CN103780600B - RSA public key cryptography based off-line electric power transaction information system authorization method - Google Patents
RSA public key cryptography based off-line electric power transaction information system authorization method Download PDFInfo
- Publication number
- CN103780600B CN103780600B CN201310535751.9A CN201310535751A CN103780600B CN 103780600 B CN103780600 B CN 103780600B CN 201310535751 A CN201310535751 A CN 201310535751A CN 103780600 B CN103780600 B CN 103780600B
- Authority
- CN
- China
- Prior art keywords
- authorization code
- client
- authorization
- server
- code
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 238000013475 authorization Methods 0.000 title claims abstract description 156
- 238000000034 method Methods 0.000 title claims abstract description 40
- FFBHFFJDDLITSX-UHFFFAOYSA-N benzyl N-[2-hydroxy-4-(3-oxomorpholin-4-yl)phenyl]carbamate Chemical compound OC1=C(NC(=O)OCC2=CC=CC=C2)C=CC(=C1)N1CCOCC1=O FFBHFFJDDLITSX-UHFFFAOYSA-N 0.000 claims description 3
- 238000012797 qualification Methods 0.000 claims description 2
- 230000005540 biological transmission Effects 0.000 abstract description 3
- 238000012795 verification Methods 0.000 abstract 1
- 230000005611 electricity Effects 0.000 description 9
- 238000012544 monitoring process Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000003111 delayed effect Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000006073 displacement reaction Methods 0.000 description 1
- 230000009977 dual effect Effects 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 238000003780 insertion Methods 0.000 description 1
- 230000037431 insertion Effects 0.000 description 1
Abstract
The invention belongs to the field of electric power information security, and relates to an RSA public key cryptography based off-line electric power transaction information system authorization method which is applied to remote off-line authorization. According to the method, a client applies for a remote authorization code from a server firstly, the server automatically generates authorization codes with high complexity and provides the authorization code for the client, the client selects one of the authorization codes and stores the authorization code, the authorization code is encrypted by using a private key of the client, all of the authorization codes are encrypted by using a public key of the server and provided for the server; and the server verifies authorization codes submitted by the client, stores all of the authorization codes after the verification is successful, and prompts that the application for the authorization code of the client is successful. The client can carry out remote authorization after receiving the authorization code, and the process of authorization is very simple. According to the method provided by the invention, encrypted transmission for the authorization codes is carried out by adopting an RSA public key method, so that the security of the method is based on an RSA public key system, and security requirements of an electric power information system can be achieved.
Description
Technical field
The invention belongs to security information for power system field, relate to a kind of off-line power information system authorization method based on RSA public key cryptography for remote offline mandate.
Background technology
Electricity transaction mechanism establishes the data information management system of oneself at present, is directed to some ratio more sensitive data and data, or the mandate of some order, needs the mandate of person in charge to continue, and these mandates are all based on computer software.It is more flexible that some system designs, and can authorize in arbitrary terminal, and have is the strictest, it is necessary to just can authorize in the terminal specified.
If running into person in charge to go out situation the most in place, it is impossible to authorize in terminal, then run into emergency and will be delayed and cause unnecessary loss.Thus need a solution to solve remote offline mandate.
Most terminal logs in and all uses password, key disk, fingerprint to log in, requirement according to security stipulation, key disk to be carried with, other people are not allowed to replace logging in, in case accidental operation or malicious operation occur, so once donor goes out to authorize within the effective time, then must use remote offline mandate.
From the point of view of the angle of technology, it is necessary to find a kind of thing that can uniquely determine personal identification, and can remotely transmit, authorization code can only be used.Authorization code is used only once, the convenient any information inputted and do not comprise individual, can pass through phone, note, instant messaging etc. and be transmitted, and input is the most i.e. cancelled.Length can not be the shortest, it is to be ensured that the authorization code randomly generated never repeats.The mode that pure digi-tal or alphanumeric combine can be used, in order to avoid dictation process occurs mistake, J or G in letter can be removed, remove 0 and O, remove 1 and l, so printing or read when, be not easy generation and obscure.
Authorization code is before the use, it is necessary to the signature through dual: first pass through the signature of donor, and after server authentication, it is signed by oneself, during mandate is authenticated it, and the then replacement donor passed through authorizes.
