ID_Des)}
Afterwards the source device uses the HMAC keyed hash function Hash with xyG as the key to hash ID_Source ‖ xG ‖ ID_Des ‖ yG; the result is the shared key K_M of both parties, and the source device stores the data pair <K_M, ID_Des>;
D) The destination device computes the hash value Hash([xyG]msb|q|, ID_Des) and verifies the source device signature it received. Having confirmed that the source device certificate is not revoked, it uses the HMAC keyed hash function Hash with xyG as the key to hash ID_Source ‖ xG ‖ ID_Des ‖ yG; the result is the shared key K_M of both parties, and the destination device stores the data pair <K_M, ID_Source>.
The two-way re-authentication mode applies when both communicating parties, the source device and the destination device, hold a shared key K_M. It confirms that both parties really hold the same shared key and thereby verifies the identities of both parties; at the same time both parties generate a new shared key from the exchanged random numbers and the shared secret, completing the key update.
When two-way re-authentication and key update are used between the source device and the destination device, the steps are as follows:
A) The source device reads the unique holder identifier ID_Source from the source device certificate, generates a random number Rand_Source, and sends the unique identifier of the source device and this random number:
ID_Source‖Rand_Source;
B) The destination device checks the received ID_Source against the locally stored ID_Source; it generates a random number Rand_Des and, using the HMAC keyed hash function Hash with the high |K_M|/2 bits of the shared key K_M as the key, hashes ID_Source ‖ Rand_Source ‖ ID_Des ‖ Rand_Des to obtain Des_HashValue; it reads the certificate holder identifier ID_Des from the destination device certificate and sends the unique identifier of the destination device, the random number and the hash value:
ID_Des‖Rand_Des‖Des_HashValue;
C) The source device checks the received ID_Des against the locally stored ID_Des and verifies the received hash value Des_HashValue; using the HMAC keyed hash function Hash with the low |K_M|/2 bits of the shared key K_M as the key, it hashes ID_Des ‖ Rand_Des to obtain Source_HashValue and sends this hash value to the destination device; afterwards it uses Hash with the current shared key K_M as the key to hash Rand_Des ‖ Rand_Source, obtaining the new shared key:
K_M=Hash(K_M,Rand_Des‖Rand_Source);
D) The destination device verifies the received hash value Source_HashValue; if the verification passes, it uses Hash with the current shared key K_M as the key to hash Rand_Des ‖ Rand_Source, obtaining the new shared key:
K_M=Hash(K_M,Rand_Des‖Rand_Source).
The one-way full authentication mode applies when the party being authenticated holds a certificate list. The authenticating party confirms that the party being authenticated really holds the private key belonging to the certificate it sent, and thereby establishes its identity; while that identity is confirmed, the two negotiating parties exchange random values to generate a shared secret that only they hold, and the authenticating party can confirm the consistency of this value.
When one-way full authentication is used for authentication and key agreement between the source device and the destination device, it is carried out by the following steps over an elliptic curve (F_q, E, G, n):
A) The source device generates a random number 1 < x < n, computes the scalar multiple xG, and sends the unique identifier of the source device and the scalar multiple:
ID_Source‖xG;
B) The destination device generates a random number 1 < y < n, computes the scalar multiple yG, computes the shared secret xyG and, with the HMAC keyed hash function Hash using the low |q| bits of xyG as the key, hashes ID_Source, the unique identifier of the source device certificate; it signs this hash value with the destination device's private key using the signature algorithm E_S and sends the following to the source device:
Cert_Des_list‖yG‖E_S{Hash([xyG]lsb|q|, ID_Source)};
It then uses the hash function Hash with xyG as the key to hash ID_Source ‖ xG ‖ ID_Des ‖ yG; the result is the shared key K_M of both parties, and the destination device stores the data pair <K_M, ID_Source>;
C) The source device checks whether the destination device certificate has been revoked and verifies the contents of each field of the certificates in the destination device certificate list, computes the shared secret xyG, and verifies the correctness of the destination device signature it received. Using the HMAC keyed hash function Hash with xyG as the key, it hashes ID_Source ‖ xG ‖ ID_Des ‖ yG; the result is the shared key K_M of both parties. Having confirmed that the destination device certificate is not revoked, it stores the data pair <K_M, ID_Des>.
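The two full-authentication modes above (two-way, steps A to D, and one-way, steps A to C) as one added, runnable Python example; it is not part of the patent. Everything it assumes is constructed: a toy curve y^2 = x^3 + 2x + 2 over F_17 with a base point of order 19 (so |q| = 5 bits; it only illustrates the arithmetic and gives no security), HMAC-SHA256 as the keyed hash Hash, a Schnorr-style signature standing in for the unspecified signature algorithm E_S, device identifiers such as SRC-0001, and a simplified certificate check (a revocation set plus an on-curve public key) in place of the field verification the text leaves to the certificate standard. The `mutual` flag selects the two-way or the one-way variant; the key-selection helpers `lsb` and `msb` follow the [x]lsb_y and [x]msb_y notation of the description.

```python
import hashlib
import hmac
import secrets

# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17, base point G of order n = 19.
# It illustrates the arithmetic only and offers no security; a real deployment uses a standard curve.
Q_FIELD, A, B = 17, 2, 2
G, N = (5, 1), 19
QBITS = Q_FIELD.bit_length()      # |q| = 5 bits
INF = None                        # point at infinity

def ec_add(P, R):
    """Affine point addition (covers doubling and the point at infinity)."""
    if P is INF: return R
    if R is INF: return P
    (x1, y1), (x2, y2) = P, R
    if x1 == x2 and (y1 + y2) % Q_FIELD == 0:
        return INF
    if P == R:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, Q_FIELD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q_FIELD)
    x3 = (lam * lam - x1 - x2) % Q_FIELD
    return (x3, (lam * (x1 - x3) - y1) % Q_FIELD)

def ec_mul(k, P):
    """Double-and-add scalar multiplication kP."""
    R = INF
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def on_curve(P):
    return (P[1] ** 2 - (P[0] ** 3 + A * P[0] + B)) % Q_FIELD == 0

def enc(P):
    """Point -> integer of 2|q| bits: x coordinate in the high |q| bits, y in the low |q| bits."""
    return (P[0] << QBITS) | P[1]

def lsb(v, y): return v & ((1 << y) - 1)   # [v]lsb_y : bits 0 .. y-1
def msb(v, y): return v >> y               # [v]msb_y : bits y .. |v|-1

def Hash(key, data):
    """HMAC-SHA256 standing in for the keyed hash Hash(key, content); the key is an integer here."""
    return hmac.new(key.to_bytes(4, "big"), data, hashlib.sha256).digest()

# Schnorr-style signature on the toy curve standing in for E_S{}, which the text leaves unspecified.
def _challenge(R, msg):   # challenge forced into 1..n-1 so a wrong private key can never verify
    return int.from_bytes(hashlib.sha256(bytes(R) + msg).digest(), "big") % (N - 1) + 1

def sign(priv, msg):
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    return (R, (k + _challenge(R, msg) * priv) % N)

def verify(pub, msg, sig):
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(_challenge(R, msg), pub))

def make_device(dev_id):
    """Constructed device: a unique private key plus a one-entry certificate list (holder id, public key)."""
    priv = secrets.randbelow(N - 1) + 1
    return {"id": dev_id.encode(), "priv": priv, "cert": {"id": dev_id.encode(), "pub": ec_mul(priv, G)}}

def cert_ok(cert, revoked):
    """Stand-in for the revocation query and per-field checks: holder not revoked, public key on the curve."""
    return cert["id"] not in revoked and on_curve(cert["pub"])

def full_authentication(src, dst, mutual=True, revoked=frozenset()):
    """mutual=True runs the two-way full authentication, mutual=False the one-way variant.
    Returns (K_M at the source, K_M at the destination) or None when a check fails."""
    # A) source: random 1 < x < n and xG; two-way sends Cert_Source_list, one-way sends ID_Source
    x = secrets.randbelow(N - 2) + 2
    xG = ec_mul(x, G)
    m1 = {"cert": src["cert"] if mutual else None, "id": src["id"], "xG": xG}
    # B) destination: check the source certificate (two-way only), sign Hash([xyG]lsb|q|, ID_Source)
    if mutual and not cert_ok(m1["cert"], revoked): return None
    src_id = m1["cert"]["id"] if mutual else m1["id"]
    y = secrets.randbelow(N - 2) + 2
    yG = ec_mul(y, G)
    xyG_d = enc(ec_mul(y, m1["xG"]))
    m2 = {"cert": dst["cert"], "yG": yG, "sig": sign(dst["priv"], Hash(lsb(xyG_d, QBITS), src_id))}
    transcript_d = src_id + bytes(m1["xG"]) + dst["id"] + bytes(yG)   # ID_Source‖xG‖ID_Des‖yG
    k_dst = None if mutual else Hash(xyG_d, transcript_d)             # one-way: K_M derived at once
    # C) source: check the destination certificate, verify its signature, derive K_M
    if not cert_ok(m2["cert"], revoked): return None
    dst_id = m2["cert"]["id"]
    xyG_s = enc(ec_mul(x, m2["yG"]))
    if not verify(m2["cert"]["pub"], Hash(lsb(xyG_s, QBITS), src_id), m2["sig"]): return None
    transcript_s = src_id + bytes(xG) + dst_id + bytes(m2["yG"])
    m3 = sign(src["priv"], Hash(msb(xyG_s, QBITS), dst_id)) if mutual else None
    k_src = Hash(xyG_s, transcript_s)
    # D) destination (two-way only): verify the source signature keyed by the high bits of xyG, derive K_M
    if mutual:
        if not verify(m1["cert"]["pub"], Hash(msb(xyG_d, QBITS), dst_id), m3): return None
        k_dst = Hash(xyG_d, transcript_d)
    return k_src, k_dst
```

Calling `full_authentication(make_device("SRC-0001"), make_device("DST-0001"))` returns two equal K_M values; passing a revoked holder id in `revoked`, or a device that presents a certificate whose private key it does not hold, makes the run stop with `None` at the step where the check fails. Because the two signatures are keyed with disjoint halves of xyG (low |q| bits for the destination, the remaining high bits for the source), a signed value from one direction cannot be reused in the other.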
The one-way re-authentication mode applies when both communicating parties, the source device and the destination device, hold a shared key K_M. The authenticating party confirms that the party being authenticated really holds the same shared secret as the authenticating party; after the consistency of the shared secret has been confirmed, both parties update their shared key using the random number sent by the authenticating party, completing the key update. The identity of the party being authenticated is confirmed through the binding between the identity of the authenticating party and the shared key.
When one-way re-authentication and key update are used between the source device and the destination device, the steps are as follows:
A) The source device generates a random number Rand_Source and sends the unique identifier of the source device and this random number:
ID_Source‖Rand_Source;
B) The destination device checks the received ID_Source against the locally stored ID_Source; using the HMAC keyed hash function Hash with the low |K_M|/2 bits of the shared key K_M as the key, it hashes ID_Source ‖ Rand_Source to obtain Uni_Des_HashValue; it reads the certificate holder identifier ID_Des from the destination device certificate and sends the unique identifier of the destination device and the hash value:
ID_Des‖Uni_Des_HashValue;
It then uses Hash with K_M as the key to hash Rand_Source, obtaining the new shared key K_M;
C) The source device checks the received ID_Des against the locally stored ID_Des and verifies the hash value Uni_Des_HashValue; it then uses the HMAC keyed hash function Hash with K_M as the key to hash Rand_Source, obtaining the new shared key K_M.
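The two re-authentication modes (two-way, steps A to D above the one-way section, and one-way, steps A to C just above) as one added, runnable Python example; it is not part of the patent. It assumes HMAC-SHA256 as the keyed hash Hash, a 32-byte K_M whose high and low |K_M|/2 bits are the first and last 16 bytes, constructed device identifiers such as SRC-0001, and a small `Device` class that holds the stored pair <K_M, peer id>. Random numbers can be passed in so that a run is reproducible; when omitted they are drawn from `secrets`.

```python
import hashlib
import hmac
import secrets

def Hash(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 standing in for the keyed hash function Hash(key, content)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def high_half(k_m: bytes) -> bytes:   # the high |K_M|/2 bits of K_M (first half, big-endian view)
    return k_m[: len(k_m) // 2]

def low_half(k_m: bytes) -> bytes:    # the low |K_M|/2 bits of K_M (second half)
    return k_m[len(k_m) // 2 :]

class Device:
    """Constructed device: its own certificate holder id, the id stored with K_M, and K_M itself."""
    def __init__(self, dev_id: str, peer_id: str, k_m: bytes):
        self.id, self.peer_id, self.k_m = dev_id.encode(), peer_id.encode(), k_m

def two_way_reauth(src: Device, dst: Device, rand_source=None, rand_des=None) -> bool:
    """Two-way re-authentication and key update; True when both sides accept and update K_M."""
    rand_source = rand_source or secrets.token_bytes(16)
    rand_des = rand_des or secrets.token_bytes(16)
    # A) source -> destination: ID_Source ‖ Rand_Source
    id_source = src.id
    # B) destination checks ID_Source against its stored pair, then answers
    #    ID_Des ‖ Rand_Des ‖ Des_HashValue with Des_HashValue keyed by the high half of K_M
    if id_source != dst.peer_id:
        return False
    des_hash = Hash(high_half(dst.k_m), id_source + rand_source + dst.id + rand_des)
    id_des = dst.id
    # C) source checks ID_Des and Des_HashValue, replies with Source_HashValue keyed by the
    #    low half of K_M, then updates K_M = Hash(K_M, Rand_Des ‖ Rand_Source)
    if id_des != src.peer_id:
        return False
    expected = Hash(high_half(src.k_m), src.id + rand_source + id_des + rand_des)
    if not hmac.compare_digest(des_hash, expected):
        return False
    source_hash = Hash(low_half(src.k_m), id_des + rand_des)
    src.k_m = Hash(src.k_m, rand_des + rand_source)
    # D) destination checks Source_HashValue and performs the same update
    if not hmac.compare_digest(source_hash, Hash(low_half(dst.k_m), dst.id + rand_des)):
        return False
    dst.k_m = Hash(dst.k_m, rand_des + rand_source)
    return True

def one_way_reauth(src: Device, dst: Device, rand_source=None) -> bool:
    """One-way re-authentication: only the destination proves possession of K_M."""
    rand_source = rand_source or secrets.token_bytes(16)
    # A) source -> destination: ID_Source ‖ Rand_Source
    if src.id != dst.peer_id:
        return False
    # B) destination answers ID_Des ‖ Uni_Des_HashValue keyed by the low half of K_M,
    #    then updates K_M = Hash(K_M, Rand_Source)
    uni_des_hash = Hash(low_half(dst.k_m), src.id + rand_source)
    id_des = dst.id
    dst.k_m = Hash(dst.k_m, rand_source)
    # C) source checks ID_Des and Uni_Des_HashValue, then performs the same update
    if id_des != src.peer_id:
        return False
    if not hmac.compare_digest(uni_des_hash, Hash(low_half(src.k_m), src.id + rand_source)):
        return False
    src.k_m = Hash(src.k_m, rand_source)
    return True
```

Two points the steps make visible once written out: the two directions of the two-way exchange are keyed with different halves of K_M, and Des_HashValue covers both parties' random numbers, so a value recorded from an earlier session does not verify against a fresh Rand_Source. The code also keeps the update order of the description (the destination updates in step B of the one-way mode, the source in step C of the two-way mode, before the other side's acceptance is known), so a product implementation has to decide what to retain if the final check fails.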
Description of drawings
Fig. 1 shows the message exchange flow chart of two-way full authentication according to the present invention;
Fig. 2 shows the message exchange flow chart of two-way re-authentication according to the present invention;
Fig. 3 shows the message exchange flow chart of one-way full authentication according to the present invention;
Fig. 4 shows the message exchange flow chart of one-way re-authentication according to the present invention.
Embodiment
When digital content is transferred between two consumer electronics devices, in order to guarantee that it is transferred between two legitimate consumer electronics devices and that the transferred content is effectively protected and not easily intercepted or stolen, the interfaces of the two devices must carry out authentication and key agreement using the authenticated key agreement mode selected according to their respective configurations.
In the present invention the authenticated key agreement modes comprise one-way authentication and two-way authentication. One-way authentication comprises a one-way full authentication mode and a one-way re-authentication mode; two-way authentication comprises a two-way full authentication mode and a two-way re-authentication mode.
Here the two devices running the authenticated key agreement mode are called the source device and the destination device. The source device and the destination device carry out one of the authentication modes according to the configuration selected for their interfaces:
1) If the interface type is POD, HDMI or DVI, one-way authenticated key agreement and key update are carried out.
2) If the interface type is IEEE 1394 or USB and both the source device and the destination device support two-way authentication, two-way authenticated key agreement and update are carried out.
3) If the interface type is IEEE 1394 or USB, the destination device supports only one-way authentication, and the policy configured on the source device allows one-way authentication, then one-way authenticated key agreement and update are carried out.
4) For other interface types, the type of authentication scheme to be carried out is decided by the configured policy of the source device, the authentication schemes it supports, and the authentication schemes supported by the destination device.
In general, after the source device has selected one-way or two-way authentication, it carries out the one-way or two-way full authentication mode if no previously shared key is stored locally, and the one-way or two-way re-authentication mode if a previously shared key is stored locally.
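The mode selection just described, rules 1 to 4 plus the full/re-authentication choice, as an added Python example that is not part of the patent. Interface names are constructed strings; rule 4 is left open by the text, so the example interprets it as "two-way when both devices support it, otherwise one-way when the source policy allows it" and marks that as an assumption.

```python
# Constructed interface name sets; the description names these interface types explicitly.
ONE_WAY_INTERFACES = {"POD", "HDMI", "DVI"}
SERIAL_INTERFACES = {"IEEE1394", "USB"}

def select_direction(interface, src_two_way, dst_two_way, src_policy_allows_one_way):
    """Return 'one-way', 'two-way', or None when the configuration permits no mode."""
    if interface in ONE_WAY_INTERFACES:                      # rule 1
        return "one-way"
    if interface in SERIAL_INTERFACES:
        if src_two_way and dst_two_way:                      # rule 2
            return "two-way"
        if not dst_two_way and src_policy_allows_one_way:    # rule 3
            return "one-way"
        return None                                          # not covered by the text
    # rule 4, other interface types: decided by the source policy and the schemes both
    # sides support; the concrete precedence below is an assumption, not the text's
    if src_two_way and dst_two_way:
        return "two-way"
    return "one-way" if src_policy_allows_one_way else None

def select_mode(interface, src_two_way, dst_two_way, src_policy_allows_one_way, stored_key_present):
    """Combine the direction with the full/re-authentication choice driven by a locally stored K_M."""
    direction = select_direction(interface, src_two_way, dst_two_way, src_policy_allows_one_way)
    if direction is None:
        return None
    return direction + (" re-authentication" if stored_key_present else " full authentication")
```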
The four authenticated key agreement modes of the present invention use the following:
1) The source device and the destination device taking part in the authenticated key agreement mode each store a certificate list locally, Cert_Source_list and Cert_Des_list respectively; the number of certificates contained in these lists is decided by the trust model of the application environment. Cert_Source_list contains at least the source device certificate Cert_Source, and Cert_Des_list contains at least the destination device certificate Cert_Des. The format of the device certificates may follow the X.509 format specified by CCITT or some certificate format common to several interfaces; it must contain at least a "unique certificate holder identifier", "public key information", a "certificate issuer identifier", "certificate signature algorithm information" and a "certificate signature". The certificate information used in the authenticated key agreement modes comprises the certificate holder identifier ID_Source of the source device certificate and the unique certificate holder identifier ID_Des of the destination device certificate; other certificate-related operations are described in words.
2) The authenticated key agreement modes need a set of elliptic curve parameters, written (F_q, E, G, n), where F_q is the finite field of characteristic q, E is an elliptic curve over F_q, G is a base point on E and n is the order of G.
3) The signature algorithm E_S{} in the authenticated key agreement modes denotes signing the content inside { } with the device's unique private key. The signature algorithm can be any specific algorithm as long as it is secure against adaptive chosen-message attacks. The HMAC keyed hash function Hash(key, content) denotes computing the hash value of content using the key key. Likewise, Hash can be any specific algorithm as long as it has the three properties of mixing transformation, collision resistance and preimage resistance.
4) In the authenticated key agreement modes the symbol |x| denotes the length of the data x, that is, the number of binary digits used when the data is written in binary, for example |2^192| = 192; the symbol [x]lsb_y denotes the y bits of x from the lowest bit (bit 0) to bit y-1; the symbol [x]msb_y denotes the (|x| - y) bits of x from bit y to the highest bit.
The authenticated key agreement and update method based on public key certificates between electronic device interfaces of the present invention generates a shared secret using the Diffie-Hellman key exchange; guarantees the consistency of the generated shared secret and the integrity of the messages using the HMAC algorithm; in full authentication, uses a signature to guarantee that the sender of a certificate really holds the private key corresponding to the public key in the certificate, which establishes the legitimacy of the device; and in re-authentication confirms the legitimacy of the device by its possession of the shared key. Here it is assumed that the decisional Diffie-Hellman problem on the elliptic curve is hard, that the signature algorithm used is secure against adaptive chosen-message attacks, and that the HMAC algorithm used has the three properties of mixing transformation, collision resistance and preimage resistance. Under these assumptions it can be proved that the authenticated key agreement and update method of the present invention is secure with respect to both secrecy and authentication.
After the source device and the destination device have determined an authenticated key agreement mode according to the configuration of their interfaces, they carry out authentication and key exchange according to the content of the selected mode.
The four authenticated key agreement modes of the present invention are described in turn below. After the source device has selected two-way authentication, it carries out the two-way full authentication mode if no previously shared key is stored locally.
(1) two-way authentication fully
When adopting two-way complete authentication mode between source device and the destination device, by following steps at elliptic curve (F q, E, G n) goes up realization, wherein F qFor being characterized as the finite field of q, E is F qOn elliptic curve, G is the basic point on the E, n is the rank of G.
As shown in Figure 1, two-way complete authentication mode comprises the steps:
1. the source device main program calls the two-way subprogram that authenticates fully and sends two-way article one message that authenticates fully.This subprogram reads source device list of cert Cert_Source_list, calculates random number 1<x<n, calculates scalar and takes advantage of xG, sends message, and promptly source device list of cert and scalar are taken advantage of xG:
Cert_Source_list‖xG
In practice, the above message is encapsulated before it is sent. The encapsulation of this message element must indicate the authentication type to which the message belongs (0x01 for full two-way authentication); if several sessions may run concurrently between the source device and the destination device, the encapsulation also carries the session sequence number.
2. The destination device main program hands the first message of full two-way authentication to the full two-way authentication subprogram of that device for processing. This protocol subprogram performs the following operations:
a) Verify, through the certificate-validity query resource of the destination device, whether the source device certificate Cert_Source has been revoked. If the destination device has no certificate-validity query resource, it sends a notification message to the source device indicating that the destination device lacks the capability, and stops executing this full two-way mode.
In practice, each interface assigns a specific code to this notification message (for example 0x01 denotes the absence of a certificate-validity query resource) and encapsulates and sends that code in the notification-message format of the interface. The encapsulated information must be sufficient to identify the session in which the error occurred, for example by including part of the DH public key of that session, or the session sequence number of that session, or nothing further if no multiple sessions exist between the source device and the destination device.
b) Since the certificate-validity check may take a long time, this subprogram performs the following operations in parallel with the validity check:
i. Verify the information in each field of every certificate in the source device certificate list; the exact content to be verified is decided by the standard of the certificate system. If verification fails, send a notification message to the source device reporting certificate verification failure and stop executing this mode.
ii. Generate the random number y, compute the scalar multiple yG and the shared secret xyG, and use the HMAC keyed hash function Hash to compute Hash([xyG]_lsb|q|, ID_Source). Sign the resulting hash value with the private key of the destination device using the signature algorithm E_S{}, read the destination device certificate list Cert_Des_list, and send to the source device the message:
Cert_Des_list‖yG‖E_S{Hash([xyG]_lsb|q|, ID_Source)}
In practice, the above message is encapsulated and then sent. When encapsulating this protocol message, the session sequence and authentication type to which the message belongs must be made explicit.
3. The source device main program hands the second message of full two-way authentication to the full two-way authentication subprogram of that device for processing, and hands any notification message sent by the destination device to the notification-message processing subprogram.
For the two classes of notification message sent by the destination device, "no validity query resource" and "certificate verification failure", the notification-message processing subprogram of the source device terminates the session designated by the notification message and reclaims the system resources.
The two-way subprogram that authenticates is fully finished following operation:
A) verify by the certificate validity query resource of source device whether destination device certificate Cert_Des is revoked.If there is not the certificate validity query resource in source device, then send a notification message to destination device indication source device scarce capacity, stop carrying out this two-way complete authentication mode.
In actual applications, each interface need distribute specific sequence number (for example 0x01 represents not exist the resource of certificate validity inquiry) for this notification message, and according to the encapsulation of the form of each interface notification message and send this sequence number, can indicate when requiring encapsulation and wrong session sequence occurs.
B) might be consuming time longer in view of certificate validity checking, so this agreement subprogram need be verified below the executed in parallel with certificate validity and operates:
I. verify the information in each territory of certificate in the destination device list of cert, specifically verify the standard decision of content by each interface diploma system.Authentication failed then sends a notification message to destination device, and report certification authentication failure stops carrying out two-way authentication fully.
Ii. calculate shared secret xyG, use HMAC key hash function Hash, calculate Hash ([xyG] Lsb|q|, ID_Source), checking receives the validity of signing in the message, if checking not by send a notification message and report an error to destination device, stop carrying out two-way authentication fully.
In actual applications, each interface should distribute specific sequence number (for example 0x02 represents the certification authentication failure) for this notification message, and according to the encapsulation of the form of each interface notification message and send this sequence number, wrong session sequence appears in same can indicating when requiring encapsulation.
Iii. use the Hash function, with [xyG] Msb|q|Be key, ID_Des carries out hash to the unique sign of the certificate of destination device, uses the private key of source device that this Hash Value is used signature algorithm E_S{} signature:
E_S{Hash([xyG] msb|q|,ID_Des)};
In actual applications, above-mentioned signature is encapsulated, want the session sequence and the auth type of clear and definite message during encapsulation.
Iv. source device uses the Hash function, is key with xyG, and ID_Source ‖ xG ‖ ID_Des ‖ yG is carried out hash, and its result is as shared key K _ M of both sides:
K_M=Hash(xyG,ID_Source‖xG‖ID_Des‖yG);
V. check the result of in step a) certificate validity inquiry, if the certificate of destination device is effectively, then store data right<K_M, ID_Des 〉, the signature information that generates among the forwarding step iii is given destination device, otherwise sends a notification message, and termination protocol is carried out.
In actual applications, each interface should distribute specific sequence number (for example 0x04 represents that certificate is revoked) for this notification message, and according to the encapsulation of the form of each interface notification message and send this sequence number, can indicate when requiring encapsulation and wrong session sequence occurs.
4. The destination device main program hands the message element of the third message of full two-way authentication to the full two-way authentication protocol subprogram of that device for processing, and hands any received notification message to the notification-message processing subprogram of the destination device.
For the classes of notification message sent by the source device, "no validity query resource", "certificate verification failure", "signature message verification failure" and "certificate revoked", the notification-message processing subprogram of the destination device terminates the session designated by the notification message and reclaims the system resources.
The full two-way authentication subprogram of the destination device performs the following operations:
a) Use the HMAC keyed hash function Hash to compute Hash([xyG]_msb|q|, ID_Des), read the public key from Cert_Source, and verify the signature in the received message. If the signature is invalid, send a notification message reporting the error to the source device and stop executing full two-way authentication.
In practice, each interface assigns a specific code to this notification message (for example 0x03 denotes protocol signature message verification failure) and encapsulates and sends that code in the notification-message format of the interface; the encapsulation indicates the session in which the error occurred.
b) Check the result of the Cert_Source validity query of step 2 a). If the query result shows that the source device certificate has been revoked, send a notification message reporting the error to the source device and terminate execution of full two-way authentication.
In practice, each interface assigns a specific code to this notification message (for example 0x04 denotes that the certificate has been revoked) and encapsulates and sends that code in the notification-message format of the interface; where required, the encapsulation indicates the session in which the error occurred.
c) Use the hash function Hash to compute the master key K_M as follows:
K_M=Hash(xyG, ID_Source‖xG‖ID_Des‖yG);
d) Store <K_M, ID_Source>.
5. On receiving a notification message from the destination device, the source device clears the stored data pair <K_M, ID_Des>.
(2) Two-way re-authentication
After the source device has chosen two-way authentication, if a shared key from an earlier run is stored locally, the two-way re-authentication mode is executed. As shown in Figure 2, the concrete steps of this protocol are as follows:
1. The source device main program calls the two-way re-authentication subprogram to send the first message of two-way re-authentication. This protocol subprogram reads the unique holder identifier ID_Source from the source device certificate, generates a random number Rand_Source of no fewer than 64 bits, and sends the message:
ID_Source‖Rand_Source
In practice, the above message is encapsulated; the encapsulation of this message element must indicate the authentication type to which the message belongs, and if several sessions may run concurrently between the source device and the destination device, the encapsulation also carries the session sequence number.
2. The destination device main program hands the first message of two-way re-authentication to the two-way re-authentication subprogram of that device for processing. This protocol subprogram performs the following operations:
a) Compare the received ID_Source with the ID_Source in the locally stored pair <K_M, ID_Source>. If they differ, clear <K_M, ID_Source>, send a notification message to the source device, stop this execution of the two-way re-authentication mode, and request full two-way authentication.
In practice, each interface assigns a specific code to this notification message (for example 0x05 denotes that the certificate holder identifier for re-authentication does not match) and encapsulates and sends that code in the notification-message format of the interface; where required, the encapsulation indicates the session in which the error occurred.
b) If the received ID_Source is identical to the ID_Source in the locally stored pair <K_M, ID_Source>, read the certificate holder identifier ID_Des from the destination device certificate, generate a random number Rand_Des of no fewer than 64 bits, and use the HMAC keyed hash function Hash with the high |K_M|/2 bits of the shared key K_M as the key to hash ID_Source‖Rand_Source‖ID_Des‖Rand_Des, obtaining the hash value Des_HashValue:
Hash([K_M]_msb|K_M|/2, ID_Source‖Rand_Source‖ID_Des‖Rand_Des)
c) Send the message:
ID_Des‖Rand_Des‖Des_HashValue.
In practice, the message must be encapsulated; the session sequence and authentication type to which the message belongs must be made explicit when encapsulating.
3. The source device main program hands the message element of the second message of two-way re-authentication to the two-way re-authentication subprogram of that device for processing, and hands any notification message sent by the destination device to the notification-message processing subprogram.
For the notification message "certificate holder identifier for re-authentication does not match" sent by the destination device, the notification-message processing subprogram of the source device terminates the session designated by the notification message, reclaims the system resources, clears <K_M, ID_Des>, and then executes full two-way authentication with that destination device.
The two-way re-authentication mode adopted by the source device has the following steps:
a) Compare the received ID_Des with the ID_Des in the locally stored pair <K_M, ID_Des>. If they differ, clear the locally stored <K_M, ID_Des>, send the notification message "certificate holder identifier for re-authentication does not match" to the destination device, terminate this session, reclaim the system resources, and then execute full two-way authentication with that destination device.
b) If the received ID_Des is identical to the ID_Des in the locally stored pair <K_M, ID_Des>, use the HMAC keyed hash function Hash to compute the hash value Local_Des_HashValue:
Hash([K_M]_msb|K_M|/2, ID_Source‖Rand_Source‖ID_Des‖Rand_Des)
c) Compare the received Des_HashValue with the computed Local_Des_HashValue. If they differ, clear the locally stored <K_M, ID_Des>, send the notification message "re-authentication hash value does not match" to the destination device, terminate this session, reclaim the system resources, and then execute full two-way authentication with that destination device.
d) Use the hash function Hash with the low |K_M|/2 bits of the shared key K_M as the key to hash ID_Des‖Rand_Des, and compute and send the hash value Source_HashValue to the destination device:
Hash([K_M]_lsb|K_M|/2, ID_Des‖Rand_Des)
In practice, the hash value Source_HashValue is encapsulated before it is sent to the destination device. The protocol message element at this point contains only this hash value. The session sequence and authentication type to which the message belongs must be made explicit when encapsulating.
e) Compute the new K_M and replace the K_M in <K_M, ID_Des>. The new K_M is computed as follows:
K_M=Hash(K_M, Rand_Des‖Rand_Source)
4. The destination device main program hands the third message of two-way re-authentication to the two-way re-authentication protocol subprogram of that device for processing, and hands any received notification message to the notification-message processing subprogram of the destination device.
For the two classes of notification message sent by the source device, "certificate holder identifier for re-authentication does not match" and "re-authentication hash value does not match", the notification-message processing subprogram of the destination device terminates the session designated by the notification message, reclaims the system resources, and clears <K_M, ID_Source>.
The two-way re-authentication protocol subprogram of the destination device performs the following operations:
a) Use the HMAC keyed hash function Hash to compute the hash value Local_Source_HashValue:
Hash([K_M]_lsb|K_M|/2, ID_Des‖Rand_Des)
b) Compare the received Source_HashValue with the computed Local_Source_HashValue. If they differ, send the notification message "re-authentication hash value does not match" to the source device, terminate this session, reclaim the system resources, and clear <K_M, ID_Source>.
c) Compute the new K_M, replace the K_M in <K_M, ID_Source>, and set the authentication state. The new K_M is computed as follows:
K_M=Hash(K_M, Rand_Des‖Rand_Source).
5. On receiving a notification message from the destination device, the source device clears the data pair <K_M, ID_Des> and executes the full two-way authentication protocol.
(3) One-way full authentication
After the source device has chosen one-way authentication, if no authentication key from an earlier run is stored locally, the one-way full authentication protocol is executed. As shown in Figure 3, the concrete steps of this protocol are as follows:
1. Having decided to execute one-way full authentication, the source device main program calls the one-way full authentication protocol subprogram to send the first message of one-way full authentication. This protocol subprogram reads the certificate holder identifier ID_Source from the source device certificate, generates the random number x, computes the scalar multiple xG, and sends the protocol message:
ID_Source‖xG
In practice, the above message is encapsulated before transmission; the encapsulation of this protocol message element must indicate the authentication type to which the message belongs, and if several sessions may run concurrently between the source device and the destination device, the encapsulation also carries the session sequence number.
2. The destination device main program hands the first protocol message of one-way full authentication to the one-way full authentication subprogram of that device for processing. This protocol subprogram performs the following operations:
a) Generate the random number y, compute yG and the shared secret xyG, use the HMAC keyed hash function Hash to compute Hash([xyG]_lsb|q|, ID_Source), sign the computed hash value, read the destination device certificate list, and send the protocol message:
Cert_Des_list‖yG‖E_S{Hash([xyG]_lsb|q|, ID_Source)}
In practice, the above message is encapsulated before transmission; the session sequence and authentication type to which the message belongs must be made explicit when encapsulating.
b) Use the hash function Hash with xyG as the key to hash ID_Source‖xG‖ID_Des‖yG, obtaining the master key K_M as the shared key of both parties, and store <K_M, ID_Source>. K_M is computed as follows:
K_M=Hash(xyG, ID_Source‖xG‖ID_Des‖yG)
3. The source device main program hands the second protocol message of one-way full authentication to the one-way full authentication protocol subprogram of that device for processing. This protocol subprogram performs the following operations:
a) Verify, through the certificate-validity query resource of the source device, whether the received certificate has been revoked. If the source device has no certificate-validity query resource, it sends the notification message "no certificate-validity query resource" to the destination device indicating that the source device lacks the capability, and stops executing one-way authentication.
In practice, when encapsulating the notification message produced in step a) above, the session in which the error occurred must be indicated.
b) Since the certificate-validity check may take a long time, this protocol subprogram performs the following operations in parallel with the validity check:
i. Verify the information in each field of every certificate in the destination device certificate list; the exact content to be verified is decided by the certificate system standard of each interface. If verification fails, send the notification message "certificate verification failure" to the destination device and terminate protocol execution.
In practice, when encapsulating the notification message produced in item i of step b) above, the session in which the error occurred must be indicated.
ii. Compute the shared secret xyG, use the HMAC keyed hash function Hash to compute Hash([xyG]_lsb|q|, ID_Source), and verify the validity of the signature in the received message with the public key read from Cert_Des. If verification fails, send the notification message "protocol signature message verification failure" to the destination device reporting the error and terminate protocol execution.
In practice, when encapsulating the notification message produced in item ii of step b) above, the session in which the error occurred must be indicated.
iii. Use Hash with xyG as the key to hash ID_Source‖xG‖ID_Des‖yG, obtaining the master key K_M as the shared key of both parties:
K_M=Hash(xyG, ID_Source‖xG‖ID_Des‖yG).
iv. Check the validity query result of step a). If the certificate is valid, store <K_M, ID_Des>; otherwise send a notification message indicating "certificate revoked" and terminate program execution.
In practice, when encapsulating the notification message produced in item iv of step b) above, the session in which the error occurred must be indicated.
4. The destination device main program hands any received notification message to the notification-message processing subprogram for execution.
For the classes of notification message sent by the source device, "no validity query resource", "certificate verification failure", "signature message verification failure" and "certificate revoked", the notification-message processing subprogram of the destination device terminates the session designated by the notification message and reclaims the system resources.
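The full authentication exchanges of sections (1) and (3) carried out end to end, as an added example that is not part of the patent: both devices' computations run in one process so that the two copies of K_M can be compared. Assumed here and not stated on the page: secp256k1 as the curve (so |q| = 256 rather than the 192 of the page's example), HMAC-SHA256 as Hash, ECDSA over SHA-256 as E_S{}, the point xyG encoded as x‖y so that [xyG]_msb|q| is the x-coordinate and [xyG]_lsb|q| the y-coordinate, and certificates reduced to an (identifier, public key) pair; certificate-chain verification and revocation queries are not reproduced. All function and variable names are the example's own.

```python
# Added example, not the patent's own code: the full authentication exchange
# (one-way or two-way) of sections (1) and (3) in one process.
# Assumptions not in the page: secp256k1 as the curve (|q| = 256 here), HMAC-SHA256
# as Hash, ECDSA over SHA-256 as E_S, xyG encoded as x||y so [xyG]_msb|q| is the
# x-coordinate and [xyG]_lsb|q| the y-coordinate, and a "certificate" reduced to
# (ID, public key). Chain checks and revocation queries are not reproduced.
import hashlib
import hmac
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
QLEN = 32  # |q| in bytes

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Scalar multiple k*pt by double-and-add (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def encode(pt):  # point as x||y, each |q| bits: [.]_msb|q| = x, [.]_lsb|q| = y
    return pt[0].to_bytes(QLEN, "big") + pt[1].to_bytes(QLEN, "big")

def Hash(key, content):  # the page's HMAC keyed hash Hash(key, content)
    return hmac.new(key, content, hashlib.sha256).digest()

def ecdsa_sign(d, msg):
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:
            return r, s

def ecdsa_verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    X = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, Q))
    return X is not None and X[0] % N == r

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)

def full_authentication(mutual, rogue_source=False):
    """Run full authentication and return (K_M at source, K_M at destination).
    mutual=True adds the third message of the two-way mode; rogue_source=True
    makes the source sign with a key unrelated to its certificate."""
    d_src, Q_src = keygen()                 # Cert_Source reduced to (ID_Source, Q_src)
    d_des, Q_des = keygen()                 # Cert_Des reduced to (ID_Des, Q_des)
    ID_Source, ID_Des = b"device-A", b"device-B"
    # message 1, source -> destination: ID_Source (or Cert_Source_list) || xG
    x = secrets.randbelow(N - 1) + 1
    xG = ec_mul(x, G)
    # message 2, destination -> source: Cert_Des_list || yG || E_S{Hash([xyG]_lsb|q|, ID_Source)}
    y = secrets.randbelow(N - 1) + 1
    yG = ec_mul(y, G)
    xyG_des = ec_mul(y, xG)
    sig_des = ecdsa_sign(d_des, Hash(encode(xyG_des)[QLEN:], ID_Source))
    # source: recompute xyG and check the destination's proof of private-key possession
    xyG_src = ec_mul(x, yG)
    if not ecdsa_verify(Q_des, Hash(encode(xyG_src)[QLEN:], ID_Source), sig_des):
        raise ValueError("protocol signature message verification failure")
    transcript = ID_Source + encode(xG) + ID_Des + encode(yG)
    K_M_src = Hash(encode(xyG_src), transcript)  # K_M = Hash(xyG, ID_Source||xG||ID_Des||yG)
    if mutual:
        # message 3, source -> destination: E_S{Hash([xyG]_msb|q|, ID_Des)}
        signer = secrets.randbelow(N - 1) + 1 if rogue_source else d_src
        sig_src = ecdsa_sign(signer, Hash(encode(xyG_src)[:QLEN], ID_Des))
        if not ecdsa_verify(Q_src, Hash(encode(xyG_des)[:QLEN], ID_Des), sig_src):
            raise ValueError("protocol signature message verification failure")
    K_M_des = Hash(encode(xyG_des), transcript)
    return K_M_src, K_M_des
```

full_authentication(True) returns two equal 32-byte keys; full_authentication(True, rogue_source=True) raises at the destination's check of the third message, which is the difference between the two modes: in the one-way mode (full_authentication(False)) the destination never learns whether the holder of ID_Source possesses the private key of Cert_Source. Each side keys its proof with a different half of xyG (the destination with the y-coordinate, the source with the x-coordinate) and over a different identifier, so the two signed values are distinct.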
(4) One-way re-authentication
After the source device has chosen one-way authentication, if an authentication key from an earlier run is stored locally, the one-way re-authentication mode is executed. As shown in Figure 4, the concrete steps of this protocol are as follows:
1. The source device main program calls the one-way re-authentication subprogram to send the first message of one-way re-authentication. This subprogram reads the unique holder identifier ID_Source from the source device certificate, generates a random number Rand_Source of no fewer than 64 bits, and sends the message:
ID_Source‖Rand_Source
In practice, the above message is encapsulated; the encapsulation of this message element must indicate the authentication type to which the message belongs, and if several sessions may run concurrently between the source device and the destination device, the encapsulation also carries the session sequence number.
2. The destination device main program hands the first message of one-way re-authentication to the one-way re-authentication subprogram of that device for processing. This protocol subprogram performs the following operations:
a) Compare the received ID_Source with the ID_Source in the locally stored pair <K_M, ID_Source>. If they differ, clear <K_M, ID_Source>, send the notification message "certificate holder identifier does not match" to the source device, and stop this execution of one-way re-authentication.
In practice, when encapsulating the notification message of step a) above, the session in which the error occurred must be indicated.
b) If the received ID_Source is identical to the ID_Source in the locally stored pair <K_M, ID_Source>, use the HMAC keyed hash function Hash with the low |K_M|/2 bits of the shared key K_M as the key to hash ID_Source‖Rand_Source, obtaining the hash value Uni_Des_HashValue:
Hash([K_M]_lsb|K_M|/2, ID_Source‖Rand_Source)
c) Read the certificate holder identifier ID_Des from the destination device certificate and send the message:
ID_Des‖Uni_Des_HashValue
In practice, the above message is encapsulated; the session sequence and authentication type to which the message belongs must be made explicit when encapsulating.
d) Compute the new K_M and replace the K_M in <K_M, ID_Source>. The new K_M is computed as follows:
K_M=Hash(K_M, Rand_Source)
3. The source device main program hands the second message of one-way re-authentication to the one-way re-authentication subprogram of that device for processing, and hands any notification message sent by the destination device to the notification-message processing subprogram.
For the notification message "certificate holder identifier for re-authentication does not match" sent by the destination device, the notification-message processing subprogram of the source device terminates the session designated by the notification message, reclaims the system resources, clears the data pair <K_M, ID_Des>, and then executes one-way full authentication with that destination device.
The one-way re-authentication subprogram of the source device performs the following steps:
a) Compare the received ID_Des with the ID_Des in the locally stored data pair <K_M, ID_Des>. If they differ, clear the locally stored <K_M, ID_Des>, send the notification message "certificate holder identifier for re-authentication does not match" to the destination device, terminate this session, reclaim the system resources, and then execute one-way full authentication with that destination device.
b) If the received ID_Des is identical to the ID_Des in the locally stored pair <K_M, ID_Des>, use the HMAC keyed hash function Hash to compute the hash value Uni_Local_Des_HashValue:
Hash([K_M]_lsb|K_M|/2, ID_Source‖Rand_Source)
c) Compare the received Uni_Des_HashValue with the computed Uni_Local_Des_HashValue. If they differ, clear the locally stored <K_M, ID_Des>, send the notification message "re-authentication hash value does not match" to the destination device, terminate this session, reclaim the system resources, and then execute one-way full authentication with that destination device.
d) Compute the new K_M, replace the K_M in <K_M, ID_Des>, and set the authentication state. The new K_M is computed as follows:
K_M=Hash(K_M, Rand_Source)
4. The destination device main program hands any received notification message to the notification-message processing subprogram of the destination device for execution.
For the two classes of notification message sent by the source device, "certificate holder identifier for re-authentication does not match" and "re-authentication hash value does not match", the notification-message processing subprogram of the destination device terminates the session designated by the notification message, reclaims the system resources, and clears <K_M, ID_Source>.
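The re-authentication exchanges of sections (2) and (4), as an added example that is not from the patent: both devices are driven from one process so that their stored pairs can be inspected after success and after each failure the page describes. Assumed here and not stated on the page: HMAC-SHA256 as Hash, |K_M| = 256 bits, 64-bit random numbers, byte-string identifiers, the stored pair <K_M, ID_peer> kept as a dict that becomes None once cleared, and the name of the prescribed notification message as the return value of a failed run. The class and function names are the example's own.

```python
# Added example, not the patent's own code: the re-authentication exchanges of
# sections (2) and (4), both devices driven from one process so their stored
# state can be inspected. Assumed, not stated on the page: HMAC-SHA256 as Hash,
# |K_M| = 256 bits, 64-bit random numbers, byte-string identifiers, and the
# stored pair <K_M, ID_peer> kept as a dict that becomes None once cleared.
# Each function returns None on success or the name of the notification message
# the page prescribes for the failure; on any failure both stores are cleared,
# which is the state from which the page restarts with full authentication.
import hashlib
import hmac
import secrets


def Hash(key, content):  # the page's HMAC keyed hash Hash(key, content)
    return hmac.new(key, content, hashlib.sha256).digest()


def msb_half(k):  # [K_M]_msb|K_M|/2
    return k[:len(k) // 2]


def lsb_half(k):  # [K_M]_lsb|K_M|/2
    return k[len(k) // 2:]


class Device:
    def __init__(self, ident, peer_id, K_M):
        self.ident = ident
        self.store = {"K_M": K_M, "peer": peer_id}  # <K_M, ID_peer>
        self.authenticated = False


def two_way_reauth(src, des):
    """Two-way re-authentication, section (2): src is the source, des the destination."""
    Rand_Source = secrets.token_bytes(8)                     # msg 1: ID_Source || Rand_Source
    if des.store is None or src.ident != des.store["peer"]:  # step 2 a)
        src.store = des.store = None
        return "re-authentication certificate holder identifier does not match"
    Rand_Des = secrets.token_bytes(8)
    content = src.ident + Rand_Source + des.ident + Rand_Des
    Des_HashValue = Hash(msb_half(des.store["K_M"]), content)  # msg 2: ID_Des || Rand_Des || Des_HashValue
    if src.store is None or des.ident != src.store["peer"]:  # step 3 a)
        src.store = des.store = None
        return "re-authentication certificate holder identifier does not match"
    local = Hash(msb_half(src.store["K_M"]), content)        # step 3 b), c)
    if not hmac.compare_digest(local, Des_HashValue):
        src.store = des.store = None
        return "re-authentication hash value does not match"
    Source_HashValue = Hash(lsb_half(src.store["K_M"]), des.ident + Rand_Des)  # msg 3, step 3 d)
    src.store["K_M"] = Hash(src.store["K_M"], Rand_Des + Rand_Source)         # step 3 e)
    local = Hash(lsb_half(des.store["K_M"]), des.ident + Rand_Des)            # step 4 a), b)
    if not hmac.compare_digest(local, Source_HashValue):
        src.store = des.store = None                         # step 5: source clears on the notification
        return "re-authentication hash value does not match"
    des.store["K_M"] = Hash(des.store["K_M"], Rand_Des + Rand_Source)         # step 4 c)
    src.authenticated = des.authenticated = True
    return None


def one_way_reauth(src, des):
    """One-way re-authentication, section (4): only the destination proves it holds K_M."""
    Rand_Source = secrets.token_bytes(8)                     # msg 1: ID_Source || Rand_Source
    if des.store is None or src.ident != des.store["peer"]:  # step 2 a)
        src.store = des.store = None
        return "certificate holder identifier does not match"
    Uni_Des_HashValue = Hash(lsb_half(des.store["K_M"]), src.ident + Rand_Source)  # msg 2
    des.store["K_M"] = Hash(des.store["K_M"], Rand_Source)   # step 2 d): destination updates first
    if src.store is None or des.ident != src.store["peer"]:  # step 3 a)
        src.store = des.store = None
        return "re-authentication certificate holder identifier does not match"
    local = Hash(lsb_half(src.store["K_M"]), src.ident + Rand_Source)         # step 3 b), c)
    if not hmac.compare_digest(local, Uni_Des_HashValue):
        src.store = des.store = None                         # step 4: destination clears on the notification
        return "re-authentication hash value does not match"
    src.store["K_M"] = Hash(src.store["K_M"], Rand_Source)   # step 3 d)
    src.authenticated = True
    return None
```

Two points worth checking against the page: in the two-way mode each direction keys its proof with a different half of K_M, so neither side can answer its own challenge with the other's value, and the key update binds in both random numbers; in the one-way mode the destination updates K_M in step 2 d) before learning the source's verdict, which is why the source's failure notification must clear the destination's store as well, or the two devices drift apart until the next full authentication. Comparing with hmac.compare_digest avoids leaking the position of the first differing byte through timing.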
Compared with the prior art, the beneficial effect of the present invention is as follows: the present invention takes the multiple interfaces of consumer electronics into account as a whole and provides an authentication and key agreement scheme based on public keys. Provided the underlying algorithms are secure, this scheme has provable authentication properties together with secrecy and consistency of the authentication key. At the same time the scheme optimizes the number of messages and the computational cost, and is therefore more efficient.
The above authenticated key agreement modes of the present invention can be realized in the form of a protocol and applied in the source device and destination device that take part in authenticated key agreement.
A concrete application of the above authenticated key agreement protocol of the present invention is described below.
Suppose that a source device A and a destination device B carry out authenticated key agreement and update. The certificate list stored locally by device A is: the device certificate Cert_A, the certificate Cert_A_Adm of the authority that issued Cert_A, and the certificate Cert_Root of the authority that issued Cert_A_Adm. The certificate list stored locally by device B is: the device certificate Cert_B, the certificate Cert_B_Adm of the authority that issued Cert_B, and the certificate Cert_Root of the authority that issued Cert_B_Adm. Device A and device B have agreed on a set of algorithms and public parameters, comprising the signature algorithm ECCDSA, the HMAC algorithm HMAC-SHA(key, content), and the public elliptic curve parameters (F_q, E, G, n) with |q|=192 and |K_M|=256; elliptic curve scalar multiplication is written xG, yG and so on.
Before transmitting data over interfaces such as DVI, HDMI or POD-Host, device A and device B execute one-way authenticated key agreement and update. If device A finds that no shared key is stored locally, it executes one-way full authentication. Device A generates a random number 1<x<n and sends its unique identifier ID_A together with xG to device B; device B, following the steps prescribed for one-way full authentication, sends Cert_B, Cert_B_Adm, yG and the signed hash value ECCDSA{HMAC-SHA([xyG]_lsb192, ID_A)} to device A, and computes the authentication key K_M as prescribed; device A checks the received message and completes the authentication of device B; if authentication succeeds it computes K_M and sets the authentication state, otherwise it sends a notification message reporting the error to device B.
If, during authenticated key agreement and update over interfaces such as DVI, HDMI or POD-Host, device A and device B find that a shared key is stored locally, they execute one-way re-authentication. Device A generates a 64-bit random number Rand_A and sends its unique identifier ID_A together with Rand_A to device B; device B uses the stored key K_M to compute the HMAC hash value of ID_A‖Rand_A and sends its unique identifier ID_B together with the hash value to device A; device A verifies the correctness of the hash value, thereby confirming whether device B holds the same shared key, and if so updates that key.
When device A and device B transmit data over interfaces that may support two-way authenticated key agreement and update, such as IEEE 1394 or USB, device B submits its authentication capability to device A, and device A preferentially chooses to execute two-way authenticated key agreement and update. If no shared key is stored locally at device A, or the authentication capability of the destination device shows that the destination device stores no shared key, full two-way authentication is executed. Device A sends Cert_A, Cert_A_Adm and the computed xG to device B; device B, following the steps of full two-way authentication, sends Cert_B, Cert_B_Adm, yG and a signature message to device A, where the signed content is the hash value obtained by the HMAC-SHA computation over ID_Source with part of xyG as the key; device A checks the received message, completes the authentication of device B, sends its signature message to device B, sets the authentication state, and computes and stores the shared key. Device B checks the received signature message and, together with the message received in the first step, completes the authentication of device A, sets the authentication state, and computes and stores the shared key.
After device A and device B have chosen to execute two-way authenticated key agreement and update, if the destination device stores a shared key and the source device also stores a shared key, two-way re-authentication is executed. Device A sends its unique identifier ID_A and Rand_A to device B; the destination device sends ID_Des, Rand_Des and a hash value, computed with HMAC-SHA using part of the locally stored K_M as the key over content comprising the identifier and random number of device A and the identifier and random number of device B. Device A confirms by verifying the hash value that device B and device A hold the same shared key, then computes and sends a new hash value to device B as prescribed, sets the authentication state, and updates and stores the shared key. Device B confirms by verifying the hash value that device A and device B hold the same shared key, then sets the authentication state and updates the shared key.

Claims (10)

1. an authenticated key agreement and update method that is used between electronic equipment interfaces based on PKI, it is characterized in that, the source device of participation authenticated key agreement and destination device basis be the configuration information of interface separately, select unidirectional authentication or two-way authentication mode, generate shared secret by using the Diffie-Hellman Internet Key Exchange; Guarantee the consistency of the shared secret generated and the integrality of message by HMAC key hash function.
2. the method for claim 1, it is characterized in that, described unilateral authentication and two-way authentication mode comprise authentication fully and authentication again respectively, under the situation of authentication fully, do not have under the situation of shared key K _ M at source device and destination device, by use signature technology guarantee the sender of certificate hold really with certificate in the corresponding private key of PKI, thereby determine the legitimacy of equipment; Under the situation of authentication again, hold the legitimacy that shared this fact of key is confirmed equipment by use.
3. method as claimed in claim 2, described two-way complete authentication mode be source device and the destination device at communicating pair have list of cert situation under, confirm that certified side has the private key that it sends certificate really, thereby determine certified side's identity; When confirming identity, generate the secret value that communicating pair exclusively enjoys by the exchange random number, and can confirm the consistency and the secret of this value.
4. The method of claim 3, wherein, when two-way full authentication is used for authentication and key agreement between the source device and the destination device, this authentication mode is realized on an elliptic curve (F_q, E, G, n) by the following steps, where F_q is the finite field of characteristic q, E is an elliptic curve over F_q, G is a base point on E, and n is the order of G:
A) The source device computes a random number 1<x<n, computes the scalar multiple xG, and sends its certificate list together with this scalar multiple: Cert_Source_list||xG;
B) The destination device verifies whether the source device certificate has been revoked and verifies the content of each field of the certificates in the source device certificate list; it computes a random number 1<y<n, computes the scalar multiple yG, and, using the HMAC keyed hash function Hash with the low |q| bits of xyG as the key, hashes ID_Source, the unique identifier of the source device certificate; it signs this hash value with the destination device's private key using the signature algorithm E_S, and sends the following to the source device:
Cert_Des_list||yG||E_S{Hash([xyG]_lsb|q|,ID_Source)};
C) The source device verifies whether the destination device certificate has been revoked and verifies the content of each field of the certificates in the destination device certificate list; it computes the shared secret xyG, computes the hash value Hash([xyG]_lsb|q|, ID_Source) and verifies the received destination device signature; then, using the HMAC keyed hash function Hash with the high (|xyG|-|q|) bits of xyG as the key, it hashes ID_Des, the unique identifier of the destination device certificate, signs this hash value with the source device's private key using the signature algorithm E_S, and, having confirmed that the destination device certificate is not revoked, sends the following to the destination device:
E_S{Hash([xyG]_msb|q|,ID_Des)}
Afterwards, the source device uses the HMAC keyed hash function Hash with xyG as the key to hash ID_Source||xG||ID_Des||yG; the result is the shared key K_M of both parties, and the source device stores the data pair <K_M, ID_Des>;
D) The destination device computes the hash value Hash([xyG]_msb|q|, ID_Des) and verifies the received source device signature; having confirmed that the source device certificate is not revoked, it uses the HMAC keyed hash function Hash with xyG as the key to hash ID_Source||xG||ID_Des||yG; the result is the shared key K_M of both parties, and the destination device stores the data pair <K_M, ID_Source>.
5. The method of claim 2, wherein the two-way re-authentication mode, in the case where both communicating parties, the source device and the destination device, hold a shared key K_M, confirms that both parties really hold the same shared key and thereby verifies the identity of both parties; at the same time, both parties generate a new shared key from the exchanged random numbers and the shared secret, completing the key update.
6. The method of claim 5, wherein, when the two-way re-authentication mode is used between the source device and the destination device for authentication and key update, the following steps are performed:
A) The source device reads the holder's unique identifier ID_Source from the source device certificate, computes a random number Rand_Source, and sends the source device's unique identifier and this random number:
ID_Source||Rand_Source;
B) The destination device checks the received ID_Source against the locally stored ID_Source; it computes a random number Rand_Des and, using the HMAC keyed hash function Hash with the high |K_M|/2 bits of the shared key K_M as the key, hashes ID_Source||Rand_Source||ID_Des||Rand_Des to obtain Des_HashValue; it reads the certificate holder identifier ID_Des from the destination device certificate and sends the destination device's unique identifier, random number and hash value:
ID_Des||Rand_Des||Des_HashValue;
C) The source device checks the received ID_Des against the locally stored ID_Des and verifies the received hash value Des_HashValue; using the HMAC keyed hash function Hash with the low |K_M|/2 bits of the shared key K_M as the key, it hashes ID_Des||Rand_Des to obtain Source_HashValue and sends this hash value to the destination device; afterwards, using Hash with the current shared key K_M as the key, it hashes Rand_Des||Rand_Source to obtain the new shared key:
K_M=Hash(K_M,Rand_Des||Rand_Source);
D) The destination device verifies the received hash value Source_HashValue; if the check passes, it uses Hash with the current shared key K_M as the key to hash Rand_Des||Rand_Source, obtaining the new shared key:
K_M=Hash(K_M,Rand_Des||Rand_Source).
7. The method of claim 2, wherein the one-way full authentication mode, in the case where the authenticated party holds a certificate list, confirms that the authenticated party really holds the private key of the certificate it sent, thereby establishing the authenticated party's identity; while confirming the authenticated party's identity, the two negotiating parties generate a shared secret known only to them by exchanging random values, and the authenticating party can confirm the consistency of this value.
8. The method of claim 7, wherein, when the one-way full authentication mode is used for authentication and key agreement between the source device and the destination device, it is realized on the elliptic curve (F_q, E, G, n) by the following steps:
A) The source device computes a random number 1<x<n, computes the scalar multiple xG, and sends the source device's unique identifier and the scalar multiple:
ID_Source||xG;
B) The destination device computes a random number 1<y<n, computes the scalar multiple yG, computes the shared secret xyG, and, using the HMAC keyed hash function Hash with the low |q| bits of xyG as the key, hashes ID_Source, the unique identifier of the source device certificate; it signs this hash value with the destination device's private key using the signature algorithm E_S and sends the following to the source device:
Cert_Des_list||yG||E_S{Hash([xyG]_lsb|q|,ID_Source)};
It then uses the Hash function with xyG as the key to hash ID_Source||xG||ID_Des||yG; the result is the shared key K_M of both parties, and the destination device stores the data pair <K_M, ID_Source>;
C) The source device verifies whether the destination device certificate has been revoked and verifies the content of each field of the certificates in the destination device certificate list, computes the shared secret xyG, and verifies the correctness of the received destination device signature; using the HMAC keyed hash function Hash with xyG as the key, it hashes ID_Source||xG||ID_Des||yG; the result is the shared key K_M of both parties, and, having confirmed that the destination device certificate is not revoked, the source device stores the data pair <K_M, ID_Des>.
9. The method of claim 2, wherein the one-way re-authentication mode, in the case where both communicating parties, the source device and the destination device, hold a shared key K_M, has the authenticating party confirm that the authenticated party really holds the same shared secret as the authenticating party; after the consistency of the shared secret is confirmed, the two parties update their shared key using the random number sent by the authenticating party, completing the key update; the confirmation of the authenticated party's identity is accomplished by the binding between the authenticating party's identity and the shared key.
10. The method of claim 9, wherein, when the one-way re-authentication mode is used between the source device and the destination device for authentication and key update, the following steps are performed:
A) The source device computes a random number Rand_Source and sends the source device's unique identifier and this random number:
ID_Source||Rand_Source;
B) The destination device checks the received ID_Source against the locally stored ID_Source; using the HMAC keyed hash function Hash with the low |K_M|/2 bits of the shared key K_M as the key, it hashes ID_Source||Rand_Source to obtain Uni_Des_HashValue; it reads the certificate holder identifier ID_Des from the destination device certificate and sends the destination device's unique identifier and the hash value:
ID_Des||Uni_Des_HashValue;
It then uses Hash with K_M as the key to hash Rand_Source, obtaining the new shared key K_M;
C) The source device checks the received ID_Des against the locally stored ID_Des and verifies the hash value Uni_Des_HashValue; it uses the HMAC keyed hash function Hash with K_M as the key to hash Rand_Source, obtaining the new shared key K_M.
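As an added worked example, not code from the patent, the following Python simulates both parties of the two-way full authentication of claim 4 and, with mutual=False, the one-way variant of claim 8. Everything beyond the claims' own symbols is an assumption made for the example: secp256k1 as the curve (F_q, E, G, n), HMAC-SHA256 as the HMAC keyed hash function Hash, a Schnorr-style signature as the unspecified signature algorithm E_S, certificates modelled as constructed {id, pk} dicts with a revocation set in place of certificate-list field checks, and a point encoding x||y so that [xyG]_lsb|q| is the y coordinate and [xyG]_msb|q| is the x coordinate.

```python
import hashlib
import hmac
import secrets

# Domain parameters (F_q, E, G, n) of the claims. They fix no curve; secp256k1 is
# used here as an assumption so the arithmetic can be checked against a known curve.
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA77B26A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B)
QLEN = 32  # |q| in bytes

def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_q; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % Q == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, Q) % Q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, Q) % Q
    x3 = (lam * lam - x1 - x2) % Q
    return x3, (lam * (x1 - x3) - y1) % Q

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def enc(pt):
    """Encode a point as x||y, |q| bits each: [pt]_msb|q| is x, [pt]_lsb|q| is y."""
    return pt[0].to_bytes(QLEN, "big") + pt[1].to_bytes(QLEN, "big")

def Hash(key, msg):
    """The claims' HMAC keyed hash function; HMAC-SHA256 is an assumption."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def keygen():
    sk = secrets.randbelow(N - 1) + 1
    return sk, ec_mul(sk, G)

def sign(sk, msg):
    """Schnorr-style signature on the same curve; stands in for the unspecified E_S."""
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    e = int.from_bytes(hashlib.sha256(enc(R) + msg).digest(), "big") % N
    return R, (k + e * sk) % N

def verify(pk, msg, sig):
    R, s = sig
    e = int.from_bytes(hashlib.sha256(enc(R) + msg).digest(), "big") % N
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pk))

def full_auth(src_cert, src_sk, des_cert, des_sk, mutual=True, revoked=()):
    """Steps A-D of claim 4 (mutual=True) or A-C of claim 8 (mutual=False), with
    both sides simulated in one process. Certificates are constructed dicts
    {"id": ..., "pk": ...}. Returns (K_M held by source, K_M held by destination)."""
    id_src, id_des = src_cert["id"], des_cert["id"]
    # A) source: random 1<x<n, sends xG (plus its certificate list when mutual)
    x = secrets.randbelow(N - 2) + 2
    xG = ec_mul(x, G)
    # B) destination: revocation check, random 1<y<n, signs Hash([xyG]_lsb|q|, ID_Source)
    if mutual and id_src in revoked:
        raise ValueError("source certificate revoked")
    y = secrets.randbelow(N - 2) + 2
    yG = ec_mul(y, G)
    xyG_des = ec_mul(y, xG)
    sig_des = sign(des_sk, Hash(enc(xyG_des)[QLEN:], id_src))
    transcript = id_src + enc(xG) + id_des + enc(yG)
    # C) source: revocation check, recomputes xyG, verifies the destination signature
    if id_des in revoked:
        raise ValueError("destination certificate revoked")
    xyG_src = ec_mul(x, yG)
    if not verify(des_cert["pk"], Hash(enc(xyG_src)[QLEN:], id_src), sig_des):
        raise ValueError("destination signature invalid")
    km_src = Hash(enc(xyG_src), transcript)  # source stores <K_M, ID_Des>
    # D) mutual only: source signs Hash([xyG]_msb|q|, ID_Des), destination verifies it
    if mutual:
        sig_src = sign(src_sk, Hash(enc(xyG_src)[:QLEN], id_des))
        if not verify(src_cert["pk"], Hash(enc(xyG_des)[:QLEN], id_des), sig_src):
            raise ValueError("source signature invalid")
    km_des = Hash(enc(xyG_des), transcript)  # destination stores <K_M, ID_Source>
    return km_src, km_des
```

Calling full_auth with two keygen() pairs returns two identical 32-byte K_M values; a revoked identifier or a signature made with the wrong private key raises ValueError, which is the point of steps B and C: the signature over Hash([xyG]_lsb|q|, ID_Source) ties the Diffie-Hellman share yG to the destination's certificate, so a party without the certificate's private key cannot complete the exchange. K_M is keyed with the full xyG over the transcript ID_Source||xG||ID_Des||yG, so both sides also agree on which identifiers and shares the key belongs to.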
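The re-authentication and key update steps of claims 6 and 10, and the two-way re-authentication described in the description paragraph above, need only the HMAC keyed hash function and the stored <K_M, peer ID> pair. The following added example (not the patent's own code) runs both parties of each variant in one process. Assumptions: Hash is HMAC-SHA256; the "high |K_M|/2 bits" and "low |K_M|/2 bits" of K_M are the first and second halves of the key bytes; the Device class and the injectable random-number parameters are constructed for the example.

```python
import hashlib
import hmac
import secrets

def Hash(key, msg):
    """The claims' HMAC keyed hash function; HMAC-SHA256 is an assumption."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def high_half(k_m):
    """High |K_M|/2 bits of the shared key (claim 6, step B)."""
    return k_m[: len(k_m) // 2]

def low_half(k_m):
    """Low |K_M|/2 bits of the shared key (claim 6 step C, claim 10 step B)."""
    return k_m[len(k_m) // 2 :]

class Device:
    """Constructed per-party state: own ID plus the <K_M, peer ID> pair stored
    after a full authentication."""
    def __init__(self, own_id, k_m, peer_id):
        self.own_id, self.k_m, self.peer_id = own_id, k_m, peer_id
        self.authenticated = False

def two_way_reauth(src, des, rand_source=None, rand_des=None):
    """Claim 6, steps A-D. Random numbers may be injected for testing."""
    rand_source = rand_source or secrets.token_bytes(16)
    rand_des = rand_des or secrets.token_bytes(16)
    # A) source -> destination: ID_Source || Rand_Source
    # B) destination checks ID_Source against its stored pair and answers
    if src.own_id != des.peer_id:
        raise ValueError("unknown source")
    des_hash = Hash(high_half(des.k_m), src.own_id + rand_source + des.own_id + rand_des)
    # C) source checks ID_Des and Des_HashValue, sends Source_HashValue, updates K_M
    if des.own_id != src.peer_id:
        raise ValueError("unknown destination")
    expected = Hash(high_half(src.k_m), src.own_id + rand_source + des.own_id + rand_des)
    if not hmac.compare_digest(expected, des_hash):
        raise ValueError("destination does not hold the same K_M")
    src_hash = Hash(low_half(src.k_m), des.own_id + rand_des)
    src.k_m = Hash(src.k_m, rand_des + rand_source)
    src.authenticated = True
    # D) destination checks Source_HashValue with its still-current K_M, then updates
    expected = Hash(low_half(des.k_m), des.own_id + rand_des)
    if not hmac.compare_digest(expected, src_hash):
        raise ValueError("source does not hold the same K_M")
    des.k_m = Hash(des.k_m, rand_des + rand_source)
    des.authenticated = True
    return src.k_m == des.k_m

def one_way_reauth(src, des, rand_source=None):
    """Claim 10, steps A-C: only the destination proves it holds K_M."""
    rand_source = rand_source or secrets.token_bytes(16)
    # A) source -> destination: ID_Source || Rand_Source
    if src.own_id != des.peer_id:
        raise ValueError("unknown source")
    # B) destination answers with Uni_Des_HashValue, then updates K_M
    uni_des_hash = Hash(low_half(des.k_m), src.own_id + rand_source)
    des.k_m = Hash(des.k_m, rand_source)
    # C) source checks ID_Des and the hash, then updates K_M the same way
    if des.own_id != src.peer_id:
        raise ValueError("unknown destination")
    expected = Hash(low_half(src.k_m), src.own_id + rand_source)
    if not hmac.compare_digest(expected, uni_des_hash):
        raise ValueError("destination does not hold the same K_M")
    src.k_m = Hash(src.k_m, rand_source)
    return src.k_m == des.k_m
```

Two properties worth checking against the claims: in the two-way mode each side keys its proof with a different half of K_M, so a reflected Des_HashValue cannot pass as Source_HashValue; and in the one-way mode of claim 10 the destination replaces K_M in step B before learning whether the source accepted the hash, so if the step-C check fails (or the message is lost) the two stored keys no longer match and a full authentication is needed to resynchronize.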

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2005101243425A CN1832397B (en) 2005-11-28 2005-11-28 Authorization key, consultation and update method based on common key credentials between interface of electronic equipment

Publications (2)

Publication Number Publication Date
CN1832397A true CN1832397A (en) 2006-09-13
CN1832397B CN1832397B (en) 2010-09-29

Family

ID=36994422

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2005101243425A Expired - Fee Related CN1832397B (en) 2005-11-28 2005-11-28 Authorization key, consultation and update method based on common key credentials between interface of electronic equipment

Country Status (1)

Country Link
CN (1) CN1832397B (en)

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102739660A (en) * 2012-06-16 2012-10-17 华南师范大学 Key exchange method for single sign on system
WO2012171285A1 (en) * 2011-06-15 2012-12-20 中兴通讯股份有限公司 Method, protocol, and smart card for bidirectional authentication between terminal and smart card
CN102904714A (en) * 2011-07-25 2013-01-30 深圳市金溢科技有限公司 Encryption key exchange method for secret key encryption communication system
CN102983971A (en) * 2012-10-10 2013-03-20 中国科学技术大学苏州研究院 Certificateless signature algorithm for user identity authentication in network environment
CN105227309A (en) * 2014-06-17 2016-01-06 上海崴澜网络科技有限公司 For the encryption method of internet-of-things terminal and high in the clouds communication
CN105337734A (en) * 2014-08-05 2016-02-17 英赛瑟库尔公司 Elliptic curve encryption method comprising error detection
CN105812136A (en) * 2014-12-30 2016-07-27 北京握奇智能科技有限公司 Update method, update system and security authentication device
CN105981398A (en) * 2013-12-03 2016-09-28 三星电子株式会社 Contents security method and electronic apparatus for providing contents security function
CN106603182A (en) * 2015-10-16 2017-04-26 北京邮电大学 Space environment oriented safe time synchronization method
US10003966B2 (en) 2013-10-28 2018-06-19 Huawei Device (Dongguan) Co., Ltd. Key configuration method and apparatus
CN109040149A (en) * 2018-11-02 2018-12-18 美的集团股份有限公司 Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system
CN109218023A (en) * 2017-06-29 2019-01-15 英特尔公司 Technology for robust calculation digital signature of elliptic curve
CN109687957A (en) * 2018-12-26 2019-04-26 无锡泛太科技有限公司 A kind of RFID authentication method of the public-key cryptography scheme based on ellipse-hyperbolic
CN111630810A (en) * 2017-11-10 2020-09-04 日本电信电话株式会社 Key exchange device, key exchange system, key exchange method, and key exchange program
CN112260987A (en) * 2020-09-10 2021-01-22 西安电子科技大学 Bidirectional security authentication method and system in digital content protection system
CN112514321A (en) * 2018-05-31 2021-03-16 爱迪德技术有限公司 Shared secret establishment
CN112632475A (en) * 2020-12-30 2021-04-09 郑州轻工业大学 Picture copyright protection system and method based on state password and picture steganography
CN112738038A (en) * 2020-12-17 2021-04-30 北京握奇智能科技有限公司 Key agreement method and device based on asymmetric password authentication
CN115104282A (en) * 2020-02-29 2022-09-23 华为技术有限公司 Key updating method and related device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1192542C (en) * 2003-04-23 2005-03-09 浙江大学 Key exchanging method based on public key certificate
CN1667999A (en) * 2005-01-18 2005-09-14 中国电子科技集团公司第三十研究所 A secure communication method between mobile nodes in mobile self-organized network

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2012171285A1 (en) * 2011-06-15 2012-12-20 中兴通讯股份有限公司 Method, protocol, and smart card for bidirectional authentication between terminal and smart card
CN102904714A (en) * 2011-07-25 2013-01-30 深圳市金溢科技有限公司 Encryption key exchange method for secret key encryption communication system
CN102739660B (en) * 2012-06-16 2015-07-08 华南师范大学 Key exchange method for single sign on system
CN102739660A (en) * 2012-06-16 2012-10-17 华南师范大学 Key exchange method for single sign on system
CN102983971A (en) * 2012-10-10 2013-03-20 中国科学技术大学苏州研究院 Certificateless signature algorithm for user identity authentication in network environment
CN102983971B (en) * 2012-10-10 2015-07-15 中国科学技术大学苏州研究院 Certificateless signature algorithm for user identity authentication in network environment
US10003966B2 (en) 2013-10-28 2018-06-19 Huawei Device (Dongguan) Co., Ltd. Key configuration method and apparatus
CN105981398A (en) * 2013-12-03 2016-09-28 三星电子株式会社 Contents security method and electronic apparatus for providing contents security function
CN105227309A (en) * 2014-06-17 2016-01-06 上海崴澜网络科技有限公司 For the encryption method of internet-of-things terminal and high in the clouds communication
CN105227309B (en) * 2014-06-17 2019-01-08 上海崴澜网络科技有限公司 Encryption method for internet-of-things terminal and cloud communication
CN105337734A (en) * 2014-08-05 2016-02-17 英赛瑟库尔公司 Elliptic curve encryption method comprising error detection
CN105812136A (en) * 2014-12-30 2016-07-27 北京握奇智能科技有限公司 Update method, update system and security authentication device
CN106603182A (en) * 2015-10-16 2017-04-26 北京邮电大学 Space environment oriented safe time synchronization method
CN109218023A (en) * 2017-06-29 2019-01-15 英特尔公司 Technology for robust calculation digital signature of elliptic curve
CN111630810B (en) * 2017-11-10 2023-05-30 日本电信电话株式会社 Key exchange device, key exchange system, key exchange method, and recording medium
CN111630810A (en) * 2017-11-10 2020-09-04 日本电信电话株式会社 Key exchange device, key exchange system, key exchange method, and key exchange program
CN112514321A (en) * 2018-05-31 2021-03-16 爱迪德技术有限公司 Shared secret establishment
CN109040149A (en) * 2018-11-02 2018-12-18 美的集团股份有限公司 Cryptographic key negotiation method, Cloud Server, equipment, storage medium and system
CN109687957A (en) * 2018-12-26 2019-04-26 无锡泛太科技有限公司 A kind of RFID authentication method of the public-key cryptography scheme based on ellipse-hyperbolic
CN115104282A (en) * 2020-02-29 2022-09-23 华为技术有限公司 Key updating method and related device
CN115104282B (en) * 2020-02-29 2023-08-22 华为技术有限公司 Key updating method and related device
CN112260987A (en) * 2020-09-10 2021-01-22 西安电子科技大学 Bidirectional security authentication method and system in digital content protection system
CN112738038A (en) * 2020-12-17 2021-04-30 北京握奇智能科技有限公司 Key agreement method and device based on asymmetric password authentication
CN112738038B (en) * 2020-12-17 2024-05-28 北京握奇智能科技有限公司 Key negotiation method and device based on asymmetric password authentication
CN112632475A (en) * 2020-12-30 2021-04-09 郑州轻工业大学 Picture copyright protection system and method based on state password and picture steganography
CN112632475B (en) * 2020-12-30 2024-03-29 郑州轻工业大学 Picture copyright protection system and method based on national password and picture steganography

Also Published As

Publication number Publication date
CN1832397B (en) 2010-09-29

Similar Documents

Publication Publication Date Title
CN1832397A (en) Authorization key, consultation and update method based on common key credentials between interface of electronic equipment
CN1175614C (en) Digital AV data transmitting unit, receiving unit, transmitting/receiving unit and medium
CN1934564A (en) Method and apparatus for digital rights management using certificate revocation list
CN1685306A (en) Printing system, printing device and method for giving printing command
CN1268088C (en) PKI-based VPN cipher key exchange implementing method
CN1901512A (en) Information communication system, information communication apparatus and method, and computer program
CN101044490A (en) Method and system for using a compact disk as a smart key device
CN1653778A (en) Data transmitting apparatus, data receiving apparatus, data transmission system and data transmission method
CN1751533A (en) Method for creating and distributing cryptographic keys in a mobile radio system, and corresponding mobile radio system
CN1691672A (en) Method and apparatus for informatin processing
CN1758595A (en) The method of using broadcast cryptography that device is authenticated
CN1685706A (en) Domain based on certificate granting
CN1921395A (en) Method and system for improving security of network software
CN1859729A (en) Authentifying method and relative information transfer method
CN1790359A (en) Method and system for using a portable computing device as a smart key device
CN1518825A (en) Device arranged for exchanging data and method of authenticating
CN101064628A (en) Household network appliance safe management system and method
CN1615632A (en) Mechanism for supporting wired and wireless methods for client and server side authentication
CN1694452A (en) Communication method and system between a terminal and at least a communication device
CN1596522A (en) Encryption device, a decrypting device, a secret key generation device, a copyright protection system and a cipher communication device
CN1961311A (en) Method and apparatus for transmitting rights object information between device and portable storage
CN1929369A (en) Method and apparatus for securely transmitting and receiving data in peer-to-peer manner
CN101031066A (en) Transmitter, receiver, and transmitting method
CN1866825A (en) Content transmission apparatus, content reception apparatus, content transmission method and content reception method
CN1617489A (en) Information processing device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: SICHUAN CHANGHONG ELECTRIC CO., LTD.

Free format text: FORMER OWNER: BEIJING POWER DIGITAL TECHLABS CO., LTD.

Effective date: 20100609

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100016 ROOM AE26-28, 2/F, BUILDING 51, NO.14, JIUXIANQIAO ROAD, CHAOYANG DISTRICT, BEIJING TO: 621000 NO.35, MIANXING EAST ROAD, MIANYANG CITY HIGH-TECH ZONE, SICHUAN PROVINCE

TA01 Transfer of patent application right

Effective date of registration: 20100609

Address after: 621000 No. 35, Mianxing East Road, Mianyang City High-Tech Zone, Sichuan Province

Applicant after: Sichuan Changhong Electrical Appliance Co., Ltd.

Address before: 100016 Room AE26-28, 2/F, Building 51, No. 14, Jiuxianqiao Road, Chaoyang District, Beijing

Applicant before: Beijing Puaode Ditial Technology Co., Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100929

Termination date: 20201128