CN108737383B - Obfuscatable anonymous authentication method (machine-translated title on Google Patents: "Anonymous authentication method capable of confusing") - Google Patents
Publication number: CN108737383B (application CN201810368800.7A / CN201810368800A)
Authority: CN (China)
Prior art keywords: authentication, rand, key, system user, outputting
Legal status: Active (the legal status is an assumption made by Google and is not a legal conclusion; Google has not performed a legal analysis)
Classifications:
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
- H04L63/083: Network architectures or network communication protocols for network security, for authentication of entities using passwords
- H04L63/1441: Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic; countermeasures against malicious traffic
- H04L63/1458: Network architectures or network communication protocols for network security, countermeasures against malicious traffic; denial of service
- H04L9/14: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols using a plurality of keys or algorithms
Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Networks & Wireless Communication; Signal Processing; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Storage Device Security
Abstract
The invention relates to an obfuscatable anonymous authentication method for protecting the identity information and the private authentication key of a user in an authentication system. The authentication system has a system administrator and a tracker; the system administrator holds a global public parameter, a master key and a key pair for linear encryption and decryption, and each system user holds a private authentication key. The anonymous authentication method comprises the following steps: the system user obfuscates the private authentication key to obtain an obfuscated key; the system user generates an authentication array containing the service request from the obfuscated key and sends it to the server; the server performs validity authentication on the authentication array and liveness verification on the system user; the server provides the service corresponding to the service request to a system user who passes both the validity authentication and the liveness verification; when either the validity authentication or the liveness verification fails, the tracker traces the corresponding system user. Compared with the prior art, the method has the advantages of traceability and a low probability of successful attack.
Description
Technical Field
The invention relates to the fields of cryptography, anonymous authentication and program obfuscation, and in particular to an obfuscatable anonymous authentication method.
Background
Anonymous authentication (AA) is an authentication method based on digital signatures that additionally provides anonymity. In recent years a series of anonymous authentication schemes have been proposed for various application fields. Traditional anonymous authentication generally has the following properties: 1) authentication/correctness, 2) unforgeability, 3) irreproducibility, 4) non-repudiation, 5) anonymity, 6) unlinkability, 7) conditional traceability. An anonymous authentication method may be built on different signature primitives, such as blind signatures, ring signatures, traceable signatures or group signatures.
In traditional anonymous authentication schemes the user's private authentication key is used directly to generate the authentication request, so the key algorithm must run on a trusted terminal. Today, with mobile terminals everywhere, a lost or stolen smartphone places the key in a white-box attack environment: a malicious attacker who obtains the phone can extract the private authentication key and related secrets by some means. To protect key material and mobile applications, terminal manufacturers have adopted various measures in the rich execution environment (REE), such as data encryption, permission-based access control and application isolation. However, many system vulnerabilities and attacks show that these measures are still far from sufficient to protect sensitive data stored on the device. To resist white-box attacks, researchers have combined obfuscation techniques with cryptography and proposed white-box cryptography (white-box ciphers). An obfuscating transformation keeps the transformed program functionally equivalent while making the program, and its decompilation, hard to understand and analyse.
Disclosure of Invention
The present invention aims to overcome the above drawbacks of the prior art and to provide an anonymous authentication method suitable for protecting user identity information and the private authentication key in a white-box attack environment (for example, a lost mobile terminal or a malicious host).
The purpose of the invention is achieved by the following technical scheme:
An obfuscatable anonymous authentication method for protecting the identity information and the private authentication key of a system user in a system. The system has a system administrator and a tracker; the system administrator holds a global public parameter $pub$, a master key $MK$ and a key pair $(PK_e, SK_e)$ for linear encryption and decryption; the system user holds a private authentication key $K_{ID}$. The anonymous authentication method comprises the following steps:
the system user obfuscates the private authentication key $K_{ID}$ using the key pair $(PK_e, SK_e)$ to obtain an obfuscated key $z$;
the system user generates an authentication array containing the service request from the obfuscated key $z$ and sends it to the server;
the server performs validity authentication on the authentication array and liveness verification on the system user;
the server provides the service corresponding to the service request to a system user who passes both the validity authentication and the liveness verification;
when either the validity authentication or the liveness verification fails, the tracker traces the corresponding system user;
in the above steps the server performs validity authentication on the authentication arrays of one or more system users at the same time, using a different authentication algorithm for each authentication scenario; the scenarios are the one-to-one authentication scenario and the many-to-one authentication scenario.
Further, the system is constructed and initialized by the system administrator. Initialization sets the message length $m$, the upper limit $2^r$ on the number of users and the security parameter $\lambda$, and generates the global public parameter $pub$ (written $PP$ below), the master key $MK$, the tracking key $TK$ and the key pair $(PK_e, SK_e)$, whose expressions are:
$$PP = (\Omega, A, v_1, \ldots, v_m, v', g, h, u)$$
$$MK = (g^{\alpha}, \omega)$$
$$TK = q$$
$$SK_e = (a, b)$$
$$PK_e = (g^a, g^b)$$
where $n = p \cdot q$ is the product of the large primes $p$ and $q$, $G$ and $G_T$ are cyclic groups of order $n$ with a bilinear pairing $G \times G \to G_T$, and $PP$ is the set of parameters used by the later algorithms. In $PP$, $\Omega = g^{\omega}$ is an element of $G$ and $A$ is an element of $G_T$; these two can be regarded as the public keys needed in the authentication process. $g$ is a generator of $G$, $h$ is a generator of the cyclic subgroup $G_q$ of $G$ of order $q$, $u, v', v_1, \ldots, v_m$ are random elements of $G$, and $\alpha, \omega, a, b$ are random elements of the residue class ring $\mathbb{Z}_n$ modulo $n$;
the parameters $r$ and $\lambda$ of the user bound $2^r$ satisfy two constraints: first, $r$ and $\lambda$ are linearly related; second, there are positive constants $d_1$ and $d_2$ such that $d_1 \lambda \le \log_2 p \le d_2 \lambda$ and $d_1 \lambda \le \log_2 q \le d_2 \lambda$.
Further, when a system user joins the system, the system administrator assigns the private authentication key as follows:
the global public parameter $pub$, the master key $MK$ and the system user's $ID$ are taken as input to compute the private authentication key $K_{ID}$:
$$K_{ID} = (K_1, K_2, K_3)$$
where $s_{ID}$ is a random element of the residue class ring $\mathbb{Z}_n$ modulo $n$;
at the same time $s_{ID}$ is kept as the secret identity information of the system user, and the $ID$ together with the value derived from it is stored as a key-value pair in a hash map (HashMap).
Further, the obfuscation process is:
12) $K_{ID}$ and $PK_e$ are each transformed to obtain the obfuscated key $z$,
where $x_1, y_1, x_2, y_2, x_3, y_3$ are parameters chosen at random from $\mathbb{Z}_n$.
Further, the generation of the authentication array comprises:
21) obtain the request message $R$ and check whether it is empty; if so, directly output $(pub, PK_e)$, otherwise go to step 22);
22) obtain the current time $TS$, generate a session key $CK$ with the AES-128 key generation algorithm, and choose a 128-bit random number $rand_U$;
23) concatenate the request message $R$, the current time $TS$, the random number $rand_U$ and the session key $CK$ into the message $\mu$, and encrypt and package the session key $CK$ and the random number $rand_U$ contained in $\mu$ to obtain $CT$, which protects the session key and hence the confidentiality of the scheme:
$$\mu = (\mu_1, \ldots, \mu_m) = (R \,\|\, TS \,\|\, rand_U \,\|\, CK)$$
where $\mathrm{Encode}$ is a function that encodes a bit string as an element of the group $G$;
24) compute the authentication request $\Sigma$:
$$\Sigma = (c_1, c_2, c_3, \sigma_4, c_4, \pi_2)$$
where $s, x_0, y_0, x_1^*, \ldots, x_4^*, y_1^*, \ldots, y_4^*, t_1, \ldots, t_4$ are all parameters chosen at random from $\mathbb{Z}_n$;
25) output the authentication array $\langle R, TS, CT, \Sigma \rangle$.
Further, for the one-to-one authentication scenario, the validity authentication comprises:
311) take $CT = (CT[1], CT[2], CT[3])$ and compute $(CK \,\|\, rand_U)$:
$$(CK \,\|\, rand_U) = \mathrm{Decode}\big(CT[3] / (CT[1]^{1/a} \cdot CT[2]^{1/b})\big)$$
where $\mathrm{Decode}$ is the function that decodes an element of the group $G$ back into a bit string;
312) concatenate $R$, $TS$, $rand_U$ and $CK$ to obtain $\mu$:
$$\mu = (\mu_1, \ldots, \mu_m) = (R \,\|\, TS \,\|\, rand_U \,\|\, CK)$$
313) compute $T_1$ and $T_2$ from
$$c = \{c_i \mid c_i = (c_i[1], c_i[2], c_i[3]),\ i = 1, 2, 3\}$$
$$\sigma = \{\sigma_i \mid \sigma_i = \mathrm{Dec}_{SK_e}(c_i) = c_i[3] / (c_i[1]^{1/a} \cdot c_i[2]^{1/b}),\ i = 1, 2, 3\}$$
$$c_4 = (c_4[1], c_4[2], c_4[3])$$
$$\pi_1 = \mathrm{Dec}_{SK_e}(c_4) = c_4[3] / (c_4[1]^{1/a} \cdot c_4[2]^{1/b})$$
315) choose a 128-bit random number $rand_S$ and, with $CK$ as the key, call the AES-128 encryption algorithm $BC_{CK}$ on $rand_S \,\|\, rand_U$ to obtain $Q = BC_{CK}(rand_S \,\|\, rand_U)$;
316) output the triple $\langle TS, R, Q \rangle$.
Further, for the many-to-one authentication scenario with $l$ system users, validity authentication is performed on the $l$ users at the same time as follows:
421) for each system user $k$, take the element $CT_k = (CT_k[1], CT_k[2], CT_k[3])$ from the quadruple $\langle R_k, TS_k, CT_k, \Sigma_k \rangle$ containing its authentication request and compute
where $k$ is the user index, $1 \le k \le l$;
424) compute $T_1$ and $T_2$;
426) choose a 128-bit random number for user $k$ and, with that user's $CK$ as the key, call the AES-128 encryption algorithm to encrypt it concatenated with the user's $rand_U$, obtaining $Q_k$;
427) output the triples $\langle TS_k, R_k, Q_k \rangle$.
Further, in the liveness verification the server sends a query to the system user, the system user generates a response message and sends it to the server, and the server judges from the response message whether the liveness verification passes. The response message is generated as follows:
51) look up the pair $\langle rand_U, CK \rangle$ by the key $\langle R, TS \rangle$;
52) if $\langle rand_U, CK \rangle$ is null, output 0; otherwise go to step 53);
53) with $CK$ as the key, call the AES-128 decryption algorithm $BC.Dec_{CK}$ to decrypt $Q$, obtaining $(r_S \,\|\, r_U) = BC.Dec_{CK}(Q)$;
54) if $r_U \ne rand_U$, output 0; otherwise go to step 55);
55) compute the user response $C$:
$$C = (C[1], C[2], C[3]) = \big(PK_{e,0}^{\,x},\ PK_{e,1}^{\,y},\ g^{x+y} \cdot \mathrm{Encode}(r_S \,\|\, r_U)\big)$$
where $x, y$ are parameters chosen at random from $\mathbb{Z}_n$;
56) output the response triple $\langle R, TS, C \rangle$ as the response message.
Further, the server judges from the response message whether the liveness verification passes as follows:
61) take $C = (C[1], C[2], C[3])$ and compute
$$(r_S \,\|\, r_U) = \mathrm{Decode}\big(C[3] / (C[1]^{1/a} \cdot C[2]^{1/b})\big);$$
62) look up the pair $\langle rand_S, rand_U \rangle$ by the key $\langle R, TS \rangle$;
63) if $\langle rand_S, rand_U \rangle$ is null, output 0; otherwise go to step 64);
64) if $rand_S \ne r_S$ or $rand_U \ne r_U$, output 0; otherwise output 1;
where 0 means the verification failed and 1 means it passed.
Further, the tracker traces as follows:
71) take $SK_e$, $\Sigma$ and $c_2$, and compute $\sigma_2 = c_2[3] / (c_2[1]^{1/a} \cdot c_2[2]^{1/b})$, where $c_2[1], c_2[2], c_2[3]$ are the elements of $c_2$;
72) perform step 73) for each system user $ID$ in HashMap;
73) fetch the value stored for the $ID$ from HashMap; if $(\sigma_2)^{TK}$ equals it, output the $ID$ and stop; otherwise output null.
Compared with the prior art, the invention has the following advantages:
First, in terms of functionality, the invention is traceable, and its batch verification algorithm suits scenarios in which a large number of users are authenticated at the same time, which many existing anonymous authentication schemes lack.
Second, in terms of efficiency, the invention was tested experimentally on different mobile terminals; the results show that its running efficiency is acceptable and that the obfuscation has no noticeable effect on the performance of the original system.
Third, in terms of security, the most distinctive property of the invention is obfuscation: the obfuscated algorithm hides the private authentication key, so even if the mobile terminal is completely controlled by a malicious attacker, the attacker can hardly obtain the system user's private authentication key. Strictly speaking, within time polynomial in $\lambda$ and whatever attack method is used, the probability that an attacker obtains this private authentication key is negligible in the security parameter $\lambda$. Negligible is defined mathematically as: for any polynomial $f$, the probability of a successful attack is less than $1/f(\lambda)$. For higher security $\lambda = 1024$ may be taken (a 1024-bit $n$), in which case attacking the invention is stated to require about $2^{512}$ operations, so the obfuscated implementation has higher security. A practitioner should read this figure as the generic bound only: the composite-order group also rests on the hardness of factoring $n$, and a 1024-bit modulus offers roughly 80 bits of security against the number field sieve. In addition, the invention can resist DoS attacks that other anonymous authentication schemes cannot.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Fig. 2 is a flow diagram of an obfuscatable anonymous authentication scheme in an embodiment.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments. The present embodiment is implemented on the premise of the technical solution of the present invention, and a detailed implementation manner and a specific operation process are given, but the scope of the present invention is not limited to the following embodiments.
The invention implements an obfuscatable anonymous authentication method for protecting user identity information and the private authentication key in a white-box attack environment (for example, a lost mobile terminal or a malicious host).
As shown in fig. 1, the obfuscatable anonymous authentication method includes the steps of:
1) The system administrator constructs the authentication system and, after appointing a tracker, runs the Setup algorithm to obtain the global public parameter $pub$, the master key $MK$, the tracking key $TK$ and a key pair $(PK_e, SK_e)$ for linear encryption and decryption. Setup takes the message length $m$ bits, the upper limit $2^r$ on the number of users and the security parameter $\lambda$, and generates $pub$, $MK$, $TK$ and $(PK_e, SK_e)$ with the following expressions:
$$PP = (\Omega, A, v_1, \ldots, v_m, v', g, h, u)$$
$$MK = (g^{\alpha}, \omega)$$
$$TK = q$$
$$SK_e = (a, b)$$
$$PK_e = (g^a, g^b)$$
where $n = p \cdot q$ is the product of the large primes $p$ and $q$, $G$ and $G_T$ are cyclic groups of order $n$ with a bilinear pairing $G \times G \to G_T$, and $PP$ is the set of parameters used by the subsequent algorithms. In $PP$, $\Omega = g^{\omega}$ is an element of $G$ and $A$ is an element of $G_T$; these two can be regarded as the public keys needed in the authentication process. $g$ is a generator of $G$, $h$ is a generator of the cyclic subgroup $G_q$ of $G$ of order $q$, $u, v'$ and $v_1, \ldots, v_m$ are random elements of $G$, and $\alpha, \omega, a, b$ are random elements of the residue class ring $\mathbb{Z}_n$ modulo $n$;
the parameters $r$ and $\lambda$ satisfy two constraints: first, $r$ and $\lambda$ are linearly related; second, there are positive integers $c_1$ and $c_2$ such that $c_1 \lambda \le \log_2 p \le c_2 \lambda$ and $c_1 \lambda \le \log_2 q \le c_2 \lambda$.
2) The system administrator runs the registration algorithm Reg to generate secret identity information $s_{ID}$ and a private authentication key $K_{ID}$ for the new member, adds the $ID$ and its associated value to the hash map (HashMap) as a key-value pair, and sends the map to the tracker. Reg takes $pub$, $MK$ and the system user's $ID$ as input and computes $K_{ID}$:
$$K_{ID} = (K_1, K_2, K_3)$$
where $s_{ID}$ is a random element of $\mathbb{Z}_n$.
3) The system user runs the obfuscation algorithm $\mathrm{Obf}_{AA}$, giving it the original authentication request generation algorithm as input; it obfuscates the member's private authentication key $K_{ID}$ and finally outputs a functionally equivalent obfuscated authentication request algorithm ObfAuthReq. $\mathrm{Obf}_{AA}$ proceeds as follows:
31) obtain the inputs of the original authentication request generation algorithm, $PK_e = (PK_{e,0}, PK_{e,1})$ and $K_{ID} = (K_1, K_2, K_3)$;
32) transform $K_{ID}$ and $PK_e$ respectively to obtain the key $z$ of the obfuscated authentication request generation algorithm,
where $x_1, y_1, x_2, y_2, x_3, y_3$ are parameters chosen at random from $\mathbb{Z}_n$;
33) discard $K_{ID}$ and output the algorithm ObfAuthReq.
4) The system user runs ObfAuthReq to generate the quadruple $\langle R, TS, CT, \Sigma \rangle$ containing the authentication request. ObfAuthReq takes $pub$, $z$, $PK_e$ and the request message $R$ as input and proceeds as follows:
41) check whether the request message $R$ is empty; if so, output $(pub, PK_e)$, otherwise go to step 42);
42) call getTimeStamp() to obtain the current time $TS$, call the AES-128 key generation algorithm of the block cipher BC to generate the session key $CK$, and choose a 128-bit random number $rand_U$;
43) concatenate $R$, $TS$, $rand_U$ and $CK$ into the $m$-bit message $\mu$, and encrypt and package the session key $CK$ and the random number $rand_U$ contained in $\mu$ to obtain $CT$, protecting the session key and hence the confidentiality of the scheme:
$$\mu = (\mu_1, \ldots, \mu_m) = (R \,\|\, TS \,\|\, rand_U \,\|\, CK)$$
where $\mathrm{Encode}$ is a function that encodes a bit string as an element of the group $G$, and $CT$ is an intermediate parameter;
44) compute the authentication request $\Sigma$:
$$\Sigma = (c_1, c_2, c_3, \sigma_4, c_4, \pi_2)$$
where $s, x_0, y_0, x_1^*, \ldots, x_4^*, y_1^*, \ldots, y_4^*, t_1, \ldots, t_4$ are all parameters chosen at random from $\mathbb{Z}_n$;
45) call AddToMap($\langle\langle R, TS \rangle, \langle rand_U, CK \rangle\rangle$) to add the key-value pair $\langle\langle R, TS \rangle, \langle rand_U, CK \rangle\rangle$ to the local HashMap;
46) finally output the authentication quadruple $\langle R, TS, CT, \Sigma \rangle$.
5) The server runs different algorithms for different authentication scenarios. For one-to-one authentication it runs the SPResp algorithm to verify the validity of the authentication request: if the request is invalid it outputs 0 and authentication ends, otherwise it outputs the triple $\langle R, TS, Q \rangle$. For many-to-one authentication it runs SPResp with BV (batch verification) to authenticate several system users at once.
SPResp takes $pub$, $SK_e$ and the quadruple $\langle R, TS, CT, \Sigma \rangle$ as input and proceeds as follows:
511) take $CT = (CT[1], CT[2], CT[3])$ from the quadruple and compute $(CK \,\|\, rand_U)$:
$$(CK \,\|\, rand_U) = \mathrm{Decode}\big(CT[3] / (CT[1]^{1/a} \cdot CT[2]^{1/b})\big)$$
where $\mathrm{Decode}$ is the function that decodes an element of the group $G$ back into a bit string;
512) concatenate $R$, $TS$, $rand_U$ and $CK$ to obtain $\mu$:
$$\mu = (\mu_1, \ldots, \mu_m) = R \,\|\, TS \,\|\, rand_U \,\|\, CK$$
513) compute $T_1$ and $T_2$ from
$$c = \{c_i \mid c_i = (c_i[1], c_i[2], c_i[3]),\ i = 1, 2, 3\}$$
$$c_4 = (c_4[1], c_4[2], c_4[3])$$
515) choose a 128-bit random number $rand_S$ and, with $CK$ as the key, call the AES-128 encryption algorithm $BC_{CK}$ on $rand_S \,\|\, rand_U$ to obtain $Q = BC_{CK}(rand_S \,\|\, rand_U)$;
516) call AddToMap($\langle\langle R, TS \rangle, \langle rand_S, rand_U \rangle\rangle$) to put $\langle\langle R, TS \rangle, \langle rand_S, rand_U \rangle\rangle$ into the HashMap, and output the triple $\langle TS, R, Q \rangle$.
SPResp with BV takes $pub$, $SK_e$, the number $l$ of system users requesting authentication at the same time and the corresponding quadruples $\langle R_k, TS_k, CT_k, \Sigma_k \rangle$, $1 \le k \le l$, as input, and processes the $l$ authentication quadruples as a batch. Compared with calling the ordinary SPResp algorithm $l$ times to verify the $l$ users, SPResp with BV reduces the number of bilinear pairing operations. Its steps are:
521) perform steps 522), 523) and 524) for each of the $l$ system users (numbered $k$, $1 \le k \le l$);
525) compute $T_1$ and $T_2$;
527) choose a 128-bit random number for user $k$ and, with that user's $CK$ as the key, call the AES-128 encryption algorithm to encrypt it concatenated with the user's $rand_U$, obtaining $Q_k$;
528) call AddToMap to put the pair keyed by $\langle R_k, TS_k \rangle$ into the HashMap, and output the triple $\langle TS_k, R_k, Q_k \rangle$.
6) The system user runs the UResp algorithm to prove liveness to the server and sends the triple $\langle R, TS, C \rangle$ containing the response $C$ to the server. UResp takes $pub$, $PK_e$ and the triple $\langle TS, R, Q \rangle$ as input and proceeds as follows:
61) call GetFromMap with the key $\langle R, TS \rangle$ to fetch the corresponding value $\langle rand_U, CK \rangle$ from the HashMap kept in local storage;
62) if $\langle rand_U, CK \rangle$ is null, output 0; otherwise go to step 63);
63) with $CK$ as the key, call the AES-128 decryption algorithm $BC.Dec_{CK}$ to decrypt $Q$, obtaining $(r_S \,\|\, r_U) = BC.Dec_{CK}(Q)$;
64) if $r_U \ne rand_U$, output 0; otherwise go to step 65);
65) compute the user response $C$:
$$C = \big(PK_{e,0}^{\,x},\ PK_{e,1}^{\,y},\ g^{x+y} \cdot \mathrm{Encode}(r_S \,\|\, r_U)\big)$$
where $x, y$ are parameters chosen at random from $\mathbb{Z}_n$;
66) output the response triple $\langle R, TS, C \rangle$.
7) The server runs the AuthPermit algorithm to decide whether authentication passes and the service is provided. AuthPermit takes $pub$, $SK_e$ and the response triple $\langle R, TS, C \rangle$ as input and proceeds as follows:
71) take $C = (C[1], C[2], C[3])$ from the triple and compute
$$(r_S \,\|\, r_U) = \mathrm{Decode}\big(C[3] / (C[1]^{1/a} \cdot C[2]^{1/b})\big);$$
72) call GetFromMap with the key $\langle R, TS \rangle$ to obtain $\langle rand_S, rand_U \rangle$ from the HashMap;
73) if $\langle rand_S, rand_U \rangle$ is null, output 0; otherwise go to step 74);
74) if $rand_S \ne r_S$ or $rand_U \ne r_U$, output 0; otherwise output 1.
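The liveness check of steps 5) to 7), built on the linear encryption and decryption formulas the page gives for $CT$, $C$ and AuthPermit, as an added worked example in Go. This is not code from the patent or its authors. It assumes a toy multiplicative group modulo the Mersenne prime $2^{521} - 1$ in place of the composite-order bilinear group, an Encode that reads a bit string as an integer plus one, and AES-CTR with a random nonce for the mode of $BC_{CK}$, which the page does not specify. It leaves out the signature $\Sigma$, the batch verifier and the $\langle R, TS \rangle$ HashMap lookups (the caller passes the stored $rand_U$, $CK$ and $rand_S$ explicitly). All function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"math/big"
)

// Assumed toy group in place of the patent's composite-order bilinear group: Z_P^* with P = 2^521 - 1 (a Mersenne prime), exponents mod P-1, base g = 3.
var (
	one, g = big.NewInt(1), big.NewInt(3)
	P      = new(big.Int).Sub(new(big.Int).Lsh(one, 521), one)
	Pm1    = new(big.Int).Sub(P, one)
)

type SecKey struct{ A, B *big.Int }     // SK_e = (a, b)
type PubKey struct{ Pk0, Pk1 *big.Int } // PK_e = (g^a, g^b)
type Cipher [3]*big.Int                 // (c[1], c[2], c[3])

// crypto/rand does not return errors on supported platforms (it aborts the process instead).
func randMod(m *big.Int) *big.Int { x, _ := rand.Int(rand.Reader, m); return x }
func randBytes(n int) []byte       { b := make([]byte, n); rand.Read(b); return b }

// KeyGen draws a, b coprime to P-1 (so that 1/a and 1/b exist in Dec); PK_e = (g^a, g^b).
func KeyGen() (PubKey, SecKey) {
	var k [2]*big.Int
	for i := range k {
		for k[i] = randMod(Pm1); new(big.Int).GCD(nil, nil, k[i], Pm1).Cmp(one) != 0; {
			k[i] = randMod(Pm1)
		}
	}
	return PubKey{new(big.Int).Exp(g, k[0], P), new(big.Int).Exp(g, k[1], P)}, SecKey{k[0], k[1]}
}

// Encode reads a bit string (at most 64 bytes) as an integer plus one, a non-zero element of Z_P^* (assumed encoding); Decode inverts it, nil on a malformed element.
func Encode(m []byte) *big.Int { return new(big.Int).Add(new(big.Int).SetBytes(m), one) }
func Decode(e *big.Int, n int) []byte {
	if v := new(big.Int).Sub(e, one); v.Sign() >= 0 && v.BitLen() <= 8*n {
		return v.FillBytes(make([]byte, n))
	}
	return nil
}

// Enc is the page's linear encryption of M: (PK_{e,0}^x, PK_{e,1}^y, g^{x+y} * M).
func Enc(pk PubKey, M *big.Int) Cipher {
	x, y := randMod(Pm1), randMod(Pm1)
	c3 := new(big.Int).Exp(g, new(big.Int).Add(x, y), P)
	return Cipher{new(big.Int).Exp(pk.Pk0, x, P), new(big.Int).Exp(pk.Pk1, y, P), c3.Mul(c3, M).Mod(c3, P)}
}

// Dec computes M = c[3] / (c[1]^{1/a} * c[2]^{1/b}) with 1/a and 1/b taken mod P-1; the division uses t^(P-2) so a zero t yields 0 rather than a nil inverse.
func Dec(sk SecKey, c Cipher) *big.Int {
	t := new(big.Int).Exp(c[0], new(big.Int).ModInverse(sk.A, Pm1), P)
	t.Mul(t, new(big.Int).Exp(c[1], new(big.Int).ModInverse(sk.B, Pm1), P)).Mod(t, P)
	inv := new(big.Int).Exp(t, new(big.Int).Sub(Pm1, one), P)
	return inv.Mul(inv, c[2]).Mod(inv, P)
}

// ctr is the AES-128 step BC_CK: the page fixes no mode, so AES-CTR with a random nonce is assumed and Q travels as nonce || ciphertext (48 bytes for rand_S || rand_U).
func ctr(ck, nonce, data []byte) []byte {
	blk, _ := aes.NewCipher(ck) // ck is always 16 bytes here, so NewCipher cannot fail
	out := make([]byte, len(data))
	cipher.NewCTR(blk, nonce).XORKeyStream(out, data)
	return out
}

// UserRequest is ObfAuthReq steps 42)-43): fresh CK and rand_U (kept by the user under <R,TS> in its HashMap) and CT = Enc(PK_e, Encode(CK || rand_U)); Sigma is not modelled.
func UserRequest(pk PubKey) (ck, randU []byte, CT Cipher) {
	ck, randU = randBytes(16), randBytes(16)
	return ck, randU, Enc(pk, Encode(bytes.Join([][]byte{ck, randU}, nil)))
}

// ServerChallenge is SPResp steps 511) and 515): recover (CK || rand_U) from CT, pick rand_S (kept with rand_U under <R,TS>) and return Q = BC_CK(rand_S || rand_U); nil is output 0.
func ServerChallenge(sk SecKey, CT Cipher) (randS, randU, Q []byte) {
	m := Decode(Dec(sk, CT), 32)
	if m == nil {
		return nil, nil, nil
	}
	randS, nonce := randBytes(16), randBytes(16)
	return randS, m[16:], append(nonce, ctr(m[:16], nonce, bytes.Join([][]byte{randS, m[16:]}, nil))...)
}

// UserRespond is UResp steps 63)-65); a nil result is the algorithm's output 0.
func UserRespond(pk PubKey, ck, randU, Q []byte) *Cipher {
	if len(Q) == 48 { // 16-byte nonce followed by the 32-byte (r_S || r_U)
		if m := ctr(ck, Q[:16], Q[16:]); bytes.Equal(m[16:], randU) { // 64) r_U == rand_U
			c := Enc(pk, Encode(m)) // 65) C = linear encryption of Encode(r_S || r_U)
			return &c
		}
	}
	return nil
}

// ServerPermit is AuthPermit steps 71) and 74); true is the algorithm's output 1.
func ServerPermit(sk SecKey, randS, randU []byte, C Cipher) bool {
	m := Decode(Dec(sk, C), 32)
	return m != nil && bytes.Equal(m[:16], randS) && bytes.Equal(m[16:], randU)
}
```

Two checks carry the liveness property: the user answers only a $Q$ whose $r_U$ is the $rand_U$ it stored for this $\langle R, TS \rangle$ (step 64), and the server accepts only a $C$ that opens to both its own $rand_S$ and the user's $rand_U$ (step 74), so a response captured from one session does not pass against a fresh challenge. Linear encryption on its own is malleable (anyone can multiply $c[3]$ by a group element), which is why the scheme binds $CK$ and $rand_U$ into $\mu$ under the signature $\Sigma$ that this toy omits.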
8) If a system user is found to misbehave, the tracker appointed by the system administrator runs the Trace algorithm to recover the real $ID$ of the user behind the authentication request $\Sigma$. Trace takes $pub$, $\Sigma$, $SK_e$, $TK$ and the HashMap as input and obtains the system user $ID$ corresponding to $\Sigma$ as follows:
81) take $SK_e = (a, b)$, $\Sigma = (c_1, c_2, c_3, \sigma_4, c_4, \pi_2)$ and $c_2 = (c_2[1], c_2[2], c_2[3])$, and compute $\sigma_2$:
$$\sigma_2 = c_2[3] / (c_2[1]^{1/a} \cdot c_2[2]^{1/b})$$
82) perform step 83) for each system user $ID$ in HashMap;
83) fetch the value stored for the $ID$ from HashMap; if $(\sigma_2)^{TK}$ equals it, output the $ID$ and stop; otherwise output null.
The invention has broad application prospects in privacy-preserving security schemes: the encrypted authentication request it generates does not expose the identity of a specific system user unless the request is decrypted and specifically investigated by the tracker using the Open (Trace) operation.
Examples
As shown in Fig. 2, in this embodiment the method is applied to a mobile crowd-sensing system for finding parking spaces. A user first registers identity information with the system administrator; a registered legitimate user can then send an anonymous authentication request to the server, which verifies the user's validity and returns the available parking spaces. The anonymous authentication request guarantees that the user's private information is not exposed, but if the user performs an illegal operation that violates the system rules, the tracker in the system can recover the user's identity from the authentication request.
The application comprises the following steps:
1 The system administrator initializes the system (Setup)
2 A new member registers as a user
2.1 When a user requests to join the system, it sends its ID to the system administrator
2.2 The system administrator runs Reg and assigns the private authentication key $K_{ID}$ to that ID
2.3 $K_{ID}$ is sent to the new member
3 The obfuscator obfuscates the algorithm
3.1 The system user sends the original authentication request generation algorithm to the obfuscator
3.2 The obfuscator transforms the member's $K_{ID}$ and generates the obfuscated authentication request algorithm
3.3 The obfuscated algorithm is sent to the corresponding system user
4 The authentication request generation algorithm is executed
4.1 The system user runs the algorithm to generate the quadruple containing the authentication request $\Sigma$
4.2 The system user sends the quadruple to the system server
5 The system server responds to the authentication request
5.1 The system server calls a different algorithm depending on the number of users to verify the validity of the authentication request (verification is assumed to pass in what follows)
5.2 The system server sends a query to the system user to verify that the user is alive
6 The system user answers the server's query and returns the response message to the system server
7 From the response message the system server decides whether to let authentication pass and provide the available parking space information to the system user
8 The tracker in the system traces the system user's identity (when a user performs an illegal operation)
8.1 The system server sends the authentication request $\Sigma$ to the tracker
8.2 The tracker runs the Trace algorithm to look up the ID of the corresponding system user
The foregoing detailed description of the preferred embodiments of the invention has been presented. It should be understood that numerous modifications and variations could be devised by those skilled in the art in light of the present teachings without departing from the inventive concepts. Therefore, the technical solutions available to those skilled in the art through logic analysis, reasoning and limited experiments based on the prior art according to the concept of the present invention should be within the scope of protection defined by the claims.
Claims (6)
1. An obfuscatable anonymous authentication method for protecting the identity information and the private authentication key of a system user in an authentication system, wherein the authentication system has a system administrator and a tracker, the system administrator is configured with a global public parameter $pub$, a master key $MK$ and a key pair $(PK_e, SK_e)$ for linear encryption and decryption, and the system user is configured with a private authentication key $K_{ID} = (K_1, K_2, K_3)$; the anonymous authentication method comprises the following steps:
the system user obfuscates the private authentication key $K_{ID}$ using the key pair $(PK_e, SK_e)$ to obtain an obfuscated key $z$;
the system user generates an authentication array containing the service request from the obfuscated key $z$ and sends it to the server;
the server performs validity authentication on the authentication array and liveness verification on the system user;
the server provides the service corresponding to the service request to a system user who passes both the validity authentication and the liveness verification;
when either the validity authentication or the liveness verification fails, the tracker traces the corresponding system user;
in the above steps the server performs validity authentication on the authentication arrays of one or more system users at the same time, using a different authentication algorithm for each authentication scenario; the scenarios are the one-to-one authentication scenario and the many-to-one authentication scenario;
the generation of the authentication array comprises the following steps:
21) obtain the request message $R$ and check whether it is empty; if so, directly output $(pub, PK_e)$, otherwise go to step 22);
22) obtain the current time $TS$, generate a session key $CK$ with the AES-128 key generation algorithm, and choose a 128-bit random number $rand_U$;
23) concatenate the request message $R$, the current time $TS$, the random number $rand_U$ and the session key $CK$ into the message $\mu$, and encrypt and package the session key $CK$ and the random number $rand_U$ contained in $\mu$ to obtain $CT$, which protects the session key and hence the confidentiality of the scheme:
$$\mu = (\mu_1, \ldots, \mu_m) = (R \,\|\, TS \,\|\, rand_U \,\|\, CK)$$
where $\|$ denotes the concatenation of bit strings and $\mathrm{Encode}$ is a function that encodes a bit string as an element of the group $G$;
24) compute the authentication request $\Sigma$:
$$\Sigma = (c_1, c_2, c_3, \sigma_4, c_4, \pi_2)$$
where $\Omega = g^{\omega}$ is an element of the group $G$, $g$ is a generator of $G$, $G$ is a cyclic group of order $n$, $h$ is a generator of the cyclic subgroup $G_q$ of $G$ of order $q$, $u, v', v_1, \ldots, v_m$ are random elements of $G$, and $s, x_0, y_0, x_1^*, \ldots, x_4^*, y_1^*, \ldots, y_4^*, t_1, \ldots, t_4$ are all parameters chosen at random from the residue class ring $\mathbb{Z}_n$ modulo $n$;
25) output the authentication array $\langle R, TS, CT, \Sigma \rangle$.
2. The obfuscatable anonymous authentication method of claim 1, wherein for the one-to-one authentication scenario, the validity authentication specifically comprises:
311) taking CT = (CT[1], CT[2], CT[3]) and calculating (CK || rand_U):
(CK || rand_U) = Decode(CT[3] / (CT[1]^{1/a} · CT[2]^{1/b}))
where Decode is a function that decodes an element of the group G into a bit string;
312) concatenating R, TS, rand_U and CK to give μ:
μ = (μ_1, …, μ_m) = (R || TS || rand_U || CK)
313) calculating T_1 and T_2:
c = {c_i | c_i = (c_i[1], c_i[2], c_i[3]), i = 1, 2, 3}
c_4 = (c_4[1], c_4[2], c_4[3])
315) selecting a 128-bit random number rand_S, and with CK as the key calling the AES-128 encryption algorithm BC_CK to encrypt rand_S || rand_U, obtaining Q = BC_CK(rand_S || rand_U);
316) outputting the triplet <TS, R, Q>.
3. The confusable anonymous authentication method according to claim 1, wherein for the many-to-one authentication scenario the number of system users is l, validity authentication is performed on the l system users at the same time, and the specific steps are as follows:
421) for the four-tuple <R_k, TS_k, CT_k, Σ_k> containing the authentication request generated by each system user k, taking out the element CT_k = (CT_k[1], CT_k[2], CT_k[3]) and calculating
where k is an index with 1 ≤ k ≤ l;
424) calculating T_1 and T_2:
426) selecting a 128-bit random number, calling the AES-128 encryption algorithm with CK as the key, and encrypting to obtain
427) outputting the triplet <TS_k, R_k, Q_k>.
4. The obfuscatable anonymous authentication method of claim 1, wherein in the liveness verification the server sends query information to the system user, the system user generates a response message and sends it to the server, and the server determines from the response message whether the liveness verification passes; the step of generating the response message comprises:
51) obtaining the pair <rand_U, CK> according to <R, TS>;
52) if <rand_U, CK> is null, outputting 0; otherwise going to step 53);
53) calling the AES-128 decryption algorithm BC.Dec_CK with CK as the key to decrypt Q, obtaining (r_S || r_U) = BC.Dec_CK(Q);
54) if r_U ≠ rand_U, outputting 0; otherwise performing step 55);
55) calculating the user response C:
C = (C[1], C[2], C[3]) = (PK_{e,0}^x, PK_{e,1}^y, g^{x+y} · Encode(r_S || r_U))
where x, y are parameters chosen at random from Z_n;
56) outputting the response triplet <R, TS, C> as the response information.
5. The obfuscatable anonymous authentication method of claim 4, wherein the server determines from the response information whether the liveness verification passes, specifically:
61) taking C = (C[1], C[2], C[3]) and calculating:
(r_S || r_U) = Decode(C[3] / (C[1]^{1/a} · C[2]^{1/b}));
62) obtaining the pair <rand_S, rand_U> according to <R, TS>;
63) if <rand_S, rand_U> is null, outputting 0; otherwise going to step 64);
64) if rand_S ≠ r_S or rand_U ≠ r_U, outputting 0; otherwise outputting 1;
where 0 indicates that verification fails and 1 indicates that verification passes.
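Added example, not the patent's own code, of the liveness challenge and response in claims 4 and 5: the server's challenge Q from step 315), the user's linear-encryption response C, and the server's checks 61) to 64). Assumptions: G is taken as Z_P^* for the Mersenne prime P = 2^61 - 1 (so Z_n has composite n = P - 1), SK_e = (a, b) with PK_e = (g^a, g^b) as the decryption formula implies, Encode(m) = m + 1, 24-bit nonces instead of 128-bit ones, and the AES-128 block cipher BC_CK is replaced by a SHA-256 keystream so the example runs with the standard library only.

```python
# Added example, not the patent's code: toy run of the liveness check in claims 4 and 5.
# Assumed: G = Z_P^* with P = 2^61 - 1 (exponent ring Z_n, n = P - 1), Encode(m) = m + 1,
# 24-bit nonces, and BC_CK (AES-128) replaced by a SHA-256 keystream (stdlib only).
import hashlib, math, secrets

P = 2**61 - 1
N = P - 1                   # exponent ring Z_n; composite, like the patent's order n
G_GEN = 3                   # assumed base element g
NB = 3                      # nonce length in bytes (patent: 16)

def encode(m): return int.from_bytes(m, "big") + 1
def decode(e): return (e - 1).to_bytes(2 * NB, "big")

def bc(ck, block):          # stand-in for BC_CK: one-block XOR keystream from CK
    return bytes(x ^ y for x, y in zip(block, hashlib.sha256(ck).digest()))

def keygen():               # SK_e = (a, b) invertible mod n, PK_e = (g^a, g^b)
    while True:
        a, b = secrets.randbelow(N - 2) + 2, secrets.randbelow(N - 2) + 2
        if math.gcd(a, N) == 1 and math.gcd(b, N) == 1:
            return (pow(G_GEN, a, P), pow(G_GEN, b, P)), (a, b)

def server_challenge(ck, rand_u):        # claim 2 step 315: Q = BC_CK(rand_S || rand_U)
    rand_s = secrets.token_bytes(NB)
    return rand_s, bc(ck, rand_s + rand_u)

def user_response(pk_e, ck, rand_u, q):  # claim 4 steps 53-56
    r = bc(ck, q)                        # (r_S || r_U)
    if r[NB:] != rand_u:                 # step 54: output 0
        return None
    x, y = secrets.randbelow(N), secrets.randbelow(N)
    c3 = pow(G_GEN, x + y, P) * encode(r) % P
    return (pow(pk_e[0], x, P), pow(pk_e[1], y, P), c3)   # C = (PK0^x, PK1^y, c3)

def server_verify(sk_e, stored, c):      # claim 5 steps 61-64: 1 = pass, 0 = fail
    if stored is None or c is None:
        return 0
    a, b = sk_e                          # Decode(C[3] / (C[1]^(1/a) * C[2]^(1/b)))
    blind = pow(c[0], pow(a, -1, N), P) * pow(c[1], pow(b, -1, N), P) % P
    r = decode(c[2] * pow(blind, -1, P) % P)
    return 1 if (r[:NB], r[NB:]) == stored else 0

def run_liveness(tamper=False):          # full round trip; tamper flips one bit of Q
    pk_e, sk_e = keygen()
    ck, rand_u = secrets.token_bytes(16), secrets.token_bytes(NB)
    rand_s, q = server_challenge(ck, rand_u)
    if tamper:                           # corrupts r_S only, so step 54 still passes
        q = bytes([q[0] ^ 1]) + q[1:]
    return server_verify(sk_e, (rand_s, rand_u), user_response(pk_e, ck, rand_u, q))
```

The tampered run shows why step 64) compares both halves: a corrupted challenge still passes the user's own check on r_U and is only caught when the server compares r_S against the rand_S it stored for <R, TS>.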
6. The obfuscatable anonymous authentication method of claim 1, wherein the tracing comprises the steps of:
71) taking SK_e, Σ and c_2, and calculating σ_2 = c_2[3] / (c_2[1]^{1/a} · c_2[2]^{1/b}), where c_2[1], c_2[2], c_2[3] are the elements of c_2;
72) performing step 73) for each system user ID in the HashMap;
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810368800.7A CN108737383B (en) | 2018-04-23 | 2018-04-23 | Anonymous authentication method capable of confusing |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108737383A CN108737383A (en) | 2018-11-02 |
CN108737383B true CN108737383B (en) | 2021-05-11 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||