The problem that traditional authorization method such as password authorization, hardware mandate, biological characteristic (fingerprint) mandate etc. all cannot solve remote authorization.Such as password authorization, although can carry out remote authorization, but often to there is password complexity relatively low for password, and the most under fire, therefore potential safety hazard is relatively big, does not authorizes core decision-making;Hardware mandate and biological characteristic are collected and owing to the limitation of himself does not possess the ability remotely providing and authorizing.
Summary of the invention
The technical problem to be solved in the present invention is:
1, authorize means want easily operated and realize, and can be combined with prior art, it is impossible to without restraint revise original system because introducing new authorization method.
2, the necessary safe enough of means is authorized, it is impossible to be hacked easily.
For solving the problems referred to above, the present invention proposes the method for a set of remote authorization, the off-line power information system authorization method of i.e. based on RSA public key cryptography.The method is first by user end to server application remote authorization code, the authorization code that service end automatically generates complexity higher is supplied to client, one of them authorization code of customer selecting preserves, and is encrypted with the private key of client by this authorization code and the public key encryption of all of authorization code server is submitted to server;The authorization code that client is submitted to by server is verified, preserves all of authorization code, and point out client authorization code application success after being proved to be successful.Client just can carry out remote authorization to key problem after successfully taking authorization code, and the process of mandate is the simplest.When long-range problem to be authorized by client, first authorization code is supplied to server end, server recalls previously saved authorization code from service after receiving authorization code, and the authorization code provided client with the authorization code recalled is verified, informs client authorization success after being verified.Taking RSA public-key method that authorization code is encrypted transmission in the present invention, therefore the safety of this invention is based on RSA Public Key Infrastructure, and at least in following 20 years, the method all has stronger level of security, therefore can reach the security requirement of power information system.
As it is shown on figure 3, the present invention is divided into two processes:
Process 1: the application of authorization code;
Step 1: client application authorization code, server generates one group of authorization code having upper and lower case letter, numeral and punctuation mark to constitute according to the application of user.
Step 2: client selects the authorization code private key of oneself to encrypt it, and is encrypted by the private key of all of authorization code server, and the authorization code after encryption is submitted to server.
Step 21: generate PKI (as shown in Figure 1).Big prime p and q that stochastic generation two is different and size is close;Calculate n=pq, n is open;Calculate φ=(p-1) (q-1);Then integer e is randomly choosed, 1 < e < φ so that gcd (e, φ)=1, e is open;Calculating meets the unique integral d of ed ≡ 1 (mod φ), 1 < d < φ;PKI is that (n, e), private key is d.
Step 22: the authorization code of selection is encrypted by client with the private key of oneself, with the PKI of server end, all of authorization code is encrypted (as shown in Figure 2).We are to tell about public key encryption process with server end PKI to authorization code encryption.Obtain server end trusted public keys (n, e);And message table is shown as the integer m in interval [0, n-1];Calculate ciphertext c, ciphertext c is sent to server.No longer describe the process of selected authorization code encryption is similar with said process with private key.
Step 3: server receives the authorization code after the encryption that client sends, and deciphers authorization code and verifies, is stored in authorization code data base, and notifies client authorization code application success after being proved to be successful.
Step 31: checking authorization code.After server end receives the encrypted authorization code that client sends over, first file decryption will be encrypted with the PKI of client and the private key of oneself, obtain authorization code and mandate code character that user selectes, server is by the authorization code of user and authorizes code character comparison one by one, if comparison success, application authorization code success, if comparison failure, notify that user applies for authorization code again.
Process 2: use authorization code to authorize
Step 1: authorization code is submitted to server by client.After server receives authorization code, from data base, first search for all authorization codes of this client.If not finding authorization code, authorization failure, if finding authorization code to enter step 2.
Step 2: the authorization code that client is provided by server is verified.Checking by then authorization failure, is not verified and is first deleted by the authorization code of client from data base, and notifies client authorization success.This step is similar to the step 31 of process 1, is taken out by the authorization code deposited, decrypt mandate code character in data base;If the authorization code provided with client and mandate code character comparison comparison one by one success, authorizing and pass through, if comparison failure, prompting user re-enters authorization code;The authorization code of three input errors of user, then cancel the mandate qualification of client, and client locked, and only could client be unlocked by a Successful login of client.
The beneficial effects of the present invention is:
1, authorization code can be effective against Database Intrusion.
Database server is invaded:
(1) authorization code is forged: effractor manually adds remote authorization code to server, but it is because not knowing the private key of donor, therefore authorization code cannot be signed, after input authorization code, its signature is verified by server, cannot pass through, its safety is consistent with the safety of rsa cryptosystem.
(2) theft destroys authorization code: effractor can arbitrarily revise the most signed authorization code so that it is lost efficacy, it is also possible to steal the most signed authorization code, so the vigorousness of authorization code is consistent with the safety of data base.
2, authorization code can successfully manage client brute force attack.
Authorized user is already logged into client server, it is also possible to user cipher is stolen, but cannot log database server, it is impossible to destroy.If at this moment it can guess out authorization code within three times, then forge and authorize successfully.
If the length of authorization code reaches 32 bytes, even if only with numeral, its probability guessed is only 10^32/tri-, because at most allowing conjecture three times.If using letter and symbol, can reach 95^32/tri-, approximating 10^63/tri-.
In order to increase External security, when carrying out remote authorization, it is also possible to increasing by two listed users as supervisor, these two supervisors should be randomly assigned by server.Supervisor should arrive that station terminal needing to authorize immediately and authorize, in order to examine the user needing to authorize the most legal.
3, use various ways can be had to preserve authorization code.
(1) recite:
(2) print in plain text: print authorization code and carry with in plain text, the most stolen.
(3) ciphertext prints: printing after using replacement, displacement, backward, mathematical operation and preserve, rule can be specified voluntarily by donor.
(4) electronic equipment preserves: needing to input password when of needs could show, these electronic equipments can use biological characteristic password to log in.
4, authorization code can successfully manage the most stolen risk.
During use, it is possible to use any means is transmitted, do not result in loss even if being ravesdropping in transmitting procedure in order to ensure authorization code yet, authorized user must enter authorization code input state, the most remotely obtain authorization code, will transmission one by one in transmitting procedure, it is simple to input.Server side also must assure that the remote authorization state of donor must be globally unique, it is impossible to have two remote authorizations to carry out simultaneously.
In sum, it is desirable to realize unauthorized remote mandate, it is necessary to steal the login password of three users simultaneously, and steal an effective authorization code, and log in terminal, can authorize, and two other user must be that the monitoring user that server is randomly assigned is the most permissible;If remote authorization to be destroyed, it is only necessary to intrusion base server.
Accompanying drawing explanation
Fig. 1 is that RSA Algorithm double secret key produces process.
Fig. 2 is the digital signature procedure utilizing RSA.
Fig. 3 is to utilize authorization code mandate browsing process.
Detailed description of the invention
As a example by confirming transaction in electricity transaction:
Certain electricity power enterprise electricity transaction declare granted after to be confirmed by electricity power enterprise director A, and now director A can not confirm sth. oneself because of special circumstances, and electricity power enterprise deal maker B does not confirm the authority of transaction, and now confirm that exchange hour is urgent, if transaction can not be confirmed in time, it is likely to result in electricity power enterprise cannot complete this time to conclude the business, it is necessary to wait until the carrying out of transaction next time, electricity power enterprise so can bring bigger loss.At this moment can only rely on director A that deal maker B is carried out remote authorization, to complete this time to conclude the business.
What application authorized is deal maker B, B after logging in electricity transaction management system, proposes to confirm the application of transaction, system, according to confirming that trading privilege requires that A authorizes, however, it was found that A is not logged on, asks whether to carry out remote authorization, after determining, wait the remote authorization code of A.Now client server guarantees now only have the terminal of B carrying out the remote authorization of A, accordingly even when authorization code is ravesdropping in transmitting procedure, also cannot carry out remote authorization in other terminal.
Client server extracts two online registrants out as supervisor temporarily from the region at B place simultaneously, and the terminal to B place is monitored authorizing.
B is after the remote authorization code obtaining A, after entering through checking, two supervisors of system requirements input its licencing key (login password) or insertion key disk is monitored authorizing, by rear, this sub-authorization is passed through, the authorization code of currently used mistake is moved into history authorization code tables by client server, and remote authorization terminates.
