CN106790075A - Authentication system and authentication method for UDP transmission - Google Patents

Info

Publication number: CN106790075A
Authority: CN (China)
Prior art keywords: client, ticket, session key, hash value, key
Legal status: Pending (Google Patents marks the status as an assumption, not a legal conclusion)
Application number: CN201611193827.4A
Other languages: Chinese (zh)
Inventors: 黄鑫, 张�杰, 刘炜
Current assignee: Shanghai Cloud Entropy Network Technology Co Ltd
Original assignee: Shanghai Cloud Entropy Network Technology Co Ltd
Priority date: 2016-12-21
Filing date: 2016-12-21
Publication date: 2017-05-31
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols: the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC


Abstract

The invention discloses an authentication system and an authentication method for UDP transmission. The authentication system comprises a client, a server and an authentication center. The client sends a first request to the authentication center; the authentication center generates a session key, generates a first ticket and a second ticket according to the session key, and sends both to the client; the client decrypts the first ticket to obtain the session key, computes a first hash value of a second request with the session key, and sends the second request, the second ticket and the first hash value to the server; the server decrypts the second ticket to obtain the session key, verifies the first hash value with the session key, computes a second hash value of the service data once verification passes, and sends the service data and the second hash value to the client; the client verifies with the session key whether the second hash value is correct and, if so, accepts the service data, otherwise discards it. The invention gives the server a means of verifying the legitimacy of the client and gives both communicating parties a data consistency check.

Description

Authentication system and authentication method for UDP transmission
Technical field
The present invention relates to the field of information security, and more particularly to an authentication system and an authentication method for UDP transmission.
Background art
UDP (User Datagram Protocol) is a simple, datagram-oriented transport layer protocol. Because UDP establishes no connection between client and server before a datagram is transmitted and has no mechanisms such as timeout and retransmission, its transmission speed is high, and it is suited to applications that require low overhead and fast transmission, such as the transfer of large files of audio, video and similar data.
In practice, however, when a user accesses network resources the server should be able to verify the legitimacy of the client's request, so that only legitimate users obtain resources and services. When a user needs to obtain large files such as audio or video from a server, UDP transmission preserves transmission efficiency, but the server cannot judge the legitimacy of the user's request, and the user has no way to verify whether the received data was illegally tampered with in transit. This poses a security risk to both the user and the server.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the defects of the prior art that, during UDP transmission, the server cannot judge the legitimacy of the user's request and the user cannot verify whether the received data has been illegally tampered with, by providing an authentication system and an authentication method for UDP transmission.
The present invention solves the above technical problem by the following technical solutions:
The present invention provides an authentication system for UDP transmission, characterised in that it comprises a client, a server and an authentication center;
the client is configured to send a first request to the authentication center, the first request requesting communication with the server;
the authentication center is configured to generate a session key after receiving the first request, to generate a first ticket and a second ticket according to the session key, and to send the first ticket and the second ticket to the client;
the client is configured to decrypt the first ticket to obtain the session key, to compute a first hash value of a second request with the session key, and to send the second request, the second ticket and the first hash value to the server, the second request requesting a service from the server;
the server is configured to decrypt the second ticket to obtain the session key, to verify the first hash value with the session key, to compute a second hash value of the service data with the session key once verification passes, and to send the service data and the second hash value to the client;
the client is further configured, after receiving the service data and the second hash value, to verify with the session key whether the second hash value is correct, and if so to accept the service data, otherwise to discard the service data.
Preferably, the authentication center is further configured to generate a private key based on the identity of the client, and the client is further configured to store the private key.
Preferably, the authentication center is further configured, after receiving the first request, to verify the identity of the client and to generate the session key once verification passes.
Preferably, the authentication center is configured to generate the session key with a random number generator and to encrypt the session key with the identity of the client to generate the first ticket.
Preferably, the authentication center is further configured to encrypt the session key and the identity of the client to generate the second ticket, and to send the first ticket and the second ticket to the client.
Preferably, the client is configured to decrypt the first ticket with the private key to obtain the session key.
Preferably, the second ticket further contains timestamp information.
It is another object of the present invention to provide an authentication method for UDP transmission, characterised in that it comprises the following steps:
S1, the client sends a first request to the authentication center, the first request requesting communication with the server;
S2, the authentication center generates a session key after receiving the first request, generates a first ticket and a second ticket according to the session key, and sends the first ticket and the second ticket to the client;
S3, the client decrypts the first ticket to obtain the session key, computes a first hash value of a second request with the session key, and sends the second request, the second ticket and the first hash value to the server, the second request requesting a service from the server;
S4, the server decrypts the second ticket to obtain the session key, verifies the first hash value with the session key, computes a second hash value of the service data with the session key once verification passes, and sends the service data and the second hash value to the client;
S5, after receiving the service data and the second hash value, the client verifies with the session key whether the second hash value is correct, and if so accepts the service data, otherwise discards the service data.
Preferably, step S1 is preceded by:
S01, the authentication center generates a private key based on the identity of the client, and the client stores the private key.
Preferably, in step S2 the authentication center also verifies the identity of the client after receiving the first request, and generates the session key once verification passes.
Preferably, in step S2 the authentication center generates the session key with a random number generator and encrypts the session key with the identity of the client to generate the first ticket.
Preferably, in step S2 the authentication center also encrypts the session key and the identity of the client to generate the second ticket, and sends the first ticket and the second ticket to the client.
Preferably, in step S3 the client decrypts the first ticket with the private key to obtain the session key.
Preferably, the second ticket further contains timestamp information.
The positive effect of the invention is that, compared with conventional UDP transmission, it gives the server a means of verifying the legitimacy of the client and gives both communicating parties a data consistency check while preserving transmission efficiency; at the same time it prevents illegitimate clients from obtaining server resources and ensures that the server provides service to legitimate clients.
Brief description of the drawings
Fig. 1 is a block diagram of the authentication system for UDP transmission according to a preferred embodiment of the present invention.
Fig. 2 is a schematic diagram of the internal structure of the authentication system for UDP transmission according to a preferred embodiment of the present invention.
Fig. 3 is a flow chart of the authentication method for UDP transmission according to a preferred embodiment of the present invention.
Detailed description of embodiments
The invention is further illustrated below by way of embodiments, but is not thereby limited to the scope of the described embodiments.
As shown in Fig. 1, the authentication system for UDP transmission of the invention comprises a client 1, a server 2 and an authentication center 3, the client 1 being communicatively connected to the server 2 and to the authentication center 3 respectively;
the authentication center 3 may be located on the server side; an identity-based system is established between the authentication center 3 and the client 1, the authentication center 3 generates a private key based on the identity of the client 1, and the client 1 stores that private key;
when the user needs to obtain a service from the server 2, the client 1 first sends a first request to the authentication center 3 asking to communicate with the server 2; its content may be, for example, "request to communicate with the server";
after receiving the first request, the authentication center 3 verifies the identity of the client 1, that is, it judges the legitimacy of the first request on the basis of the client's identity. Once verification passes it generates, with a random number generator, a session key for the client 1 and the server 2, encrypts the session key with an identity-based encryption algorithm to generate a first ticket C, encrypts the session key and the identity of the client with the RC4 encryption algorithm to generate a second ticket T, and sends the first ticket C and the second ticket T to the client 1. Preferably, the second ticket T also contains timestamp information.
After receiving the first ticket C and the second ticket T, the client 1 decrypts the first ticket C with the identity-based decryption algorithm to obtain the session key, then computes a first hash value of the second request using the SHA256 algorithm (a secure hash algorithm) and the session key, and sends the second request, the first hash value and the second ticket, concatenated, to the server 2. The second request asks the server for a service; its content may be, for example, "obtain service".
After receiving the message, the server 2 first decrypts the second ticket to obtain the session key and the identity of the client 1, then verifies the first hash value using the SHA256 algorithm and the session key. If verification passes, it provides the corresponding service to the client 1 according to the second request; specifically, it computes a second hash value of the service data using the SHA256 algorithm and the session key, and sends the service data and the second hash value to the client 1.
After receiving the service data and the second hash value, the client 1 verifies with the SHA256 algorithm and the session key whether the second hash value is correct. If it is, verification passes and the client accepts the service data; if not, verification fails and the client discards the service data.
In a specific implementation of the invention, the authentication center 3 generates a random symmetric key that is kept secret by the authentication center and the server. The session key is encrypted with the identity of the client 1 to obtain the first ticket, and the session key is encrypted with the symmetric key shared between the authentication center 3 and the server 2 to obtain the second ticket.
Fig. 2 shows the internal structure of the client 1, the server 2 and the authentication center 3 of the authentication system based on UDP transmission of the invention. Because an identity-based system must be built between the authentication center 3 and the client 1, the authentication center 3 must deploy an identity-based private key generation algorithm and an identity-based encryption algorithm and store the identity of the client 1; it also deploys the RC4 encryption algorithm and a random number generator. The random number shared between the authentication center 3 and the server 2 is produced by the random number generator and kept secret by the authentication center 3 and the server 2. The client 1 must deploy the identity-based decryption algorithm and the SHA256 algorithm, and must keep secret the private key corresponding to its own identity. The server 2 must deploy the RC4 decryption algorithm and the SHA256 algorithm. Because the client 1 communicates with both the server 2 and the authentication center 3, all three include a network interface. Once this deployment is complete, authenticated communication over UDP between the client 1 and the server 2 takes four steps in total: (1) the client sends the first request to the authentication center; (2) the authentication center sends the first ticket and the second ticket to the client; (3) the client sends the second request and the second ticket to the server; (4) the server provides the service (transmits data) to the client.
Thus the present invention introduces an authentication center on the server side: when the client needs to obtain a service from the server and transmits data over UDP, the authentication center supplies the client with the second ticket with which the user obtains the service. An identity-based system is set up between the authentication center and the client, which facilitates the management of client identities and the judgement of request legitimacy. The second ticket carries the shared session key that the authentication center allocates to the client and the server, which is used to ensure the consistency of the data both parties transmit over UDP. The second ticket is encrypted with the stream cipher RC4, which keeps the protocol lightweight.
As shown in Fig. 3, the present invention also provides an authentication method for UDP transmission, implemented with the authentication system for UDP transmission described above, comprising the following steps:
Step 101, the authentication center generates a private key based on the identity of the client, and the client stores the private key;
Step 102, the client sends a first request to the authentication center, the first request requesting communication with the server;
Step 103, after receiving the first request, the authentication center verifies the identity of the client, generates the session key once verification passes, generates a first ticket and a second ticket according to the session key, and sends the first ticket and the second ticket to the client;
Step 104, the client decrypts the first ticket with the private key to obtain the session key, computes a first hash value of the second request with the session key, and sends the second request, the second ticket and the first hash value to the server, the second request requesting a service from the server;
Step 105, the server decrypts the second ticket to obtain the session key, verifies the first hash value with the session key, computes a second hash value of the service data with the session key once verification passes, and sends the service data and the second hash value to the client;
Step 106, after receiving the service data and the second hash value, the client verifies with the session key whether the second hash value is correct, and if so accepts the service data, otherwise discards it.
In step 103, the authentication center generates the session key with a random number generator and encrypts the session key to generate the first ticket; it also encrypts the session key and the identity of the client to generate the second ticket, and sends the first ticket and the second ticket to the client; preferably, the second ticket also contains timestamp information. In step 104, the client decrypts the first ticket to obtain the session key.
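The exchange of steps S1 to S5, of the embodiment of Figs. 1 to 3 and of steps 101 to 106 above, modelled end to end in Python. This is an added example and not the patent's or the applicant's own code. It assumes stand-ins that the page does not specify: the identity-based encryption of the first ticket C is replaced by a per-identity key that the authentication center derives from a master secret with HMAC-SHA256 and hands to the client as its identity-bound private key; the "SHA256 hash computed with the session key" is implemented as HMAC-SHA256, because SHA256 over key || message would be open to length-extension attacks; the 60-second ticket lifetime and the identity, request and service data are constructed. RC4 is implemented because the page specifies it for the second ticket T, but it is prohibited for TLS by RFC 7465 and, like any stream cipher, gives no integrity protection on its own, so a modern implementation would wrap the ticket in an AEAD. Note also that the scheme authenticates the client and integrity-protects the service data but does not encrypt it.

```python
"""CN106790075A four-datagram exchange as a runnable model (added example, stdlib only).
Assumed stand-ins, not the patent's construction: ticket C's identity-based encryption is a
per-identity key derived by the authentication center from a master secret with HMAC (the
client's identity-bound private key); the "SHA256 hash computed with the session key" is
HMAC-SHA256. RC4 appears only because the page specifies it for ticket T (deprecated, RFC 7465)."""
import hashlib, hmac, os, struct, time

KEY_LEN, NONCE_LEN = 32, 16   # session key / HMAC tag length and ticket C nonce length, bytes
TICKET_LIFETIME = 60          # seconds; assumed, the page only says ticket T carries a timestamp


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); encryption and decryption are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def keyed_hash(session_key: bytes, msg: bytes) -> bytes:
    """H1/H2 as HMAC-SHA256; plain SHA256(key || msg) would be open to length extension."""
    return hmac.new(session_key, msg, hashlib.sha256).digest()


class AuthCenter:
    """Step S01 (identity-bound private key) and step S2 (tickets C and T)."""
    def __init__(self, server_key: bytes):
        self.master, self.server_key, self.registered = os.urandom(KEY_LEN), server_key, set()

    def issue_private_key(self, identity: bytes) -> bytes:
        self.registered.add(identity)
        return hmac.new(self.master, identity, hashlib.sha256).digest()

    def handle_first_request(self, identity: bytes, now: float):
        if identity not in self.registered:          # verify the identity before issuing anything
            raise PermissionError("unknown client identity")
        session_key, nonce = os.urandom(KEY_LEN), os.urandom(NONCE_LEN)   # random number generator
        pad = hmac.new(self.issue_private_key(identity), nonce, hashlib.sha256).digest()
        ticket_c = nonce + bytes(a ^ b for a, b in zip(session_key, pad))  # key encrypted to identity
        # ticket T: RC4 over (session key || timestamp || identity), readable only by the server
        ticket_t = rc4(self.server_key, session_key + struct.pack(">Q", int(now)) + identity)
        return ticket_c, ticket_t


class Client:
    """Steps S1, S3 and S5."""
    def __init__(self, identity: bytes, private_key: bytes):
        self.identity, self.private_key, self.session_key = identity, private_key, None

    def open_ticket_c(self, ticket_c: bytes) -> None:
        nonce, body = ticket_c[:NONCE_LEN], ticket_c[NONCE_LEN:]
        pad = hmac.new(self.private_key, nonce, hashlib.sha256).digest()
        self.session_key = bytes(a ^ b for a, b in zip(body, pad))

    def second_request(self, request: bytes, ticket_t: bytes) -> bytes:
        """Datagram 3: second request || ticket T || H1, length-prefixed so the server can split it."""
        h1 = keyed_hash(self.session_key, request)
        return struct.pack(">HH", len(request), len(ticket_t)) + request + ticket_t + h1

    def accept_service(self, datagram: bytes):
        """Step S5: return the service data only if H2 verifies, otherwise discard it (None)."""
        data, h2 = datagram[:-KEY_LEN], datagram[-KEY_LEN:]
        return data if hmac.compare_digest(keyed_hash(self.session_key, data), h2) else None


class Server:
    """Step S4."""
    def __init__(self, server_key: bytes, resources: dict):
        self.server_key, self.resources = server_key, resources

    def handle(self, datagram: bytes, now: float):
        req_len, t_len = struct.unpack(">HH", datagram[:4])
        body = datagram[4:]
        request, ticket_t, h1 = body[:req_len], body[req_len:req_len + t_len], body[req_len + t_len:]
        plain = rc4(self.server_key, ticket_t)
        session_key, (issued,) = plain[:KEY_LEN], struct.unpack(">Q", plain[KEY_LEN:KEY_LEN + 8])
        if not 0 <= now - issued <= TICKET_LIFETIME:   # stale or future-dated ticket: replay defence
            return None
        if not hmac.compare_digest(keyed_hash(session_key, request), h1):
            return None                                # illegitimate client or altered request
        data = self.resources.get(request, b"")
        return data + keyed_hash(session_key, data)    # datagram 4: service data || H2


def run_exchange(tamper=False, delay=0.0, impostor=False):
    """Run datagrams 1-4 on constructed data; return the accepted service data or None."""
    shared, identity = os.urandom(KEY_LEN), b"client-01"
    ac = AuthCenter(shared)
    server = Server(shared, {b"GET video.mp4": b"<constructed video bytes>"})
    client = Client(identity, ac.issue_private_key(identity))         # S01
    now = time.time()
    ticket_c, ticket_t = ac.handle_first_request(identity, now)         # datagrams 1 and 2
    client.open_ticket_c(ticket_c)                                      # S3: recover the session key
    if impostor:  # holds a copied ticket T but not the private key that opens ticket C
        client.session_key = os.urandom(KEY_LEN)
    reply = server.handle(client.second_request(b"GET video.mp4", ticket_t), now + delay)
    if reply is None:
        return None
    if tamper:    # flip one bit of the service data in flight
        reply = reply[:3] + bytes([reply[3] ^ 0x01]) + reply[4:]
    return client.accept_service(reply)                                 # S5
```

run_exchange() returns the service data. With tamper=True (one bit of the service data flipped in flight) or impostor=True (a copied ticket T presented without the key that opens ticket C) the receiving side discards the datagram and the call returns None; with delay=120 the server rejects the stale ticket, which is what the timestamp in ticket T exists for.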
Although specific embodiments of the invention have been described above, those skilled in the art will appreciate that these are merely illustrative and that the scope of protection of the invention is defined by the appended claims. Those skilled in the art may make various changes or modifications to these embodiments without departing from the principle and essence of the invention, and all such changes and modifications fall within the scope of protection of the invention.

Claims (14)

1. An authentication system for UDP transmission, characterised in that it comprises a client, a server and an authentication center;
the client is configured to send a first request to the authentication center, the first request requesting communication with the server;
the authentication center is configured to generate a session key after receiving the first request, to generate a first ticket and a second ticket according to the session key, and to send the first ticket and the second ticket to the client;
the client is configured to decrypt the first ticket to obtain the session key, to compute a first hash value of a second request with the session key, and to send the second request, the second ticket and the first hash value to the server, the second request requesting a service from the server;
the server is configured to decrypt the second ticket to obtain the session key, to verify the first hash value with the session key, to compute a second hash value of the service data with the session key once verification passes, and to send the service data and the second hash value to the client;
the client is further configured, after receiving the service data and the second hash value, to verify with the session key whether the second hash value is correct, and if so to accept the service data, otherwise to discard the service data.
2. The authentication system of claim 1, characterised in that the authentication center is further configured to generate a private key based on the identity of the client, and the client is further configured to store the private key.
3. The authentication system of claim 2, characterised in that the authentication center is further configured, after receiving the first request, to verify the identity of the client and to generate the session key once verification passes.
4. The authentication system of claim 3, characterised in that the authentication center is configured to generate the session key with a random number generator and to encrypt the session key with the identity of the client to generate the first ticket.
5. The authentication system of claim 4, characterised in that the authentication center is further configured to encrypt the session key and the identity of the client to generate the second ticket, and to send the first ticket and the second ticket to the client.
6. The authentication system of claim 2, characterised in that the client is configured to decrypt the first ticket with the private key to obtain the session key.
7. The authentication system of claim 5, characterised in that the second ticket further contains timestamp information.
8. An authentication method for UDP transmission, characterised in that it comprises the following steps:
S1, the client sends a first request to the authentication center, the first request requesting communication with the server;
S2, the authentication center generates a session key after receiving the first request, generates a first ticket and a second ticket according to the session key, and sends the first ticket and the second ticket to the client;
S3, the client decrypts the first ticket to obtain the session key, computes a first hash value of a second request with the session key, and sends the second request, the second ticket and the first hash value to the server, the second request requesting a service from the server;
S4, the server decrypts the second ticket to obtain the session key, verifies the first hash value with the session key, computes a second hash value of the service data with the session key once verification passes, and sends the service data and the second hash value to the client;
S5, after receiving the service data and the second hash value, the client verifies with the session key whether the second hash value is correct, and if so accepts the service data, otherwise discards the service data.
9. The authentication method of claim 8, characterised in that step S1 is preceded by:
S01, the authentication center generates a private key based on the identity of the client, and the client stores the private key.
10. The authentication method of claim 9, characterised in that in step S2 the authentication center also verifies the identity of the client after receiving the first request, and generates the session key once verification passes.
11. The authentication method of claim 10, characterised in that in step S2 the authentication center generates the session key with a random number generator and encrypts the session key with the identity of the client to generate the first ticket.
12. The authentication method of claim 11, characterised in that in step S2 the authentication center also encrypts the session key and the identity of the client to generate the second ticket, and sends the first ticket and the second ticket to the client.
13. The authentication method of claim 9, characterised in that in step S3 the client decrypts the first ticket with the private key to obtain the session key.
14. The authentication method of claim 12, characterised in that the second ticket further contains timestamp information.

Publications

Publication number: CN106790075A, published 2017-05-31
Application: CN201611193827.4A, priority date 2016-12-21, filing date 2016-12-21, status pending
Family ID: 58897092


Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112437436A (en) * 2020-12-07 2021-03-02 中国联合网络通信集团有限公司 Identity authentication method and device
CN112437436B (en) * 2020-12-07 2023-05-02 中国联合网络通信集团有限公司 Identity authentication method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101340436A (en) * 2008-08-14 2009-01-07 普天信息技术研究院有限公司 Method and apparatus implementing remote access control based on portable memory apparatus
CN101420413A (en) * 2007-10-25 2009-04-29 华为技术有限公司 Session cipher negotiating method, network system, authentication server and network appliance
CN101742508A (en) * 2009-12-21 2010-06-16 中兴通讯股份有限公司 System and method for transmitting files between WAPI terminal and application server
CN103684798A (en) * 2013-12-31 2014-03-26 南京理工大学连云港研究院 Authentication system used in distributed user service
CN103780618A (en) * 2014-01-22 2014-05-07 西南交通大学 Method for cross-isomerism domain identity authentication and session key negotiation based on access authorization ticket
CN106209734A (en) * 2015-04-30 2016-12-07 阿里巴巴集团控股有限公司 The identity identifying method of process and device



Legal Events

Code Title
PB01 Publication (application publication date: 2017-05-31)
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication