CN104735064A - Safety revocation and updating method for identification in identification password system - Google Patents

Publication number
CN104735064A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510113398.4A
Other languages
Chinese (zh)
Other versions
CN104735064B (en)
Inventor
程朝辉
但波
吴福印
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Ao Lian Information Security Technology Co Ltd
Original Assignee
Shenzhen Ao Lian Information Security Technology Co Ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses a method for secure revocation and update of identities in an identity-based cryptosystem, achieving immediate and secure identity revocation and update. The method is carried out through communication among computer terminal A, computer terminal B, server C and computer K (a key generation center), where terminals A and B communicate securely using identity-based cryptography. Terminal A sends an identity update request to server C; server C updates ID_A and sends the updated identity to computer K; computer K generates the corresponding PRK_A' and sends it to server C; server C sends ID_A' and PRK_A' to terminal A. Server C generates an update history list of all updated IDs, generates the auxiliary data that terminals A and B need to verify the authenticity of the update history list, and combines the update history list and the auxiliary data into one list. Terminal B obtains the updated value of ID_A from server C, generates key data and sends it to terminal A; terminal A decrypts it or performs key exchange and sends key data to terminal B; terminal B decrypts it or performs key exchange. With this method, identities in an identity-based cryptosystem can be updated promptly, which ensures the security of the cryptographic application system.

Description

A method for secure revocation and update of identities in an identity-based cryptosystem
Technical field
The present invention relates to data security in computer communication, and in particular to protecting data with identity-based cryptography.
Background
In secure network communication, the two most important problems to solve are user authentication (proving the identities of the communicating parties) and data confidentiality (ensuring that data is not obtained by unauthorized parties). Both rely on cryptographic techniques. Asymmetric cryptography has important applications because the two parties need no shared secret before communicating and because it supports digital signatures. However, traditional certificate-based public-key systems face many problems in practice; in particular, the complexity of using certificates makes them hard to handle for ordinary users without the relevant knowledge. Identity-based cryptography effectively reduces the complexity of key management and use in a public-key system and has a significant advantage in applications with very large numbers of users.
In an identity-based cryptosystem, the user's identity serves as the user's public key (more precisely, the user's public key can be computed by a specified method from the user's identity and the public system parameters). Users therefore do not need to apply for or exchange certificates, which greatly simplifies the management of the cryptosystem. The user's private key is computed by a trusted third party in the system (the key generation center) using an identity private key generation algorithm. Such a system has an inherent cryptographic delegation capability and is well suited to the many application environments that require such delegation.
However, identity-based cryptosystems also face a significant challenge in practice. They use the user's identity within the application system as the public key: in a mail system the user's email address, in a mobile communication system the user's mobile phone number. During use, the private key corresponding to a user's identity may be leaked. To keep the user's data secure, the user must replace the key when the private key is leaked. Because of the nature of identity-based cryptography, replacing the key means that the user's identity must change. User identities are relatively fixed in an application, however: the email address or phone number a user gives to external contacts is hard to change. An identity-based cryptography application must solve this problem effectively. The usual approach is to append a validity period to the user's identity, forming the encryption identity that the cryptosystem actually uses. This approach has three shortcomings: 1) it requires the clocks of all users to be roughly synchronized; 2) after an identity expires, every user must obtain a private key for the new time period; 3) if a user's key is lost within a time period, the security of that user's data for the rest of the period cannot be protected. The present invention proposes a method for secure revocation and update of identities in an identity-based cryptosystem that solves these problems.
Summary of the invention
The present invention proposes a method for secure revocation and update of identities in an identity-based cryptosystem that achieves immediate identity updates, thereby ensuring the security of the cryptographic application system.
To achieve this purpose, a method for secure revocation and update of identities in an identity-based cryptosystem is disclosed.
The technical solution adopted by the invention is a method for secure revocation and update of identities in an identity-based cryptosystem. The method is carried out through communication among two terminals A and B, which communicate securely using identity-based cryptography; a server C, which has an identity revocation and identity update publication module; and a computer K, which has an identity key generation module. Terminals A and B each hold an identity-based cryptography security application module, the identity system parameters and an identity private key. Server C holds an identity management module that handles identity revocation requests and publishes identity update lists, a digital signature module and an identity update data store. Computer K holds a module that generates identity private keys, the identity system parameters and the identity master private key. Secure identity revocation and update, together with the use of identity-based cryptography for data encryption, signing or key exchange, comprises the following steps carried out by these modules:
Step 1. While terminal A is using the private key PRK_A corresponding to its identity ID_A for secure data communication, PRK_A is leaked; terminal A then sends an identity update request to server C.
Step 2. After server C receives the identity update request of step 1, its identity management module verifies that terminal A really owns ID_A, then updates the ID corresponding to ID_A, setting the updated value of ID_A to ID_A', and stores it in the identity update data store.
Step 3. The identity management module of server C sends computer K a request to generate an identity private key; the private key generation module of computer K generates the identity private key PRK_A' corresponding to ID_A' according to the agreed identity private key generation algorithm.
Step 4. The private key generation module of computer K uses the identity system parameters and the identity master private key it holds to compute the identity private key PRK_A' of ID_A' according to the agreed identity private key generation algorithm, and returns it to server C. Server C securely distributes ID_A' and PRK_A' to terminal A. The identity management module of server C generates, in a defined format, the update history list ID_UPDATE_HISTORY of all IDs in the system that have been updated, and generates the auxiliary data ID_UPDATE_AUTH that terminals A and B need in order to verify the authenticity of ID_UPDATE_HISTORY. The identity management module then encodes ID_UPDATE_HISTORY and ID_UPDATE_AUTH according to a fixed rule and merges them into the list ID_UPDATE_LIST.
Step 5. When terminal B needs to communicate in encrypted form with terminal A, which owns ID_A, it first obtains the updated ID information for ID_A from server C, either by fetching ID_UPDATE_LIST from server C or by querying server C directly for the updated value ID_A' of ID_A.
Step 6. On receiving terminal B's request for ID_UPDATE_LIST, the identity management module of server C sends ID_UPDATE_LIST to terminal B. The security application module of terminal B separates ID_UPDATE_HISTORY and ID_UPDATE_AUTH from ID_UPDATE_LIST, verifies the authenticity of ID_UPDATE_HISTORY by the predetermined method, and obtains the latest ID_A' from the authentic ID_UPDATE_HISTORY list. Alternatively, on receiving terminal B's query for the updated value of ID_A, server C looks up the updated value ID_A' of ID_A in its identity update data store and sends it securely to terminal B.
Step 7. After terminal B has obtained the updated value ID_A' of ID_A through server C, its security application module uses ID_A' and the identity system parameters to encrypt data with the agreed identity-based encryption algorithm, or to generate key exchange protocol data with the agreed key exchange protocol, and sends the result to terminal A. The security application module of terminal A uses PRK_A' to decrypt the data with the agreed identity-based decryption algorithm, or to carry out the key exchange protocol operation.
Step 8. After terminal A has obtained the updated value ID_A' of ID_A and PRK_A' through server C, its security application module uses PRK_A' and the identity system parameters to generate signature data with the agreed identity-based signature algorithm, or key exchange protocol data with the agreed key exchange protocol, and sends it to terminal B. The security application module of terminal B checks in ID_UPDATE_HISTORY whether ID_A' is the latest updated ID value of ID_A. If it is, the module uses ID_A' to verify the signature data with the agreed identity-based signature verification algorithm, or to carry out the key exchange protocol operation. If it is not, the module performs an appropriate security action such as terminating or raising an alarm.
The beneficial effect of the invention is that the method for secure revocation and update of identities achieves immediate identity updates in an identity-based cryptosystem, thereby ensuring the security of the cryptographic application system.
The invention is described below with reference to the accompanying drawings.
Figure 1 is a logic diagram of embodiment 1 of the invention.
Figure 2 is a logic diagram of embodiment 2 of the invention.
Embodiments
Referring to the drawings, the invention is a method for secure revocation and update of identities in an identity-based cryptosystem. The method is carried out through communication among two terminals A and B, which communicate securely using identity-based cryptography; a server C, which has an identity management module and a digital signature module supporting identity revocation and identity update publication; and a computer K, which has an identity key generation module. Terminals A and B each hold an identity-based cryptography security application module, the identity system parameters and an identity private key. Server C holds an identity management module that handles identity revocation requests and publishes identity update lists, a digital signature module and an identity update data store. Computer K holds a module that generates identity private keys, the identity system parameters and the identity master private key. Secure identity revocation and update, together with the use of identity-based cryptography for data encryption, signing or key exchange, comprises the following steps carried out by these modules:
Step 1. While terminal A is using the private key PRK_A corresponding to its identity ID_A for secure data communication, PRK_A is leaked; terminal A then sends an identity update request to server C.
Step 2. After server C receives the identity update request of step 1, its identity management module verifies that terminal A really owns ID_A, then updates the ID corresponding to ID_A, setting the updated value of ID_A to ID_A', and stores it in the identity update data store.
Step 3. The identity management module of server C sends computer K a request to generate an identity private key; the private key generation module of computer K generates the identity private key PRK_A' corresponding to ID_A' according to the agreed identity private key generation algorithm.
Step 4. The private key generation module of computer K uses the identity system parameters and the identity master private key it holds to compute the identity private key PRK_A' of ID_A' according to the agreed identity private key generation algorithm, and returns it to server C. Server C securely distributes ID_A' and PRK_A' to terminal A. The identity management module of server C generates, in a defined format, the update history list ID_UPDATE_HISTORY of all IDs in the system that have been updated, and generates the auxiliary data ID_UPDATE_AUTH that terminals A and B need in order to verify the authenticity of ID_UPDATE_HISTORY. The identity management module then encodes ID_UPDATE_HISTORY and ID_UPDATE_AUTH according to a fixed rule and merges them into the list ID_UPDATE_LIST.
Step 5. When terminal B needs to communicate in encrypted form with terminal A, which owns ID_A, it first obtains the updated ID information for ID_A from server C, either by fetching ID_UPDATE_LIST from server C or by querying server C directly for the updated value ID_A' of ID_A.
Step 6. On receiving terminal B's request for ID_UPDATE_LIST, the identity management module of server C sends ID_UPDATE_LIST to terminal B. The security application module of terminal B separates ID_UPDATE_HISTORY and ID_UPDATE_AUTH from ID_UPDATE_LIST, verifies the authenticity of ID_UPDATE_HISTORY by the predetermined method, and obtains the latest ID_A' from the authentic ID_UPDATE_HISTORY list. Alternatively, on receiving terminal B's query for the updated value of ID_A, server C looks up the updated value ID_A' of ID_A in its identity update data store and sends it securely to terminal B.
Step 7. After terminal B has obtained the updated value ID_A' of ID_A through server C, its security application module uses ID_A' and the identity system parameters to encrypt data with the agreed identity-based encryption algorithm, or to generate key exchange protocol data with the agreed key exchange protocol, and sends the result to terminal A. The security application module of terminal A uses PRK_A' to decrypt the data with the agreed identity-based decryption algorithm, or to carry out the key exchange protocol operation.
Step 8. After terminal A has obtained the updated value ID_A' of ID_A and PRK_A' through server C, its security application module uses PRK_A' and the identity system parameters to generate signature data with the agreed identity-based signature algorithm, or key exchange protocol data with the agreed key exchange protocol, and sends it to terminal B. The security application module of terminal B checks in ID_UPDATE_HISTORY whether ID_A' is the latest updated ID value of ID_A. If it is, the module uses ID_A' to verify the signature data with the agreed identity-based signature verification algorithm, or to carry out the key exchange protocol operation. If it is not, the module performs an appropriate security action such as terminating or raising an alarm.
Embodiments of the invention may also be as follows.
Terminal A, terminal B, server C and computer K carry out secure identity revocation and update and the identity-based cryptography application using the following steps: after server C has securely distributed ID_A' and PRK_A' to terminal A in step 4, proceed to step 9.
Step 9. After terminal A has obtained the updated value ID_A' of ID_A and PRK_A', its security application module uses PRK_A' and the identity system parameters to generate signature data with the agreed identity-based signature algorithm, or key exchange protocol data with the agreed key exchange protocol, and sends it to terminal B together with the ID value ID_A' it used. After receiving the data and extracting ID_A', the security application module of terminal B queries its locally stored list of updated values for ID_A and checks whether the received ID_A' is older than the locally stored ID_A'. If it is, terminal B performs an appropriate security action such as terminating or raising an alarm. If it is not, terminal B uses ID_A' to verify the signature data with the agreed identity-based signature verification algorithm, or to carry out the key exchange protocol operation; if the signature verification or the key exchange succeeds and the received ID_A' is newer than the locally stored one, terminal B replaces the locally stored updated ID of ID_A with ID_A';
Step 10. The security application module of terminal B looks up the locally stored updated value ID_A' of ID_A, uses ID_A' and the identity system parameters to encrypt data with the agreed identity-based encryption algorithm or to generate key exchange protocol data, and sends the result to terminal A. Terminal A uses PRK_A' to decrypt the data with the agreed identity-based decryption algorithm, or to carry out the key exchange.
In an embodiment of the invention, the updated ID value ID_A' of ID_A in step 2 is constructed as follows. Either each ID_A has a one-way counter CNT_A, whose initial value is, for example, 1 and which is incremented by 1 on every update, and the updated ID value after each update is ID_A||CNT_A; or each update of ID_A has a timer TIME_A, which corresponds to the standard time of the current update request, and the updated ID value after each update is ID_A||TIME_A. Here ID_A||CNT_A or ID_A||TIME_A means that ID_A is concatenated with CNT_A or TIME_A in some way: if they are character strings, string concatenation can be used; if they are bit strings, bit-string concatenation can be used. The requirement on the operation is that ID_A and CNT_A or TIME_A can be recovered correctly and unambiguously from the concatenated value, or that the concatenated value is guaranteed to be unique provided that the ID_A value is unique.
In an embodiment of the invention, when the update history list ID_UPDATE_HISTORY of all updated IDs in the system is generated in a defined format in step 4, the list contains at least the generation time of ID_UPDATE_HISTORY, each updated ID, the time of each update of that ID, and the updated ID value of each update. In step 6, the ID_A' with the largest counter CNT_A or the most recent timer TIME_A in the authentic ID_UPDATE_HISTORY list is taken as the latest ID_A'. In step 8, terminal B checks whether the CNT_A of ID_A' is the largest, or its TIME_A the most recent, in ID_UPDATE_HISTORY, and thereby decides whether ID_A' is the latest updated ID value of ID_A. In step 9, each time terminal B obtains an ID_A', it checks whether the CNT_A in ID_A' is smaller than the locally stored CNT_A, or its TIME_A older than the locally stored TIME_A, to decide whether the received ID_A' is older than the locally stored ID_A'.
In an embodiment of the invention, the auxiliary data ID_UPDATE_AUTH of step 4, with which terminals A and B verify the authenticity of ID_UPDATE_HISTORY, is generated as follows. Server C treats the update history list ID_UPDATE_HISTORY as a new ID and asks computer K to generate the corresponding identity private key PRK_LIST according to the agreed identity private key generation algorithm. Computer K uses the identity system parameters and the identity master private key it holds to compute the identity private key PRK_LIST corresponding to ID_UPDATE_HISTORY according to the agreed identity private key generation algorithm, and returns it to server C. Server C publishes PRK_LIST in ID_UPDATE_LIST as ID_UPDATE_AUTH. In step 6, terminal B separates ID_UPDATE_HISTORY and PRK_LIST from ID_UPDATE_LIST, and its security application module uses the identity system parameters to verify, according to the agreed identity private key generation algorithm, whether PRK_LIST really is the private key corresponding to ID_UPDATE_HISTORY. If the verification succeeds, ID_UPDATE_HISTORY is considered an authentic list.
In an embodiment of the invention, the auxiliary data ID_UPDATE_AUTH of step 4, with which terminals A and B verify the authenticity of ID_UPDATE_HISTORY, is generated as follows. The digital signature module of server C signs ID_UPDATE_HISTORY with the private key corresponding to a digital certificate whose validity terminals A and B can verify, and publishes the digital signature value in ID_UPDATE_LIST as ID_UPDATE_AUTH. In step 6, terminal B separates ID_UPDATE_HISTORY and the digital signature value from ID_UPDATE_LIST and uses the agreed digital signature verification algorithm to check whether the digital signature value is a genuine signature of ID_UPDATE_HISTORY. If the verification succeeds, ID_UPDATE_HISTORY is considered an authentic list.
In an embodiment of the invention, the auxiliary data ID_UPDATE_AUTH of step 4, with which terminals A and B verify the authenticity of ID_UPDATE_HISTORY, is generated as follows. The digital signature module of server C uses the private key corresponding to a specific identity ID_S agreed among terminal A, terminal B and server C, together with the identity system parameters, to sign ID_UPDATE_HISTORY with the agreed identity-based signature algorithm, and publishes the digital signature value in ID_UPDATE_LIST as ID_UPDATE_AUTH. In step 6, terminal B separates ID_UPDATE_HISTORY and the digital signature value from ID_UPDATE_LIST and uses the agreed identity ID_S and the identity system parameters to check, according to the agreed identity-based signature verification algorithm, whether the digital signature value is a genuine signature of ID_UPDATE_HISTORY. If the verification succeeds, ID_UPDATE_HISTORY is considered an authentic list.
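The list handling of steps 4, 6, 8 and 9 with the counter form ID_A||CNT_A, as an added Python example that is not the patent's own code. The `#cnt=` marker, the JSON layout, the length-prefixed ID_UPDATE_LIST encoding and all function names are assumptions, and HMAC-SHA256 under a constructed demo key stands in for the certificate-based or identity-based signature that produces ID_UPDATE_AUTH (terminals in a real deployment would verify a public-key signature and hold no signing secret).

```python
import hashlib
import hmac
import json
import struct

MARK = "#cnt="  # assumed separator; the text only requires an unambiguous split


def encode_updated_id(base_id: str, cnt: int) -> str:
    """Build ID_A' = ID_A || CNT_A."""
    if cnt < 1:
        raise ValueError("CNT_A starts at 1")
    return f"{base_id}{MARK}{cnt}"


def decode_updated_id(updated_id: str) -> tuple:
    """Split at the last marker. The counter must be canonical ASCII digits,
    so 'x#cnt=02' cannot alias 'x#cnt=2' and a marker inside ID_A is harmless."""
    base_id, mark, cnt = updated_id.rpartition(MARK)
    if (not mark or not (cnt.isascii() and cnt.isdigit())
            or str(int(cnt)) != cnt or int(cnt) < 1):
        raise ValueError(f"not a canonical updated ID: {updated_id!r}")
    return base_id, int(cnt)


class UpdateServer:
    """Server C: one monotonic counter per identity plus the published list."""

    def __init__(self, auth_key: bytes):
        self.auth_key = auth_key
        self.counters = {}   # ID_A -> current CNT_A
        self.updates = {}    # ID_A -> [{"id": ID_A', "time": update time}, ...]

    def update(self, base_id: str, now: int) -> str:
        """Step 2: issue ID_A'. The ownership check and the request to K are omitted."""
        cnt = self.counters.get(base_id, 1) + 1  # initial value 1, +1 per update
        self.counters[base_id] = cnt
        new_id = encode_updated_id(base_id, cnt)
        self.updates.setdefault(base_id, []).append({"id": new_id, "time": now})
        return new_id

    def publish(self, now: int) -> bytes:
        """Step 4: ID_UPDATE_LIST = len(HISTORY) || HISTORY || AUTH."""
        history = json.dumps({"generated": now, "updates": self.updates},
                             sort_keys=True, separators=(",", ":")).encode()
        auth = hmac.new(self.auth_key, history, hashlib.sha256).digest()
        return struct.pack(">I", len(history)) + history + auth


def open_update_list(blob: bytes, auth_key: bytes) -> dict:
    """Step 6: split the list, authenticate HISTORY, and only then parse it."""
    if len(blob) < 4:
        raise ValueError("truncated ID_UPDATE_LIST")
    (n,) = struct.unpack(">I", blob[:4])
    history, auth = blob[4:4 + n], blob[4 + n:]
    expected = hmac.new(auth_key, history, hashlib.sha256).digest()
    if len(history) != n or not hmac.compare_digest(auth, expected):
        raise ValueError("ID_UPDATE_HISTORY failed authentication")
    return json.loads(history)


def latest_id(history: dict, base_id: str):
    """Step 6: the latest ID_A' is the entry with the largest CNT_A (None if absent)."""
    ids = [e["id"] for e in history["updates"].get(base_id, [])]
    return max(ids, key=lambda i: decode_updated_id(i)[1]) if ids else None


def is_current(history: dict, presented_id: str) -> bool:
    """Step 8: accept a peer's ID_A' only if it is the newest one listed."""
    base_id, _ = decode_updated_id(presented_id)
    return presented_id == latest_id(history, base_id)


def not_older_than_cache(cache: dict, presented_id: str) -> bool:
    """Step 9: without a fresh list, reject an ID_A' older than the cached one."""
    base_id, cnt = decode_updated_id(presented_id)
    return cnt >= cache.get(base_id, 0)


def remember(cache: dict, presented_id: str) -> None:
    """Step 9: call only after signature verification or key exchange succeeded."""
    base_id, cnt = decode_updated_id(presented_id)
    cache[base_id] = max(cnt, cache.get(base_id, 0))


def demo() -> dict:
    key = b"constructed-demo-key"                        # constructed sample value
    server = UpdateServer(key)
    old = server.update("alice@example.com", now=1000)   # constructed identity
    new = server.update("alice@example.com", now=2000)
    history = open_update_list(server.publish(now=2001), key)
    cache = {}
    remember(cache, new)
    return {"old": old, "new": new,
            "latest": latest_id(history, "alice@example.com"),
            "old_accepted": is_current(history, old),
            "new_accepted": is_current(history, new),
            "old_passes_cache": not_older_than_cache(cache, old)}
```

Authenticating ID_UPDATE_HISTORY before parsing it, and rejecting non-canonical counters, are the two checks that keep a revoked ID_A' from being replayed to terminal B.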

Claims (7)

1. in an id password system, mark safety is cancelled and the method upgraded, the method is by means of two terminal A and B adopting id password system to be encrypted secure communication, with supporting that mark cancels the server C of identity management module and the Digital Signature module issued with identification renewal, support that the communication between the computer K of tagged keys generation module realizes, it is characterized in that: terminal A, supporting id password Secure Application Module is also provided with in B, tag system parameter and identity private key, the identity management module that management mark cancels request and distribution indicator renewal list is also provided with in server C, Digital Signature module and identification renewal data storage, the module supporting identity private key systematic function is also provided with in computer K, tag system parameter and the main private key of mark, cancel in realization mark safety and to upgrade and id password safety applications is carried out in the process of data encryption or signature or cipher key change, comprise the following steps in modules implementation:
The private key PRK_A that step 1., terminal A application identities ID_A is corresponding carries out in data security communication process, and after revealing private key PRK_A, terminal A initiates identification renewal request to server C;
Step 2., after the identification renewal request (1) of server C receiving step, server C manage mark cancel request and distribution indicator renewal list identity management module verification terminal A really have ID_A after, upgrade the ID that ID_A is corresponding, be ID_A' by ID_A updated value, and be stored in identification renewal memory;
Step 3., server C management mark cancels request and distribution indicator upgrades the identity management module of list to the request of computer K initiation generating identification private key, computer K supports that the module of identity private key systematic function is according to the identity private key generating algorithm of agreement, generates the identity private key PRK_A' of corresponding ID_A';
Step 4., computer K supports that the tag system parameter that the module of identity private key systematic function uses it to have and the main private key of mark calculate the identity private key PRK_A' of ID_A' according to the identity private key generating algorithm of agreement and return to server C, ID_A' and PRK_A' secure distribution is delivered to terminal A by server C, server C manages mark and cancels the identity management module of request and distribution indicator renewal list according to renewal history list ID_UPDATE_HISTORY having upgraded ID all in certain format generation system, and generate the auxiliary data ID_UPDATE_AUTH that need be verified ID_UPDATE_HISTORY authenticity by terminal A and terminal B, server C manages after ID_UPDATE_HISTORY and ID_UPDATE_AUTH regularly encodes by the identity management module identifying the request cancelled and distribution indicator renewal list and merges into list ID_UPDATE_LIST,
Step 5., terminal B need with the terminal A having ID_A be encrypted communicate time, first obtain the id information of the renewal of ID_A to server C, its mode obtaining the id information upgraded comprises: obtain ID_UPDATE_LIST to server C or directly inquire about the renewal ID_A' value obtaining ID_A to C;
Step 6., server C is after the request receiving terminal B acquisition ID_UPDATE_LIST, server C manages mark and cancels the identity management module transmission ID_UPDATE_LIST of request and distribution indicator renewal list to terminal B, terminal B id password Secure Application Module is after acquisition ID_UPDATE_LIST, isolate ID_UPDATE_HISTORY and ID_UPDATE_AUTH, and according to the authenticity of predetermined method validation ID_UPDATE_HISTORY, up-to-date ID_A' is obtained from true ID_UPDATE_HISTORY list, or server C is receiving when terminal B inquires about the updated value of ID_A after request, inquire about it be stored in the ID_A updated value ID_A' in identification renewal data storage and send to terminal B safely,
Step 7., terminal B obtains after updated value ID_A' corresponding to ID_A through server C, id password Secure Application Module in terminal B uses ID_A' and tag system parameter to generate IKE data according to the mark encryption algorithm for encryption data of arranging or key key exchange agreement and is sent to terminal A, and terminal A id password Secure Application Module uses PRK_A' according to the mark decipherment algorithm data decryption of agreement or carries out IKE operation;
Step 8. after terminal A has obtained through server C the updated value ID_A' corresponding to ID_A and the private key PRK_A', the identity-based cryptography security application module in terminal A uses PRK_A' and the identity system parameters to generate signature data according to the agreed identity-based signature algorithm, or key exchange data according to the agreed key exchange protocol, and sends the data to terminal B; the identity-based cryptography security application module in terminal B checks in ID_UPDATE_HISTORY whether ID_A' is the latest updated ID value of ID_A; if so, the module in terminal B uses ID_A' to verify the signature data according to the agreed identity-based signature verification algorithm, or to carry out the key exchange operation according to the key exchange protocol; if not, it performs a corresponding security action such as terminating or raising an alarm.
2. The method for secure revocation and update of identifiers in an identity-based cryptosystem according to claim 1, characterized in that terminal A, terminal B, server C and computer K use the following steps in the process of secure identifier revocation and update and of identity-based cryptography security application: after server C has securely distributed ID_A' and PRK_A' to terminal A in step 4, the method proceeds to step 9;
Step 9. after terminal A has obtained the updated value ID_A' corresponding to ID_A and the private key PRK_A', the identity-based cryptography security application module in terminal A uses PRK_A' and the identity system parameters to generate signature data according to the agreed identity-based signature algorithm, or key exchange data according to the agreed key exchange protocol, and sends the data, together with the identifier value ID_A' in use, to terminal B; after receiving the data and obtaining ID_A', the identity-based cryptography security application module of terminal B looks up the locally stored list of updated values corresponding to ID_A and checks whether the obtained ID_A' is older than the locally stored ID_A'; if so, it performs a corresponding security action such as terminating or raising an alarm; if not, it uses ID_A' to verify the signature data according to the agreed identity-based signature verification algorithm, or to carry out the key exchange operation according to the key exchange protocol; if the signature verification or the key exchange succeeds and the obtained ID_A' is newer than the locally stored one, it uses ID_A' to update the locally stored updated identifier of ID_A;
Step 10. after the identity-based cryptography security application module of terminal B has looked up the locally stored updated value ID_A' corresponding to ID_A, it uses ID_A' and the identity system parameters to encrypt data according to the agreed identity-based encryption algorithm, or to generate key exchange data, and sends the result to terminal A; terminal A uses PRK_A' to decrypt the data according to the agreed identity-based decryption algorithm or to carry out the key exchange.
3. The method for secure revocation and update of identifiers in an identity-based cryptosystem according to claim 1, characterized in that the updated ID value ID_A' corresponding to ID_A is constructed as follows: ID_A has a one-way counter CNT_A for its updates, the counter having, for example, an initial value of 1 and being incremented by 1 on each update, and the updated ID value after each update of ID_A is ID_A||CNT_A; or ID_A has a timer TIME_A for its updates, TIME_A being the standard time of the current update request, and the updated ID value after each update of ID_A is ID_A||TIME_A; where ID_A||CNT_A or ID_A||TIME_A denotes splicing ID_A with the value of CNT_A or TIME_A in some manner: if they are character strings, the splicing may be string concatenation; if ID_A and CNT_A or TIME_A are bit strings, it may be bit-string concatenation; the requirement on the operation is that ID_A and CNT_A or TIME_A can be recovered correctly and unambiguously from the spliced result, or that the spliced result is guaranteed to be unique provided that the ID_A value is unique.
4. The method for secure revocation and update of identifiers in an identity-based cryptosystem according to claim 1, characterized in that: in step 4, when the update history list ID_UPDATE_HISTORY of all updated IDs in the system is generated in a certain format, the update history list contains at least the generation time of ID_UPDATE_HISTORY, each updated ID, the time of each update of that ID, and the updated ID value of each update; in step 6, the ID_A' with the largest counter CNT_A or the most recent timer TIME_A is taken from the authentic ID_UPDATE_HISTORY list as the latest ID_A'; in step 8, terminal B checks whether the CNT_A in ID_A' is the largest, or the TIME_A in ID_A' is the most recent, in ID_UPDATE_HISTORY, and thereby determines whether ID_A' is the latest updated ID value of ID_A; in step 9, each time terminal B obtains an ID_A', it checks whether the CNT_A in ID_A' is smaller than the locally stored CNT_A, or whether its TIME_A is older than the locally stored TIME_A, to determine whether the obtained ID_A' is older than the locally stored ID_A'.
5. The method for secure revocation and update of identifiers in an identity-based cryptosystem according to claim 1, characterized in that: in step 4, the auxiliary data ID_UPDATE_AUTH with which terminal A and terminal B verify the authenticity of ID_UPDATE_HISTORY is generated as follows: the update history list ID_UPDATE_HISTORY is submitted to computer K as a new ID, with a request to generate the corresponding identity private key PRK_LIST according to the agreed identity private key generation algorithm; computer K uses the identity system parameters and the identity master private key it holds to compute, according to the agreed identity private key generation algorithm, the identity private key PRK_LIST corresponding to ID_UPDATE_HISTORY and returns it to server C; server C publishes the identity private key PRK_LIST in ID_UPDATE_LIST as ID_UPDATE_AUTH; in step 6, after obtaining ID_UPDATE_LIST, terminal B separates ID_UPDATE_HISTORY and PRK_LIST, and its identity-based cryptography security application module uses the identity system parameters to verify, according to the agreed identity private key generation algorithm, whether PRK_LIST really is the private key corresponding to ID_UPDATE_HISTORY; if the verification succeeds, ID_UPDATE_HISTORY is considered an authentic list.
6. The method for secure revocation and update of identifiers in an identity-based cryptosystem according to claim 1, characterized in that: in step 4, the auxiliary data ID_UPDATE_AUTH with which terminal A and terminal B verify the authenticity of ID_UPDATE_HISTORY is generated as follows: the digital signature module of server C digitally signs ID_UPDATE_HISTORY with the private key corresponding to a digital certificate whose validity terminal A and terminal B can verify, and publishes the digital signature value in ID_UPDATE_LIST as ID_UPDATE_AUTH; in step 6, after obtaining ID_UPDATE_LIST, terminal B separates ID_UPDATE_HISTORY and the digital signature value, and uses the agreed digital signature and verification algorithm to verify whether the digital signature value is a genuine signature over ID_UPDATE_HISTORY; if the verification succeeds, ID_UPDATE_HISTORY is considered an authentic list.
7. The method for secure revocation and update of identifiers in an identity-based cryptosystem according to claim 1, characterized in that: in step 4, the auxiliary data ID_UPDATE_AUTH with which terminal A and terminal B verify the authenticity of ID_UPDATE_HISTORY is generated as follows: the digital signature module of server C uses the private key corresponding to a specific identifier ID_S agreed among terminal A, terminal B and server C, together with the identity system parameters, to digitally sign ID_UPDATE_HISTORY with the agreed identity-based signature algorithm, and publishes the digital signature value in ID_UPDATE_LIST as ID_UPDATE_AUTH; in step 6, after obtaining ID_UPDATE_LIST, terminal B separates ID_UPDATE_HISTORY and the digital signature value, and uses the agreed identifier ID_S and the identity system parameters to verify, according to the agreed identity-based signature verification algorithm, whether the digital signature value is a genuine signature over ID_UPDATE_HISTORY; if the verification succeeds, ID_UPDATE_HISTORY is considered an authentic list.
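The following Python sketch is an added example, not part of the patent text: it shows how terminal B could process the update list in steps 6, 8 and 9 using the counter form ID_A||CNT_A of claims 3 and 4. The `|` delimiter, the JSON layout, the sample data and all function names are assumptions, and HMAC-SHA256 with a shared key stands in for the signature of claims 6 and 7, whose concrete algorithm the claims leave to agreement.

```python
import hashlib
import hmac
import json

SEP = "|"           # assumed delimiter for ID_A||CNT_A; base identifiers must not contain it
KEY = b"demo-key"   # constructed key for the HMAC stand-in (a real system verifies a signature)
HISTORY = {"generated": "2015-03-16T00:00:00Z", "entries": [   # constructed sample list
    {"id": "alice@example.com", "updated": "2015-01-10T08:00:00Z", "value": "alice@example.com|1"},
    {"id": "alice@example.com", "updated": "2015-03-01T09:30:00Z", "value": "alice@example.com|2"}]}

def make_updated_id(base_id, cnt):
    """Claim 3: splice ID_A and CNT_A so that both can be recovered unambiguously."""
    if SEP in base_id or cnt < 1:
        raise ValueError("base identifier contains the delimiter or counter < 1")
    return f"{base_id}{SEP}{cnt}"

def parse_updated_id(updated_id):
    base_id, sep, cnt = updated_id.rpartition(SEP)
    if not sep or not base_id or not cnt.isdigit():
        raise ValueError("not of the form ID_A||CNT_A")
    return base_id, int(cnt)

def _tag(body, key):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def build_update_list(history, key):
    """Server C, step 4: encode ID_UPDATE_HISTORY and ID_UPDATE_AUTH into ID_UPDATE_LIST."""
    body = json.dumps(history, sort_keys=True)
    return json.dumps({"history": body, "auth": _tag(body, key)})

def open_update_list(update_list, key):
    """Terminal B, step 6: separate both parts and verify authenticity before any use."""
    outer = json.loads(update_list)
    if not hmac.compare_digest(_tag(outer["history"], key), outer["auth"]):
        raise ValueError("ID_UPDATE_HISTORY failed the authenticity check")
    return json.loads(outer["history"])

def latest_id(history, base_id):
    """Claim 4: the entry with the largest CNT_A is the current ID_A'."""
    parsed = [parse_updated_id(e["value"]) for e in history["entries"]]
    counters = [cnt for base, cnt in parsed if base == base_id]
    return make_updated_id(base_id, max(counters)) if counters else None

def check_presented(history, presented_id):
    """Step 8: accept a presented ID_A' only if it is the latest value in the list."""
    base_id, _ = parse_updated_id(presented_id)
    return latest_id(history, base_id) == presented_id

def accept_without_list(local_store, presented_id, signature_ok):
    """Step 9: no list at hand; refuse anything older than the locally stored counter."""
    base_id, cnt = parse_updated_id(presented_id)
    if cnt < local_store.get(base_id, 0) or not signature_ok:
        return False                  # rollback to a revoked identifier, or bad signature
    local_store[base_id] = cnt        # remember the newest verified counter
    return True
```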
CN201510113398.4A 2015-03-16 2015-03-16 Method for secure revocation and update of identifiers in an identity-based cryptosystem Active CN104735064B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510113398.4A CN104735064B (en) 2015-03-16 2015-03-16 Method for secure revocation and update of identifiers in an identity-based cryptosystem

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510113398.4A CN104735064B (en) 2015-03-16 2015-03-16 Method for secure revocation and update of identifiers in an identity-based cryptosystem

Publications (2)

Publication Number Publication Date
CN104735064A true CN104735064A (en) 2015-06-24
CN104735064B CN104735064B (en) 2018-03-27

Family

ID=53458499

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510113398.4A Active CN104735064B (en) 2015-03-16 2015-03-16 Method for secure revocation and update of identifiers in an identity-based cryptosystem

Country Status (1)

Country Link
CN (1) CN104735064B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant