CN106790075A - Authentication system and authentication method for UDP transmission - Google Patents
Authentication system and authentication method for UDP transmission
- Publication number: CN106790075A (application CN201611193827.4A)
- Authority: CN (China)
- Prior art keywords: client, ticket, session key, hash value, key
- Legal status (as listed by Google Patents): Pending
Classifications
- H04L63/08 — Network architectures or network communication protocols for network security, for authentication of entities (H—Electricity; H04—Electric communication technique; H04L—Transmission of digital information, e.g. telegraphic communication; H04L63/00—Network architectures or network communication protocols for network security)
- H04L9/0643 — Hash functions, e.g. MD5, SHA, HMAC or f9 MAC (H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols; H04L9/06—the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; hash functions; pseudorandom sequence generators)
Abstract
The invention discloses an authentication system and authentication method for UDP transmission. The authentication system comprises a client, a server and an authentication center. The client sends a first request to the authentication center; the authentication center generates a session key, generates a first ticket and a second ticket from the session key, and sends them to the client; the client decrypts the first ticket to obtain the session key, computes a first hash value of a second request with the session key, and sends the second request, the second ticket and the first hash value to the server; the server decrypts the second ticket to obtain the session key, verifies the first hash value with the session key, computes a second hash value of the service data after verification succeeds, and sends the service data and the second hash value to the client; the client verifies with the session key whether the second hash value is correct and, if so, accepts the service data; if not, it discards the service data. The invention lets the server verify the legitimacy of the client and gives both communicating parties a data consistency check.
Description
Technical field
The present invention relates to the field of information security, and in particular to an authentication system and authentication method for UDP transmission.
Background technology
UDP (User Datagram Protocol) is a simple, datagram-oriented transport layer protocol. Because UDP does not set up a connection between client and server before datagrams are transmitted, and has no mechanisms such as timeout and retransmission, it is very fast and is suited to situations that demand low overhead and high transmission speed, such as the transfer of large files of audio, video and similar data.
In practice, however, when a user accesses network resources, the server should be able to verify the legitimacy of the client's request so that only valid users obtain resources and services. When a user needs to obtain large files such as audio or video from a server, UDP transmission guarantees transmission efficiency, but the server cannot judge whether the user's request is legitimate, and the user has no way to verify whether the received data was illegally tampered with in transit. This creates a certain security risk for both the user and the server.
The content of the invention
The technical problem to be solved by the present invention is that, in UDP transmission in the prior art, the server cannot judge the legitimacy of the user's request and the user cannot verify whether the received data has been illegally tampered with. To overcome these defects, the invention provides an authentication system and authentication method for UDP transmission.
The present invention solves the above technical problem by the following technical proposals:
The invention provides an authentication system for UDP transmission, characterised in that it comprises a client, a server and an authentication center;
the client is configured to send a first request to the authentication center, the first request asking to communicate with the server;
the authentication center is configured to generate a session key after receiving the first request, to generate a first ticket and a second ticket from the session key, and to send the first ticket and the second ticket to the client;
the client is configured to decrypt the first ticket to obtain the session key, to compute a first hash value of a second request with the session key, and to send the second request, the second ticket and the first hash value to the server, the second request asking to obtain service from the server;
the server is configured to decrypt the second ticket to obtain the session key, to verify the first hash value with the session key, to compute a second hash value of the service data with the session key after verification succeeds, and to send the service data and the second hash value to the client;
the client is further configured, after receiving the service data and the second hash value, to verify with the session key whether the second hash value is correct; if so, it accepts the service data, and if not, it discards the service data.
Preferably, the authentication center is further configured to generate a private key based on the identity of the client, and the client is further configured to store the private key.
Preferably, the authentication center is further configured to verify the identity of the client after receiving the first request, and to generate the session key after verification succeeds.
Preferably, the authentication center is configured to generate the session key with a random number generator, and to encrypt the session key with the identity of the client to generate the first ticket.
Preferably, the authentication center is further configured to encrypt the session key and the identity of the client to generate the second ticket, and to send the first ticket and the second ticket to the client.
Preferably, the client is configured to decrypt the first ticket with the private key to obtain the session key.
Preferably, the second ticket also includes timestamp information.
It is also an object of the invention to provide an authentication method for UDP transmission, characterised in that it comprises the following steps:
S1, the client sends a first request to the authentication center, the first request asking to communicate with the server;
S2, the authentication center generates a session key after receiving the first request, generates a first ticket and a second ticket from the session key, and sends the first ticket and the second ticket to the client;
S3, the client decrypts the first ticket to obtain the session key, computes a first hash value of a second request with the session key, and sends the second request, the second ticket and the first hash value to the server, the second request asking to obtain service from the server;
S4, the server decrypts the second ticket to obtain the session key, verifies the first hash value with the session key, computes a second hash value of the service data with the session key after verification succeeds, and sends the service data and the second hash value to the client;
S5, after receiving the service data and the second hash value, the client verifies with the session key whether the second hash value is correct; if so, it accepts the service data, and if not, it discards the service data.
Preferably, before step S1 the method further comprises:
S01, the authentication center generates a private key based on the identity of the client, and the client stores the private key.
Preferably, in step S2 the authentication center also verifies the identity of the client after receiving the first request, and generates the session key after verification succeeds.
Preferably, in step S2 the authentication center generates the session key with a random number generator, and encrypts the session key with the identity of the client to generate the first ticket.
Preferably, in step S2 the authentication center also encrypts the session key and the identity of the client to generate the second ticket, and sends the first ticket and the second ticket to the client.
Preferably, in step S3 the client decrypts the first ticket with the private key to obtain the session key.
Preferably, the second ticket also includes timestamp information.
The positive effect of the invention is that, compared with conventional UDP transmission, the invention gives the server a way to verify the legitimacy of the client while preserving transmission efficiency, gives both communicating parties a data consistency check, and at the same time prevents illegitimate clients from obtaining server resources, ensuring that the server provides service to legitimate clients.
Brief description of the drawings
Fig. 1 is a module diagram of the authentication system for UDP transmission of a preferred embodiment of the present invention.
Fig. 2 is a schematic diagram of the internal structure of the authentication system for UDP transmission of a preferred embodiment of the present invention.
Fig. 3 is a flow chart of the authentication method for UDP transmission of a preferred embodiment of the present invention.
Specific embodiment
The present invention is further illustrated below by way of embodiments, which do not limit the invention to the scope of the embodiments described.
As shown in Fig. 1, the authentication system for UDP transmission of the invention comprises a client 1, a server 2 and an authentication center 3, where the client 1 is communicatively connected to the server 2 and to the authentication center 3 respectively;
the authentication center 3 may be located at the server 2 end; an identity-based system is established between the authentication center 3 and the client 1, in which the authentication center 3 generates a private key based on the identity of the client 1 and the client 1 stores that private key;
when a user needs to obtain service from the server 2, the client 1 first sends a first request to the authentication center 3, the first request asking to communicate with the server 2; its content may be, for example, "apply to communicate with the server";
after receiving the first request, the authentication center 3 may verify the identity of the client 1, that is, judge the legitimacy of the first request based on the identity of the client; after verification succeeds it generates a session key for the client 1 and the server 2 with a random number generator, encrypts the session key with an identity-based encryption algorithm to generate a first ticket C, then encrypts the session key and the identity of the client with the RC4 encryption algorithm to generate a second ticket T, and sends the first ticket C and the second ticket T to the client 1; preferably, the second ticket T may also include timestamp information.
After receiving the first ticket C and the second ticket T, the client 1 decrypts the first ticket C with an identity-based decryption algorithm to obtain the session key, then computes a first hash value of a second request using the SHA256 algorithm (a secure hash algorithm) and the session key, and sends the second request, the first hash value and the second ticket, concatenated, to the server 2; the second request asks to obtain service from the server, and its content may be, for example, "obtain service".
After receiving the message, the server 2 first decrypts the second ticket to obtain the session key and the identity of the client 1, then verifies the first hash value using the SHA256 algorithm and the session key; if verification succeeds, it provides the corresponding service to the client 1 according to the second request: specifically, it computes a second hash value of the service data using the SHA256 algorithm and the session key, and sends the service data and the second hash value to the client 1.
After receiving the service data and the second hash value, the client 1 verifies with the SHA256 algorithm and the session key whether the second hash value is correct; if so, verification has succeeded and the client accepts the service data; if not, verification has failed and the client discards the service data.
In a specific implementation of the invention, the authentication center 3 may generate a random symmetric key that is kept secret by the authentication center and the server; the session key may be encrypted with the identity of the client 1 to obtain the first ticket, and the session key may be encrypted with the symmetric key shared by the authentication center 3 and the server 2 to obtain the second ticket.
Fig. 2 shows the internal structure of the client 1, the server 2 and the authentication center 3 in the UDP-transmission authentication system of the invention. Because an identity-based system must be built between the authentication center 3 and the client 1, the authentication center 3 must deploy an identity-based private key generation algorithm and an identity-based encryption algorithm, and store the identity of the client 1; the authentication center 3 also deploys the RC4 encryption algorithm and a random number generator. The random number shared between the authentication center 3 and the server 2 is generated by the random number generator and kept secret by the authentication center 3 and the server 2. The client 1 must deploy the identity-based decryption algorithm and the SHA256 algorithm, and store in secret the private key corresponding to its own identity. The server 2 must deploy the RC4 decryption algorithm and the SHA256 algorithm. Because the client 1 is communicatively connected to the server 2 and to the authentication center 3 respectively, all three include a network interface. Once this deployment is complete, authenticated communication over UDP between the client 1 and the server 2 needs four communication steps in total: 1. the client sends the first request to the authentication center; 2. the authentication center sends the first ticket and the second ticket to the client; 3. the client sends the second request and the second ticket to the server; 4. the server provides service (transmits data) to the client.
Thus the invention introduces an authentication center on the server side. When a client needs to obtain service from the server and transmits data over the UDP protocol, the authentication center provides the client with a second ticket with which the user obtains the service. An identity-based system is set up between the authentication center and the client, which makes it easy to manage client identities and to judge the legitimacy of requests. The second ticket contains the shared session key that the authentication center assigns to the client and the server, which can be used to ensure the consistency of the data the two parties transmit over UDP. The second ticket is encrypted with the stream cipher RC4, which keeps the protocol lightweight.
As shown in Fig. 3, the invention also provides an authentication method for UDP transmission, implemented with the authentication system for UDP transmission described above and comprising the following steps:
Step 101, the authentication center generates a private key based on the identity of the client, and the client stores the private key;
Step 102, the client sends a first request to the authentication center, the first request asking to communicate with the server;
Step 103, after receiving the first request, the authentication center also verifies the identity of the client, generates the session key after verification succeeds, generates a first ticket and a second ticket from the session key, and sends the first ticket and the second ticket to the client;
Step 104, the client decrypts the first ticket with the private key to obtain the session key, computes a first hash value of a second request with the session key, and sends the second request, the second ticket and the first hash value to the server, the second request asking to obtain service from the server;
Step 105, the server decrypts the second ticket to obtain the session key, verifies the first hash value with the session key, computes a second hash value of the service data with the session key after verification succeeds, and sends the service data and the second hash value to the client;
Step 106, after receiving the service data and the second hash value, the client verifies with the session key whether the second hash value is correct; if so, it accepts the service data, and if not, it discards the service data.
In step 103, the authentication center generates the session key with a random number generator and encrypts the session key to generate the first ticket; the authentication center also encrypts the session key and the identity of the client to generate the second ticket, and sends the first ticket and the second ticket to the client; preferably, the second ticket also includes timestamp information. In step 104, the client decrypts the first ticket to obtain the session key.
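The four-message exchange of steps 101 to 106, as an added worked example in Python that is not part of the patent: the authentication center derives a per-identity private key, mints ticket C and the RC4-encrypted ticket T carrying a timestamp, and the server and client verify the first and second hash values with the session key. The identity-based encryption of ticket C is replaced by a clearly labelled HMAC-based stand-in, the page's "SHA256 with the session key" is realised as HMAC-SHA256, and the ticket layout, key sizes, names and sample data are all assumptions.

```python
import hashlib
import hmac
import os
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def keyed_hash(session_key: bytes, msg: bytes) -> bytes:
    """The page's 'SHA256 with the session key', realised as HMAC-SHA256 (assumption)."""
    return hmac.new(session_key, msg, hashlib.sha256).digest()

def xor_pad(private_key: bytes, nonce: bytes, block: bytes) -> bytes:
    """Stand-in for identity-based encryption of ticket C: one-time pad from HMAC(priv, nonce)."""
    pad = hmac.new(private_key, nonce, hashlib.sha256).digest()[:len(block)]
    return bytes(a ^ b for a, b in zip(block, pad))

class AuthCenter:                                 # authentication center 3
    def __init__(self, server_key: bytes):
        self.master = os.urandom(32)              # stand-in for an IBE master secret
        self.server_key = server_key              # random symmetric key shared with server 2
        self.registered = set()

    def issue_private_key(self, identity: bytes) -> bytes:
        # Step S01 / 101: private key derived from the client's identity (stand-in, not real IBE).
        self.registered.add(identity)
        return hmac.new(self.master, identity, hashlib.sha256).digest()

    def first_request(self, identity: bytes, now: int):
        # Step S2 / 103: check the identity, then mint the session key and both tickets.
        if identity not in self.registered:
            raise PermissionError("unknown client identity")
        session_key, nonce = os.urandom(16), os.urandom(16)
        priv = hmac.new(self.master, identity, hashlib.sha256).digest()
        ticket_c = nonce + xor_pad(priv, nonce, session_key)
        # Ticket T: RC4 under the AC/server key over timestamp || session key || identity.
        ticket_t = rc4(self.server_key, struct.pack(">Q", now) + session_key + identity)
        return ticket_c, ticket_t

class Client:                                     # client 1
    def __init__(self, identity: bytes, private_key: bytes):
        self.identity, self.private_key, self.session_key = identity, private_key, b""

    def open_ticket_c(self, ticket_c: bytes) -> None:
        # Step S3 / 104: recover the session key from ticket C.
        self.session_key = xor_pad(self.private_key, ticket_c[:16], ticket_c[16:])

    def second_request(self, request: bytes, ticket_t: bytes):
        return request, ticket_t, keyed_hash(self.session_key, request)   # first hash value

    def accept(self, data: bytes, h2: bytes):
        # Step S5 / 106: keep the data only if the second hash value verifies; otherwise drop it.
        return data if hmac.compare_digest(keyed_hash(self.session_key, data), h2) else None

class Server:                                     # server 2
    def __init__(self, server_key: bytes, ttl: int = 300):
        self.server_key, self.ttl = server_key, ttl
        self.files = {b"GET clip.bin": b"constructed video bytes"}   # constructed sample

    def serve(self, request: bytes, ticket_t: bytes, h1: bytes, now: int):
        # Step S4 / 105.  RC4 gives confidentiality but no integrity, so a ticket whose
        # session-key bytes were altered in transit is caught only by the H1 check below.
        plain = rc4(self.server_key, ticket_t)
        (issued,) = struct.unpack(">Q", plain[:8])
        session_key, identity = plain[8:24], plain[24:]
        if now - issued > self.ttl:
            return None                           # timestamp check: stale ticket
        if not hmac.compare_digest(keyed_hash(session_key, request), h1):
            return None                           # H1 wrong: not from the session-key holder
        data = self.files.get(request, b"")
        return identity, data, keyed_hash(session_key, data)      # second hash value

def run_protocol(request=b"GET clip.bin", tamper_data=False, delay=5, clock=1_700_000_000):
    """Four-message exchange; returns (identity seen by server, data accepted by client)."""
    server_key = os.urandom(16)
    ac, server = AuthCenter(server_key), Server(server_key)
    client = Client(b"alice@example", ac.issue_private_key(b"alice@example"))
    ticket_c, ticket_t = ac.first_request(client.identity, clock)   # messages 1 and 2
    client.open_ticket_c(ticket_c)
    req, t, h1 = client.second_request(request, ticket_t)           # message 3
    reply = server.serve(req, t, h1, clock + delay)                 # message 4
    if reply is None:
        return None
    identity, data, h2 = reply
    if tamper_data:                               # simulate modification on the wire
        data = data[:-1] + bytes([data[-1] ^ 0x01])
    return identity, client.accept(data, h2)
```

`run_protocol()` returns the accepted data; with `tamper_data=True` the client discards the data, and a ticket T older than the server's `ttl` is rejected before any service is given.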
Although specific embodiments of the invention have been described above, those skilled in the art will appreciate that they are merely illustrative, and the scope of protection of the invention is defined by the appended claims. Those skilled in the art may make various changes or modifications to these embodiments without departing from the principle and essence of the invention, and all such changes and modifications fall within the scope of protection of the invention.
Claims (14)
1. An authentication system for UDP transmission, characterised in that it comprises a client, a server and an authentication center;
the client is configured to send a first request to the authentication center, the first request asking to communicate with the server;
the authentication center is configured to generate a session key after receiving the first request, to generate a first ticket and a second ticket from the session key, and to send the first ticket and the second ticket to the client;
the client is configured to decrypt the first ticket to obtain the session key, to compute a first hash value of a second request with the session key, and to send the second request, the second ticket and the first hash value to the server, the second request asking to obtain service from the server;
the server is configured to decrypt the second ticket to obtain the session key, to verify the first hash value with the session key, to compute a second hash value of the service data with the session key after verification succeeds, and to send the service data and the second hash value to the client;
the client is further configured, after receiving the service data and the second hash value, to verify with the session key whether the second hash value is correct; if so, it accepts the service data, and if not, it discards the service data.
2. The authentication system as claimed in claim 1, characterised in that the authentication center is further configured to generate a private key based on the identity of the client, and the client is further configured to store the private key.
3. The authentication system as claimed in claim 2, characterised in that the authentication center is further configured to verify the identity of the client after receiving the first request, and to generate the session key after verification succeeds.
4. The authentication system as claimed in claim 3, characterised in that the authentication center is configured to generate the session key with a random number generator, and to encrypt the session key with the identity of the client to generate the first ticket.
5. The authentication system as claimed in claim 4, characterised in that the authentication center is further configured to encrypt the session key and the identity of the client to generate the second ticket, and to send the first ticket and the second ticket to the client.
6. The authentication system as claimed in claim 2, characterised in that the client is configured to decrypt the first ticket with the private key to obtain the session key.
7. The authentication system as claimed in claim 5, characterised in that the second ticket also includes timestamp information.
8. An authentication method for UDP transmission, characterised in that it comprises the following steps:
S1, the client sends a first request to the authentication center, the first request asking to communicate with the server;
S2, the authentication center generates a session key after receiving the first request, generates a first ticket and a second ticket from the session key, and sends the first ticket and the second ticket to the client;
S3, the client decrypts the first ticket to obtain the session key, computes a first hash value of a second request with the session key, and sends the second request, the second ticket and the first hash value to the server, the second request asking to obtain service from the server;
S4, the server decrypts the second ticket to obtain the session key, verifies the first hash value with the session key, computes a second hash value of the service data with the session key after verification succeeds, and sends the service data and the second hash value to the client;
S5, after receiving the service data and the second hash value, the client verifies with the session key whether the second hash value is correct; if so, it accepts the service data, and if not, it discards the service data.
9. The authentication method as claimed in claim 8, characterised in that before step S1 the method further comprises:
S01, the authentication center generates a private key based on the identity of the client, and the client stores the private key.
10. The authentication method as claimed in claim 9, characterised in that in step S2 the authentication center also verifies the identity of the client after receiving the first request, and generates the session key after verification succeeds.
11. The authentication method as claimed in claim 10, characterised in that in step S2 the authentication center generates the session key with a random number generator, and encrypts the session key with the identity of the client to generate the first ticket.
12. The authentication method as claimed in claim 11, characterised in that in step S2 the authentication center also encrypts the session key and the identity of the client to generate the second ticket, and sends the first ticket and the second ticket to the client.
13. The authentication method as claimed in claim 9, characterised in that in step S3 the client decrypts the first ticket with the private key to obtain the session key.
14. The authentication method as claimed in claim 12, characterised in that the second ticket also includes timestamp information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611193827.4A CN106790075A (en) | 2016-12-21 | 2016-12-21 | Authentication system and authentication method for UDP transmission |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106790075A (en) | 2017-05-31 |
Family ID: 58897092
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112437436A (en) * | 2020-12-07 | 2021-03-02 | 中国联合网络通信集团有限公司 | Identity authentication method and device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101340436A (en) * | 2008-08-14 | 2009-01-07 | 普天信息技术研究院有限公司 | Method and apparatus implementing remote access control based on portable memory apparatus |
CN101420413A (en) * | 2007-10-25 | 2009-04-29 | 华为技术有限公司 | Session cipher negotiating method, network system, authentication server and network appliance |
CN101742508A (en) * | 2009-12-21 | 2010-06-16 | 中兴通讯股份有限公司 | System and method for transmitting files between WAPI terminal and application server |
CN103684798A (en) * | 2013-12-31 | 2014-03-26 | 南京理工大学连云港研究院 | Authentication system used in distributed user service |
CN103780618A (en) * | 2014-01-22 | 2014-05-07 | 西南交通大学 | Method for cross-isomerism domain identity authentication and session key negotiation based on access authorization ticket |
CN106209734A (en) * | 2015-04-30 | 2016-12-07 | 阿里巴巴集团控股有限公司 | The identity identifying method of process and device |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170531 |