Client server is given respectively simultaneously needs the transaction application confirmed to send order, confirms this time transaction.
Illustrate:
1, the core of remote authorization code is RSA Algorithm, but depend alone algorithm be it cannot be guaranteed that remote authorization safety, it itself is safe for needing whole software system (client, server, data base), and rely on the restriction of agreement, further guarantee controllability and the safety authorized.If cannot ensure the safety of database server, then all of safe basis all can not exist.
2, software system can not replace people completely, in addition to remote authorization, if remote authorization code is deteriorated, then other way also should be had to authorize, it is impossible to be completely dependent on software system.Such as going up in example, authorization code is destroyed, then C can change the authority that equipment is transferred temporarily, allows B directly authorize, but this authority also needs to other restriction, it is impossible to individually authorized by C, in addition it is also necessary to the most permissible with the monitoring of its peer.Can be only achieved the balance of power by mutual monitoring, mutual pining down and stablize.
Claims (4)
1. an off-line power information system authorization method based on RSA public key cryptography, it is special
Levying and be, described method includes the application of authorization code and uses authorization code to carry out authorizing two mistakes
Journey, specific as follows:
The application of process 1 authorization code:
Step 1: client application authorization code, server is according to the application of user
Generate one group of authorization code having upper and lower case letter, numeral and punctuation mark to constitute;
Step 2: client selects the authorization code private key of oneself to encrypt it, and by institute
The PKI of some authorization code servers is encrypted, and the authorization code after encryption is submitted to service
Device;
Step 3: server receives the authorization code after the encryption that client sends, to authorization code solution
Close and verify, it is stored in authorization code data base after being proved to be successful, and notifies client authorization code
Apply for successfully;
Process 2 uses authorization code to authorize:
Step 4: authorization code is submitted to server by client;After server receives authorization code,
From data base, first search for all authorization codes of this client;If not finding authorization code, authorize mistake
Lose, if finding authorization code to enter step 5;
Step 5: the authorization code that client is provided by server is verified;Checking is not by then awarding
Weigh unsuccessfully, be verified and first from data base, the authorization code of client deleted, and notify client
End authorizes successfully.
Method the most according to claim 1, it is characterised in that described step 2 is concrete
Method is as follows:
Step 21: generate PKI;The Big prime p that stochastic generation two is different and size is close
And q;Calculate n=pq, n is open;Calculate φ=(p-1) (q-1);Then integer is randomly choosed
E, 1 < e < φ so that gcd (e, φ)=1, e is open;Calculating meets the most whole of ed ≡ 1 (mod φ)
Number d, 1 < d < φ;PKI is that (n, e), private key is d;
Step 22: client with the private key of oneself to select authorization code, with the PKI of server end
All of authorization code is encrypted;We are to tell about public affairs with server end PKI to authorization code encryption
Key ciphering process;Obtain server end trusted public keys (n, e);And message table is shown as interval
Integer m in [0, n-1];Calculate ciphertext c, ciphertext c is sent to server;With private key pair
The process of selected authorization code encryption is same as described above.
Method the most according to claim 1, it is characterised in that described step 3 is concrete
Method is as follows:
Checking authorization code;After server end receives the encrypted authorization code that client sends over, first
First will encrypt file decryption with the PKI of client and oneself private key, obtain that user selectes awards
Weighted code and mandate code character, server is by the authorization code of user and authorizes code character comparison one by one, if
Comparison success then application authorization code success, if comparison failure, notifies that user applies for authorizing again
Code.
Method the most according to claim 1, it is characterised in that described step 5 is concrete
Method is as follows:
The authorization code deposited in data base is taken out, decrypts mandate code character;With client's offer
If authorization code and mandate code character comparison comparison one by one success, authorize and pass through, if comparison failure
Then prompting user re-enters authorization code;The authorization code of three input errors of user, then cancel visitor
The mandate qualification at family, and client is locked, only by a Successful login of client
Client can be unlocked.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310535751.9A CN103780600B (en) | 2013-11-01 | 2013-11-01 | RSA public key cryptography based off-line electric power transaction information system authorization method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201310535751.9A CN103780600B (en) | 2013-11-01 | 2013-11-01 | RSA public key cryptography based off-line electric power transaction information system authorization method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103780600A CN103780600A (en) | 2014-05-07 |
| CN103780600B true CN103780600B (en) | 2017-01-11 |
Family
ID=50572430
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201310535751.9A Expired - Fee Related CN103780600B (en) | 2013-11-01 | 2013-11-01 | RSA public key cryptography based off-line electric power transaction information system authorization method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN103780600B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106487740A (en) * | 2015-08-24 | 2017-03-08 | 湖南大学 | A kind of file secure transmission method based on ICMP agreement |
| CN112463721A (en) * | 2020-12-18 | 2021-03-09 | 中国计量大学上虞高等研究院有限公司 | High-reliability offline protection system and configuration method of embedded SoC software |
| CN113676316B (en) * | 2021-07-06 | 2024-03-22 | 惠州市德赛西威汽车电子股份有限公司 | Method for opening debugging tool of vehicle system based on website access mode |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7522723B1 (en) * | 2008-05-29 | 2009-04-21 | Cheman Shaik | Password self encryption method and system and encryption by keys generated from personal secret information |
| CN101682507A (en) * | 2007-06-15 | 2010-03-24 | 索尼爱立信移动通讯有限公司 | Generation of device dependant rsa key |
| CN102136909A (en) * | 2010-01-25 | 2011-07-27 | 索尼公司 | Equipment authentication system and power supply control method |
-
2013
- 2013-11-01 CN CN201310535751.9A patent/CN103780600B/en not_active Expired - Fee Related
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101682507A (en) * | 2007-06-15 | 2010-03-24 | 索尼爱立信移动通讯有限公司 | Generation of device dependant rsa key |
| US7522723B1 (en) * | 2008-05-29 | 2009-04-21 | Cheman Shaik | Password self encryption method and system and encryption by keys generated from personal secret information |
| CN102136909A (en) * | 2010-01-25 | 2011-07-27 | 索尼公司 | Equipment authentication system and power supply control method |
Non-Patent Citations (1)
| Title |
|---|
| 《电力市场运营系统的安全分析与防护策略》;曹连军,王文等;《电网技术》;20050512;全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN103780600A (en) | 2014-05-07 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3219049B1 (en) | Account recovery protocol | |
| CN102664885B (en) | Identity authentication method based on biological feature encryption and homomorphic algorithm | |
| JP5710439B2 (en) | Template delivery type cancelable biometric authentication system and method | |
| EP2304636A1 (en) | Mobile device assisted secure computer network communications | |
| CN111159684B (en) | Safety protection system and method based on browser | |
| EP2140605A1 (en) | Secure electronic messaging system requiring key retrieval for deriving decryption key | |
| CN106664209B (en) | The method and system of generation and the management of secret cryptographic key based on password | |
| EP3513539B1 (en) | User sign-in and authentication without passwords | |
| KR102011043B1 (en) | Method for digital signature based on quantum key distribution and system performing the same | |
| Tsai et al. | A chaotic map‐based anonymous multi‐server authenticated key agreement protocol using smart card | |
| EP3752940A1 (en) | Updating biometric template protection keys | |
| EP4072064A1 (en) | Electronic signature system and tamper-resistant device | |
| CN106059764A (en) | Password and fingerprint third-party authentication method based on halting key derivation function | |
| CN103780600B (en) | RSA public key cryptography based off-line electric power transaction information system authorization method | |
| CZ2013373A3 (en) | Authentication method of safe data channel | |
| US20140250499A1 (en) | Password based security method, systems and devices | |
| KR101206854B1 (en) | Authentication system and method based by unique identifier | |
| CN112530053B (en) | Control method and system of intelligent lock, lock equipment, server and storage medium | |
| KR102053993B1 (en) | Method for Authenticating by using Certificate | |
| TW201901508A (en) | Authentication method for login capable of enhancing data security and protection of user privacies | |
| JP2021111925A (en) | Electronic signature system | |
| JP2021050556A (en) | Authentication system | |
| KR101617875B1 (en) | authentication method for service of providing electronic documents, method and system for service of providing electronic documents | |
| Xu et al. | Qrtoken: Unifying authentication framework to protect user online identity | |
| CN110519223B (en) | Anti-quantum computing data isolation method and system based on asymmetric key pair |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20170111 Termination date: 20181101 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |