CN105577370A - Authentication key agreement method applied in client-server environment - Google Patents


Info

Publication number
CN105577370A
Authority
CN
China
Prior art keywords
equipment
aux
parameter
key
cert
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610111129.9A
Other languages
Chinese (zh)
Inventor
赵运磊
李俊全
陈伟东
李尧
徐琳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual
Priority to CN201610111129.9A
Publication of CN105577370A
Legal status: Pending

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 67/00: Network arrangements or protocols for supporting network services or applications
    • H04L 67/01: Protocols
    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L 9/0841: Key agreement involving Diffie-Hellman or related key agreement protocols
    • H04L 9/0844: Key agreement involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV (Menezes-Qu-Vanstone) protocol or Diffie-Hellman protocols using implicitly-certified keys

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides an authenticated key agreement method applied in a client-server environment. The method comprises the following steps: a first device sends the determined X' = A·g^x to a second device, where A = g^a; the second device determines Y' = B·Y^e, where B = g^b, Y = g^y and e = h(Y, aux_h); S is determined from y, b and X'; K_A and K_B are determined from S; C_B = AE(K_B, (I_B, B, CERT_B, Y, Data_B)) is determined with the authenticated encryption AE under K_B; Y' and C_B are sent to the first device; the first device determines S from x, a and Y'; K_A and K_B are determined from S; C_B is decrypted with K_B to obtain CERT_B and Y; if the public key certificate CERT_B and Y' are valid, a session key is determined from the obtained parameters; C_A = AE(K_A, (I_A, A, CERT_A, x, Data_A)) is determined with AE under K_A; C_A is sent to the second device; the second device decrypts C_A with K_A to obtain CERT_A and x; if the public key certificate CERT_A and X' are valid, a session key is determined from the obtained parameters. The first device performs at most 2.5 modular exponentiations and the second device at most 3.5, and the method has excellent application flexibility.

Description

Authenticated key agreement method applied to a client-server environment
Technical field
The present invention relates to the art of cryptography, and specifically to an authenticated key agreement method applied to a client-server environment.
Background
Authenticated key agreement is a core topic of cryptographic theory and practice, and the TLS protocol (Transport Layer Security) is the international standard for the most widely used authenticated key agreement protocol today. The current released version of TLS is TLS 1.2, which has been standardized and deployed for many years. To meet the new challenges and new demands of network security, the IETF standards organization is currently drafting the TLS 1.3 standard.
The TLS 1.3 key agreement protocol currently runs roughly as follows:
First flow: the first user (client) sends the parameter X = g^x to the second user, where g is the generator of the cyclic subgroup G of the finite group G' and x is the first user's DH exponent;
Second flow: the second user (server) sends the parameter Y = g^y to the first user; the second user also computes K = X^y and C_B = AE(K, (I_B, B, CERT_B, Finish_B)), where B = g^b and Finish_B = KDF(X^b, H(X, Y)); the second user sends (Y, C_B) to the first user.
Third flow: the first user computes K = Y^x and C_A = AE(K, (I_A, A, CERT_A, Sig_A, Finish_A)), where Sig_A is the first user's digital signature with its private key on (X, Y, C_B) and Finish_A = KDF(B^x, H(X, Y, C_B)). The first user sends C_A to user B and runs KDF(X^y, X^b); the second user checks the validity of the signature Sig_A and also runs KDF(X^y, X^b) to derive the session key.
The main computational unit of cryptographic algorithms is modular exponentiation. The international digital signature standard DSA needs 1 modular exponentiation for signature generation and 2 for signature verification. For the above TLS 1.3 protocol based on DSA signatures, the second user (server) must run 4.5 modular exponentiations in total and the first user (client) 4 in total. This makes TLS 1.3 hard to deploy and apply on computation-bound devices (such as mobile phones, smart cards and other mobile devices).
Therefore, against the background of the large-scale spread and application of the mobile Internet, a novel and more efficient authenticated key agreement method applied to the client-server environment is urgently needed.
Summary of the invention
To solve the above problem, the invention provides an authenticated key agreement method applied to a client-server environment, the method comprising:
The first device, from its generated DH exponent x and its public key A = g^a, determines the first parameter X' = A·g^x ∈ G or X' = A^x ∈ G, and sends the first parameter X' and the first auxiliary information aux_A to the second device, where g is a generator of the cyclic subgroup G of order q of the finite group G', x ∈ Z_q, A ∈ G, a ∈ Z_q is the private key of the first device, and aux_A may be an empty data set;
The second device, from its generated DH exponent y ∈ Z_q, its public key B = g^b ∈ G and the second auxiliary information aux_B (which may be an empty data set), where b ∈ Z_q is the private key of the second device, together with the received first parameter X' and first auxiliary information aux_A, determines the second parameter Y' = B·Y^e ∈ G or Y' = B^e·Y ∈ G, where Y = g^y ∈ G, y ∈ Z_q, e = h(Y = g^y, aux_h), h is a hash function with L_h-bit output, 1 ≤ L_h ≤ |q|, |q| denotes the binary length of q, and aux_h ⊆ aux_A ∪ aux_B ∪ {X', I_B, B, CERT_B, I_A, A, CERT_A} ∪ Data_B. The second device, from (b, y), the second auxiliary information aux_B, and the received first parameter X' and first auxiliary information aux_A, determines the shared secret S; from S and a subset of {X', Y', aux_A, aux_B} it uses a key derivation function KDF to determine the authenticated-encryption keys K_A and K_B of the first and second device, where K_A and K_B may be equal or unequal; the second device uses a symmetric authenticated encryption algorithm AE to compute C_B = AE(K_B, (I_B, B, CERT_B, Y, Data_B)), where CERT_B is the public key certificate of the second device, I_B denotes the identity of the second device, Data_B is other data (possibly empty) that the second device needs to transmit encrypted, CERT_A is the public key certificate of the first device and I_A denotes the identity of the first device; the second device sends the second parameter Y', C_B and aux_B to the first device, and derives the session key;
The first device, from (a, x), the first auxiliary information aux_A, and the received second parameter Y' and second auxiliary information aux_B, determines S; from S and a subset of {X', Y', aux_A, aux_B} it uses the key derivation function KDF to determine the authenticated-encryption keys K_A and K_B of the first and second device, and then decrypts the received C_B with K_B to obtain (I_B, B, CERT_B, Y); the first device verifies the validity of the public key certificate CERT_B and of the second parameter Y'; if the verification fails it stops running, and if it succeeds it computes C_A = AE(K_A, (I_A, A, CERT_A, x, Data_A)), where I_A denotes the identity of the first device, CERT_A is the public key certificate of the first device, and Data_A is other data (possibly empty) that the first device needs to transmit encrypted; the first device sends C_A to the second device and derives the session key;
The second device decrypts the received C_A with K_A to obtain (I_A, A, CERT_A, x), and verifies the validity of the public key certificate CERT_A and of the first parameter X'; if the verification fails it stops running, and if it succeeds it derives the session key;
In a concrete implementation, the recommended combinations are X' = A·g^x ∈ G and Y' = B·Y^e ∈ G; or X' = A^x ∈ G and Y' = B·Y^e ∈ G; or X' = A·g^x ∈ G and Y' = B^e·Y ∈ G; or X' = A^x ∈ G and Y' = B^e·Y ∈ G;
The first device and the second device are required to compute the same shared secret S and to derive the same session key.
According to one embodiment of the present invention,
e = h(I_B, B, Y = g^y, X', aux_e) or e = h(I_B, B, Y = g^y, aux_e), where aux_e may be empty; in general, (I_B, B) in the function input may be replaced by CERT_B or a hash of CERT_B, and likewise (I_A, A) in the function input may be replaced by CERT_A or a hash of CERT_A; it is suggested that aux_e be empty or comprise a timestamp and/or a random number r_B chosen by the second device, where r_B ∈ aux_B or r_B ∈ Data_B. For convenience of description, the invention assumes that the output of the hash function does not depend on the order of its inputs; specifically, for e = h(I_B, B, Y = g^y, X', aux_e) = h(Y = g^y, aux_h), aux_h = aux_e ∪ {I_B, B, X'};
and/or, aux_A comprises a random number generated by the first device and/or a timestamp and/or the identity of the first device and/or the IP address of the first device, or aux_A is empty; aux_B comprises a random number generated by the second device and/or a timestamp and/or the identity of the second device and/or the IP address of the second device, or aux_B is empty;
and/or, according to the security strength required, the length |x| of x and the length |y| of y are variable, that is: 0 < |x| ≤ |q| and 0 < |y| ≤ |q|, where |q| denotes the length of q; or x = h_x(x', aux_x), where h_x: {0,1}* → {0,1}^|x| is a hash function and x' ∈ {0,1}* is a secret random number chosen by the first device whose length |x'| is polynomially related to |q|; in practical applications of the method, x = h_x(x', I_A, A) or x = h_x(x', I_A, A, t_A) is recommended, where t_A is a timestamp; or x and y are both chosen at random directly from a subset of Z_q;
and/or, after the second device determines S, it also checks whether S is the identity element of G'; if S is the identity element it stops executing the subsequent steps, otherwise it continues with the subsequent steps; and/or, after the first device determines S, it also checks whether S is the identity element of G'; if S is the identity element it stops executing the subsequent steps, otherwise it continues with the subsequent steps;
and/or, AE is a symmetric authenticated encryption algorithm; AE may be deterministic, stateful or randomized, and may provide authenticated encryption with associated data (AEAD) and message-length hiding.
According to one embodiment of the present invention,
|x| = [|q|/2] or |x| = [|q|/4] or |x| = |q|; and/or |y| = [|q|/2] or |y| = [|q|/4] or |y| = |q|; and/or L_h ≤ [|q|/2] or L_h ≤ [|q|/4] or L_h ≤ |q|, where for a real number α that is not an integer, [α] denotes α rounded up or down. In a concrete implementation, L_h = [|q|/2] is recommended.
According to one embodiment of the present invention,
the first device and/or the second device determine the authenticated-encryption keys K_A and K_B of the first and second device according to the following expression:
{K_A, K_B, K'} ← KDF(S, aux)
aux ⊆ {X', Y', aux_A, aux_B}
where KDF is a key derivation function and K' ∈ {0,1}* denotes an extra derived key, which may be empty;
The first device and the second device set the session key to {K_A, K_B, K'} or {K_A, K_B} or K', or the session key is derived from K', or from S together with aux_K ⊆ {X', Y', I_A, I_B, A, B, Data_A, Data_B, aux_A, aux_B}. For example, the session key may be KDF(K', r_A || r_B) or KDF(K', r_A || Y), where r_A is a random number chosen by the first device with r_A ∈ Data_A or r_A ∈ aux_A (r_A ∈ Data_A recommended) and r_B is a random number chosen by the second device with r_B ∈ Data_B or r_B ∈ aux_B (r_B ∈ Data_B recommended), or KDF(K', x || Y).
According to one embodiment of the present invention,
the second device determines S according to the following expression:
S = X'^((b+ye)t) or S = X'^((be+y)t)
and the first device determines S according to the following expression:
S = Y'^((a+x)t) or S = Y'^(axt)
where t denotes the cofactor, i.e. the quotient of the order of the group G' divided by the order of the group G.
In a concrete implementation, the recommended combinations are X' = A·g^x ∈ G and Y' = B·Y^e ∈ G with S = X'^((b+ye)t) = Y'^((a+x)t); or X' = A^x ∈ G and Y' = B·Y^e ∈ G with S = X'^((b+ye)t) = Y'^(axt); or X' = A·g^x ∈ G and Y' = B^e·Y ∈ G with S = X'^((be+y)t) = Y'^((a+x)t); or X' = A^x ∈ G and Y' = B^e·Y ∈ G with S = X'^((be+y)t) = Y'^(axt).
According to one embodiment of the present invention,
the second device determines S according to the following expression:
S = X'^(b+ye) or S = X'^(be+y),
and the first device determines S according to the following expression:
S = Y'^(a+x) or S = Y'^(ax).
In a concrete implementation, the recommended combinations are X' = A·g^x ∈ G and Y' = B·Y^e ∈ G with S = X'^(b+ye) = Y'^(a+x); or X' = A^x ∈ G and Y' = B·Y^e ∈ G with S = X'^(b+ye) = Y'^(ax); or X' = A·g^x ∈ G and Y' = B^e·Y ∈ G with S = X'^(be+y) = Y'^(a+x); or X' = A^x ∈ G and Y' = B^e·Y ∈ G with S = X'^(be+y) = Y'^(ax).
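As an added illustration that is not part of the patent text, the following Python checks on a small constructed group that the four recommended (X', Y') combinations, both in the embodiment with the cofactor t in the exponent and in the embodiment without it, give the two devices the same S, and what the cofactor does to an input that lies in G' but outside G. The parameters p = 2039, q = 1019, t = 2 and g = 2^t mod p are constructed for the example and far too small for real use; the function names are the example's own.

```python
# Constructed toy parameters: p = 2039 is a safe prime, so the multiplicative
# group mod p (order N = p - 1) has a cyclic subgroup G of prime order q = 1019
# with cofactor t = N / q = 2 and generator g = 2^t mod p.
P, Q, T = 2039, 1019, 2
G = pow(2, T, P)
assert pow(G, Q, P) == 1          # g has order q


def variants(a, x, b, y, e, t=T):
    """For each of the four recommended (X', Y') combinations return
    (S as computed by the second device, S as computed by the first device).
    t=T is the cofactor embodiment; t=1 is the embodiment without cofactor."""
    A, B, Y = pow(G, a, P), pow(G, b, P), pow(G, y, P)
    X1 = A * pow(G, x, P) % P       # X' = A * g^x
    X2 = pow(A, x, P)               # X' = A^x
    Y1 = B * pow(Y, e, P) % P       # Y' = B * Y^e
    Y2 = pow(B, e, P) * Y % P       # Y' = B^e * Y
    return {
        "X'=A*g^x, Y'=B*Y^e": (pow(X1, (b + y * e) * t, P), pow(Y1, (a + x) * t, P)),
        "X'=A^x,   Y'=B*Y^e": (pow(X2, (b + y * e) * t, P), pow(Y1, a * x * t, P)),
        "X'=A*g^x, Y'=B^e*Y": (pow(X1, (b * e + y) * t, P), pow(Y2, (a + x) * t, P)),
        "X'=A^x,   Y'=B^e*Y": (pow(X2, (b * e + y) * t, P), pow(Y2, a * x * t, P)),
    }


def all_agree(a, x, b, y, e, t=T):
    """True if every combination yields the same S on both sides."""
    return all(s2 == s1 for s2, s1 in variants(a, x, b, y, e, t).values())


def small_subgroup_probe(b, y, e, t=T):
    """S the second device would compute if it received X' = p - 1: an element
    of order 2 in G' that is not in G.  With the cofactor in the exponent the
    result is always the identity, so the 'S = 1_G, abort' rule catches it;
    without the cofactor (t=1) the result depends on the parity of b + ye."""
    return pow(P - 1, (b + y * e) * t, P)


if __name__ == "__main__":
    print(all_agree(5, 7, 11, 13, 3), small_subgroup_probe(12, 13, 3),
          small_subgroup_probe(12, 13, 3, t=1))
```

The membership check X' ∈ G described later in the text would reject X' = p - 1 before S is ever computed; the probe only shows what the cofactor adds when that check is absent.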
According to one embodiment of the present invention,
before determining S, the first device first checks whether the second parameter Y' ∈ G holds; if it does not hold, the first device stops executing the subsequent steps;
and/or, before determining S, the second device first checks whether the first parameter X' ∈ G holds; if it does not hold, the second device stops executing the subsequent steps.
According to one embodiment of the present invention,
the first device verifies the validity of the second parameter Y' as follows: it computes e = h(I_B, B, Y = g^y, X', aux_e) or e = h(I_B, B, Y = g^y, aux_e) as agreed by the method, and then verifies Y' = B·Y^e ∈ G' (in the case Y' = B·Y^e ∈ G') or Y' = B^e·Y ∈ G' (in the case Y' = B^e·Y ∈ G');
the second device verifies the validity of the first parameter X' as follows: it checks x ∈ Z_q, and then verifies, as agreed by the method, X' = A·g^x ∈ G (in the case X' = A·g^x ∈ G) or X' = A^x ∈ G (in the case X' = A^x ∈ G).
In the existing TLS 1.3 key agreement method applied to the client-server environment, the server must run 4.5 modular exponentiations and the client must run 4.5 modular exponentiations. In the session key agreement method provided by the invention, the client (first user) only needs to run 2.5 modular exponentiations and the server (second user) only 3.5. With the recommended configuration |x| = |y| = L_h = [|q|/2], the client only needs to run 2 modular exponentiations and the server (second user) only 2.5. This considerably reduces the amount of computation on each device, improves the efficiency of session key generation and saves device hardware resources. In addition, because parameters such as |x|, |y| and L_h can be adjusted dynamically, the session key agreement method provided by the invention is also more flexible in application than TLS 1.3.
Other features and advantages of the invention will be set forth in the following description, and will in part become apparent from the specification or be understood by practicing the invention. The objects and other advantages of the invention are realized and attained by the structure particularly pointed out in the specification, claims and drawings.
Brief description of the drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required for the embodiments or for the description of the prior art are briefly introduced below:
Fig. 1 is a flow chart of a session key determination method according to one embodiment of the invention.
Detailed description
Embodiments of the invention are described in detail below with reference to the drawings and examples, so that how the invention applies technical means to solve technical problems and achieve technical effects can be fully understood and implemented accordingly. Note that, as long as no conflict arises, the embodiments of the invention and the features within each embodiment may be combined with one another, and the resulting technical solutions all fall within the scope of protection of the invention.
In the following description, many details are set forth for illustrative purposes to provide a thorough understanding of the embodiments of the invention. It will be apparent to those skilled in the art, however, that the invention may be practiced without these details or in ways other than those described here.
In addition, the steps shown in the flow chart of the drawings may be performed in a computer system such as one executing a set of computer-executable instructions; and although a logical order is shown in the flow chart, in some cases the steps may be performed in an order different from that shown or described here.
In cryptography, G denotes a cyclic subgroup of a finite group G', where the orders of G' and G are N and q respectively, and g is a generator of G. 1_G denotes the identity element of G'; G \ {1_G} denotes the set of all elements of G other than the identity 1_G, and G' \ {1_G} denotes the set of elements of G' other than 1_G (i.e. the non-identity elements of G'). For any element X ∈ G', X^(-1) denotes the inverse of X in G', i.e. X·X^(-1) = 1_G.
In general, the order q of the cyclic subgroup G is a large prime. Typically |q| is 256 or 512, where |q| denotes the length of q in binary. Z_q denotes the set {0, 1, 2, ..., q-1}, and Z_q^* denotes the set {1, 2, ..., q-1}.
For convenience of presentation, the invention uses the multiplicative representation of the group operation, i.e. the finite group G' and the cyclic subgroup G are written as multiplicative groups. The method applies equally to additive groups such as elliptic curves and other algebraic or concrete groups, finite fields, complex numbers, composite moduli, and so on.
In general, for operations in a multiplicative group, operations on exponents are reduced modulo q, and operations on group elements are reduced modulo N or N+1 (or use another operation) to ensure that the result is an element of the finite group G' or the cyclic subgroup G. For example, g^x is usually understood as g^x mod q, g^x·g^y as g^x·g^y ∈ G', x + y ∈ Z_q as (x + y) mod q, and xy ∈ Z_q as (xy) mod q.
In this embodiment, the parameters G, q and g, the authenticated encryption algorithm AE and its key length, the algorithms used for AE, KDF and h, the concrete way of computing the first parameter X' and the second parameter Y', the parameters L_h and L, the session key length, and the concrete values and setting of aux_A, aux_B, aux, aux_K, aux_h, aux_e, Data_A and Data_B may be determined and agreed among the users or devices running the method before the method is run, or may be exchanged and negotiated by the users and devices before or during the protocol run; the invention is not limited in this respect.
The discrete logarithm assumption holds on the cyclic subgroup G if, given X = g^x ∈ G (where x is chosen at random from a set of 0-1 strings of length L_a ≤ |q|), no probabilistic polynomial-time algorithm can obtain x from X with non-negligible probability.
In the following description, I_A and I_B denote the logical or distinctive identity (such as a name, device serial number, email, IP address, or the role played in the method) of the different users or devices. These identities may be accompanied by, include, or be contained in a digital certificate.
In this embodiment, the first device with identity I_A has a corresponding public key A. In this embodiment, A = g^a ∈ G, where a is the private key of the first device, which may be chosen at random by the first device from Z_q^* = {1, 2, ..., q-1}.
Correspondingly, in this embodiment, the second device with identity I_B has a corresponding public key B. In this embodiment, B = g^b ∈ G, where b is the private key of the second device, which may be chosen at random by the second device from Z_q^*.
Unless otherwise specified, the binding of public key A to the first device and of public key B to the second device is performed by a trusted third party. For the first device, for example, the trusted third party usually checks the validity of the identity I_A of the first device and the validity of the corresponding public key A, then digitally signs (I_A, A); (I_A, A) together with the digital signature generated by the trusted third party form a public key certificate for (I_A, A), denoted CERT_A.
Fig. 1 shows the flow chart of the session key defining method that the present embodiment provides.
As shown in Fig. 1, in this embodiment the first device first determines the first parameter X' from its public key A and the discrete logarithm (i.e. the DH exponent) x of its DH key contribution X. In this embodiment, the public key A of the first device may be determined by the following expression:
A = g^a  (1)
where a denotes the private key of the first device.
The first parameter X' may be computed according to the following expression:
X' = A·g^x  (2)
where it is recommended that x = h_x(x', I_A, A) or x = h_x(x', I_A, A, t_A), or that x is chosen at random directly from a subset of Z_q, where x' ∈ {0,1}* is a random number whose length |x'| is polynomially related to |q| (for example |x'| = |q|), and t_A is a timestamp.
After obtaining the parameter X', the first device sends X' and aux_A to the second device, where aux_A denotes the auxiliary information (i.e. the first auxiliary information) generated by the first device. In this embodiment, the first auxiliary information aux_A is a subset or sequence of the protocol-related information other than the identity, public key and public key certificate of the first device.
Note that in different embodiments of the invention the first auxiliary information aux_A may be empty or may contain repeated elements; the invention is not limited in this respect. When the first auxiliary information aux_A is empty, the first device sends only the first parameter X' to the second device. When aux_A is not empty, the information it contains may include any one or more of the following: the IP address of the first device, the IP address of the second device, other random numbers sent by the first device, a session identifier sid, and so on.
After the second device receives X' and aux_A from the first device, it computes e = h(I_B, B, Y = g^y, X', aux_e), where (I_B, B) may be replaced by CERT_B or a hash of CERT_B, y denotes the discrete logarithm (i.e. the DH exponent) of the DH key contribution Y of the second device, t denotes the cofactor, i.e. the quotient of the order of the group G' divided by the order of the group G, and B denotes the public key of the second device. In this embodiment, the second device computes the second parameter Y' and the shared secret S according to the following expressions:
Y' = B·g^(ye)  (3)
S = X'^((b+ye)t)  (4)
In this embodiment, after obtaining the shared secret S the second device may check whether the computed S is the identity element, i.e. whether S = 1_G holds. If it holds, the second device stops executing the subsequent steps and aborts the session; if it does not hold, the second device computes {K_A, K_B, K'} from the computed parameter S. Specifically, in this embodiment the second device computes {K_A, K_B, K'} according to the following expression:
{K_A, K_B, K'} ← KDF(S, aux_K)  (5)
where KDF denotes a key derivation function. In general, KDF may be a hash function or a sequence of hash functions (such as HMAC, HKDF, etc.), or a pseudo-random function seeded with the shared secret S. aux denotes auxiliary information, which may be a set of strings or a counter. In different embodiments of the invention, aux may be a subset of {X', Y', aux_A, aux_B}; {X', Y'} ⊆ aux ⊆ {X', Y', aux_A, aux_B} is recommended.
In this embodiment, K_A ∈ {0,1}^L denotes the authenticated-encryption key used by the first device to authenticate and encrypt the information it sends to the second device, where L denotes the key length of the authenticated encryption function; K_B ∈ {0,1}^L denotes the authenticated-encryption key used by the second device to authenticate and encrypt the information it sends to the first device; K' ∈ {0,1}* is an extra derived key. Note that, depending on the application scenario, the extra derived key K' may be empty.
In different embodiments of the invention, the keys K_A and K_B may be identical or different. If K_A and K_B are identical, that is:
K_A = K_B = K ∈ {0,1}^L  (6)
then the second device computes {K, K'} from the shared secret S, that is:
{K, K'} ← KDF(S, aux)  (7)
Note that in different embodiments of the invention the session key and the authentication keys may be derived by the same key derivation function from the same input, or by the same key derivation function from different inputs. The session key and the authentication keys may also be derived by different key derivation functions from the same input or from different inputs.
In this embodiment, after computing {K_A, K_B, K'} the second device computes the second device's ciphertext C_B from the key K_B. Specifically, in this embodiment the second device computes the second device's ciphertext C_B according to the following expression:
C_B = AE(K_B, (I_B, B, CERT_B, Y, Data_B))  (8)
where I_B denotes the identity of the second device, B the public key of the second device, CERT_B the public key certificate of the second device, Data_B the (possibly empty) additional data that the second device needs to transmit encrypted, and AE an authenticated encryption function, which may be deterministic, randomized or stateful and may provide authenticated encryption with associated data (AEAD) and message-length hiding. If AE is an authenticated encryption function with associated data, Y' and/or part or all of aux_B (for example the IP address of the second user and/or the IP address of the first user) may serve as the associated data.
In this embodiment, Data_B is a subset or sequence of the protocol-related information other than the user identity I_B, the public key B and the public key certificate CERT_B; it may be empty or contain repeated elements. In this embodiment, the other protocol-related information comprises any one or more of the following:
messages the user needs to transmit or authenticate, all or part of the system parameters, the parameters {|x|, |y|, L_h, L}, the identifiers of the protocol initiator and responder, IP addresses, protocol version, security parameters and key parameters, the session identifier of the protocol, random numbers exchanged by the users, timestamps, cookies, agreed values, and other information that the protocol session needs to transmit (such as the parameter X' and/or the parameter Y'), and so on.
Note that in this embodiment AE(K_B, (I_B, B, CERT_B, Y, Data_B)) means first concatenating all elements of the set {I_B, B, CERT_B, Y, Data_B} in a preset order (the order may be arbitrary, but both parties to the protocol must know and agree on it), for example obtaining M = I_B || B || CERT_B || Y || Data_B; M is then encoded into binary according to a pre-arranged encoding rule, and the resulting binary encoding is authenticated and encrypted under K_B.
After obtaining the second device's ciphertext C_B, the second device sends Y', C_B and aux_B to the first device, where aux_B denotes the second auxiliary information, a subset or sequence of the protocol-related information other than the identity, public key and public key certificate of the second device. The second auxiliary information aux_B may be empty or may contain repeated elements. For example, the information in aux_B may be any one or more of the following: the IP address of the first device, the IP address of the second device, other random numbers sent by the second device, a session identifier sid, and so on.
After receiving Y', C_B and aux_B from the second device, the first device computes S from the second parameter Y'. Specifically, in this embodiment the first device computes the shared key S according to the following expression:
S = Y'^((a+x)t)    (9)
After determining the shared key S, the first device checks whether S is the identity element, i.e. whether S = 1_G' holds. If it does, the first device stops executing the subsequent steps and terminates the session. If it does not, the first device computes {K_A, K_B, K'} from the computed shared key S. Specifically, in this embodiment the first device computes {K_A, K_B, K'} according to the following expression:
{K_A, K_B, K'} ← KDF(S, aux)    (10)
Subsequently the first device computes (I_B, B, CERT_B, Y) from the obtained authenticated encryption key K_B of the second device and the second device ciphertext C_B. Specifically, in this embodiment the first device computes (I_B, B, CERT_B, Y) according to the following expression:
(I_B, B, CERT_B, Y) ← DE(K_B, C_B)    (11)
Here DE denotes the decryption function corresponding to the authenticated encryption function AE.
In this embodiment, after obtaining (I_B, B, CERT_B, Y) the first device verifies the public key certificate CERT_B of the second device and the second parameter Y'. Specifically, it checks whether Y' = B·Y^e ∈ G' holds and whether CERT_B is valid. If Y' = B·Y^e ∈ G' holds and CERT_B is valid, the first device considers CERT_B and Y' to have passed verification; otherwise it considers CERT_B and Y' to have failed verification, stops executing the subsequent steps and terminates the session.
Once CERT_B and Y' have passed the first device's verification, the first device can determine the session key from the obtained parameters according to preset rules. Specifically, in this embodiment the first device preferably uses {K_A, K_B, K'} as the session key.
Once CERT_B and Y' have passed the first device's verification, the first device also determines the first device ciphertext C_A from the authenticated encryption key K_A. Specifically, in this embodiment the first device computes C_A according to the following expression:
C_A = AE(K_A, (I_A, A, CERT_A, x, Data_A))    (12)
Here I_A denotes the identity of the first device, A its public key, CERT_A its public key certificate and Data_A the (possibly empty) part of the data that the first device needs to transmit encrypted. If AE is an AEAD function, X' and/or part or all of aux_A can serve as associated data.
After obtaining C_A, the first device sends it to the second device.
After receiving C_A from the first device, the second device determines (I_A, A, CERT_A, x) from C_A. Specifically, in this embodiment the second device determines (I_A, A, CERT_A, x) according to the following expression:
(I_A, A, CERT_A, x) ← DE(K_A, C_A)    (13)
Having obtained (I_A, A, CERT_A, x), the second device verifies the received first parameter X' and the public key certificate CERT_A of the first device. Specifically, in this embodiment the second device verifies the validity of CERT_A and checks whether x ∈ Z_q and X' = A·g^x ∈ G' hold. If CERT_A is valid and x ∈ Z_q and X' = A·g^x ∈ G hold, the second device considers CERT_A and X' to have passed verification; otherwise it considers CERT_A and X' to have failed verification, stops executing the subsequent steps and terminates the session.
When the second device considers CERT_A and X' to have passed verification, it sets {K_A, K_B, K'} as the session key. In general, if K' is empty, i.e. the session key is set to {K_A, K_B}, this corresponds to a secure authenticated channel (and not merely key agreement).
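One complete run of the embodiment above, as an added example that is not the patent's or the inventors' code. It assumes a constructed safe-prime group (p = 2q + 1 with q just above 2^24, generator 4, association factor t = 2), e = h(I_B, B, Y, X') computed as SHA-256 truncated to L_h bits, an HMAC-SHA256 key derivation function, a toy encrypt-then-MAC AE with Y' (respectively X') as associated data, and an HMAC-based stand-in for certificate validation; all function names (run_protocol, rejects_tampering, issue_cert, ...) are hypothetical. The run performs the S = 1_G' check, the CERT_B and Y' = B·Y^e check, and the CERT_A, x ∈ Z_q and X' = A·g^x check exactly where the text places them, and rejects_tampering shows that a corrupted C_B is caught by DE before any of its contents are used.

```python
import hashlib, hmac, secrets, struct

def is_prime(n):                      # trial division: enough for the ~25-bit toy modulus used here
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def safe_prime(start):                # constructed toy group: p = 2q + 1 with both p and q prime
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(1 << 24)            # G' = Z_p^*, G = its subgroup of prime order q
GEN, T = 4, (P - 1) // Q              # 4 is a quadratic residue, so it generates G; t = |G'|/|G| (claim 5)
L_H = (Q.bit_length() + 1) // 2       # L_h = ceil(|q|/2), eq. (21)
as_int = lambda b: int.from_bytes(b, "big")

def encode(*parts):                   # M = p1 || p2 || ... in an agreed order, length-prefixed
    out = b""
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes(max(1, (p.bit_length() + 7) // 8), "big")
        out += struct.pack(">I", len(b)) + b
    return out

def decode(buf):                      # inverse of encode; every field comes back as bytes
    fields = []
    while buf:
        n = struct.unpack(">I", buf[:4])[0]
        fields.append(buf[4:4 + n])
        buf = buf[4 + n:]
    return fields

def h(*parts):                        # e = h(I_B, B, Y, X') truncated to L_h bits (a claim-2 option)
    return as_int(hashlib.sha256(encode(*parts)).digest()) >> (256 - L_H)

def kdf(s, aux):                      # {K_A, K_B, K'} <- KDF(S, aux), eq. (10): HMAC extract, then expand
    prk = hmac.new(b"kdf-salt", encode(s) + aux, hashlib.sha256).digest()
    return tuple(hmac.new(prk, bytes([i]), hashlib.sha256).digest() for i in (1, 2, 3))

def _stream(key, nonce, n):           # HMAC-SHA256 counter-mode keystream (toy cipher)
    return b"".join(hmac.new(key, b"enc" + nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def ae(key, parts, assoc=b""):        # toy AEAD: encrypt-then-MAC with the associated data in the tag
    pt, nonce = encode(*parts), secrets.token_bytes(16)
    ct = bytes(m ^ k for m, k in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, b"mac" + assoc + nonce + ct, hashlib.sha256).digest()

def de(key, blob, assoc=b""):         # DE: verify the tag before releasing any plaintext
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + assoc + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("AE tag mismatch: abort session")
    return decode(bytes(c ^ k for c, k in zip(ct, _stream(key, nonce, len(ct)))))

CA_KEY = secrets.token_bytes(32)      # constructed stand-in for a CA: CERT = MAC over (identity, pubkey)
def issue_cert(ident, pub):
    return hmac.new(CA_KEY, encode(ident, pub), hashlib.sha256).digest()

def keygen():                         # private key in Z_q^*, public key g^priv in G
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(GEN, priv, P)

def run_protocol(tamper=False, I_A=b"client", I_B=b"server", aux_A=b"ip=10.0.0.1", aux_B=b"ip=10.0.0.2"):
    (a, A), (b, B) = keygen(), keygen()
    CERT_A, CERT_B = issue_cert(I_A, A), issue_cert(I_B, B)
    # first device -> second device: X' = A * g^x with a DH-exponent x of L_h bits, and aux_A
    x = secrets.randbits(L_H) | 1
    X1 = A * pow(GEN, x, P) % P
    # second device: Y = g^y, e = h(I_B, B, Y, X'), Y' = B * Y^e, S = X'^((b+ye)t) (eq. 26 / claim 5)
    y = secrets.randbits(L_H) | 1
    Y = pow(GEN, y, P)
    e = h(I_B, B, Y, X1)
    Y1 = B * pow(Y, e, P) % P
    S_B = pow(X1, (b + y * e) * T, P)
    if S_B == 1:                                          # identity-element check before any key use
        raise ValueError("S is the identity element: abort session")
    aux = encode(X1, Y1, aux_A, aux_B)                    # aux ⊆ {X', Y', aux_A, aux_B} (claim 4)
    KA_B, KB_B, Kp_B = kdf(S_B, aux)
    C_B = ae(KB_B, (I_B, B, CERT_B, Y, b"Data_B"), assoc=encode(Y1))    # eq. (30), Y' as associated data
    if tamper: C_B = C_B[:20] + bytes([C_B[20] ^ 1]) + C_B[21:]         # simulate corruption in transit
    # second device -> first device: Y', C_B, aux_B.  First device: S = Y'^((a+x)t), eq. (9)
    S_A = pow(Y1, (a + x) * T, P)
    if S_A == 1:
        raise ValueError("S is the identity element: abort session")
    KA_A, KB_A, Kp_A = kdf(S_A, aux)
    ib, bpk, cb, yb, _ = de(KB_A, C_B, assoc=encode(Y1))               # eq. (11)
    bpk, yb = as_int(bpk), as_int(yb)
    if not hmac.compare_digest(cb, issue_cert(ib, bpk)):
        raise ValueError("CERT_B invalid: abort session")
    if not (1 <= Y1 < P and Y1 == bpk * pow(yb, h(ib, bpk, yb, X1), P) % P):   # Y' = B * Y^e in G'
        raise ValueError("Y' check failed: abort session")
    C_A = ae(KA_A, (I_A, A, CERT_A, x, b"Data_A"), assoc=encode(X1))    # eq. (12), X' as associated data
    # first device -> second device: C_A.  Second device: eq. (13), then CERT_A, x in Z_q, X' = A * g^x
    ia, apk, ca, xb, _ = de(KA_B, C_A, assoc=encode(X1))
    apk, xb = as_int(apk), as_int(xb)
    if not hmac.compare_digest(ca, issue_cert(ia, apk)):
        raise ValueError("CERT_A invalid: abort session")
    if not (0 <= xb < Q and X1 == apk * pow(GEN, xb, P) % P):
        raise ValueError("X' check failed: abort session")
    return {"S_equal": S_A == S_B, "x_bits": x.bit_length(),             # session key is {K_A, K_B, K'}
            "key_A": (KA_A, KB_A, Kp_A), "key_B": (KA_B, KB_B, Kp_B)}

def rejects_tampering():              # True when a corrupted C_B makes DE abort the session
    try:
        run_protocol(tamper=True)
    except ValueError:
        return True
    return False
```

The toy AE and the certificate MAC stand in for a real AEAD and real PKI validation; the group arithmetic, the order of the checks and the three-message flow are what the passage specifies. Note that the first device derives {K_A, K_B, K'} before it can open C_B, so a wrong S shows up as a failed DE tag check rather than as garbage plaintext.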
Note that in other embodiments of the invention the first device and the second device may also set other reasonable parameters as the session key (for example K', or a key derived from K' or S together with aux_K ⊆ {X', Y', I_A, I_B, A, B, Data_A, Data_B, aux_A, aux_B}); the invention is not limited in this respect. For example, in other embodiments the first device and the second device may, according to preset rules, use {K_A, K_B} or the extra derived key K' as the session key, or derive the session key from the third auxiliary information aux_K together with the extra derived key K' or the shared key S. Here the third auxiliary information aux_K is a subset of X', Y', x, Y, I_A, I_B, A, B, Data_A, Data_B, aux_A, aux_B that contains the identities I_A and I_B of the first and second devices, i.e.:
{I_A, I_B} ⊆ aux_K ⊆ {X', Y', x, Y, I_A, I_B, A, B, Data_A, Data_B, aux_A, aux_B}    (14)
Note that in the foregoing description the first device and the second device may also compute the shared key S in other reasonable ways; the invention is not limited in this respect.
For example, in other embodiments of the invention the second device may compute the shared key S according to the following expression:
S = X'^(b+ye)    (15)
Correspondingly, the first device computes the shared key S according to the following expression:
S = Y'^(a+x) or S = Y'^(ax)    (16)
Note that in this embodiment the first device and/or the second device need not test, after obtaining the shared key S, whether S is the identity element; instead the second device must check and confirm, before computing the shared key S, whether X' ∈ G holds. If it holds, the subsequent steps proceed; otherwise execution of the subsequent steps stops.
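The two receiver-side checks that the embodiments above rely on, as an added example that is not from the patent. On the tiny constructed group p = 23, q = 11 (so t = 2, generator 4), in_subgroup implements the X' ∈ G / Y' ∈ G test of claim 7, accept implements the path of eqs. (9) and (20) where the association factor t is applied and S is then rejected if it equals the identity element, and accept_without_cofactor implements the path of eqs. (15)/(16) where no factor t is used and the membership test must run before S is computed. The function names are hypothetical. The element p − 1 has order 2 = t, so it lies in G' but not in G: with the factor t it collapses to S = 1_G' and the identity check rejects it; without the factor t only the membership test catches it.

```python
P, Q, GEN = 23, 11, 4           # constructed toy group: G' = Z_23^*, G = <4> of prime order 11
T = (P - 1) // Q                # association factor t = |G'| / |G| = 2 (claim 5)

def in_subgroup(v):
    """Membership test for the prime-order subgroup G (claim 7): v in Z_p^* and v^q == 1."""
    return 1 <= v < P and pow(v, Q, P) == 1

def accept(received, priv_exp):
    """Path with the association factor: S = received^(priv_exp * t), then abort when S == 1_G'.
    Returns (accepted, S)."""
    s = pow(received, priv_exp * T, P)
    return s != 1, s

def accept_without_cofactor(received, priv_exp):
    """Path of eqs. (15)/(16): no factor t, so membership must be confirmed before S is computed.
    Returns (accepted, S) with S = None when the received value is rejected."""
    if not in_subgroup(received):
        return False, None
    return True, pow(received, priv_exp, P)

def demo():
    """Run both policies on a genuine subgroup element and on p - 1, which has order 2 = t."""
    honest = pow(GEN, 7, P)     # g^7, a genuine element of G
    low_order = P - 1           # -1 mod p: in G' but not in G
    return {
        "honest_in_G": in_subgroup(honest),
        "low_order_in_G": in_subgroup(low_order),
        "honest_accepted": accept(honest, 5)[0],
        "low_order_accepted": accept(low_order, 5)[0],
        "low_order_S": accept(low_order, 5)[1],        # the factor t collapses it to 1_G'
        "low_order_without_cofactor": accept_without_cofactor(low_order, 5)[0],
    }
```

Which of the two policies a deployment uses follows from which S formula it implements: the t-exponent variants make the identity check sufficient, the variants without t make the membership check mandatory, and the text above requires one or the other in every embodiment.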
Also note that in other embodiments of the invention other reasonable methods may be used to compute the first parameter X' and the second parameter Y'; the invention is likewise not limited in this respect. For example, in one embodiment of the invention the first device may compute the first parameter X' according to the following expression:
X' = A^x    (17)
Correspondingly, the second device computes the second parameter Y' according to the following expression:
Y' = B·Y^e or Y' = B^e·Y    (18)
In this embodiment the first device then computes the shared key S according to the following expression:
S = Y'^(axt)    (19)
and the second device computes the shared key S according to the following expression:
S = X'^((b+ye)t) or S = X'^((be+y)t)    (20)
In this embodiment, after obtaining (I_B, B, CERT_B, Y) the first device, when verifying the public key certificate CERT_B of the second device and the second parameter Y', verifies the validity of CERT_B and checks whether Y' = B·Y^e ∈ G' or Y' = B^e·Y ∈ G' holds. Likewise, after obtaining (I_A, A, CERT_A, x) the second device, when verifying the public key certificate CERT_A of the first device and the first parameter X', verifies the validity of CERT_A and checks whether x ∈ Z_q and X' = A^x ∈ G hold.
Note that in this embodiment the DH-exponent x and the DH-exponent y satisfy the following expression:
|x| = |y| = L_h = [|q|/2]    (21)
That is, the binary lengths of the DH-exponents x and y are equal, and equal half the binary length of the order q of the cyclic subgroup G of the finite group G', rounded (this may be rounding up or, in other embodiments, rounding down).
Note that in other embodiments of the invention the binary lengths of the DH-exponents x and y may take other reasonable values; the invention is not limited in this respect. For example, in other embodiments of the invention the lengths of the DH-exponents x and y may satisfy the following expression:
|x| = |y| = [|q|/4] or |x| = |y| = |q|    (22)
In another embodiment of the invention the first device and the second device are pre-configured with a shared key (K_1, K_2). The first device determines the third parameter X'' from its public key A and the discrete logarithm x of the first device's DH key contribution X. In this embodiment the public key A of the first device may be determined according to the following expression:
A = g^a    (23)
Here a denotes the private key of the first device.
The third parameter X'' can be computed according to the following expression:
X'' = A·g^x ⊕ K_1    (24)
After obtaining the third parameter X'', the first device sends it to the second device.
After receiving the third parameter X'' from the first device, the second device can compute the shared key S from X''. The second device also computes the fourth parameter Y''. Specifically, in this embodiment, when computing the shared key S the second device first computes the parameter X' from the third parameter X'', and then computes S from X' and the discrete logarithm y of the second device's DH key contribution Y, i.e.:
X' = X'' ⊕ K_1    (25)
S = X'^((b+ye)t)    (26)
Specifically, in this embodiment the second device computes the fourth parameter Y'' according to the following expression:
Y'' = B·g^(ye) ⊕ K_1    (27)
Here t denotes the association factor and B the public key of the second device.
In this embodiment, after obtaining S the second device checks whether the computed shared key S is the identity element, i.e. whether S = 1_G' holds. If it does, the second device stops executing the subsequent steps and terminates the session; if it does not, the second device computes {K_A, K_B} from the computed parameter S. Specifically, in this embodiment the second device computes {K_A, K_B} according to the following expression:
{K_A, K_B, K'} ← KDF(S ⊕ K_2, X'' || Y'')    (28)
Here KDF denotes the preset key derivation function.
Note that in different embodiments of the invention the session key and the authentication key may be derived by the same key derivation function from the same input, or by the same key derivation function from different inputs. The session key and the authentication key may also be derived by different key derivation functions, from the same input or from different inputs.
Also, in this embodiment the parameters K_1 and K_2 of the symmetric key (K_1, K_2) are independent or equal, and:
|K_1| = |K_2| = |X'| = |Y'| = |S|    (29)
That is, the parameters K_1, K_2, X', Y' and S have equal binary length.
Note that in this embodiment, when determining the session key, the first device and the second device share the symmetric key (K_1, K_2) in advance, i.e. the symmetric key (K_1, K_2) is known to both the first device and the second device.
In this embodiment, after computing {K_A, K_B} the second device computes the second device ciphertext C_B from its authenticated encryption key K_B. Specifically, in this embodiment the second device computes C_B according to the following expression:
C_B = AE(K_B, (I_B, B, CERT_B, Y, Data_B))    (30)
Here I_B denotes the identity of the second device, B its public key and CERT_B its public key certificate.
Note that in this embodiment AE(K_B, (I_B, B, CERT_B, Y, Data_B)) means the following: first, all elements of the set {I_B, B, CERT_B, Y, Data_B} are concatenated in a preset order (the order may be arbitrary, but both parties to the protocol must know and agree on it), giving for example M = I_B || B || CERT_B || Y || Data_B; then M is encoded into binary according to a preset encoding rule, and the resulting binary encoding is authenticated-encrypted with K_B.
After obtaining C_B, the second device sends Y'' and C_B to the first device. After receiving Y'' and C_B from the second device, the first device can compute the shared key S from the fourth parameter Y''. Specifically, in this embodiment, when computing the shared key S the first device first computes the parameter Y' from the fourth parameter Y'', and then computes S from Y' and the discrete logarithm x of the first device's DH key contribution X, i.e.:
Y' = Y'' ⊕ K_1    (31)
S = Y'^((a+x)t)    (32)
After determining the shared key S, the first device checks whether S is the identity element, i.e. whether S = 1_G' holds. If it does, the first device stops executing the subsequent steps and terminates the session. If it does not, the first device computes {K_A, K_B} from the computed shared key S. Specifically, in this embodiment the first device computes {K_A, K_B} according to the following expression:
{K_A, K_B, K'} ← KDF(S ⊕ K_2, X'' || Y'')    (33)
Subsequently the first device computes (I_B, B, CERT_B, Y) from the obtained authenticated encryption key K_B of the second device and the second device ciphertext C_B. Specifically, in this embodiment the first device computes (I_B, B, CERT_B, Y) according to the following expression:
(I_B, B, CERT_B, Y, Data_B) ← DE(K_B, C_B)    (34)
Here DE denotes the decryption function corresponding to the authenticated encryption function AE.
In this embodiment, after obtaining (I_B, B, CERT_B, Y) the first device verifies the public key certificate CERT_B of the second device and the fourth parameter Y''. Specifically, in this embodiment the first device verifies the validity of CERT_B and checks whether the required relation for Y'' holds. If CERT_B is valid and the relation holds, the first device considers CERT_B and Y'' to have passed verification; otherwise it considers CERT_B and Y'' to have failed verification, stops executing the subsequent steps and terminates the session.
Once CERT_B and the fourth parameter Y'' have passed verification by the first device, the first device determines the first device ciphertext C_A from K_A. Specifically, in this embodiment the first device computes C_A according to the following expression:
C_A = AE(K_A, (I_A, A, CERT_A, x, Data_A))    (32)
Here Data_A denotes the information that needs to be transmitted encrypted; it may include timestamp information and/or random numbers.
After obtaining C_A, the first device sends it to the second device.
The first device uses (K_A, K_B) or KDF(K', r_A || r_B) as the session key.
After receiving C_A from the first device, the second device determines (I_A, A, CERT_A, x) from C_A. Specifically, in this embodiment the second device determines (I_A, A, CERT_A, x) according to the following expression:
(I_A, A, CERT_A, x, Data_A) ← DE(K_A, C_A)    (33)
Having obtained (I_A, A, CERT_A, x), the second device verifies the public key certificate CERT_A of the first device and the third parameter X''. Specifically, in this embodiment the second device verifies the validity of CERT_A and checks whether the required relations hold. If CERT_A is valid, x ∈ Z_q and the relations hold, the second device considers CERT_A and X'' to have passed verification; otherwise it considers CERT_A and X'' to have failed verification, stops executing the subsequent steps and terminates the session.
When the second device considers CERT_A, the discrete logarithm x and the parameter X' to have passed verification, it sets {K_A, K_B} or KDF(K', r_A || r_B) as the session key.
Note that in this embodiment the representation of the above parameters, the keys, functions, algorithms, user role identifiers, the session tag derivation mechanism, the parameters aux_A, aux_B, aux_K and so on can all be negotiated and determined, on the basis of a default mechanism, by the two parties running the protocol (i.e. the first device and the second device). The parameters |x| and |y|, however, can be determined separately by the first device and the second device according to the application scenario.
In existing methods for determining a session key, each device in the protocol interaction has to run at least 4 or 4.5 modular exponentiations. In the method for determining a session key provided by the present invention, with L_h = [|q|/2] the first device in the protocol interaction needs to run only 2.5 modular exponentiations and the second device only 3.5. By suitably configuring the parameters |x| = |y| = [|q|/2], L_A and L_B, the first device can even be made to run only 2 modular exponentiations and the second device only 2.5. This considerably reduces the amount of computation on each device, improves the efficiency of session key generation and saves hardware resources. In addition, since parameters such as |x|, |y| and L_h can be adjusted dynamically, the session key negotiation method provided by the present invention is also more flexible in application.
It should be understood that the disclosed embodiments of the invention are not limited to the particular process steps disclosed herein, and extend to equivalents of these features as understood by those of ordinary skill in the art. It should further be understood that the terminology used herein serves only to describe specific embodiments and is not intended to be limiting.
A reference in the specification to "an embodiment" or "the embodiment" means that a particular feature, structure or characteristic described in connection with that embodiment is included in at least one embodiment of the invention. Thus the phrase "an embodiment" or "the embodiment" appearing in various places in the specification does not necessarily refer to the same embodiment.
Although the above examples illustrate the principles of the invention in one or more applications, a person skilled in the art can make various modifications in form, usage details and implementation without departing from the principles and spirit of the invention and without creative effort. The invention is therefore defined by the appended claims.

Claims (8)

1. An authentication key agreement method applied in a client-server environment, characterized in that the method comprises:
the first device, according to its generated DH-exponent x and the first device's public key A = g^a, determines the first parameter X' = A·g^x ∈ G or X' = A^x ∈ G, and sends the first parameter X' and the first auxiliary information aux_A to the second device, where g denotes a generator of the cyclic subgroup G of order q of the finite group G', x ∈ Z_q, A ∈ G, a ∈ Z_q is the private key of the first device, and aux_A is a data set that may be empty;
the second device, according to its generated DH-exponent y ∈ Z_q, the second device's public key B = g^b ∈ G and the second auxiliary information aux_B (a data set that may be empty), where b ∈ Z_q is the private key of the second device, and the received first parameter X' and first auxiliary information aux_A, determines the second parameter Y' = B·Y^e ∈ G or Y' = B^e·Y ∈ G, where Y = g^y ∈ G, y ∈ Z_q, e = h(Y = g^y, aux_h), h is a conversion function, 1 ≤ L_h ≤ |q|, |q| denotes the binary length of q, and aux_h ⊆ aux_A ∪ aux_B ∪ {X', I_B, B, CERT_B, I_A, A, CERT_A} ∪ Data_B; the second device, according to (b, y), the second auxiliary information aux_B, the received first parameter X' and the first auxiliary information aux_A, determines the shared key S, and according to S and a subset of X', Y', aux_A, aux_B uses the key derivation function KDF to determine the authenticated encryption keys K_A and K_B of the first device and the second device, where K_A and K_B are equal or unequal; the second device computes, with a symmetric encryption algorithm AE, C_B = AE(K_B, (I_B, B, CERT_B, Y, Data_B)), where CERT_B is the public key certificate of the second device, I_B denotes the identity of the second device, Data_B is a data set (possibly empty) of other information that the second device needs to transmit encrypted, CERT_A is the public key certificate of the first device and I_A denotes the identity of the first device; the second device sends the second parameter Y', C_B and aux_B to the first device, and derives the session key;
the first device, according to (a, x), the first auxiliary information aux_A, the received second parameter Y' and the second auxiliary information aux_B, determines S, and according to S and a subset of X', Y', aux_A, aux_B uses the key derivation function KDF to determine the authenticated encryption keys K_A and K_B of the first device and the second device; it then uses K_B to decrypt the received C_B, obtaining (I_B, B, CERT_B, Y); the first device verifies the validity of the public key certificate CERT_B and of the second parameter Y'; if the verification result is incorrect it stops running; if the verification result is correct it computes C_A = AE(K_A, (I_A, A, CERT_A, x, Data_A)), where I_A denotes the identity of the first device, CERT_A is the public key certificate of the first device and Data_A is a data set (possibly empty) of other information that the first device needs to transmit encrypted; the first device sends C_A to the second device, and derives the session key;
the second device uses K_A to decrypt the received C_A, obtaining (I_A, A, CERT_A, x), and verifies the validity of the public key certificate CERT_A and of the first parameter X'; if the verification result is incorrect it stops running; if the verification result is correct it derives the session key.
2. The method of claim 1, characterized in that
e = h(I_B, B, Y = g^y, X', aux_e) or e = h(I_B, B, Y = g^y, aux_e), where aux_e may be empty, or aux_e includes a timestamp and/or a random number r_B chosen by the second device and/or the identity and/or public key information of the first device, with r_B ∈ aux_B or r_B ∈ Data_B; h is a hash function, or the output of h is the x-coordinate of Y or a function of the x-coordinate of Y;
and/or aux_A includes a random number generated by the first device and/or a timestamp and/or the identity information of the first device and/or the IP address information of the first device, or aux_A is empty; aux_B includes a random number generated by the second device and/or a timestamp and/or the identity information of the second device and/or the IP address information of the second device, or aux_B is empty;
and/or, according to the required security strength, the length |x| of x and the length |y| of y are variable, i.e. 0 < |x| ≤ |q| and 0 < |y| ≤ |q|, where |q| denotes the length of q; or x = h_x(x', aux_x), where h_x: {0,1}* → {0,1}^|x| is a hash function, x' ∈ {0,1}* is a secret random number chosen by the first device and the length |x'| of x' is polynomially related to |q|; or x and y are both chosen at random directly from a subset of Z_q;
and/or, after the second device determines S, it also checks whether S is the identity element of G'; if S is the identity element it stops executing the subsequent steps, otherwise it continues with the subsequent steps; and/or, after the first device determines S, it also checks whether S is the identity element of G'; if S is the identity element it stops executing the subsequent steps, otherwise it continues with the subsequent steps;
and/or AE is a symmetric authenticated encryption algorithm.
3. The method of claim 1 or 2, characterized in that
|x| = [|q|/2] or |x| = [|q|/4] or |x| = |q|; and/or |y| = [|q|/2] or |y| = [|q|/4] or |y| = |q|; and/or L_h ≤ [|q|/2] or L_h ≤ [|q|/4] or L_h ≤ |q|, where for a real number α that is not an integer, [α] denotes α rounded up or rounded down.
4. The method of any one of claims 1 to 3, characterized in that
the first device and/or the second device determine the authenticated encryption keys K_A and K_B of the first device and the second device according to the following expression:
{K_A, K_B, K'} ← KDF(S, aux)
aux ⊆ {X', Y', aux_A, aux_B}
where KDF is a key derivation function and K' ∈ {0,1}* denotes an extra derived key, which may be empty;
the first device and the second device set the session key to {K_A, K_B, K'} or {K_A, K_B} or K', or the session key is derived from K' or S together with aux_K ⊆ {X', Y', I_A, I_B, A, B, x, Y, Data_A, Data_B, aux_A, aux_B}.
5. The method of claim 4, characterized in that
the second device determines S according to the following expression:
S = X'^((b+ye)t) or S = X'^((be+y)t)
and the first device determines S according to the following expression:
S = Y'^((a+x)t) or S = Y'^(axt)
where t denotes the association factor, i.e. the quotient of the order of the group G' divided by the order of the group G.
6. The method of claim 4, characterized in that
the second device determines S according to the following expression:
S = X'^(b+ye) or S = X'^(be+y),
and the first device determines S according to the following expression:
S = Y'^(a+x) or S = Y'^(ax).
7. The method of claim 6, characterized in that
the first device, before determining S, first checks whether the second parameter Y' ∈ G holds and, if it does not, stops executing the subsequent steps;
and/or the second device, before determining S, first checks whether the first parameter X' ∈ G holds and, if it does not, stops executing the subsequent steps.
8. The method of any one of claims 5 to 7, characterized in that
the first device verifies the validity of the second parameter Y' as follows: it computes e = h(I_B, B, Y = g^y, X', aux_e) or e = h(I_B, B, Y = g^y, aux_e) according to the agreed method, and then verifies Y' = B·Y^e ∈ G' or Y' = B^e·Y ∈ G';
the second device verifies the validity of the first parameter X' as follows: it checks x ∈ Z_q, and then verifies X' = A·g^x ∈ G or X' = A^x ∈ G according to the agreed method.
CN201610111129.9A 2016-02-29 2016-02-29 Authentication key agreement method applied in client-server environment Pending CN105577370A (en)

Publications (1)

Publication Number Publication Date
CN105577370A true CN105577370A (en) 2016-05-11

Family

ID=55887088

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610111129.9A Pending CN105577370A (en) 2016-02-29 2016-02-29 Authentication key agreement method applied in client-server environment

Country Status (1)

Country Link
CN (1) CN105577370A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107169344A (en) * 2017-05-10 2017-09-15 威盛电子股份有限公司 Stop the method and the device using this method of unauthorized application program
CN107294712A (en) * 2017-07-24 2017-10-24 北京中测安华科技有限公司 A kind of method and device of key agreement
CN107566121A (en) * 2016-11-18 2018-01-09 赵运磊 A kind of efficient secret common recognition method
CN109617916A (en) * 2019-01-16 2019-04-12 北京云中融信网络科技有限公司 Code key processing method and instant communicating system
CN113037484A (en) * 2021-05-19 2021-06-25 银联商务股份有限公司 Data transmission method, device, terminal, server and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101175076A (en) * 2007-10-23 2008-05-07 赵运磊 High-efficiency, deniable, safety-unforgeable cryptographic key exchanging protocol of on-line computation
CN101247394A (en) * 2008-01-10 2008-08-20 赵运磊 Improved cryptographic key exchanging protocol
WO2009076811A1 (en) * 2007-12-14 2009-06-25 Huawei Technologies Co., Ltd. A method, a system, a client and a server for key negotiating
CN105099671A (en) * 2015-08-20 2015-11-25 赵运磊 Authentication key negotiation method enabling identity privacy and non-malleable security
CN105162585A (en) * 2015-08-25 2015-12-16 清华大学 Efficient privacy protecting session key agreement method
CN105306212A (en) * 2015-08-31 2016-02-03 赵运磊 Signcryption method with hidden identity and strong security

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107566121A (en) * 2016-11-18 2018-01-09 赵运磊 Efficient secret consensus method
WO2018090947A1 (en) * 2016-11-18 2018-05-24 赵运磊 Efficient secret consensus method
CN107566121B (en) * 2016-11-18 2020-03-10 上海扈民区块链科技有限公司 Efficient secret consensus method
CN107169344A (en) * 2017-05-10 2017-09-15 威盛电子股份有限公司 Method for blocking unauthorized applications and device using the method
CN107294712A (en) * 2017-07-24 2017-10-24 北京中测安华科技有限公司 Key agreement method and device
CN107294712B (en) * 2017-07-24 2020-01-31 北京中测安华科技有限公司 Key negotiation method and device
CN109617916A (en) * 2019-01-16 2019-04-12 北京云中融信网络科技有限公司 Key processing method and instant messaging system
CN113037484A (en) * 2021-05-19 2021-06-25 银联商务股份有限公司 Data transmission method, device, terminal, server and storage medium
CN113037484B (en) * 2021-05-19 2021-08-24 银联商务股份有限公司 Data transmission method, device, terminal, server and storage medium

Similar Documents

Publication Publication Date Title
CN106961336B (en) Key component escrow method and system based on the SM2 algorithm
CN112822014B (en) Data processing method and device, electronic equipment and storage medium
CN108667625B (en) Digital signature method of cooperative SM2
US6064741A (en) Method for the computer-aided exchange of cryptographic keys between a user computer unit U and a network computer unit N
CN104270249B (en) Signcryption method from a certificateless environment to an identity-based environment
CN107437993A (en) Certificateless two-party authenticated key agreement method and device
US6952475B1 (en) Method and arrangement for the computer-aided exchange of cryptographic keys between a first computer unit and a second computer unit
CN105577370A (en) Authentication key agreement method applied in client-server environment
CN104753917A (en) System and method for identity-based key management
CN110113150B (en) Encryption method and system based on non-certificate environment and capable of repudiation authentication
CN104301108A (en) Signcryption method based from identity environment to certificateless environment
CN101286849A (en) Third-party authentication system and method based on an agreed algorithm
CN110402560B (en) System and method for computing public session keys in identity-based authenticated key exchange scheme with forward security
CN105099671A (en) Authentication key negotiation method enabling identity privacy and non-malleable security
CN110138567A (en) Collaborative signature method based on ECDSA
CN105162585B (en) Privacy-preserving session key negotiation method
CN105306212A (en) Signcryption method with hidden identity and strong security
US11044081B2 (en) System and method for obtaining a common session key between devices
CN111698238A (en) Management method, system and storage medium for terminal layer equipment key of power internet of things
CN105763333A (en) Method and system for negotiating asymmetric key
CN104113420A (en) Identity based aggregate signcryption method
CN106850584B (en) Anonymous authentication method for client/server networks
CN109831305B (en) Anti-quantum computation signcryption method and system based on asymmetric key pool
CN108055134A (en) Collaborative computation method and system for elliptic curve scalar multiplication and pairing operations
KR100456624B1 (en) Authentication and key agreement scheme for mobile network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication (application publication date: 2016-05-11)