Background
Key agreement is a method by which two or more parties agree on a shared key over a public network; executing the agreement requires the cooperation of the participating parties. Before negotiation, each party typically holds some secret information, and a password is a commonly used kind of such information. Passwords are typically short, usually four to eight digits or letters, and easy to remember, but they are less secure and can be guessed by exhaustively trying the possible password combinations. Therefore, before the actual session, a session key is negotiated through the password; because the key usually has many bits, it is hard to obtain by exhaustion, and the security strength of the session is improved.
Invention patent application 201210349976.0 discloses a lightweight authentication key agreement protocol for wireless networks based on digital certificates. It rests on a 'certificate private key / protection key' dual authentication system and a 'protection key' dynamic agreement mechanism, combining public key cryptography with a shared dynamic protection key to authenticate user identities twice: users verify session holding and private key possession by exchanging certificates and private key signatures for the first authentication, and perform the second authentication through the shared protection key. The protocol exchanges important parameters protected by the shared protection key of the two parties after the previous conversation has finished, and uses the protection key newly calculated in the current conversation to confirm the correctness of the key, so that each round of communication verifies the correctness of the key while exchanging parameters. Key group negotiation and parameter exchange use simple bit operations, and confirmation of the key update is completed through Finished messages. The protocol uses the session ID to select dynamically whether to calculate the session key from the shared old parameters, which enhances the flexibility of the protocol while ensuring security and efficiency.
Invention patent application 201080008115.5 discloses an identity-based authenticated key agreement protocol. From the perspective of the first party, the protocol between a first party and a second party comprises the following steps. An encrypted first random key component is sent to the second party, encrypted using the second party's public key in accordance with an identity-based encryption operation. An encrypted random key component pair is received from the second party; the pair is formed from a first random key component and a second random key component computed at the second party, and encrypted there according to an identity-based encryption operation using the first party's public key. The second random key component is sent in encrypted form to the second party, encrypted using the second party's public key. Keys for subsequent communication between the two parties may then be calculated at both parties from the first and second random key components.
Invention patent application 201310226205.7 discloses a wireless local area network secure communication method based on quantum key distribution. The method includes the following steps: (1) identity authentication based on the quantum key is carried out; (2) quantum key agreement is carried out; (3) encryption is started. The method prevents a forged access point from exchanging information with the applicant, wasting system resources or causing a denial of service attack; two-way authentication between the applicant and the authentication server and between the applicant and the authenticator is realized, greatly improving the security of identity authentication; message verification in the key agreement is protected by a key generated during identity authentication, so that attacks such as man-in-the-middle tampering can be prevented; and key agreement based on quantum technology has its security guaranteed by physical law, is indecipherable, can resist decoding by a quantum computer with strong computing power, and improves the security of the whole system.
Invention patent application 201210304387.0 discloses a symmetric key agreement method for a wireless body area network. In this method, node A acquires a physiological signal at a given moment; then, based on the shared key generated from it, the data is transmitted to node B in hidden form; node B extracts the physiological signal for the same time, performs noise removal and verifies whether the values are correct; if they are correct, it solves for the negotiated key; if not, the physiological signal near that moment is acquired and the key is obtained again.
The above patent applications negotiate a session key between users based on certificates, user identities, quanta, physiological signals and so on, and most nodes transmit data during the key negotiation, which increases the energy consumption of the key negotiation process. Key agreement that is tied to the entropy of a signal does not have good anti-attack performance.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention aims to provide a password-based lightweight key agreement method that avoids the requirement of accurate time synchronization and solves the problem of the high energy consumption of frequently broadcasting synchronization signals; during key negotiation most nodes only process data and do not transmit it, so the energy consumption of key negotiation is effectively reduced. The negotiation is independent of the entropy of any signal, adopts a weak time synchronization method and a preset key technique, and has good anti-attack performance.
The purpose of the invention is realized by adopting the following technical scheme:
the invention provides a password-based lightweight key agreement method comprising two stages, forward transmission and backward transmission; the improvement is that the key agreement method comprises the following steps:
A. initializing the key negotiation;
B. first round (forward transmission): the data is passed from user U1 to user Un, and user Un then sends it to the trusted server S;
C. second round (reverse transmission): after verification by the trusted server S, the data is sent to user Un and then passed from user Un back to U1.
Further, step A comprises the following steps:
A1. the key agreement adopts a key agreement protocol comprising n users U1, …, Un and a trusted server S; let user U1 be the initiator of the key agreement and user Un be the last user, adjacent to the trusted server S;
A2. the trusted server S publishes its public key Ppub to the n users U1, …, Un and keeps its private key Ppri; the n users U1, …, Un can send encrypted information to the trusted server S, which decrypts it with its private key; the n users U1, …, Un share no information among themselves;
A3. each user Ui shares a password pwi with the trusted server S, where i = 1, …, n;
A4. define a finite cyclic group G of prime order p and take an element g of G;
A5. define three hash functions h1, h2, h3, where h1 generates the session identity, h2 is used for correctness verification and h3 generates the session key; l1, l2 and l3 all denote fixed lengths, and [symbol missing] denotes an arbitrary length; l1, l2, l3 are chosen as 512 bits or 1024 bits according to actual needs.
Further, step B comprises the following steps:
B1. for the key agreement initiator U1: compute the session identity sid = h1(U1, …, Un), then choose two random numbers x1, R1 ∈ Zp, where Zp denotes the prime field modulo p; compute [formula missing] and send (sid, U1, …, Un, N1, M1) to the next user U2; x1 denotes a random number of the prime field Zp modulo p, E denotes encryption, [formula missing] denotes encryption with Ppub as the key, and N1 and M1 are intermediate results of the calculation;
B2. for user Ui, i = 1, …, n-1: choose two random numbers xi, Ri ∈ Zp, compute [formula missing] and send (sid, U1, …, Un, N1, M1, …, Ni, Mi) to the next user Ui+1;
B3. for user Un: operate as the other n-1 users do, and send the final (sid, U1, …, Un, N1, M1, …, Nn, Mn) to the trusted server S.
Further, step C comprises the following steps:
C1. for the trusted server S: after receiving (sid, U1, …, Un, N1, M1, …, Nn, Mn), the trusted server S decrypts with its private key to obtain the session identifier sid, user U1, [formula missing] and the random number R1; it first verifies the session identification sid = h1(U1, …, Un), then checks whether [formula missing] equals the exclusive or of the received N1 with the session identity sid and the password pw1 shared with user U1; if the two are equal, the trusted server S performs the same check on N2, M2, …, Nn, Mn; if any check fails, the procedure terminates; after all checks pass, the trusted server S confirms the legality of (sid, U1, …, Un, N1, M1, …, Nn, Mn), selects a random number s ∈ Zp, computes [formula missing], i = 2, …, n, and M′i = h2(sid||Ui||Ri||N), i = 1, …, n, and sends the generated [formula missing] to user Un;
C2. for user Un: upon receipt, first verify the session identity sid = h1(U1, …, Un), then compute [formula missing] and the hash h2(sid||Un||Rn||N) and verify h2(sid||Un||Rn||N) = M′n; if the verification passes, compute the session key K = h3(sid||N) and [formula missing], i = 1, …, n, and send [formula missing] to user Un-1; if the verification fails, send an error message;
C3. for user Ui, i = 2, …, n-1: upon receipt, first verify the session identity sid = h1(U1, …, Un), then compute [formula missing] and the hash h2(sid||Ui||Ri||N) and verify it; if the verification passes, compute the session key K = h3(sid||N) and [formula missing], and send [formula missing] to user Ui-1; if the verification fails, send an error message;
C4. for user U1: after receiving [formula missing], first verify the session identification sid = h1(U1, …, Un), then compute [formula missing] and the hash h2(sid||U1||R1||N) and verify h2(sid||U1||R1||N) = M′1; if the verification passes, compute the session key K = h3(sid||N); if the verification fails, send an error message;
wherein [formula missing] are all intermediate results of the calculation; x1, …, xn all denote random numbers of the prime field Zp modulo p; g denotes an element of the finite cyclic group G of order p.
Further, each of the n users of the key agreement protocol sends data once and receives data once, and the key agreement protocol ends after the initiator receives the returned data.
The technical scheme provided by the invention has the following excellent effects:
1. In the password-based lightweight key agreement method, the key agreement protocol rests on a password that is easy for the user to remember, yet agrees on a high-strength session key. When the method is used, a communication connection between every pair of users is not required; a party only needs to be connected to one or more parties close to it, which makes the method particularly suitable for point-to-point networked communication in power, telecommunications and similar scenarios. Common attacks on key agreement, such as online dictionary attacks, offline dictionary attacks and man-in-the-middle attacks, can be resisted, so the method has high security strength.
2. The key negotiation method of the invention avoids the requirement of accurate time synchronization and solves the problem of the high energy consumption of frequently broadcasting synchronization signals; during key negotiation most nodes only process data and do not transmit it, so the energy consumption of key negotiation is effectively reduced.
Detailed Description
The following describes embodiments of the present invention in further detail with reference to the accompanying drawings.
The following description and the drawings sufficiently illustrate specific embodiments of the invention to enable those skilled in the art to practice them. Other embodiments may incorporate structural, logical, electrical, process, and other changes. The examples merely typify possible variations. Individual components and functions are optional unless explicitly required, and the sequence of operations may vary. Portions and features of some embodiments may be included in or substituted for those of others. The scope of embodiments of the invention encompasses the full ambit of the claims, as well as all available equivalents of the claims. Embodiments of the invention may be referred to herein, individually or collectively, by the term "invention" merely for convenience and without intending to voluntarily limit the scope of this application to any single invention or inventive concept if more than one is in fact disclosed.
The invention provides a password-based lightweight key agreement protocol to realize secure communication. The flow chart is shown in fig. 1. All operations of the protocol are performed on a finite cyclic group G of prime order p, and g is any element of G.
The three hash functions are used respectively to generate the session identifier, to perform correctness verification and to generate the session key. The system comprises n users U1, …, Un and a trusted server S. S publishes its public key Ppub to all users and keeps its private key Ppri. A user can send encrypted information to the server, and the server decrypts it with its private key. The n users share no information, and each user Ui shares a password pwi with S. Without loss of generality, we assume that U1 is the initiator of the key agreement and Un is the last user, adjacent to the server S. Execution of the protocol is divided into two rounds: in the first round the data passes from U1 to Un, and in the second round it is passed back in reverse to U1. Every user sends once and receives once, and the protocol ends after U1 receives the returned data. l1, l2 and l3 all denote fixed lengths, and [symbol missing] denotes an arbitrary length; l1, l2, l3 are chosen as 512 bits or 1024 bits according to actual needs.
The first round is as follows:
U1: compute the session identity sid = h1(U1, …, Un), then choose two random numbers x1, R1 ∈ Zp, then compute [formula missing] and send (sid, U1, …, Un, N1, M1) to the next user U2.
Ui, i = 1, …, n-1: choose two random numbers xi, Ri ∈ Zp, then compute [formula missing] and send (sid, U1, …, Un, N1, M1, …, Ni, Mi) to the next user Ui+1.
Un: operate as the other users do, and send the final (sid, U1, …, Un, N1, M1, …, Nn, Mn) to the trusted server S.
The second round is as follows:
s: receive (sid, U)
1,…,U
n,N
1,M
1,…,N
n,M
n) Then S decrypts M with its private key
1To obtain sid to U
1And R
1First, sid = h is verified
1(U
1,…,U
n). S then checks whether it equals received N
1With oneself and U
1Shared pw
1The result of the exclusive or. If equal, S continues to pair N
2,M
2,…,N
n,M
nThe same check is made. If there is a failure, the routine terminates. After all checks passed, S confirms (sid, U)
1,…,U
n,N
1,M
1,…,N
n,M
n) And (4) legality. Then S selects random number S belonged to Zp and calculates
i=2,…,n,M′
i=h
2(sid||U
i||R
i| N), i =1, …, N, sends the generated to U
n。
U
n: receive from
After that, sid = h is first verified
1(U
1,…,U
n) Then calculate
Then calculate h
2(sid||U
n||R
nN) and verified
If the authentication is passed, calculating the session key K = h
3(sid | | N). Next, continue to calculate
i =1, …, n, will
Is sent to U
n-1. If the verification fails, an error message is sent.
U
iI =2, …, n-1: upon receipt, first verify sid = h
1(U
1,…,U
n) Then calculate h again
2(sid||U
i||R
iN) and verifies h
2(sid||U
i||R
i||N)=M′
i. If the authentication is passed, calculating the session key K = h
3(sid | | N). Next, continue to calculate
Will be sent to U
i-1. If the verification fails, an error message is sent.
U
1: receive from
After that, sid = h is first verified
1(U
1,…,U
n) Then calculate
Then calculate h
2(sid||U
1||R
1N) and verifies h
2(sid||U
1||R
1||N)=M′
1. If the authentication is passed, calculating the session key K ═ h
3(sid | | N). If the verification fails, an error message is sent.
Wherein: n is a radical of
1、M
1、N
2,M
2,…,N
n,M
n、
M′
1,…,M′
nAre all intermediate results of the calculation; x
1·…·x
nAll represent a prime number field Z modulo p
pThe random number of (1).
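The two rounds described in steps A to C and again in this detailed description, as an added runnable simulation (example code written for this page, not the patent's own implementation). The formulas that did not survive in the text are replaced by stated assumptions: the value masked by sid and pwi is a Diffie-Hellman-style chain Yi = (Yi-1)^xi with Y0 = g, the server's reply carries T1 = g^s and Ti = (Yi-1)^s which each later user raises to its own x before passing it on, the password is hashed to a fixed-length mask before the exclusive or, and the encryption E under Ppub is hashed ElGamal in the same group. The group parameters P, Q, G, the hash domain tags and the sample passwords are constructed toy values; h1, h2, h3 are all SHA-256 with different tags.

```python
import hashlib
import json
import secrets

# Toy group, constructed for illustration: G generates the subgroup of prime order Q in Z_P^*.
P, Q, G = 23, 11, 4
L = 32  # l1 = l2 = l3 = 256 bits here; the text allows 512 or 1024 bits


def h(tag, *parts):
    """SHA-256 with a domain tag, standing in for h1 ("sid"), h2 ("verify") and h3 ("key")."""
    m = hashlib.sha256(tag.encode())
    for part in parts:
        m.update(str(part).encode() + b"|")
    return m.digest()


def xor3(a, b, c):  # XOR of three L-byte strings, used for N_i = Y_i XOR sid XOR pw_i
    return bytes(x ^ y ^ z for x, y, z in zip(a, b, c))


def keystream(shared, n):  # hash-derived stream for hashed ElGamal (assumed stand-in for E)
    return b"".join(h("kdf", shared, i) for i in range(-(-n // L)))[:n]


def pk_encrypt(ppub, payload):
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), bytes(a ^ b for a, b in zip(payload, keystream(pow(ppub, k, P), len(payload))))


def pk_decrypt(ppri, ct):
    c1, body = ct
    return bytes(a ^ b for a, b in zip(body, keystream(pow(c1, ppri, P), len(body))))


class User:
    def __init__(self, name, pw):
        self.name, self.pw, self.K = name, pw, None

    def forward(self, ppub, users, msg):
        """Round 1 (B1-B3): append (N_i, M_i) and hand the message to the next user."""
        sid = h("sid", *users)                          # sid = h1(U1, ..., Un)
        self.x = secrets.randbelow(Q - 1) + 1           # x_i in Z_q
        self.R = secrets.token_bytes(L)                 # R_i
        # Assumed chain value Y_i = (Y_{i-1})^{x_i} with Y_0 = g; it travels in the clear.
        self.Y = pow(G if msg is None else msg["Y"], self.x, P)
        N_i = xor3(self.Y.to_bytes(L, "big"), sid, h("pw", self.pw))
        M_i = pk_encrypt(ppub, json.dumps([sid.hex(), self.name, self.Y, self.R.hex()]).encode())
        pairs = ([] if msg is None else msg["pairs"]) + [(N_i, M_i)]
        return {"sid": sid, "users": users, "pairs": pairs, "Y": self.Y}

    def backward(self, msg):
        """Round 2 (C2-C4): recover N, check M'_i, derive K, forward the rest to U_{i-1}."""
        k = msg["users"].index(self.name)               # 0-based position; T[k] is ours
        if msg["sid"] != h("sid", *msg["users"]):
            raise ValueError(f"{self.name}: session identity mismatch")
        N = pow(msg["T"][k], self.x, P)                 # N = g^(s x_1 ... x_n)
        if h("verify", msg["sid"], self.name, self.R, N) != msg["Mp"][k]:
            raise ValueError(f"{self.name}: M'_i check failed")
        self.K = h("key", msg["sid"], N)                # K = h3(sid || N)
        T = [pow(t, self.x, P) for t in msg["T"][:k]]   # fold x_i into the values for U_1..U_{i-1}
        return {"sid": msg["sid"], "users": msg["users"], "T": T, "Mp": msg["Mp"]}


class Server:
    def __init__(self, passwords):
        self.passwords, self.ppri = passwords, secrets.randbelow(Q - 1) + 1  # pw_i table, Ppri
        self.ppub = pow(G, self.ppri, P)                # Ppub

    def verify_and_reply(self, msg):
        """Step C1: decrypt each M_i, check sid and the password mask, then build the reply."""
        sid, users = msg["sid"], msg["users"]
        if sid != h("sid", *users):
            raise ValueError("server: session identity mismatch")
        Y, R = [], []
        for name, (N_i, M_i) in zip(users, msg["pairs"]):
            sid_i, name_i, Y_i, R_i = json.loads(pk_decrypt(self.ppri, M_i))
            # Only a holder of pw_i can have formed N_i = Y_i XOR sid XOR pw_i.
            if (bytes.fromhex(sid_i) != sid or name_i != name
                    or Y_i.to_bytes(L, "big") != xor3(N_i, sid, h("pw", self.passwords[name]))):
                raise ValueError(f"server: check failed for {name}")
            Y.append(Y_i)
            R.append(bytes.fromhex(R_i))
        s = secrets.randbelow(Q - 1) + 1
        N = pow(Y[-1], s, P)                            # N = g^(s x_1 ... x_n)
        T = [pow(G, s, P)] + [pow(y, s, P) for y in Y[:-1]]  # T_1 = g^s, T_i = Y_{i-1}^s (assumed)
        Mp = [h("verify", sid, name, r, N) for name, r in zip(users, R)]  # M'_i = h2(sid||Ui||Ri||N)
        return {"sid": sid, "users": users, "T": T, "Mp": Mp}


def run_protocol(user_passwords, server_passwords):
    """One full run; returns the session keys held by U_1..U_n, or raises on any failed check."""
    users = [User(n, pw) for n, pw in user_passwords.items()]
    names = [u.name for u in users]
    server = Server(server_passwords)
    msg = None
    for u in users:                                     # round 1: U_1 -> ... -> U_n -> S
        msg = u.forward(server.ppub, names, msg)
    msg = server.verify_and_reply(msg)
    for u in reversed(users):                           # round 2: S -> U_n -> ... -> U_1
        msg = u.backward(msg)
    return [u.K for u in users]
```

Running `run_protocol(pws, pws)` with a dictionary of constructed passwords shows the properties the text claims: every user touches the message once per round, only the server ever sees a password check (an intermediate user forwards N_i, M_i without being able to verify them), and a mismatch between a user's password and the server's copy aborts at step C1 before any session key exists. A wrong M′i, or a sid that does not match the user list, aborts at the user that detects it in the second round.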