CN108964895A - User-to-User identity authentication system and method based on group key pool and improved Kerberos - Google Patents


Publication number
CN108964895A
Authority
CN
China
Prior art keywords
key
user terminal
random number
group
true random
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810688658.4A
Other languages
Chinese (zh)
Other versions
CN108964895B (en)
Inventor
富尧
钟民
钟一民
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ruban Quantum Technology Co Ltd
Original Assignee
Ruban Quantum Technology Co Ltd
Application filed by Ruban Quantum Technology Co Ltd
Priority to CN201810688658.4A
Publication of CN108964895A
Publication of CN108964895B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • H04L9/0855 Quantum cryptography involving additional nodes, e.g. quantum relays, repeaters, intermediate nodes or remote nodes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a User-to-User identity authentication system and method based on a group key pool and improved Kerberos. Identity authentication comprises: Step A, a user terminal in the active-party group applies to the quantum network service station for TGT(A) according to a preset active-party communication range; that user terminal also applies to a user terminal in the passive-party group for TGT(B). Step B, the user terminal in the active-party group then, on the basis of TGT(A) and TGT(B), applies to the quantum network service station for an active-party session key and a Ticket corresponding to a preset passive-party communication range, and shares the Ticket and the active-party session key within the active-party communication range. Step C, a user terminal A within the active-party communication range sends the Ticket to a user terminal B within the passive-party communication range; the Ticket also contains a passive-party session key, so that user terminal A and user terminal B share a session key for encrypted communication.

Description

User-to-User identity authentication system and method based on group key pool and improved Kerberos
Technical field
The present invention relates to the field of quantum communication technology, and in particular to an identity authentication system based on a quantum network.
Background art
Identity authentication is a basic technique for achieving information security. A system checks a user's identity to confirm whether the user has the right to access and use a given resource; identity authentication can likewise be performed between one system and another.
Identity authentication systems in current communication networks generally use the Kerberos authentication scheme. Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by means of a key system. The authentication process does not depend on authentication by the host operating system, does not rely on trust in host addresses, does not require physical security of all hosts on the network, and assumes that packets transmitted on the network can be read, modified, and have data inserted into them arbitrarily. Under these conditions, Kerberos acts as a trusted third-party authentication service that performs authentication using conventional cryptographic techniques (such as shared keys).
The Kerberos authentication scheme introduces timestamps to check for replay attacks, but a ticket has a lifetime and remains usable within the validity period of that lifetime. If a message is received within the permitted time range, it is judged to be fresh. However, an attacker who has obtained a permit can send forged messages, which in this situation are hard to detect within the permitted time.
An attacker may attack the encryption device or attack by means of malware, so many researchers have focused their improvements to Kerberos on improvements to hardware devices. At present, the trusted hardware device suitable for use at the user terminal of a Kerberos system is the smart card. Integrating smart cards into Kerberos systems has achieved good results.
With the continuing development of wireless communication technology, direct terminal-to-terminal communication (Device to Device, D2D) has become one of the hot topics of 3GPP Rel-12 standardization. D2D allows two user equipments (User Equipment, UE) to transmit data directly over a specific channel (Sidelink Channel) without passing through the evolved base station (Evolutional Node B, eNB). D2D is not limited to data transmission between two user equipments; it can also support point-to-multipoint group communication (Group Communication). Existing network authentication systems are mostly based on one-to-one authentication of a single object, but for point-to-multipoint data transmission, groups can be formed according to certain principles. In these scenarios, when new terminals join a group, the existing one-to-one authentication mode not only increases network signalling and causes network congestion but also occupies a large amount of network resources, so the existing one-to-one network authentication system is no longer suitable. In this case, a corresponding group authentication mechanism is needed to reduce authentication resource consumption and network congestion. The keys used by existing group communication systems are conventional keys, which are pseudo-random numbers produced by a program. Pseudo-random numbers follow specific rules and are comparatively easy to crack, whereas a quantum key is a true random number produced from quantum properties; the next bit of a quantum key cannot be predicted, which effectively overcomes the drawbacks of pseudo-random numbers.
The patent document with publication number CN106357649A, entitled "User identity authentication system and method", discloses an identity authentication method of standard-key cryptography. However, that invention can only perform one-to-one identity authentication, and its authentication is one-way, which poses considerable security risks.
Problems in the prior art:
(1) Existing identity authentication techniques based on quantum key cards can only perform one-to-one authentication; they cannot perform authentication of a group or between groups.
(2) The challenge information transmitted for identity authentication in the prior art is usually an exposed random number, so an attacker may study the challenge and response and crack the key.
(3) In existing authentication and encryption techniques based on quantum key cards, the quantum key card and its issuer must agree in advance on which key to use before authentication and encryption are performed, and the key is not changed while authentication and encryption are performed.
(4) Existing identity authentication techniques are based on the Kerberos authentication scheme, whose use of timestamps makes replay attacks possible. The Kerberos protocol requires clock synchronization across the network; its demand for system-wide time synchronization is high and is hard to meet in large distributed systems.
(5) In the second step of the original Kerberos protocol, the Ticket is encrypted with the long-term key of user terminal B and may be intercepted and cracked by a malicious network eavesdropper.
(6) In the prior art, user terminal keys are stored in user terminal memory and can be stolen by malware or malicious operations.
(7) In the prior art, the long-term key of a user terminal does not change, so security is insufficient.
Summary of the invention
The present invention provides an identity authentication system based on a quantum network that is suitable for authentication between groups.
A User-to-User identity authentication system based on a group key pool and improved Kerberos comprises a quantum network service station, and an active-party group and a passive-party group each comprising a plurality of user terminals. Identity authentication comprises:
Step A, a user terminal in the active-party group applies to the quantum network service station for TGT(A) according to a preset active-party communication range;
the user terminal also applies to a user terminal in the passive-party group for TGT(B);
Step B, the user terminal in the active-party group then, on the basis of TGT(A) and TGT(B), applies to the quantum network service station for an active-party session key and a Ticket corresponding to a preset passive-party communication range, and shares the Ticket and the active-party session key within the active-party communication range;
Step C, a user terminal A within the active-party communication range sends the Ticket to a user terminal B within the passive-party communication range; the Ticket also contains a passive-party session key, so that user terminal A and user terminal B share a session key for encrypted communication;
When the user terminal in the active-party group communicates with the quantum network service station in steps A and B, and when user terminal A communicates with user terminal B in step C, a true random number is used as the identity authentication data in each case.
The subscripts of TGT(A) and TGT(B) mentioned in the present invention differ only to make it easier to describe and distinguish the channel through which each is obtained; they do not limit the meaning of TGT itself.
In step A of the present invention, any user terminal in the active-party group may initiate the authentication request. The active-party communication range can be understood either as a particular user terminal in the active-party group that holds the Ticket and active-party session key and can carry out identity authentication and subsequent encrypted communication with the user terminals in the passive-party communication range, or as all user terminals in the active-party group, each holding the Ticket and active-party session key and each able to carry out identity authentication and subsequent encrypted communication with the user terminals in the passive-party communication range.
Similarly, the passive-party communication range can be understood either as a particular user terminal in the passive-party group that can obtain the passive-party session key from the Ticket and use it, or as all user terminals in the passive-party group, each able to obtain the passive-party session key from the Ticket and use it.
The true random numbers used as identity authentication data in steps A, B, and C are different. The true random numbers in steps A and B are generated by the quantum key card matched to the user terminal in the active-party group and are sent to the quantum network service station in encrypted form, together with the information used to generate them, for verification by the quantum network service station;
The true random number in step C is generated by the quantum network service station and, together with the information used to generate it, is sent in encrypted form to the user terminal in the active-party group in step B. In step C, when user terminal A communicates with user terminal B, user terminal A sends the step C true random number, together with the information used to generate it, to user terminal B in encrypted form for verification by user terminal B.
Preferably, all user terminals of the active-party group and the passive-party group are each equipped with a quantum key card;
The quantum key card of each user terminal independently shares a private symmetric key pool with the quantum network service station;
The quantum key cards of all user terminals in the same group share with the quantum network service station a group key pool corresponding to that group;
In step B, the active-party session key is in ciphertext form. When the active-party communication range is a particular user terminal in the active-party group, the active-party session key is encrypted using the symmetric key pool corresponding to that user terminal; when the active-party communication range is all user terminals in the active-party group, the active-party session key is encrypted using the group key pool corresponding to the active-party group;
In step B, the passive-party session key in the Ticket is in ciphertext form. When the passive-party communication range is a particular user terminal in the passive-party group, the passive-party session key is encrypted using the symmetric key pool corresponding to that user terminal; when the passive-party communication range is all user terminals in the passive-party group, the passive-party session key is encrypted using the group key pool corresponding to the passive-party group.
The active-party session key and the passive-party session key have the same content; they are generated by the quantum network service station and used for symmetric encryption. The copy sent directly to the user terminal in step B is called the active-party session key, and the copy encapsulated in the Ticket is called the passive-party session key. Both are transmitted in ciphertext form, with the encryption mode chosen according to the communication range, so only user terminals within the communication range can decrypt and use them.
When the Ticket and active-party session key are shared within the active-party communication range, the active-party session key is in ciphertext form, so the information needed to decrypt the active-party session key is shared as well.
The key used to encrypt the active-party session key is the first security key; the key used to encrypt the passive-party session key is the second security key;
When the active-party session key is shared in step B, the shared content is the active-party session key encrypted with the first security key, together with the information used to generate the first security key; the Ticket contains the information used to generate the second security key.
When the active-party session key is shared in step B, to improve security the first security key itself is not shared as part of the decryption information; only the information used to generate the first security key is shared. Only user terminals within the active-party communication range hold the corresponding key pool, so even if an outsider learns the information used to generate the first security key, the outsider cannot generate the first security key, which further improves the security of the active-party session key.
For the same reason, the Ticket does not directly contain the second security key; it contains only the information used to generate the second security key. Only user terminals within the passive-party communication range hold the corresponding key pool, so even if an outsider learns the information used to generate the second security key, the outsider cannot generate the second security key, which further improves the security of the passive-party session key.
When the communication range is a particular user terminal rather than all user terminals of the group, sharing can be regarded as complete once that user terminal has obtained the Ticket and active-party session key from the quantum network service station.
In step B, the encryption of the active-party session key and of the passive-party session key in the Ticket is performed in the quantum network service station, which acts on what the user terminal specified in steps A and B. Preferably:
In step A, when the user terminal applies to the quantum network service station for TGT(A), it carries an identifier A, which tells the quantum network service station whether to generate the first security key using the symmetric key pool corresponding to the user terminal or using the group key pool corresponding to the active-party group;
In step B, when the user terminal applies to the quantum network service station for the corresponding Ticket and active-party session key, it carries an identifier B, which tells the quantum network service station whether to generate the second security key using the symmetric key pool corresponding to a particular user terminal in the passive-party group or using the group key pool corresponding to the passive-party group.
The first security key or second security key is generated as follows: the quantum network service station generates a true random number; the true random number, combined with a key generation algorithm, yields a pointer; the pointer points to a part of the key pool specified by identifier A or identifier B; and the corresponding key extracted from that key pool is used as the first security key or second security key.
Only the true random number or the pointer, i.e. the information used to generate the first or second security key, needs to be transmitted between the user terminal and the quantum network service station and between user terminals; the first or second security key itself does not need to be transmitted. Even if an outsider learns the information used to generate the first or second security key, the outsider does not hold the corresponding key pool and cannot generate the key, which further improves the security of the session key.
In the present invention the quantum network service station acts as a trusted third party that provides the ticket (Ticket) to the user terminal of the active-party group. Both the process in which that user terminal applies to the quantum network service station for the ticket and the process in which user terminal B authenticates user terminal A involve the use of identity authentication data.
In step A, when the user terminal applies for TGT(A), it uses an encrypted true random number N1 as the identity authentication data between itself and the quantum network service station. True random number N1 is encrypted with a transmission key; the transmission key is generated by the user terminal using its matched quantum key card, and the information used to generate the transmission key is notified to the quantum network service station;
The quantum network service station generates true random number N1' in the corresponding way and compares it with true random number N1 to authenticate.
Preferably, the identity authentication data of step A further includes the true random number R_N1 used to generate true random number N1.
True random number N1 is generated as follows: the user terminal in the active-party group in step A uses its matched quantum key card to generate true random number R_N1; R_N1, combined with a predetermined algorithm, yields a pointer that points to a certain part of the key pool specified by identifier A; and the corresponding part extracted from that key pool is used as true random number N1.
In step B, when the user terminal applies for the Ticket and active-party session key, it uses an encrypted true random number N2 as the identity authentication data between itself and the quantum network service station. True random number N2 is encrypted with the first security key;
The quantum network service station generates true random number N2' in the corresponding way and compares it with true random number N2 to authenticate.
Preferably, the identity authentication data of step B further includes the true random number R_N2 used to generate true random number N2.
True random number N2 is generated as follows: the user terminal in the active-party group in step A uses its matched quantum key card to generate true random number R_N2; R_N2, combined with a predetermined algorithm, yields a pointer that points to a certain part of the key pool specified by identifier A; and the corresponding part extracted from that key pool is used as true random number N2.
In step C, when user terminal A sends the Ticket to user terminal B, it uses an encrypted true random number N3 as the identity authentication data between itself and user terminal B. True random number N3 is double-encrypted with the second security key and the active-party session key;
User terminal B generates true random number N3' in the corresponding way and compares it with true random number N3 to authenticate.
Preferably, the identity authentication data of step C further includes the true random number R_N3 used to generate true random number N3, encrypted with the active-party session key;
True random number N3 is generated as follows: the quantum network service station generates true random number R_N3; R_N3, combined with a predetermined algorithm, yields a pointer that points to a certain part of the key pool specified by identifier B; and the corresponding part extracted from that key pool is used as true random number N3;
In step B, when the user terminal in the active-party group obtains the Ticket and active-party session key from the quantum network service station, it also obtains true random number N3 encrypted with the second security key, and true random number R_N3 encrypted with the first security key.
The transmission key is generated as follows: the user terminal in step A uses its matched quantum key card to generate true random number R_A; R_A, combined with a key generation algorithm, yields a pointer; the pointer points to a part of the key pool specified by identifier A; and the corresponding key extracted from that key pool is used as the transmission key.
The information used to generate the transmission key is true random number R_A; the key generation algorithm and similar details can be negotiated in advance. After receiving true random number R_A, the quantum network service station can generate the transmission key from the corresponding key pool and use it to decrypt and verify true random number N1.
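The step A exchange described above (R_A selects the transmission key, R_N1 selects the challenge N1, and the station recomputes N1' from its own copy of the pool), as an added example that is not taken from the patent. The pointer algorithm (SHA-256 reduced modulo the pool size), the hash-based stand-in cipher, the `private`/`group` values for identifier A, the use of `secrets` in place of the quantum key card's generator, and the station's replay cache are all assumptions; the patent leaves these unspecified.

```python
import hashlib
import hmac
import secrets

LEN = 32  # bytes read from the pool per derived value (assumption)


def pool_extract(pool: bytes, r: bytes, purpose: bytes) -> bytes:
    """Random number -> pointer -> LEN bytes of pool material.

    Assumed pointer algorithm: SHA-256(purpose || r) mod pool size,
    reading with wrap-around at the end of the pool.
    """
    ptr = int.from_bytes(hashlib.sha256(purpose + r).digest(), "big") % len(pool)
    return bytes(pool[(ptr + i) % len(pool)] for i in range(LEN))


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the unspecified symmetric cipher (hash keystream + HMAC tag)."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify."""
    if len(blob) < 48:
        return None
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def client_request(pool: bytes, identifier_a: str) -> dict:
    """User terminal side of step A; only R_A travels in the clear."""
    r_a = secrets.token_bytes(16)    # R_A: selects the transmission key
    r_n1 = secrets.token_bytes(16)   # R_N1: selects the challenge N1
    k_t = pool_extract(pool, r_a, b"key")
    n1 = pool_extract(pool, r_n1, b"challenge")
    return {"identifier_a": identifier_a, "r_a": r_a, "auth": seal(k_t, n1 + r_n1)}


class Station:
    """Quantum network service station holding its copies of the key pools."""

    def __init__(self, private_pools: dict, group_pools: dict):
        self.private_pools = private_pools
        self.group_pools = group_pools
        self.seen_r_a = set()  # replay cache: an assumption, not in the patent

    def verify(self, user_id: str, group_id: str, msg: dict) -> bool:
        # Identifier A selects the user's private pool or the group pool.
        if msg["identifier_a"] == "private":
            pool = self.private_pools.get(user_id)
        else:
            pool = self.group_pools.get(group_id)
        if pool is None or msg["r_a"] in self.seen_r_a:
            return False
        k_t = pool_extract(pool, msg["r_a"], b"key")
        plain = unseal(k_t, msg["auth"])
        if plain is None or len(plain) != LEN + 16:
            return False
        n1, r_n1 = plain[:LEN], plain[LEN:]
        n1_prime = pool_extract(pool, r_n1, b"challenge")  # N1'
        ok = hmac.compare_digest(n1, n1_prime)
        if ok:
            self.seen_r_a.add(msg["r_a"])
        return ok


def demo():
    """Constructed pools and messages: (fresh, replayed, wrong pool, group pool)."""
    pool_a, pool_g = secrets.token_bytes(4096), secrets.token_bytes(4096)
    station = Station({"A": pool_a}, {"G1": pool_g})
    msg = client_request(pool_a, "private")
    fresh = station.verify("A", "G1", msg)
    replayed = station.verify("A", "G1", msg)
    outsider = station.verify("A", "G1", client_request(secrets.token_bytes(4096), "private"))
    group = station.verify("A", "G1", client_request(pool_g, "group"))
    return fresh, replayed, outsider, group


if __name__ == "__main__":
    print(demo())
```

Without the replay cache the second call in `demo()` would also verify, since nothing in the message itself binds it to a single use.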
In step A, when the user terminal receives TGT(A) from the quantum network service station, it also receives true random number R_Q-A encrypted with the transmission key; R_Q-A is generated by the quantum network service station and is used to generate the first security key.
The user terminal can use true random number R_Q-A together with the corresponding key pool to generate the first security key, which is used to encrypt true random number N2 in step B.
The quantum network service station includes an authentication server and a ticket-granting server. A user terminal in the active-party group applies to the authentication server for TGT(A) and applies to a user terminal in the passive-party group for TGT(B); then, on the basis of TGT(A) and TGT(B), it applies to the ticket-granting server for the Ticket.
A symmetric key pool or group key pool in a quantum key card that is used for a long time or reused may be cracked. To improve the security of the identity authentication system, preferably:
The symmetric key pool and group key pool in the quantum key card are updated periodically.
For an update, after the user terminal establishes a communication connection with its matched quantum key card, the user terminal sends an update request to the quantum key card through an upper-layer application, and the update request is sent to the quantum network service station at the same time;
After the quantum key card receives the update request, it updates the symmetric key pool or group key pool according to a preset rule;
After the quantum network service station receives the update request, it updates the correspondingly stored symmetric key pool or group key pool in the quantum network service station according to the rule agreed in advance with the quantum key card.
In the present invention, one option is that the quantum key cards of all user terminals in the active-party group and the passive-party group belong to the same quantum network service station, i.e. the corresponding quantum keys are all stored in that quantum network service station; this can also be regarded as a LAN environment.
In a WAN environment, the quantum key cards matched to the user terminals of the active-party group belong to quantum network service station A, and the quantum key cards matched to the user terminals of the passive-party group belong to quantum network service station B;
In step A, the user terminal of the active-party group applies to the authentication server of quantum network service station A for TGT(A), and applies to a user terminal in the passive-party group for TGT(B). In step B, the user terminal of the active-party group then, on the basis of TGT(A) and TGT(B), applies to the ticket-granting server of quantum network service station A for the Ticket; the Ticket is generated with the assistance of quantum network service station B and is sent to the user terminal of the active-party group by quantum network service station A.
The passive-party session key in the Ticket is encrypted with the second security key, and the second security key is generated using the corresponding symmetric key pool or group key pool of the passive-party group, so the assistance of quantum network service station B is needed. Quantum network service station B may respond to a request from quantum network service station A by generating the Ticket and sending it to quantum network service station A; or quantum network service station B may send the second security key, or the information needed to produce it, to quantum network service station A, which then generates the Ticket itself.
The present invention also provides a User-to-User identity authentication method based on a group key pool and improved Kerberos, implemented in the User-to-User identity authentication system based on a group key pool and improved Kerberos of the present invention. For the specific steps, see the corresponding description of the identity authentication system of the present invention.
The present invention implements identity authentication based on symmetric key pools and group key pools; the introduction of group key pools in particular makes it possible to authenticate between a user and a group or between groups. After a user and a group complete identity authentication, that user can communicate securely with any user of the group; after two groups complete identity authentication, any users of the two groups can communicate securely with each other.
Existing identity authentication techniques are based on the Kerberos authentication scheme, whose use of timestamps makes replay attacks possible, and the whole Kerberos protocol requires clock synchronization across the network; its demand for system-wide time synchronization is high and is hard to meet in large distributed systems. The present invention replaces the timestamps of the original scheme with quantum true random numbers, which resolves the possibility of replay attacks. Not using timestamps also means the system does not require time synchronization.
The challenge information transmitted for identity authentication in the present invention is only a random number used to generate a pointer. Without the key pool, even if an attacker studies the challenge and response and cracks the random number, or even obtains the pointer, the attacker cannot obtain the key used for encryption.
In identity authentication under the present invention, the quantum key card and its issuer do not need to agree in advance on which key to use before authentication is performed and authentication messages are encrypted, and the key can be changed freely for every message of the authentication. Only the random number used to compute the pointer needs to be indicated, and the risk of disclosing that random number is very small; in general it is of no use to an attacker.
The present invention changes the encryption key of the Ticket to an ephemeral key, so that by the time a malicious user has decrypted it the key is no longer valid. The present invention stores user terminal keys in a quantum key card rather than in user terminal memory; the quantum key card is an independent hardware device, which greatly reduces the possibility of keys being stolen by malware or malicious operations. The long-term key of a user terminal in the present invention changes frequently, which greatly improves security compared with the unchanging user terminal long-term key of the prior art. In addition, messages between classical authentication servers are transmitted over a classical network, which is not secure in the current network environment, whereas the present invention uses a QKD network to ensure the security of communication over the wide area network.
Brief description of the drawings
Fig. 1 is a structure diagram of the quantum keys of group-type quantum key cards under a single quantum network service station.
Fig. 2 is a structure diagram of the quantum keys of group-type quantum key cards under multiple quantum network service stations.
Fig. 3 is a flow chart of identity authentication within a local area network.
Fig. 4 is a flow chart of identity authentication within a wide area network.
Fig. 5 is a schematic diagram of the detailed steps of the identity authentication method of Embodiment 1.
Fig. 6 is a schematic diagram of the detailed steps of the identity authentication method of Embodiment 2.
Specific embodiments
The identity authentication system of the present invention may include multiple quantum network service stations; different quantum network service stations can share inter-station quantum keys by means of QKD.
A quantum network service station includes:
A quantum service center, mainly used to communicate over the classical network with each user terminal on the user side and with other quantum network service stations. The classical network includes, but is not limited to, telecommunication networks, the Internet, broadcast and television networks, or other communication networks.
Quantum key distribution equipment, mainly used to share inter-station quantum keys by means of QKD.
A true random number generator, which receives the user-side key requests made by the user-side key management server, generates user-side keys and sends them to the user-side key management server. A true random number generator is used here. It is preferably a quantum true random number generator, but may also be a circuit-based true random number generator, a true random number generator based on a physical source, or another type of true random number generator.
A user-side key management server, which stores and manages the user-side keys generated by the true random number generator. It can connect to removable quantum key cards to issue cards, register them and copy user-side keys; it can also receive the user-side key requests made by the quantum service center and send user-side keys of the corresponding length to the quantum service center. For details of the quantum key card, see also the patent application publication with application No. "201610846210.6".
The quantum service center includes an authentication server and a ticket-granting server; other servers, such as a digital signature server, a signature verification server and an encryption and decryption server, can also be provided as needed.
The authentication server performs mutual identity authentication between the user and the quantum network service station before the user receives services such as message authentication and digital signature. The authentication server contains an encryption card with a PCI bus interface, which stores the identity authentication protocol, including the key generation algorithm, the authentication function, the encrypted transmission protocol and so on.
The ticket-granting server, after the user has completed mutual identity authentication with the quantum network service station, issues to the user the permission it has applied for to access a certain user.
User terminals, such as user terminal 1 to user terminal n, are configured under each quantum network service station. The different servers or other devices in this specification can also be integrated in hardware as needed.
A user terminal is a device that accesses a quantum network service station, and may be a mobile terminal or a fixed terminal. For a mobile terminal, the quantum key card is preferably a quantum SD card; for a fixed terminal, the quantum key card is preferably a USB key or a host encryption board.
When a client registers at the quantum network service station of its region, it obtains a quantum key card (with a unique quantum key card ID) once approved. The quantum key card stores the client's registration information and also has a built-in identity authentication protocol, which includes at least a key generation algorithm and an authentication function, or other algorithms related to identity authentication.
Each quantum network service station on the network side also has a corresponding authentication protocol. If there are two or more candidates for an algorithm in the protocol, the quantum key card sends the algorithm label to the quantum network service station when communicating with it, so that the quantum network service station can select the algorithm.
The user-side keys in a quantum key card may have been downloaded from different quantum network service stations, and can therefore be stored in different key seed sets according to their source; the user terminal takes key seeds according to a preset rule to generate keys. Each key seed set has a unique key seed ID, which points to the quantum network service station where the corresponding key seeds are stored.
The quantum key card is developed from smart card technology and is an identity authentication product that combines quantum physics, cryptography and hardware security isolation. Its embedded chip and chip operating system provide functions such as secure storage of private keys and cryptographic algorithms. Because it has independent data processing capability and good security, the quantum key card serves as a secure carrier for quantum true random number private keys. Each quantum key card is protected by a hardware PIN; the PIN and the hardware are the two factors required to use the quantum key card. This is so-called "two-factor authentication": a user can log in to the system only when holding both the quantum key card that stores the relevant authentication information and the user PIN. Even if the user's PIN is disclosed, the legitimate user's identity cannot be impersonated as long as the quantum key card held by the user is not stolen; if the user's quantum key card is lost, the finder cannot impersonate the legitimate user either, because the finder does not know the user PIN.
Embodiment 1: identity authentication of two user terminals belonging to one quantum network service station in a local area network
The scenario of this embodiment is shown in Fig. 1. The quantum key card matched with user terminal A, which takes part in the identity authentication, contains the symmetric key pool KA and the group key pool KPA; the quantum key card matched with user terminal B, which takes part in the identity authentication, contains the symmetric key pool KB and the group key pool KPB. User terminal A and user terminal B both belong to quantum network service station Q, but they do not belong to the same group. Quantum network service station Q holds the symmetric key pools of all members as well as the group key pools KPA and KPB. The cryptography modules of A, B and Q each hold the corresponding key pools (including symmetric key pools and group key pools) and the various algorithms. The key pool used in the authentication steps in which user terminal A takes part is specified by FlagA, and the key pool used in the authentication steps in which user terminal B takes part is specified by FlagB. The values of FlagA and FlagB are decided by the authentication initiator, that is, user terminal A.
Depending on which key pools are specified, there are the following three cases:
1. When the key pool specified by FlagA is the symmetric key pool KA and the key pool specified by FlagB is the group key pool KPB, user terminal A is applying to authenticate with the group to which user terminal B belongs. A concrete case is a data link system in which member A of group A applies to join group B, to which member B belongs; after the identity authentication is completed, member A can communicate securely with all members of group B.
2. When the key pool specified by FlagA is the group key pool KPA and the key pool specified by FlagB is the symmetric key pool KB, the group to which user terminal A belongs is applying to authenticate with user terminal B. A concrete case is a data link system in which group A, to which member A belongs, applies to authenticate with a member B of another group; after the identity authentication is completed, member B can communicate securely with all members of group A.
3. When the key pool specified by FlagA is the group key pool KPA and the key pool specified by FlagB is the group key pool KPB, the group to which user terminal A belongs is applying to authenticate with the group to which user terminal B belongs. A concrete case is a data link system in which group A, to which member A belongs, applies to authenticate with group B, to which member B belongs; after the identity authentication is completed, all members of group A and group B can communicate securely with one another.
In the following steps, all encryption and decryption operations on each user side are performed inside the matched quantum key card. The encryption and decryption operations of the authentication server and the ticket-granting server are performed in the encryption and decryption server of the quantum network service station.
The authentication flow is shown in Fig. 3. When user terminal A and user terminal B belong to the same quantum network service station, the quantum key cards involved in the authentication process are registered and issued at the local quantum network service station. See Fig. 5 for the specific steps. In the figures, the encrypted part is shown in braces and what follows indicates the key used; for example, {RN1+N1}KA means that RN1 and N1 are encrypted with KA.
The specific steps are described as follows:
Step 1: user terminal A applies to the quantum network service station for the ticket-granting ticket TGT(A)
A. User-side authentication random number and key generation: the quantum key card matched with user terminal A uses the random number generator in the card to generate true random number RN1 (hereinafter RN1; other terms are abbreviated in the same way by omitting the descriptive words) and true random number RA. RN1 and RA are each combined with the specific key generation algorithm f to obtain pointers PN1 and PA. PN1 and PA each point to a part of the key pool specified by FlagA, from which the corresponding authentication random number N1 and key KA (the transmission key) can be extracted.
B. User terminal A sends a pre-authentication service request: user terminal A sends a pre-authentication service request to the authentication server of the quantum network service station. The request contains:
① identity information Ainfo (including the IDA of user terminal A and the FlagA that specifies the key pool) and RA;
② RN1 and N1 encrypted with KA, as pre-authentication data;
③ the identity information TGSinfo of the ticket-granting server in the quantum network service station.
C. The quantum network service station authenticates user terminal A: after obtaining RA, the quantum network service station combines it with the specific key generation algorithm f to obtain pointer PA', then uses PA' to extract from the key pool specified by FlagA the key KA', which is identical to key KA.
To distinguish it from the original key KA, a key extracted from the key pool on a side other than the one that generated the original key is denoted KA'. The same convention applies below.
KA' is used to decrypt the pre-authentication data to obtain RN1 and N1. RN1 is combined with the specific key generation algorithm f to obtain pointer PN1', and PN1' is used to extract N1' from the key pool specified by FlagA. N1 is compared with N1', which completes the identity authentication between the quantum network service station and user terminal A.
D. The quantum network service station sends the authentication service reply: the quantum network service station uses the true random number generator in the station to generate true random number RQ1. RQ1 is combined with the specific key generation algorithm f to obtain pointer PQ1, which points to a part of the key pool exclusive to the quantum network service station, from which the corresponding key KQ1 can be extracted. The quantum network service station uses the true random number generator in the station to generate true random number RQ-A. RQ-A is combined with the specific key generation algorithm f to obtain pointer PQ-A, which points to a part of the key pool specified by FlagA, from which the corresponding key KQ-A (the first security key) can be extracted.
After the identity authentication between the quantum network service station and user terminal A is completed, the quantum network service station sends an authentication service reply to user terminal A. The reply contains:
① RQ-A encrypted with KA';
② the ticket-granting ticket TGT(A).
TGT(A) includes RQ, Ainfo, and RQ-A and the TGT expiration time TA encrypted with KQ. The expiration time can be a maximum time period, a maximum number of accesses, or a combination of the two in which whichever is reached first applies. TGT(A) can be used by user terminal A to apply to the quantum network service station for a Ticket for accessing a user terminal that the ticket-granting server of that quantum network service station is able to provide.
E. User terminal A obtains the reply: on receiving the authentication service reply, user terminal A obtains the TGT. It decrypts the first part with KA, which is identical to KA', to obtain RQ-A, combines RQ-A with the specific key generation algorithm f to obtain pointer PQ-A, and then uses PQ-A to extract from the key pool specified by FlagA the key KQ-A', which is identical to key KQ-A.
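The Step 1 exchange above (sub-steps A to E, with the TGT itself omitted), as an added example that is not part of the patent. The patent does not specify the key generation algorithm f or the cipher, so the SHA-256 based pointer function, the HMAC-based stand-in cipher, the use of `secrets` in place of a quantum true random number generator, the byte lengths and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32    # bytes read from the pool per key or nonce (assumed)
RAND_LEN = 16   # bytes per public random number R (assumed)


def pointer(r, pool_len, out_len):
    """Assumed stand-in for key generation algorithm f: random number R -> pointer P."""
    digest = hashlib.sha256(b"pointer|" + r).digest()
    return int.from_bytes(digest, "big") % (pool_len - out_len + 1)


def extract(pool, r, out_len=KEY_LEN):
    """Read out_len bytes of key pool material starting at P = f(R)."""
    p = pointer(r, len(pool), out_len)
    return pool[p:p + out_len]


def subkey(key, label):
    """Derive separate encryption and MAC keys from one extracted pool key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key, nonce, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key, plaintext):
    """Stand-in authenticated cipher: HMAC-SHA256 keystream, then an HMAC tag."""
    nonce = secrets.token_bytes(16)
    ks = keystream(subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    ks = keystream(subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def card_request(pool, id_a, flag_a):
    """Sub-steps A and B: the card picks RA and RN1, derives KA and N1, builds the request."""
    r_a, r_n1 = secrets.token_bytes(RAND_LEN), secrets.token_bytes(RAND_LEN)
    k_a, n1 = extract(pool, r_a), extract(pool, r_n1)
    request = {"Ainfo": (id_a, flag_a), "R_A": r_a, "preauth": seal(k_a, r_n1 + n1)}
    return request, k_a


def station_verify(pools, request):
    """Sub-step C: recompute KA' and N1' from the station's pool copy.

    Returns KA' when N1 == N1', otherwise None.
    """
    pool = pools.get(request["Ainfo"])
    if pool is None:
        return None
    k_a = extract(pool, request["R_A"])
    try:
        plain = unseal(k_a, request["preauth"])
    except ValueError:
        return None
    r_n1, n1 = plain[:RAND_LEN], plain[RAND_LEN:]
    return k_a if hmac.compare_digest(n1, extract(pool, r_n1)) else None


def station_reply(pool, k_a):
    """Sub-step D without the TGT: pick RQ-A, derive KQ-A, send RQ-A under KA'."""
    r_qa = secrets.token_bytes(RAND_LEN)
    return seal(k_a, r_qa), extract(pool, r_qa)


def card_open_reply(pool, k_a, blob):
    """Sub-step E: decrypt RQ-A and derive the same KQ-A from the card's pool."""
    return extract(pool, unseal(k_a, blob))


if __name__ == "__main__":
    pool_a = secrets.token_bytes(4096)           # constructed key pool
    pools = {("user-A", "symmetric"): pool_a}    # station's copy, keyed by Ainfo (assumed layout)
    request, k_a = card_request(pool_a, "user-A", "symmetric")
    k_a_station = station_verify(pools, request)
    print("station accepts:", k_a_station is not None)
    blob, k_qa_station = station_reply(pool_a, k_a_station)
    print("KQ-A agrees:", card_open_reply(pool_a, k_a, blob) == k_qa_station)
    forged, _ = card_request(secrets.token_bytes(4096), "user-A", "symmetric")
    print("request built from another pool accepted:", station_verify(pools, forged) is not None)
```

Only RA, Ainfo and the sealed blob cross the network; a sender that knows RA but holds a different pool derives a different KA, so the station rejects its request.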
Step 2: user terminal A applies to user terminal B to obtain user terminal B's TGT(B)
User terminal A sends user terminal B a request for user terminal B's TGT(B). If user terminal B already has TGT(B), it sends it directly to user terminal A; if not, user terminal B obtains it from the authentication server of the quantum network service station by steps following the same principle as Step 1.
TGT(B) includes RQ2, Binfo, and RQ-B and the TGT(B) expiration time TB encrypted with KQ2.
Step 3: user terminal A uses TGT(A) and TGT(B) to apply to the quantum network service station for the Ticket for accessing user terminal B.
A. Authentication true random number generation: the quantum key card matched with user terminal A generates true random number RN2, combines it with the specific key generation algorithm f to obtain pointer PN2, and then uses PN2 to extract true random number N2 from the key pool specified by FlagA.
B. User terminal A sends a ticket-granting service request: user terminal A sends a ticket-granting request to the ticket-granting server in the quantum network service station. The request contains:
① TGT(A);
② TGT(B);
③ RN2 and N2 encrypted with KQ-A', as authentication data;
④ the identity information Binfo of the user terminal B that user terminal A wants to access (including the identity information IDB of user terminal B and the FlagB that specifies the key pool).
C. The ticket-granting server authenticates user terminal A: after obtaining TGT(A), the ticket-granting server of the quantum network service station combines true random number RQ1 with the specific key generation algorithm f to obtain pointer PQ1, then uses PQ1 to extract key KQ1 from the key pool exclusive to the quantum network service station.
KQ1 is used to decrypt the encrypted part of TGT(A) to obtain RQ-A. RQ-A is combined with the specific key generation algorithm f to obtain pointer PQ-A, and PQ-A is used to extract key KQ-A from the key pool specified by FlagA.
KQ-A is used to decrypt the authentication data to obtain RN2 and N2. True random number RN2 is combined with the specific key generation algorithm f to obtain pointer PN2, and PN2 is used to extract N2' from the key pool specified by FlagA. N2 is compared with N2', which completes the identity authentication between the quantum network service station and user terminal A.
D. The quantum network service station generates the Ticket and the N3 required for the identity authentication between user terminal A and user terminal B:
After user terminal A's identity has been authenticated by the quantum network service station, the station obtains RQ2 from TGT(B) and combines it with the specific key generation algorithm f to obtain pointer PQ2. It then uses PQ2 to extract key KQ2 from the key pool specified by FlagB. KQ2 is used to decrypt the encrypted part of TGT(B) to obtain RQ-B, and RQ-B is combined with the specific key generation algorithm f to obtain pointer PQ-B. PQ-B is then used to extract key KQ-B (the second security key) from the key pool specified by FlagB.
The quantum network service station generates the session key KA-B of user terminal A and user terminal B with the true random number generator, and then generates the Ticket. The Ticket includes RQ-B, Binfo, and KA-B, the identity information IDA of user terminal A and the Ticket expiration time T2 encrypted with KQ-B.
The quantum network service station uses the true random number generator in the station to generate true random number RN3 and combines it with the specific key generation algorithm f to obtain pointer PN3. It then uses PN3 to extract true random number N3 from the key pool specified by FlagB.
E. The quantum network service station sends the ticket-granting service reply: the quantum network service station sends a ticket-granting service reply to user terminal A. The reply contains:
① KA-B and RN3 encrypted with KQ-A;
② N3 encrypted with KQ-B;
③ the Ticket.
F. User terminal A obtains the reply: on receiving the ticket-granting service reply, user terminal A obtains the Ticket and decrypts the first part with KQ-A to obtain KA-B (the active party's session key) and RN3.
Step 4: user terminal A presents the Ticket to user terminal B to complete the identity authentication.
FlagA marks the key pool, and IDA marks the user terminal.
Because IDA is inside the encrypted part of the Ticket, the same Ticket is used even though user terminal A may not be the same one as before.
FlagB marks the key pool, and IDB marks the user terminal.
In a repeat authentication step, user terminal A can modify the IDB in Binfo; different values of IDB point to different user terminals B.
A. User terminal A initiates a session request: user terminal A sends a session request to user terminal B. The request contains:
① the Ticket;
② the identity information IDA of user terminal A and RN3, together with the received N3 encrypted with KQ-B, all encrypted with KA-B as authentication data;
③ Flag (indicating whether bidirectional verification is required).
B. User terminal B authenticates user terminal A: after obtaining the Ticket, user terminal B combines true random number RQ-B with the specific key generation algorithm f to obtain pointer PQ-B, then uses PQ-B to extract from the key pool specified by FlagB the key KQ-B', which is identical to key KQ-B.
KQ-B' is used to decrypt the encrypted part of the Ticket to obtain KA-B' (the passive party's session key), and KA-B' is used to decrypt the authentication data to obtain RN3. True random number RN3 is combined with the specific key generation algorithm f to obtain pointer PN3, and PN3 is used to extract N3' from the key pool specified by FlagB. N3' is compared with the N3 obtained by decrypting the authentication data with KQ-B', which completes the identity authentication of user terminal A. If verification succeeds, user terminal A is allowed to access the resource it needs; otherwise the request is refused outright.
D. If bidirectional verification is required, user terminal B extracts RN3 from the authentication data, encrypts it with KA-B, and sends it to user terminal A so that user terminal A can verify the identity of user terminal B.
Embodiment 2: identity authentication of two user terminals in a wide area network
The authentication flow of two user terminals in a wide area network is shown in Fig. 4. When user terminal A and user terminal B do not belong to the same quantum network service station, the quantum key cards involved in the authentication process are registered and issued at the quantum network service station to which each user terminal belongs. The system architecture of this embodiment differs from Embodiment 1 in that it is applied in a wide area network: a primary switching center is the quantum network core station of a prefecture-level city or an area of comparable size, a secondary switching center is the quantum network core station of a county-level city or an area of comparable size, and a quantum network service station is the quantum communication access site of a township, a subdistrict office, or an area of comparable size.
A primary switching center is connected with multiple subordinate secondary switching centers in a star network structure, and a secondary switching center can be connected with multiple subordinate quantum network service stations in a star network structure.
Because inter-station communication is needed, each switching center and each quantum network service station is equipped with quantum key distribution equipment, so that inter-station keys can be shared by means of QKD. For the other equipment of the quantum network service stations in this embodiment and the description of the quantum key card, see Embodiment 1.
For example, a primary switching center and its subordinate secondary switching centers each use quantum key distribution equipment to share inter-station quantum keys, and a secondary switching center and its subordinate quantum network service stations each use quantum key distribution equipment to share inter-station quantum keys. The quantum key distribution equipment can be a single set or at least two sets integrated together.
Because two primary switching centers are far apart, quantum relay stations can be used to share inter-station quantum keys between them.
The scenario of this embodiment is shown in Fig. 2. The quantum key card matched with user terminal A, which takes part in the identity authentication, contains the symmetric key pool KA and the group key pool KPA; the quantum key card matched with user terminal B, which takes part in the identity authentication, contains the symmetric key pool KB and the group key pool KPB. User terminal A belongs to quantum network service station A; that is, from user terminal A's point of view, the current quantum network service station is the quantum network service station A with which user terminal A communicates. Likewise, user terminal B belongs to quantum network service station B. User terminal A and user terminal B do not belong to the same group. Quantum network service station A holds the symmetric key pools of all its members and the group key pool KPA; quantum network service station B holds the symmetric key pools of all its members and the group key pool KPB. The cryptography modules of user terminal A, user terminal B, quantum network service station A and quantum network service station B each hold the corresponding key pools (including symmetric key pools and group key pools) and the various algorithms. The key pool used in the authentication steps in which user terminal A takes part is specified by FlagA, and the key pool used in the authentication steps in which user terminal B takes part is specified by FlagB. The values of FlagA and FlagB are decided by the authentication initiator, that is, user terminal A. The practical cases corresponding to the different specified key pools are the same as described in Embodiment 1.
In the following steps, all encryption and decryption operations on each user side are performed inside the matched quantum key card. The encryption and decryption operations of the authentication server and the ticket-granting server are performed in the encryption and decryption server of the quantum network service station.
This embodiment differs from Embodiment 1 specifically in how the Ticket and the true random number N3 are obtained and transmitted.
See Fig. 6 for the specific steps, which are described as follows:
Step 1: user terminal A applies to quantum network service station A for the ticket-granting ticket TGT(A)
A. User-side authentication random number and key generation: the quantum key card matched with user terminal A uses the random number generator in the card to generate true random number RN1 (hereinafter RN1; other terms are abbreviated in the same way by omitting the descriptive words) and true random number RA. RN1 and RA are each combined with the specific key generation algorithm f to obtain pointers PN1 and PA. PN1 and PA each point to a part of the key pool specified by FlagA, from which the corresponding authentication random number N1 and key KA can be extracted.
B. User terminal A sends a pre-authentication service request: user terminal A sends a pre-authentication service request to the authentication server of quantum network service station A. The request contains:
① identity information Ainfo (including the IDA of user terminal A and the FlagA that specifies the key pool) and RA;
② RN1 and N1 encrypted with KA, as pre-authentication data;
③ the identity information TGSinfo of the ticket-granting server in quantum network service station A.
C. Quantum network service station A authenticates user terminal A: after obtaining RA, quantum network service station A combines it with the specific key generation algorithm f to obtain pointer PA', then uses PA' to extract from the key pool specified by FlagA the key KA', which is identical to key KA.
KA' is used to decrypt the pre-authentication data to obtain RN1 and N1. RN1 is combined with the specific key generation algorithm f to obtain pointer PN1', and PN1' is used to extract N1' from the key pool specified by FlagA. N1 is compared with N1', which completes the identity authentication between quantum network service station A and user terminal A.
D. Quantum network service station A sends the authentication service reply: quantum network service station A uses the true random number generator in the station to generate true random number RQ. RQ is combined with the specific key generation algorithm f to obtain pointer PQ, which points to a part of the key pool exclusive to quantum network service station A, from which the corresponding key KQ can be extracted. Quantum network service station A uses the true random number generator in the station to generate true random number RQ-A. RQ-A is combined with the specific key generation algorithm f to obtain pointer PQ-A; PQ points to a part of the key pool specified by FlagA, from which the corresponding key KQ-A can be extracted.
After the identity authentication between quantum network service station A and user terminal A is completed, quantum network service station A sends an authentication service reply to user terminal A. The reply contains:
① RQ-A encrypted with KA';
② the ticket-granting ticket TGT(A).
TGT(A) includes RQ1, Ainfo, and RQ-A and the TGT expiration time TA encrypted with KQ1. The expiration time can be a maximum time period, a maximum number of accesses, or a combination of the two in which whichever is reached first applies. TGT(A) can be used to apply for a Ticket for accessing a user terminal that the ticket-granting server of quantum service station A is able to provide.
E. User terminal A obtains the reply: on receiving the authentication service reply, user terminal A obtains TGT(A). It decrypts the first part with KA, which is identical to KA', to obtain RQ-A, combines RQ-A with the specific key generation algorithm f to obtain pointer PQ-A, and then uses PQ-A to extract from the key pool specified by FlagA the key KQ-A', which is identical to key KQ-A.
Step 2: user terminal A applies to user terminal B to obtain user terminal B's TGT(B)
User terminal A sends user terminal B a request for user terminal B's TGT(B). If user terminal B already has TGT(B), it sends it directly to user terminal A; if not, user terminal B obtains it from the authentication server of quantum network service station B by steps following the same principle as Step 1.
TGT(B) includes RQ2, Binfo, and RQ-B and the TGT(B) expiration time TB encrypted with KQ2.
Step 3: user terminal A uses TGT(A) and TGT(B) to apply to quantum network service station A for the Ticket for accessing user terminal B.
A. Authentication true random number generation: the quantum key card matched with user terminal A generates true random number RN2, combines it with the specific key generation algorithm f to obtain pointer PN2, and then uses PN2 to extract true random number N2 from the key pool specified by FlagA.
B. User terminal A sends a ticket-granting service request: user terminal A sends a ticket-granting request to the ticket-granting server in quantum network service station A. The request contains:
① TGT(A);
② TGT(B);
③ RN2 and N2 encrypted with KQ-A', as authentication data;
④ the identity information Binfo of the user terminal B that user terminal A wants to access (including IDB and the FlagB that specifies the key pool).
C. Ticket-granting server A authenticates user terminal A: after obtaining TGT(A), the ticket-granting server in quantum network service station A combines true random number RQ1 with the specific key generation algorithm f to obtain pointer PQ1, then uses PQ1 to extract key KQ1 from the key pool exclusive to quantum network service station A.
KQ1 is used to decrypt the encrypted part of TGT(A) to obtain RQ-A. RQ-A is combined with the specific key generation algorithm f to obtain pointer PQ-A, and PQ-A is used to extract key KQ-A from the key pool specified by FlagA.
KQ-A is used to decrypt the authentication data to obtain RN2 and N2. True random number RN2 is combined with the specific key generation algorithm f to obtain pointer PN2, and PN2 is used to extract N2' from the key pool specified by FlagA. N2 is compared with N2', which completes the identity authentication between quantum network service station A and user terminal A.
D. Quantum network service station B generates the Ticket and the N3 required for the identity authentication between user terminal A and user terminal B, and sends them to quantum network service station A:
Quantum network service station A forwards to quantum network service station B the Binfo, which states the identity of user terminal B and the specified key pool. IDA and TGT(B) are forwarded at the same time.
Quantum network service station A and quantum network service station B use their respective quantum key distribution equipment to share inter-station quantum keys, so that the plaintext Binfo, IDA and TGT(B) are encrypted at quantum network service station A, sent to quantum network service station B, and decrypted there to recover the plaintext Binfo, IDA and TGT(B).
If other network nodes must also relay between quantum network service station A and quantum network service station B, each pair of directly connected quantum network service stations (or network nodes) forms inter-station quantum keys with the corresponding quantum key distribution equipment, and the ciphertext is relayed from one to the next in turn.
Inter-station quantum keys are distributed by a remote key sharing method based on the fundamental principles of quantum mechanics, preferably the BB84 protocol.
After receiving Binfo, IDA and TGT(B), quantum network service station B obtains RQ2 from TGT(B) and combines it with the specific key generation algorithm f to obtain pointer PQ2. It then uses PQ2 to extract key KQ2 from the key pool specified by FlagB. KQ2 is used to decrypt the encrypted part of TGT(B) to obtain RQ-B, RQ-B is combined with the specific key generation algorithm f to obtain pointer PQ-B, and PQ-B is used to extract key KQ-B from the key pool specified by FlagB.
Quantum network service station B generates the session key KA-B of user terminal A and user terminal B with the true random number generator, and then generates the Ticket. The Ticket includes RQ-B, Binfo, and KA-B, IDA and the expiration time T encrypted with KQ-B.
Quantum network service station B uses the true random number generator in the station to generate true random number RN3 and combines it with the specific key generation algorithm f to obtain pointer PN3. It then uses PN3 to extract true random number N3 from the key pool specified by FlagB.
Quantum network service station B transmits the Ticket, KA-B, RN3 and the N3 encrypted with KQ-B to quantum network service station A. The transfer uses the same inter-station transfer method as above.
E. Quantum network service station A sends the ticket-granting service reply: quantum network service station A sends a ticket-granting service reply to user terminal A, and the reply contains:
① KA-B and RN3 encrypted with KQ-A;
② N3 encrypted with KQ-B;
③ the Ticket.
F. User terminal A obtains the reply: after receiving the ticket-granting service reply, user terminal A obtains the Ticket and uses KQ-A to decrypt the first part, obtaining KA-B and RN3.
Step 4: User terminal A presents the Ticket to user terminal B to complete identity authentication.
A. User terminal A initiates a session request: user terminal A initiates a session request to user terminal B, and the request contains:
① the Ticket;
② the identity information IDA of user terminal A and RN3, together with the received N3 encrypted with KQ-B, all encrypted with KA-B as the identity authentication data;
③ Flag (indicating whether bidirectional verification is required).
B. User terminal B authenticates user terminal A: after user terminal B obtains the Ticket, it combines true random number RQ-B with the specific key generation algorithm f to obtain pointer PQ-B, then uses PQ-B to extract, from the key pool specified by FlagB, a key KQ-B' identical to key KQ-B.
It uses KQ-B' to decrypt the encrypted part of the Ticket and obtain KA-B', then uses KA-B' to decrypt the identity authentication data and obtain RN3. It combines true random number RN3 with the specific key generation algorithm f to obtain pointer PN3, then uses PN3 to extract N3' from the key pool specified by FlagB. N3' is compared with the N3 obtained by decrypting with KQ-B', completing the identity authentication of user terminal A. If verification succeeds, user terminal A is allowed to access the resources it needs to access; otherwise the request is rejected directly.
D. If bidirectional verification is required, user terminal B extracts RN3 from the identity authentication data, encrypts it with KA-B, and sends it to user terminal A so that user terminal A can verify the identity of user terminal B.
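The check user terminal B performs in Step 4, written out as an added Python example that is not part of the patent. The function `f`, the field lengths and the `seal`/`unseal` stand-in cipher are assumptions (the page specifies none of them), the key pool is constructed random data, and Binfo, the expiry time T and the hop from station A to user terminal A are left out.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32    # bytes extracted from the pool per pointer (assumed size)
RAND_LEN = 16   # length of the true random numbers R (assumed size)

def f(r: bytes, pool_len: int) -> int:
    """Hypothetical key generation algorithm f: random number R -> pointer P."""
    return int.from_bytes(hashlib.sha256(r).digest(), "big") % (pool_len - KEY_LEN + 1)

def extract(pool: bytes, r: bytes) -> bytes:
    """Use pointer P = f(R) to read KEY_LEN bytes out of the key pool."""
    p = f(r, len(pool))
    return pool[p:p + KEY_LEN]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in symmetric encryption (hash keystream + HMAC tag); not from the page."""
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError when the key or the data is wrong."""
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct))))

def station_b_issue(pool_b: bytes, id_a: bytes):
    """Step D: station B builds the Ticket and the challenge N3."""
    r_qb = secrets.token_bytes(RAND_LEN)
    k_qb = extract(pool_b, r_qb)                 # KQ-B
    k_ab = secrets.token_bytes(KEY_LEN)          # session key KA-B
    r_n3 = secrets.token_bytes(RAND_LEN)
    n3 = extract(pool_b, r_n3)
    ticket = (r_qb, seal(k_qb, k_ab + id_a))
    return ticket, k_ab, r_n3, seal(k_qb, n3)

def user_a_request(ticket, k_ab: bytes, id_a: bytes, r_n3: bytes, enc_n3: bytes):
    """Step 4 A: A sends the Ticket plus authentication data encrypted with KA-B."""
    return ticket, seal(k_ab, r_n3 + enc_n3 + id_a)

def user_b_verify(pool_b: bytes, ticket, auth: bytes) -> bool:
    """Step 4 B: B re-derives KQ-B', recovers KA-B', and compares N3 with N3'."""
    r_qb, enc_part = ticket
    enc_n3_len = 16 + KEY_LEN + 32               # nonce + ciphertext + tag
    try:
        k_qb = extract(pool_b, r_qb)             # KQ-B'
        k_ab = unseal(k_qb, enc_part)[:KEY_LEN]  # KA-B'
        data = unseal(k_ab, auth)
        r_n3 = data[:RAND_LEN]
        n3 = unseal(k_qb, data[RAND_LEN:RAND_LEN + enc_n3_len])
    except ValueError:
        return False                             # reject the request directly
    return hmac.compare_digest(n3, extract(pool_b, r_n3))  # N3 == N3'

if __name__ == "__main__":
    pool_b = secrets.token_bytes(4096)           # constructed pool named by FlagB
    ticket, k_ab, r_n3, enc_n3 = station_b_issue(pool_b, b"user-A")
    print(user_b_verify(pool_b, *user_a_request(ticket, k_ab, b"user-A", r_n3, enc_n3)))
```

Only a holder of the same key pool can turn RQ-B into KQ-B', so a terminal with a different pool fails at the first decryption and never reaches the N3 comparison.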
The above discloses only embodiments of the present invention, but the present invention is not limited thereto; those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Such obvious modifications and variations shall fall within the scope of protection claimed by the present invention. In addition, although some specific terms are used in this specification, these terms are used merely for convenience of description and do not constitute any specific limitation on the present invention.

Claims (11)

1. A User-to-User identity authentication system based on a group key pool and improved Kerberos, characterized in that it comprises a quantum network service station, and a masters group and a passive side group each comprising a plurality of user terminals, and in that identity authentication comprises:
Step A: a user terminal in the masters group applies to the quantum network service station for TGT(A) according to a preset masters communication range;
the user terminal also applies to a user terminal in the passive side group for TGT(B);
Step B: the user terminal in the masters group then applies to the quantum network service station, according to TGT(A) and TGT(B), for a masters session key and a Ticket corresponding to a preset passive side communication range, and shares the Ticket and the masters session key within the masters communication range;
Step C: a user terminal A within the masters communication range sends the Ticket to a user terminal B within the passive side communication range, the Ticket also containing a passive side session key, so that user terminal A and user terminal B share a session key for carrying out encrypted communication;
in Steps A and B, when the user terminal in the masters group communicates with the quantum network service station, and in Step C, when user terminal A communicates with user terminal B, a true random number is used in each case as the identity authentication data.
2. The User-to-User identity authentication system based on a group key pool and improved Kerberos as claimed in claim 1, characterized in that the true random numbers used as identity authentication data in Steps A, B and C are different from one another; the true random numbers in Steps A and B are generated by the quantum key card matched to the user terminal in the masters group and are sent in encrypted form, together with the information used to generate the true random number, to the quantum network service station for verification by the quantum network service station;
the true random number in Step C is generated by the quantum network service station and, in Step B, is sent in encrypted form, together with the information used to generate the true random number, to the user terminal in the masters group; in Step C, when user terminal A communicates with user terminal B, user terminal A sends the true random number of Step C in encrypted form, together with the information used to generate the true random number, to user terminal B for verification by user terminal B.
3. The User-to-User identity authentication system based on a group key pool and improved Kerberos as claimed in claim 2, characterized in that all user terminals of the masters group and the passive side group are each configured with a quantum key card;
the quantum key card of each user terminal independently shares a private symmetric key pool with the quantum network service station;
the quantum key cards of all user terminals in the same group share, with the quantum network service station, a group key pool corresponding to that group;
in Step B, the masters session key is in ciphertext form; when the masters communication range is a particular user terminal in the masters group, the masters session key is encrypted using the symmetric key pool corresponding to that user terminal; when the masters communication range is all user terminals in the masters group, the masters session key is encrypted using the group key pool corresponding to the masters group;
in Step B, the passive side session key in the Ticket is in ciphertext form; when the passive side communication range is a particular user terminal in the passive side group, the passive side session key is encrypted using the symmetric key pool corresponding to that user terminal; when the passive side communication range is all user terminals in the passive side group, the passive side session key is encrypted using the group key pool corresponding to the passive side group.
4. The User-to-User identity authentication system based on a group key pool and improved Kerberos as claimed in claim 3, characterized in that the key used to encrypt the masters session key is a first security key, and the key used to encrypt the passive side session key is a second security key;
when the masters session key is shared in Step B, the shared content is the masters session key encrypted with the first security key, together with the information used to generate the first security key; the Ticket contains the information used to generate the second security key.
5. The User-to-User identity authentication system based on a group key pool and improved Kerberos as claimed in claim 4, characterized in that, in Step A, the user terminal carries an identifier A when applying to the quantum network service station for TGT(A), the identifier A notifying the quantum network service station to generate the first security key using either the symmetric key pool corresponding to that user terminal or the group key pool corresponding to the masters group;
in Step B, the user terminal carries an identifier B when applying to the quantum network service station for the corresponding Ticket and masters session key, the identifier B notifying the quantum network service station to generate the second security key using either the symmetric key pool corresponding to a certain user terminal in the passive side group or the group key pool corresponding to the passive side group.
6. The User-to-User identity authentication system based on a group key pool and improved Kerberos as claimed in claim 5, characterized in that the first security key or the second security key is generated as follows: the quantum network service station generates a true random number; the true random number combined with a key generation algorithm yields a pointer; the pointer points to a part of the key pool specified by identifier A or identifier B; and the corresponding key extracted from that key pool is used as the first security key or the second security key.
7. The User-to-User identity authentication system based on a group key pool and improved Kerberos as claimed in claim 6, characterized in that, in Step A, when the user terminal applies for TGT(A), an encrypted true random number N1 is used as the identity authentication data with the quantum network service station; true random number N1 is encrypted using a transmission key; the transmission key is generated by the user terminal using the matched quantum key card, and the information used to generate the transmission key is notified to the quantum network service station;
the quantum network service station generates a true random number N1' in a corresponding manner and compares it with true random number N1 for authentication;
the identity authentication data of Step A further includes a true random number RN1 used to generate true random number N1; true random number N1 is generated as follows: in Step A, the user terminal in the masters group generates true random number RN1 using the matched quantum key card; true random number RN1 combined with a predetermined algorithm yields a pointer that points to a part of the key pool specified by identifier A; and the corresponding part extracted from that key pool is used as true random number N1.
8. The User-to-User identity authentication system based on a group key pool and improved Kerberos as claimed in claim 7, characterized in that, in Step B, when the user terminal applies for the Ticket and the masters session key, an encrypted true random number N2 is used as the identity authentication data with the quantum network service station; true random number N2 is encrypted using the first security key;
the quantum network service station generates a true random number N2' in a corresponding manner and compares it with true random number N2 for authentication;
the identity authentication data of Step B further includes a true random number RN2 used to generate true random number N2; true random number N2 is generated as follows: the user terminal in the masters group in Step A generates true random number RN2 using the matched quantum key card; true random number RN2 combined with a predetermined algorithm yields a pointer that points to a part of the key pool specified by identifier A; and the corresponding part extracted from that key pool is used as true random number N2.
9. The User-to-User identity authentication system based on a group key pool and improved Kerberos as claimed in claim 8, characterized in that, in Step C, when user terminal A sends the Ticket to user terminal B, an encrypted true random number N3 is used as the identity authentication data with user terminal B; true random number N3 is doubly encrypted using the second security key and the masters session key;
user terminal B generates a true random number N3' in a corresponding manner and compares it with true random number N3 for authentication;
the identity authentication data of Step C further includes a true random number RN3 used to generate true random number N3, encrypted using the masters session key; true random number N3 is generated as follows: the quantum network service station generates true random number RN3; true random number RN3 combined with a predetermined algorithm yields a pointer that points to a part of the key pool specified by identifier B; and the corresponding part extracted from that key pool is used as true random number N3;
in Step B, when the user terminal in the masters group obtains the Ticket and the masters session key from the quantum network service station, it also obtains true random number N3 encrypted with the second security key, and true random number RN3 encrypted with the first security key.
10. The User-to-User identity authentication system based on a group key pool and improved Kerberos as claimed in claim 9, characterized in that the transmission key is generated as follows: the user terminal in Step A generates a true random number RA using the matched quantum key card; true random number RA combined with a key generation algorithm yields a pointer; the pointer points to a part of the key pool specified by identifier A; and the corresponding key extracted from that key pool is used as the transmission key; in Step A, when the user terminal receives TGT(A) from the quantum network service station, it also receives a true random number RQ-A encrypted with the transmission key; true random number RQ-A is generated by the quantum network service station and is used to generate the first security key.
11. A User-to-User identity authentication method based on a group key pool and improved Kerberos, implemented in the User-to-User identity authentication system based on a group key pool and improved Kerberos as claimed in any one of claims 1 to 10.
CN201810688658.4A 2018-06-28 2018-06-28 User-to-User identity authentication system and method based on group key pool and improved Kerberos Active CN108964895B (en)

Publications (2)

Publication Number Publication Date
CN108964895A true CN108964895A (en) 2018-12-07
CN108964895B CN108964895B (en) 2021-04-06

Family

ID=64487635

Country Status (1)

Country Link
CN (1) CN108964895B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant