CN110069918B - Efficient double-factor cross-domain authentication method based on block chain technology - Google Patents

Publication number
CN110069918B
CN110069918B CN201910287332.5A CN201910287332A CN110069918B CN 110069918 B CN110069918 B CN 110069918B CN 201910287332 A CN201910287332 A CN 201910287332A CN 110069918 B CN110069918 B CN 110069918B
Authority
CN
China
Prior art keywords
user
domain
information
client
authentication server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910287332.5A
Other languages
Chinese (zh)
Other versions
CN110069918A (en)
Inventor
马小峰
徐晶晶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wutong Chain Digital Technology Research Institute Suzhou Co ltd
Original Assignee
Suzhou Tongji Blockchain Research Institute Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Tongji Blockchain Research Institute Co ltd filed Critical Suzhou Tongji Blockchain Research Institute Co ltd
Priority to CN201910287332.5A priority Critical patent/CN110069918B/en
Publication of CN110069918A publication Critical patent/CN110069918A/en
Application granted granted Critical
Publication of CN110069918B publication Critical patent/CN110069918B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q30/00 Commerce
    • G06Q30/06 Buying, selling or leasing transactions
    • G06Q30/0645 Rental transactions; Leasing transactions
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Abstract

The invention relates to an efficient two-factor cross-domain authentication method based on blockchain technology, comprising the following steps: step 1: designing the overall architecture of the system; step 2: the system workflow; step 21: the user registration process; step 22: local authentication of the user; step 23: remote cross-domain authentication of the user. The two-factor cross-domain authentication scheme of the invention, based on device number and password, improves the efficiency of user cross-domain authentication and ensures its security.

Description

Efficient double-factor cross-domain authentication method based on block chain technology
Technical Field
The invention belongs to the field of PKI cross-domain authentication, and particularly relates to an efficient two-factor cross-domain authentication method based on blockchain technology.
Background
On an electric-vehicle time-sharing rental sharing platform, users need to use vehicles across platforms: a user of electric-vehicle time-sharing rental company A can use vehicles operated by other companies in the alliance, such as B, C and D. This meets users' daily travel needs to the greatest extent; users do not need to use the apps of several electric-vehicle rental companies or pay several deposits, and companies such as B, C and D do not need to pay high customer-acquisition costs to win the rental business of company A's users.
However, in a distributed environment, each company and department sets up its own resource access control system to manage its users, forming relatively independent domains. Traditional PKI cross-domain authentication suffers from problems such as difficult certificate management and cross-certification between authentication servers, while newer technologies such as biometric authentication use biometric features as keys in transactions, which causes problems such as disclosure of user identity privacy. The key problem for the system to solve is therefore how to realize cross-domain user authentication efficiently and securely.
When a user of one company accesses and uses the available resources of multiple companies through cross-domain authentication, the user's transaction privacy information needs to be protected. Although transaction systems represented by Bitcoin are pseudonymous, users repeatedly use the public key hash as the transaction identifier, so links can be established between transactions, and a malicious attacker can infer and steal user privacy by attacking the system, analyzing transaction information, and monitoring transaction flows. Some existing schemes protect user privacy and security through cryptographic techniques, coin-mixing mechanisms, and data partitioning, but in this system users may bear liability for traffic violations and must be traceable, so an authorization-based double encryption mechanism is designed for the system.
Mature cross-domain authentication today generally relies on a PKI authentication architecture. PKI is built on public-key theory and provides services such as public key management, authentication and encryption, integrity checking, and secure timestamps. PKI processes revolve around the life cycle of the digital certificate: a CA (certificate authority) binds the user's public key information to the user's identification information to form a digital certificate that can verify the user's identity, that is, prove who the user is. Digital signatures, encryption, and the management of keys and certificates keep information transmission secure.
There are three mainstream PKI authentication models: the hierarchical authentication model, the mesh authentication model, and the bridge CA authentication model.
In the hierarchical authentication model, shown in Fig. 1-1, all users rely on the root CA as the single trust center. If the root CA fails or is compromised, the entire PKI system is threatened. In a consortium system it is also difficult to establish a root CA that all authorities trust.
The mesh authentication model, shown in Fig. 1-2, is more flexible than the hierarchical structure: the failure of a single CA does not bring down the entire PKI system. However, constructing certificate paths in this bidirectional authentication model is too complex, so during cross-domain authentication certificate paths are hard to find and the certificate chains to verify are long.
The bridge CA authentication model, shown in Fig. 1-3, is derived from the hierarchical and mesh authentication models and can connect different PKI systems. Unlike in the hierarchical model, the bridge CA does not act as the trust center or the root of the certificate path for the entire system; finding a certificate path is easier than in the mesh model and harder than in the hierarchical model.
To address the complex cross-domain identity authentication process and difficult certificate path management of traditional authentication systems, the decentralization, tamper resistance, and traceability of blockchain can effectively solve problems of key management, trust, security, and privacy in identity authentication and management, and provide trustworthy, transparent, distributed storage support for them. Researchers have already studied blockchain for cross-domain authentication: Zhongcheng, Zhang Haodi, and others proposed a biometric two-factor identity authentication scheme based on fuzzy extraction theory combined with blockchain technology, and analyzed its security and efficiency.
The schemes of Zhongcheng, Zhang, and others are not entirely suitable for the system designed here, for three main reasons. First, the electric-vehicle time-sharing rental sharing platform involves a large number of users whose devices vary widely, and there is no uniform biometric acquisition equipment. Second, unlike other characteristics, biometric features cannot be changed by the user, so users worry about leakage when their biometric features are collected, which hinders adoption of the system. Third, fuzzy extraction and recovery algorithms must be used frequently during authentication, which is inefficient under highly concurrent requests from a large number of users.
Disclosure of Invention
To solve the above technical problems, an object of the present invention is to provide an efficient two-factor cross-domain authentication method based on a block chain technique.
In order to achieve the purpose, the invention adopts the following technical scheme:
an efficient double-factor cross-domain authentication method based on a block chain technology comprises the following steps:
step 1: designing the overall architecture of the system;
the steps of the session key negotiation mechanism between A and B according to the Diffie-Hellman algorithm are as follows:
step 11: randomly select a large prime number $n$ and a primitive root $g$; these two values are public and shared by A and B;
step 12: A randomly generates a number $x$, calculates $X = g^x \bmod n$, and then sends $X$ to B;
step 13: B randomly generates a number $y$, calculates $Y = g^y \bmod n$, and then sends $Y$ to A;
step 14: A calculates $K = Y^x \bmod n$;
step 15: B calculates $K' = X^y \bmod n$;
Step 2: a system workflow;
step 21: a user registration process;
step 1: a domain A user i inputs a user name ID and a static password PW on a local client ClientA;
step 2: client ClientA extracts user equipment number DID, carries out hash operation on the equipment number and static password respectively to generate H (DID), H (PW), deletes local cache, negotiates a session key with A domain authentication server ServerA through Diffie-Hellman algorithm, and encrypts and sends information of ID, H (PW), H (DID) and the like to the A domain authentication server ServerA through the session key;
and 3, step 3: the A domain authentication server ServerA receives the message sent by the client ClientA, decrypts the message by using the negotiated session key to obtain ID, H (PW), H (DID), inquires whether the ID exists, returns the registered information of the user if the ID exists, and otherwise, can register; when registering, firstly, user H (DID) is encrypted by using public key PUBA of A domain node to obtain EA(h (did)), then the ServerA node executes the intelligent contract, initiates a registration transaction and endorses; after the consensus node completes verification and generates the block, returning the information of successful registration to the client-side ClientA;
and 4, step 4: the client-side ClientA receives the message of successful registration, supplements other information Info of the user, and sends the Info to the A domain authentication server ServerA through a secure channel;
and 5, step 5: the A-domain authentication server ServerA encrypts other information Info supplemented by the user by using a-domain node public key PUBA to obtain EA(Info), then the ServerA node executes the intelligent contract, and initiates the user information updating transaction and endorsement;
step 22: local authentication of a user:
step 1: a domain A user i inputs a user name ID and a static password PW on a local client ClientA;
step 2: client ClientA extracts user equipment number DID, carries out hash operation on the equipment number and static password respectively to generate H (DID), H (PW), deletes local cache, negotiates a session key with A domain authentication server ServerA through Diffie-Hellman algorithm, and encrypts and sends information of ID, H (PW), H (DID) and the like to the A domain authentication server ServerA through the session key;
and 3, step 3: the A domain authentication server ServerA receives the message sent by the client ClientA, decrypts the message by using the negotiated session key to obtain ID, H (PW), H (DID), inquires whether the ID in the block chain public account book exists, returns a user unregistered message if the ID does not exist, and pulls the H (PW), E (digital) corresponding to the ID from the block chain public account book if the ID does existA(H (DID))', information such as a domain to which the domain belongs;
and 4, step 4: the A domain authentication server ServerA compares H (PW) sent by the client ClientA with H (PW) pulled from the block chain, and if the H (PW) is the same as the H (PW)', the A domain node public key PUBA is further used for encrypting the user H (DID) to obtain EA(H), (DID)), comparing EA(H (DID)) and EA(h (did)) if equal, returning an authentication success message;
step 23: user allopatric cross-domain authentication;
step 1: a domain A registered user i inputs login information ID and PW on a domain B client ClientB;
step 2: client ClientB extracts user equipment number DID, generates H (DID), H (PW) by Hash operation, deletes local cache, negotiates a session key with a B-domain authentication server ServerB through a Diffie-Hellman algorithm, encrypts information such as ID, H (PW), H (DID) and the like through the session key and sends the information to the B-domain authentication server ServerB;
and 3, step 3: the B domain authentication server ServerB receives the message sent by the client ClientB, decrypts the message by using the negotiated session key to obtain ID, H (PW), H (DID), inquires whether the ID in the block chain public account book exists, returns a user unregistered message if the ID does not exist, and pulls the H (PW), E (E) corresponding to the ID from the block chain public account book if the ID does existA(H (DID))', information such as a domain to which the domain belongs;
and 4, step 4: b domain authentication server ServerB compares H (PW) sent by client ClientB with H (PW) pulled from block chain, if the H (PW) is the same as the H (PW)', then E is obtained by further using A domain node public key PUBA to encrypt user H (DID)A(H), (DID)), comparing EA(H (DID)) and EA(h (did)) and, if equal, returns an authentication success message.
Preferably, in the efficient two-factor cross-domain authentication method based on the block chain technology, step 2 is further provided with step 24 of user equipment replacement authentication.
Preferably, in the efficient two-factor cross-domain authentication method based on the blockchain technology, the step 24 of authenticating the user replacing device includes the following steps:
step 1: after changing devices, user i of domain A enters the user name ID and the static password PW on the local client ClientA;
step 2: client ClientA extracts the user's device number DID, hashes the device number and the static password separately to generate $H(DID)$ and $H(PW)$, and deletes the local cache; it negotiates a session key with the A-domain authentication server ServerA through the Diffie-Hellman algorithm, encrypts ID, $H(PW)$, $H(DID)$ and other information with the session key, and sends it to ServerA;
step 3: the A-domain authentication server ServerA receives the message sent by ClientA and decrypts it with the negotiated session key to obtain ID, $H(PW)$ and $H(DID)$; it queries whether the ID exists in the blockchain public ledger, returns a user-not-registered message if it does not, and if it does, pulls the $H(PW)'$ and $E_A(H(DID))'$ corresponding to the ID, the domain the user belongs to, and other information from the blockchain public ledger;
step 4: the A-domain authentication server ServerA compares $H(PW)$ sent by client ClientA with $H(PW)'$ pulled from the blockchain; if they are the same, it further encrypts the user's $H(DID)$ with the A-domain node public key PUBA to obtain $E_A(H(DID))$ and compares $E_A(H(DID))$ with $E_A(H(DID))'$; because the user has changed devices, ServerA uses the A-domain node private key PRIA to decrypt the user's $E_A(Info)$ to obtain Info, extracts the security question QSecrect from it, and returns it to client ClientA through the trusted channel;
step 5: after user i of domain A answers the security question with ASecrect, client ClientA hashes the answer, encrypts ID, $H(PW)$, $H(DID)$, $H(ASecrect)$ and other information with the session key, and sends it to the A-domain authentication server ServerA;
step 6: the A-domain authentication server ServerA compares $H(ASecrect)$ sent by client ClientA with the security-question answer $H(ASecrect)$ recorded in the blockchain; if verification passes, it executes the user-information update smart contract and updates the user's $H(DID)$; after the consensus nodes complete verification and generate the block, a message that the bound device was successfully replaced is returned to the user.
By the scheme, the invention at least has the following advantages:
The hash value of the device ID is encrypted with the public key of the registration-domain server and can be decrypted only by the holder of the private key, so even if a hacker steals the database, the specific content of the user's second authentication factor cannot be decrypted. The user and the server negotiate a session key through Diffie-Hellman when they interact, so it is difficult for a hacker to steal by eavesdropping the actual information the user uses for authentication, which effectively protects the user's information. During remote cross-domain authentication, the authentication-domain server interacts mainly with blockchain nodes; because the consortium blockchain network has many nodes, when one node times out the server can quickly switch to another node to make its request, so the scheme is highly reliable.
The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical solutions of the present invention more clearly understood and to implement them in accordance with the contents of the description, the following detailed description is given with reference to the preferred embodiments of the present invention and the accompanying drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
FIG. 1-1 is a hierarchical authentication model;
FIG. 1-2 is a mesh authentication model;
FIG. 1-3 is a schematic structural diagram of the bridge CA authentication model;
FIG. 2 is a diagram of the two-factor cross-domain authentication architecture of the present invention;
FIG. 3 is a flow chart of a user registration process of the present invention;
FIG. 4 is a flow chart of the present invention for local authentication of a user;
FIG. 5 is a flow chart of the user remote cross-domain authentication of the present invention;
FIG. 6 is a flow chart of the present invention for a user to change devices;
FIG. 7 is a local authentication flow chart of the Zhongcheng scheme;
FIG. 8 is a remote cross-domain authentication flow chart of the Zhongcheng scheme;
FIG. 9 is a local authentication flow chart of the Zhang Haodi scheme;
FIG. 10 is a remote cross-domain authentication flow chart of the Zhang Haodi scheme;
FIG. 11 is a comparison of the time consumption of the computational overhead.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
Examples
An efficient double-factor cross-domain authentication method based on a block chain technology comprises the following steps:
step 1: designing the overall architecture of the system;
step 2: a system workflow;
step 21: a user registration process;
step 22: local authentication of a user:
step 23: remote cross-domain authentication of the user.
As shown in fig. 2, the overall architecture of the system is designed, and the steps of the session key negotiation mechanism between A and B according to the Diffie-Hellman algorithm are as follows:
step 11: randomly select a large prime number $n$ and a primitive root $g$; these two values are public and shared by A and B;
step 12: A randomly generates a number $x$, calculates $X = g^x \bmod n$, and then sends $X$ to B;
step 13: B randomly generates a number $y$, calculates $Y = g^y \bmod n$, and then sends $Y$ to A;
step 14: A calculates $K = Y^x \bmod n$;
step 15: B calculates $K' = X^y \bmod n$;
Obviously, $K = Y^x \bmod n = (g^y)^x \bmod n = (g^x)^y \bmod n = X^y \bmod n = K'$, i.e. A and B obtain the same session encryption key after negotiation. An eavesdropper can observe only $n$, $g$, $X$ and $Y$ and cannot compute the discrete logarithm to recover the two parties' $x$ and $y$, so the session key negotiated by the two parties is difficult to compute.
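Steps 11 to 15 as an added Python example (not code from the patent), including a check that $g$ really is a primitive root of $n$ and a range check on the received public value. The prime `DEMO_N`, the SHA-256 key derivation, the range check and all function names are assumptions made here; the patent does not specify them.

```python
import hashlib
import secrets

# Constructed demo modulus: the Mersenne prime 2^61 - 1. It keeps the example
# instant to run; a real deployment needs a far larger prime.
DEMO_N = 2**61 - 1


def prime_factors(m):
    """Distinct prime factors of m by trial division (fine for demo sizes)."""
    factors, p = set(), 2
    while p * p <= m:
        while m % p == 0:
            factors.add(p)
            m //= p
        p += 1
    if m > 1:
        factors.add(m)
    return factors


def is_primitive_root(g, n):
    """True if g generates the whole multiplicative group modulo the prime n."""
    if not 1 < g < n:
        return False
    return all(pow(g, (n - 1) // q, n) != 1 for q in prime_factors(n - 1))


def smallest_primitive_root(n):
    """Step 11 helper: pick a generator g for the public parameters (n, g)."""
    return next(g for g in range(2, n) if is_primitive_root(g, n))


def keypair(n, g):
    """Steps 12/13: secret exponent x and public value X = g^x mod n."""
    while True:
        x = secrets.randbelow(n - 3) + 2          # x in [2, n-2]
        public = pow(g, x, n)
        if 2 <= public <= n - 2:                  # never publish 1 or n-1
            return x, public


def shared_secret(peer_public, private, n):
    """Steps 14/15: K = peer^private mod n, rejecting degenerate peer values."""
    if not 2 <= peer_public <= n - 2:             # added hardening check
        raise ValueError("peer public value outside [2, n-2]")
    return pow(peer_public, private, n)


def session_key(k, n):
    """Hash K into a fixed-length key (SHA-256 is an assumed choice)."""
    return hashlib.sha256(k.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


def negotiate(n, g):
    """Run steps 11-15 for both parties; returns (key held by A, key held by B)."""
    if not is_primitive_root(g, n):
        raise ValueError("g is not a primitive root of n")
    x, X = keypair(n, g)                          # A's side
    y, Y = keypair(n, g)                          # B's side
    k = shared_secret(Y, x, n)                    # K  = Y^x mod n
    k_prime = shared_secret(X, y, n)              # K' = X^y mod n
    return session_key(k, n), session_key(k_prime, n)


if __name__ == "__main__":
    g = smallest_primitive_root(DEMO_N)
    key_a, key_b = negotiate(DEMO_N, g)
    print("g =", g, "keys match:", key_a == key_b)
```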
As shown in fig. 3, step 21: a user registration process;
step 1: a domain A user i inputs a user name ID and a static password PW on a local client ClientA;
step 2: client ClientA extracts user equipment number DID, carries out hash operation on the equipment number and static password respectively to generate H (DID), H (PW), deletes local cache, negotiates a session key with A domain authentication server ServerA through Diffie-Hellman algorithm, and encrypts and sends information of ID, H (PW), H (DID) and the like to the A domain authentication server ServerA through the session key;
and 3, step 3: the A domain authentication server ServerA receives the message sent by the client ClientA, decrypts the message by using the negotiated session key to obtain ID, H (PW), H (DID), inquires whether the ID exists, returns the registered information of the user if the ID exists, and otherwise, can register; when registering, firstly, user H (DID) is encrypted by using public key PUBA of A domain node to obtain EA(h (did)), then the ServerA node executes the intelligent contract, initiates a registration transaction and endorses; after the consensus node completes verification and generates the block, returning the information of successful registration to the client-side ClientA;
and 4, step 4: the client-side ClientA receives the message of successful registration, supplements other information Info of the user, and sends the Info to the A domain authentication server ServerA through a secure channel;
and 5, step 5: the A-domain authentication server ServerA encrypts other information Info supplemented by the user by using a-domain node public key PUBA to obtain EA(Info), then the ServerA node executes the intelligent contract, and initiates the user information updating transaction and endorsement;
as shown in fig. 4, step 22: local authentication of a user:
step 1: a domain A user i inputs a user name ID and a static password PW on a local client ClientA;
step 2: client ClientA extracts user equipment number DID, carries out hash operation on the equipment number and static password respectively to generate H (DID), H (PW), deletes local cache, negotiates a session key with A domain authentication server ServerA through Diffie-Hellman algorithm, and encrypts and sends information of ID, H (PW), H (DID) and the like to the A domain authentication server ServerA through the session key;
and 3, step 3: the A domain authentication server ServerA receives the message sent by the client ClientA, decrypts the message by using the negotiated session key to obtain ID, H (PW), H (DID), inquires whether the ID in the block chain public account book exists, returns a user unregistered message if the ID does not exist, and pulls the H (PW), E (digital) corresponding to the ID from the block chain public account book if the ID does existA(H (DID))', information such as a domain to which the domain belongs;
and 4, step 4: the A domain authentication server ServerA compares H (PW) sent by the client ClientA with H (PW) pulled from the block chain, and if the H (PW) is the same as the H (PW)', the A domain node public key PUBA is further used for encrypting the user H (DID) to obtain EA(H), (DID)), comparing EA(H (DID)) and EA(h (did)) if equal, returning an authentication success message;
As shown in fig. 5, step 23: remote cross-domain authentication of the user;
Step 1: User i, registered in domain A, enters the login information ID and PW on the domain B client ClientB;
Step 2: ClientB extracts the user's device number DID, generates H(DID) and H(PW) by hash operations, deletes the local cache, negotiates a session key with the domain B authentication server ServerB through the Diffie-Hellman algorithm, and sends ID, H(PW), H(DID) and related information to ServerB encrypted under the session key;
Step 3: ServerB receives the message sent by ClientB, decrypts it with the negotiated session key to obtain ID, H(PW) and H(DID), and queries whether the ID exists in the blockchain public ledger. If the ID does not exist, ServerB returns a user-unregistered message; if it exists, ServerB pulls the H(PW)', E_A(H(DID))', home-domain and other information corresponding to the ID from the blockchain public ledger;
Step 4: ServerB compares the H(PW) sent by ClientB with the H(PW)' pulled from the blockchain. If they are the same, ServerB further encrypts the user's H(DID) with the domain A node public key PUBA to obtain E_A(H(DID)) and compares E_A(H(DID)) with E_A(H(DID))'; if they are equal, it returns an authentication success message.
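The check in steps 3 and 4 of local and cross-domain authentication, as an added example that is not code from the patent: any domain's server verifies the device factor with PUBA alone by re-encrypting H(DID) and comparing ciphertexts, which only works when E_A is deterministic. SHA-256 as H, the constructed toy RSA key, the dict standing in for the ledger, the "authentication failed" and "already registered" messages and all function names are assumptions; the Diffie-Hellman session encryption between client and server is left out.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA public key for domain A (product of two Mersenne primes,
# trivially factorable, illustration only). Stands in for PUBA.
N_A = (2**521 - 1) * (2**607 - 1)
E_PUB = 65537
DOMAIN_PUBKEYS = {"A": (N_A, E_PUB)}  # hypothetical table: domain -> public key

# Stand-in for the blockchain public ledger: ID -> record.
ledger = {}


def h(value: str) -> bytes:
    """H(.) from the page, instantiated as SHA-256 (an assumption)."""
    return hashlib.sha256(value.encode("utf-8")).digest()


def _rsa_public(domain: str, message: bytes) -> bytes:
    n, e = DOMAIN_PUBKEYS[domain]
    c = pow(int.from_bytes(message, "big"), e, n)
    return c.to_bytes((n.bit_length() + 7) // 8, "big")


def e_pub(domain: str, digest: bytes) -> bytes:
    """E_A(.): unpadded RSA, so equal inputs always give equal ciphertexts."""
    return _rsa_public(domain, digest)


def e_pub_randomized(domain: str, digest: bytes) -> bytes:
    """Stand-in for a randomized padding scheme: a fresh random prefix per call."""
    return _rsa_public(domain, secrets.token_bytes(16) + digest)


def register(user_id: str, pw: str, did: str, domain: str = "A") -> str:
    """Registration by the home domain: store H(PW)' and E_A(H(DID))'."""
    if user_id in ledger:
        return "already registered"
    ledger[user_id] = {
        "h_pw": h(pw),
        "e_h_did": e_pub(domain, h(did)),
        "domain": domain,
    }
    return "registered"


def authenticate(user_id: str, h_pw: bytes, h_did: bytes) -> str:
    """Steps 3-4 as run by ServerA or ServerB; no private key is used."""
    record = ledger.get(user_id)
    if record is None:
        return "user unregistered"
    # Factor 1: H(PW) from the client against H(PW)' from the ledger.
    if not hmac.compare_digest(h_pw, record["h_pw"]):
        return "authentication failed"
    # Factor 2: re-encrypt H(DID) under the home domain's public key and
    # compare with the stored ciphertext E_A(H(DID))'.
    candidate = e_pub(record["domain"], h_did)
    if not hmac.compare_digest(candidate, record["e_h_did"]):
        return "authentication failed"
    return "authentication success"


if __name__ == "__main__":
    register("user-i", "correct horse", "DEVICE-0001")  # constructed sample values
    print(authenticate("user-i", h("correct horse"), h("DEVICE-0001")))
    print(authenticate("user-i", h("correct horse"), h("DEVICE-9999")))
    # With randomized encryption the same H(DID) never matches the ledger value.
    d = h("DEVICE-0001")
    print(e_pub_randomized("A", d) == e_pub_randomized("A", d))
```

The ciphertext comparison depends on deterministic encryption: with a randomized padding scheme the re-encrypted H(DID) would differ on every call and never equal the ledger value.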
As shown in fig. 6, step 2 further includes step 24, authentication after the user replaces the device, which comprises the following steps:
Step 1: After changing devices, user i of domain A enters a user name ID and a static password PW on the local client ClientA;
Step 2: ClientA extracts the user's device number DID, hashes the values separately to generate H(DID) and H(PW), deletes the local cache, negotiates a session key with the domain A authentication server ServerA through the Diffie-Hellman algorithm, and sends ID, H(PW), H(DID) and related information to ServerA encrypted under the session key;
Step 3: ServerA receives the message sent by ClientA, decrypts it with the negotiated session key to obtain ID, H(PW) and H(DID), and queries whether the ID exists in the blockchain public ledger. If the ID does not exist, ServerA returns a user-unregistered message; if it exists, ServerA pulls the H(PW)', E_A(H(DID))' and home-domain information corresponding to the ID from the blockchain public ledger.
Step 4: ServerA compares the H(PW) sent by ClientA with the H(PW)' pulled from the blockchain. If they are the same, ServerA further encrypts the user's H(DID) with the domain A node public key PUBA to obtain E_A(H(DID)) and compares E_A(H(DID)) with E_A(H(DID))'. Because the user has changed devices, ServerA uses the domain A node private key PRIA to decrypt the user's E_A(Info), obtains Info, extracts the security question QSecrect from it, and returns it to the client ClientA through the trusted channel.
Step 5: User i of domain A answers the security question with ASecrect; ClientA hashes the answer and sends ID, H(PW), H(DID), H(ASecrect) and related information to the domain A authentication server ServerA encrypted under the session key;
Step 6: ServerA compares the H(ASecrect) sent by ClientA with the security-question answer H(ASecrect) recorded in the blockchain. If the answer passes, ServerA executes the user-information update smart contract and updates the user's H(DID); once the consensus node completes verification and generates the block, a message that the bound device was replaced successfully is returned to the user.
The security and efficiency analysis of the above technique is as follows:
Security analysis
Resistance to replay attacks: a replay attack mainly refers to obtaining, by interception or eavesdropping, a packet that the system may accept, and then transmitting that packet at high frequency so that the system is kept busy and cannot respond to real request packets. During user registration and authentication, the session key is a random short key generated through the Diffie-Hellman algorithm, so the key differs from session to session; this prevents replay attacks and ensures the forward security of the key.
Resistance to man-in-the-middle attacks: a man-in-the-middle (MITM) attack mainly refers to intercepting or eavesdropping on data in transit, tampering with its real content, and then forwarding the tampered content to the receiver; if the data is not encrypted, the receiver and the sender can hardly detect the tampering. In the invention, the session key for user registration and authentication is negotiated through Diffie-Hellman, so a man-in-the-middle who wants to tamper with the data must first break the session key, and because the discrete logarithm problem over a finite field is hard, the man-in-the-middle has difficulty deciphering the session content. In addition, both the user's static password and the device information are hashed, and in cross-domain authentication the device information is transmitted as a ciphertext produced by an asymmetric encryption algorithm, so even if an attacker intercepts the information, it cannot be tampered with. Only if an authentication node is compromised and its public and private keys are leaked could that node's user information be tampered with. The application scenario of the invention is a commercial consortium chain, where the security level is higher and the nodes are highly trusted, so this special case is not considered.
Resistance to password-guessing attacks: in general, once an attacker obtains a user's password by whatever means, the attacker controls all of the user's account information, and the system has difficulty distinguishing the attacker from the real user, so protecting the user's login password from leakage is very important. In the design of the invention, after the user enters the login password, the client deletes the local cache immediately after completing the hash operation, so an attacker cannot directly obtain the user's login password. Moreover, a hashed password is hard to invert, so even if an attacker breaks the session key and obtains the user's hashed login password, it is difficult to recover the login password from it.
Privacy protection and compliance: in the registration stage, the hash of the user's bound device and the supplementary information are asymmetrically encrypted under the public key of the registration domain, and the ciphertext is stored in the blockchain public ledger; only the registration domain, which holds the corresponding private key, can decrypt it. During cross-domain authentication, other domains do not need to know the actual device hash or the user's private information; they decide whether the user passes authentication simply by encrypting the value submitted during authentication under the registration domain's public key and checking whether the result matches the information on the chain. This mechanism protects the user's private data while also ensuring data consistency and the openness and transparency of transactions.
Efficiency analysis
Figs. 7 to 10 show the local authentication and remote cross-domain authentication flow charts of the two schemes, Zhou's and Zhang Haodi's, mentioned in the background art. Compared with them, the device ID used in this scheme as the second authentication factor is invariant and has a definite value, so the user can be authenticated by directly comparing ciphertexts encrypted under the public key, without the user's home domain decrypting them to plaintext, and the user's registration domain does not need to take part in verification during cross-domain authentication. This reduces the number of information exchanges and the communication overhead of cross-domain authentication, as shown in table 1 (calculation overhead comparison during local authentication) and table 2 (calculation overhead comparison during remote cross-domain authentication).
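Table 1 (calculation overhead comparison during local authentication): [table supplied as an image in the source; contents not recoverable]
Table 2 (calculation overhead comparison during remote cross-domain authentication): [table supplied as an image in the source; contents not recoverable]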
Table 3 below (comparison of typical algorithm operation rates) gives the time overhead of the various calculation operations, obtained experimentally by running each operation 10000 times on a Windows system with 8GB RAM and 3.6GB processor core 2, with an encryption plaintext length of 160 bytes.
Table 3

| Algorithm | Time/s |
| --- | --- |
| AES symmetric encryption | 0.027 |
| AES symmetric decryption | 0.105 |
| RSA asymmetric encryption | 2.25 |
| RSA asymmetric decryption | 98.757 |
| SHA256 hash operation | 0.044 |
| Exponential operation (101^500) | 0.056 |
As can be seen from the above table, symmetric encryption is fastest, the hash and exponent operations are also fast, AES decryption runs at about 1/2 the speed of the hash and exponent operations, asymmetric encryption at about 1/4, and asymmetric decryption at about 1/20. The computation time overhead of the three schemes, not counting fuzzy extraction operations, is shown in figure 11.
Of the 3 schemes, Zhang Haodi's scheme performs asymmetric encryption and asymmetric decryption several times, so it takes the most time and has the lowest efficiency. Compared with Zhou's scheme, the scheme of the invention performs more hash operations and fewer fuzzy extraction operations during local authentication; during remote cross-domain authentication, the counts of the other operation types are the same and one fewer fuzzy extraction operation is performed. Even without taking into account that fuzzy-extraction recovery of fingerprints is generally time-consuming, the efficiency of the invention is comparable to that of Zhou's scheme.
First, in that scheme the user's static password hash y and the user random key R recovered through fuzzy extraction are stored directly in plaintext on the registration domain's server. If that server is compromised and y and R are stolen, the attacker can impersonate the client and log in as the user with ID, y and R, which seriously threatens the security of the user's information. Second, during remote cross-domain authentication the client sends ID, y, R and related information to the authentication domain in plaintext, so the user's information is at risk of leaking if the exchange is monitored. In the scheme of the invention, the hash of the device ID is encrypted under the public key of the registration domain server and can be decrypted only by the holder of the private key, so even an attacker who steals the database cannot recover the content of the user's second authentication factor. In addition, the user and the server interact under a session key negotiated with Diffie-Hellman, so it is difficult for an attacker to steal the real credentials the user authenticates with by eavesdropping, which effectively protects the user's information.
Furthermore, during remote cross-domain authentication Zhou's scheme requires the authentication server of the registration domain to take part in the authentication process. Because that server may be busy, down or subject to network delay, the actual cross-domain authentication time may be longer and reliability weaker. In the invention, the authentication domain server mainly interacts with blockchain nodes during remote cross-domain authentication, and because the consortium blockchain network has many nodes, when one node times out the server can quickly switch to another node for the information request, so the reliability of the invention is high. From the above analysis, the security, efficiency and reliability of the invention exceed those of the conventional schemes.
The above description is only a preferred embodiment of the present invention and is not intended to limit it. It should be noted that those skilled in the art can make many modifications and variations without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as falling within the protection scope of the present invention.

Claims (3)

1. An efficient two-factor cross-domain authentication method based on blockchain technology, characterized by comprising the following steps:
Step 1: designing the overall architecture of the system;
the session key negotiation mechanism between A and B according to the Diffie-Hellman algorithm proceeds as follows:
Step 11: A and B agree on a randomly selected large prime number n and a primitive root g; both values are public;
Step 12: A randomly generates a number x, computes $X = g^x \bmod n$, and sends X to B;
Step 13: B randomly generates a number y, computes $Y = g^y \bmod n$, and sends Y to A;
Step 14: A computes $K = Y^x \bmod n$;
Step 15: B computes $K = X^y \bmod n$;
Step 2: the system workflow;
Step 21: the user registration process;
Step 1: User i of domain A enters a user name ID and a static password PW on the local client ClientA;
Step 2: ClientA extracts the user's device number DID, hashes the device number and the static password separately to generate H(DID) and H(PW), deletes the local cache, negotiates a session key with the domain A authentication server ServerA through the Diffie-Hellman algorithm, and sends the ID, H(PW) and H(DID) information to ServerA encrypted under the session key;
Step 3: ServerA receives the message sent by ClientA, decrypts it with the negotiated session key to obtain ID, H(PW) and H(DID), and queries whether the ID exists. If the ID exists, ServerA returns a message that the user is already registered; otherwise registration can proceed. To register, ServerA first encrypts the user's H(DID) with the domain A node public key PUBA to obtain E_A(H(DID)); the ServerA node then executes the smart contract, initiates a registration transaction and endorses it; after the consensus node completes verification and generates the block, a registration-success message is returned to the client ClientA;
Step 4: ClientA receives the registration-success message, supplements the user's other information Info, and sends Info to ServerA through a secure channel;
Step 5: ServerA encrypts the supplementary information Info with the domain A node public key PUBA to obtain E_A(Info); the ServerA node then executes the smart contract, initiates a user-information update transaction and endorses it;
Step 22: local authentication of the user;
Step 1: User i of domain A enters a user name ID and a static password PW on the local client ClientA;
Step 2: ClientA extracts the user's device number DID, hashes the device number and the static password separately to generate H(DID) and H(PW), deletes the local cache, negotiates a session key with the domain A authentication server ServerA through the Diffie-Hellman algorithm, and sends the ID, H(PW) and H(DID) information to ServerA encrypted under the session key;
Step 3: ServerA receives the message sent by ClientA, decrypts it with the negotiated session key to obtain ID, H(PW) and H(DID), and queries whether the ID exists in the blockchain public ledger. If the ID does not exist, ServerA returns a user-unregistered message; if it exists, ServerA pulls the H(PW)', E_A(H(DID))' and home-domain information corresponding to the ID from the blockchain public ledger;
Step 4: ServerA compares the H(PW) sent by ClientA with the H(PW)' pulled from the blockchain. If they are the same, ServerA further encrypts the user's H(DID) with the domain A node public key PUBA to obtain E_A(H(DID)) and compares E_A(H(DID)) with E_A(H(DID))'; if they are equal, it returns an authentication success message;
Step 23: remote cross-domain authentication of the user;
Step 1: User i, registered in domain A, enters the login information ID and PW on the domain B client ClientB;
Step 2: ClientB extracts the user's device number DID, generates H(DID) and H(PW) by hash operations, deletes the local cache, negotiates a session key with the domain B authentication server ServerB through the Diffie-Hellman algorithm, and sends the ID, H(PW) and H(DID) information to ServerB encrypted under the session key;
Step 3: ServerB receives the message sent by ClientB, decrypts it with the negotiated session key to obtain ID, H(PW) and H(DID), and queries whether the ID exists in the blockchain public ledger. If the ID does not exist, ServerB returns a user-unregistered message; if it exists, ServerB pulls the H(PW)', E_A(H(DID))' and home-domain information corresponding to the ID from the blockchain public ledger;
Step 4: ServerB compares the H(PW) sent by ClientB with the H(PW)' pulled from the blockchain. If the values are the same, ServerB further encrypts the user's H(DID) with the domain A node public key PUBA to obtain E_A(H(DID)) and compares E_A(H(DID)) with E_A(H(DID))'; if they are equal, it returns an authentication success message.
2. The method of claim 1, wherein step 2 further includes step 24: authentication after the user replaces the device.
3. The method of claim 2, wherein step 24, authentication after the user replaces the device, comprises the following steps:
Step 1: After changing devices, user i of domain A enters a user name ID and a static password PW on the local client ClientA;
Step 2: ClientA extracts the user's device number DID, hashes the values separately to generate H(DID) and H(PW), deletes the local cache, negotiates a session key with the domain A authentication server ServerA through the Diffie-Hellman algorithm, and sends the ID, H(PW) and H(DID) information to ServerA encrypted under the session key;
Step 3: ServerA receives the message sent by ClientA, decrypts it with the negotiated session key to obtain ID, H(PW) and H(DID), and queries whether the ID exists in the blockchain public ledger. If the ID does not exist, ServerA returns a user-unregistered message; if it exists, ServerA pulls the H(PW)', E_A(H(DID))' and home-domain information corresponding to the ID from the blockchain public ledger;
Step 4: ServerA compares the H(PW) sent by ClientA with the H(PW)' pulled from the blockchain. If they are the same, ServerA further encrypts the user's H(DID) with the domain A node public key PUBA to obtain E_A(H(DID)) and compares E_A(H(DID)) with E_A(H(DID))'. Because the user has changed devices, ServerA uses the domain A node private key PRIA to decrypt the user's E_A(Info), obtains Info, extracts the security question QSecrect from it, and returns it to the client ClientA through the trusted channel;
Step 5: User i of domain A answers the security question with ASecrect; ClientA hashes the answer and sends the ID, H(PW), H(DID) and H(ASecrect) information to the domain A authentication server ServerA encrypted under the session key;
Step 6: ServerA compares the H(ASecrect) sent by ClientA with the security-question answer H(ASecrect) recorded in the blockchain. If the answer passes, ServerA executes the user-information update smart contract and updates the user's H(DID); once the consensus node completes verification and generates the block, a message that the bound device was replaced successfully is returned to the user.
CN201910287332.5A 2019-04-11 2019-04-11 Efficient double-factor cross-domain authentication method based on block chain technology Active CN110069918B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910287332.5A CN110069918B (en) 2019-04-11 2019-04-11 Efficient double-factor cross-domain authentication method based on block chain technology


Publications (2)

Publication Number Publication Date
CN110069918A CN110069918A (en) 2019-07-30
CN110069918B true CN110069918B (en) 2020-12-04

Family

ID=67367343

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910287332.5A Active CN110069918B (en) 2019-04-11 2019-04-11 Efficient double-factor cross-domain authentication method based on block chain technology

Country Status (1)

Country Link
CN (1) CN110069918B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 11-12 / F, Lingyu Business Plaza, 66 qinglonggang Road, high speed rail new town, Xiangcheng District, Suzhou City, Jiangsu Province, 215100

Patentee after: Suzhou Shutong Digital Technology Co.,Ltd.

Address before: 11-12 / F, Lingyu Business Plaza, 66 qinglonggang Road, high speed rail new town, Xiangcheng District, Suzhou City, Jiangsu Province

Patentee before: SUZHOU TONGJI BLOCKCHAIN RESEARCH INSTITUTE Co.,Ltd.

CP03 Change of name, title or address

Address after: 11-12 / F, Lingyu Business Plaza, 66 qinglonggang Road, high speed rail new town, Xiangcheng District, Suzhou City, Jiangsu Province

Patentee after: Wutong Chain Digital Technology Research Institute (Suzhou) Co.,Ltd.

Address before: 11-12 / F, Lingyu Business Plaza, 66 qinglonggang Road, high speed rail new town, Xiangcheng District, Suzhou City, Jiangsu Province, 215100

Patentee before: Suzhou Shutong Digital Technology Co.,Ltd.