CN116506233A - Identity authentication model based on distributed group cooperation - Google Patents
Identity authentication model based on distributed group cooperation Download PDFInfo
- Publication number
- CN116506233A CN116506233A CN202310777436.0A CN202310777436A CN116506233A CN 116506233 A CN116506233 A CN 116506233A CN 202310777436 A CN202310777436 A CN 202310777436A CN 116506233 A CN116506233 A CN 116506233A
- Authority
- CN
- China
- Prior art keywords
- authentication
- ciphertext
- private key
- idp
- sub
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000004220 aggregation Methods 0.000 claims abstract description 21
- 230000002776 aggregation Effects 0.000 claims abstract description 21
- 238000000034 method Methods 0.000 claims abstract description 19
- 230000011218 segmentation Effects 0.000 claims abstract description 19
- 239000012634 fragment Substances 0.000 claims description 63
- 238000012795 verification Methods 0.000 claims description 19
- 238000005516 engineering process Methods 0.000 abstract description 10
- 230000000694 effects Effects 0.000 abstract description 3
- 230000006399 behavior Effects 0.000 abstract 5
- 238000010586 diagram Methods 0.000 description 3
- 101150040334 KLHL25 gene Proteins 0.000 description 2
- 101100065246 Mus musculus Enc1 gene Proteins 0.000 description 2
- 101100065251 Drosophila melanogaster enc gene Proteins 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000000379 polymerizing effect Effects 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Collating Specific Patterns (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention provides an identity authentication model based on distributed group cooperation, which expands an identity authentication component from a single behavior body to a plurality of behavior bodies by using a private key segmentation technology and a ciphertext aggregation technology, wherein the multiple behavior bodies are required to jointly determine in one identity authentication process of a user, and the authentication can be passed only when a plurality of identity providers agree on the authentication behavior, otherwise, the authentication is not passed. Thus, even if an attacker controls one or a part of identity providers, legal users cannot be forged because the identity providers have no agreement on authentication behaviors, so that the identity authentication process has the effects of resisting single-point faults and tolerating attacks by using the identity authentication model.
Description
Technical Field
The invention relates to identity authentication for network space security, in particular to an identity authentication model based on distributed group cooperation.
Background
In the network space, digital authentication of the accessing user/service is done by an identity provider (Identity Provider, idP, or referred to as an authentication component). The user provides credentials to an identity provider, which authenticates the user's digital identity according to the credential information. In current identity provider implementations, the identity provider is typically a single principal of behavior, facing a single point of failure risk. When the identity provider is controlled by a hacker, the hacker can forge any user of any authority to implement extremely dangerous post-penetration behavior with legal user identities.
The existing scheme for improving the security of the identity authentication component generally increases the credentials required to be provided when the user performs identity authentication by using technologies such as multi-factor authentication, dynamic passwords and the like, and the existing technology increases the credentials required to be provided when the user performs identity authentication by using security policies such as multi-factor authentication and the like so as to avoid that an attacker falsifies the credentials of the user to legal users and attacks the credentials. And the schemes for improving the security of the identity authentication component are not considered, wherein the schemes can be bypassed by the modes of closing additional security policies, falsifying authentication results or adding illegal users when the identity authentication component is controlled by an attacker. For this reason, in the existing authentication technology, the identity authentication component is usually a single behavior body, and the situation that an attacker controls the identity authentication component is not considered, so that the identity authentication component does not have the intrusion-tolerant and recoverable security attribute. In addition, there is currently no authentication scheme that uses group cooperative technology to improve identity authentication security.
Disclosure of Invention
The invention provides an identity authentication model based on distributed group cooperation, which expands an identity authentication component into a plurality of behavior subjects, wherein the behavior subjects of the authentication component realize the effects of joint participation, joint decision and cooperative authentication, and solve the problem of single-point failure faced by the existing identity authentication technology, and the technical scheme is as follows:
the utility model provides an identity authentication model based on distributed group cooperation, includes public and private key, authentication submitted's sub ciphertext, private key segmentation module and IdP cluster of user authentication, wherein:
public and private keys of the user authentication: in the identity authentication process based on an asymmetric encryption algorithm, a private key and a public key corresponding to the private key are generated by a user and used for verifying the identity validity;
the authentication submitted sub-ciphertext: when a user requests identity authentication from an IdP cluster, the IdP cluster randomly generates a character string src after receiving the identity authentication request and returns the character string src to the user who makes the identity authentication request, and the user uses a private key fragment K managed by the user after receiving the character string src m Sub-ciphertext enc obtained by encrypting character string src m And sub-ciphertext enc m Submitting to an IdP cluster for proving the user identity thereof;
the private key segmentation module: dividing a private key for user identity authentication into m private key fragments, wherein m is larger than or equal to 4, and the user keeps one private key fragment K m The rest m-1 private key fragments are transmitted to a secret receiving module of the IdP cluster through a secure channel;
the IdP cluster: and responding to the identity authentication request of the user, receiving the sub-ciphertext submitted by the user authentication, and outputting the result of whether the user passes the authentication.
The IdP cluster comprises a secret receiving module, m-1 IdP nodes and a consistency consensus module, wherein:
the secret receiving module: the authentication sub-ciphertext submitted by the user and m-1 private key fragments transmitted by the secure channel are received, the authentication sub-ciphertext submitted by the user is shared to m-1 IdP nodes, and the m-1 private key fragments are respectively transmitted to the m-1 IdP nodes;
the IdP node: the sub-ciphertext from the secret receiving module and other IdP nodes is received, the validity of the ciphertext can be verified, and a verification result is returned to the consistency consensus module;
the consistency consensus module: judging whether the identity authentication is successful or not by using a specified consensus rule, and if the identity authentication is agreed, passing the authentication; otherwise, authentication is not passed.
The consistency consensus module verifies the validity of the signature ciphertext encrypted/signed by the private key fragments, if and only if the private key fragments K managed by the user m Receiving the sub-ciphertext enc m After n+1 sub ciphertexts obtained by encrypting source data by using n IdPs managed by the private key, the validity of the signature ciphertext can be verified by using the public key corresponding to the private key, wherein n is the number of IdPs required in the authentication, and n<=m-1。
Each IdP node comprises four modules: the system comprises a sub-ciphertext signing module, a group cooperation module, a ciphertext aggregation module and a ciphertext verification module, wherein:
the sub-ciphertext signing module: using private key sharding K i Encryption source character string src generates sub-ciphertext enc i And sub-ciphertext enc i Delivering to a group collaboration module;
the group cooperation module: sub-ciphertext enc i (1 +.i +.n) is transmitted to the remaining n-1 IdP nodes participating in the authentication, and receives the sub-ciphertext enc from the other IdP nodes participating in the authentication j (1. Ltoreq. J. Ltoreq. N and i. Ltoreq. J);
the ciphertext aggregation module: the generated and received n+1 sub ciphertexts are aggregated into a complete ciphertext enc which can be verified by using an authentication public key, wherein n is the number of IdPs required during the authentication, and n < = m-1;
the ciphertext verification module: and verifying the validity of the aggregated ciphertext enc by using the authentication public key, and returning a verification result to the consistency consensus module.
The identity authentication model comprises the following steps of:
s1: the private key segmentation module segments the private key of user authentication into m fragments (m is greater than or equal to 4), and the user keeps one private key fragment K m The rest private key fragments are shared by a secret receiving module to m-1 IdP nodes for storage;
s2: at authentication, the user submits to the private key fragment K m Sub-ciphertext enc of signature-specific random string src m ,enc m Sharing the data to n (n is less than or equal to m-1) IdP nodes by a secret receiving module;
s3: receiving the sub-ciphertext enc m Is segmented K using its private key i (1.ltoreq.i.ltoreq.m-1) signing src to generate the corresponding sub-ciphertext enc i And shared by the group cooperative modules to the received sub-ciphertext enc m Other n-1 IdP nodes;
s4: after receiving the sub-ciphertexts of other IdP nodes, the ciphertext aggregation modules of the IdP nodes aggregate all the sub-ciphertexts into ciphertext enc, the verification module uses the public key of user authentication to verify whether the ciphertext enc is legal or not, and the result is returned to the consistency consensus module;
s5: if the verification results of all the IdP nodes participating in the authentication are ciphertext legal, the consistency consensus module judges that the authentication passes; otherwise, the authentication is not passed.
Further, in step S3, the group collaboration module uses the group collaboration algorithm to transfer ciphertext among the n identity providers participating in the authentication, so that each identity provider holds ciphertext signed by n+1 private key fragments (enc 1 , enc 2 , …, enc m )。
Further, in step S2, all identity providers keep public keys.
Further, in step S1, the user uses the private key to sign the ciphertext enc of the source data src, and uses n+1 pieces of private key to sign the source data src, and uses the ciphertext enc obtained by the aggregation algorithm to perform the signing respectively ’ Similarly, n+1 private key slices must contain the private key slices Km held by the user.
The invention uses the private key segmentation technology and the ciphertext aggregation technology to expand the identity authentication component from a single behavior body to a plurality of behavior bodies, thereby constructing an identity authentication model based on distributed group cooperation, and the identity authentication model is utilized to ensure that the identity authentication process has the effect of resisting single-point faults and attack tolerance.
The identity authentication model based on distributed group cooperation expands the identity provider from a single behavior main body to a plurality of behavior main bodies, the user needs to jointly decide a plurality of behavior main bodies in one identity authentication process, the authentication can be passed only when the plurality of identity providers agree on the authentication, and otherwise, the authentication is not passed. Thus, even if an attacker has control of one or a portion of the identity provider, it is not possible to forge a legitimate user because the identity provider is not agreed upon with respect to authentication. At present, a similar scheme has not been existed, wherein the key segmentation and aggregation method is used for expanding the identity authentication process into a plurality of distributed authenticators, so that a multiparty participation and collaborative authentication technical scheme is formed.
Drawings
FIG. 1 is an overall architecture diagram of the distributed community collaboration-based authentication model;
FIG. 2 is a schematic diagram of an embodiment of an authentication flow of the distributed community collaboration based identity authentication model.
Detailed Description
In the network space, authentication and distribution of the digital identity of the user is accomplished by an identity provider (IdP). Under existing authentication techniques, an identity provider is a single principal of behavior, which is at risk of a single point of failure. If the identity provider is controlled by an attacker, the attacker can forge any legitimate user to conduct the attack.
As shown in FIG. 1, the invention provides an identity authentication model based on distributed group cooperation by applying a key segmentation technology and a group cooperation algorithm, and the identity authentication model comprises a public and private key for user authentication, a sub-ciphertext submitted by authentication, a private key segmentation module and an IdP cluster.
1. Public and private keys of the user authentication
In the identity authentication process based on the asymmetric encryption algorithm, a private key and a public key corresponding to the private key are generated by a user and used for verifying the validity of the identity.
2. Authentication submitted sub-ciphertext
When a user requests identity authentication from the IdP cluster, the IdP cluster randomly generates a character string src after receiving the identity authentication request and returns the character string src to the user who makes the identity authentication request. After receiving the character string src, the user uses the private key fragment K managed by the user m Sub-ciphertext enc obtained by encrypting character string src m And sub-ciphertext enc m Is submitted to the IdP cluster for proving its user identity.
3. Private key segmentation module
The private key segmentation module segments a private key for user identity authentication into m private key fragments (m is larger than or equal to 4), wherein a user keeps one of the private key fragments K m The method comprises the steps of carrying out a first treatment on the surface of the Except for private key fragment K m The rest m-1 private key fragments are transmitted to a secret receiving module of the IdP cluster through a secure channel under the management of a user. In verifying the validity of a signature ciphertext encrypted/signed using a private key fragment, the user managed private key fragment K is, if and only m And the rest m sub-ciphertexts obtained by encrypting the source data by n (n is less than or equal to m-1) private key fragments are aggregated, and then the validity of the signature ciphertext can be verified by using the public key corresponding to the private key.
Wherein m is all IdPs, n is IdP needed in one authentication, n < = m-1; m is the key split into m shares, where m-1 is held by the IdP cluster. When the key is polymerized, the original ciphertext can be obtained only by polymerizing n+1 sub ciphertexts, and n+1 can be equal to m, so that two situations of partial IdP participation and all IdP participation authentication can be covered, and one example is as follows: the key is divided into 4 shares, K1 is held by the user, and K2, K3, K4 are held by the IdP. At aggregation, any two encrypted sub-ciphertexts, such as enc2, enc3, of the K1 encrypted sub-ciphertexts enc1 and < K2, K3, K4> are required. Ciphertext encrypted using (enc 1, enc2, enc 3) that can be aggregated into the source key can be verified with the public key.
4. IdP cluster
The IdP cluster comprises a secret receiving module, m-1 IdP nodes (m is larger than or equal to 4) and a consistency consensus module. And the IdP cluster responds to the identity authentication request of the user, receives the sub-ciphertext submitted by the user authentication, and outputs the result of whether the user passes the authentication.
(1) Secret receiving module
The secret receiving module is used for receiving authentication sub-ciphertext submitted by a user and m-1 private key fragments transmitted by a secure channel. The authentication sub-ciphertext submitted by a user is shared to m-1 IdP nodes, m-1 private key fragments are respectively transmitted to m-1 IdP nodes, namely each IdP node receives one private key fragment from a secret receiving module, and the private key fragments of each IdP are unique and different from each other.
(2) IdP node
Each IdP node includes four modules: the system comprises a sub-ciphertext signing module, a group cooperation module, a ciphertext aggregation module and a ciphertext verification module. The IdP node receives the sub-ciphertext from the secret receiving module and other IdP nodes, can verify the validity of the ciphertext, and returns the verification result to the consistency consensus module.
The sub-ciphertext signing module: the module uses a private keySlicing K i Encryption source character string src generates sub-ciphertext enc i And sub-ciphertext enc i Delivering to a group collaboration module;
the group cooperation module: the module converts the sub-ciphertext enc i (1 +.i +.n) is transmitted to n-1 IdP nodes participating in the authentication, and receives the sub-ciphertext enc from other IdP nodes participating in the authentication j (1. Ltoreq. J. Ltoreq. N and i. Ltoreq. J);
the ciphertext aggregation module: the module aggregates the generated and received n+1 sub-ciphertexts into a complete ciphertext enc which can be verified by using an authentication public key;
the ciphertext verification module: the module uses the authentication public key to verify the validity of the aggregated ciphertext enc, and returns a verification result to the consistency consensus module.
(3) Consistency consensus module
The consensus module uses the specified consensus rules to determine whether the identity authentication was successful. According to the consensus rule, if agreement is reached, the authentication is passed; otherwise, authentication is not passed.
When verifying the validity of the signature ciphertext encrypted/signed by using the private key fragments, the consistency consensus module can verify the validity of the signature ciphertext by using the public key corresponding to the private key if and only after the private key fragments Km managed by the user and n+1 sub ciphertexts obtained by encrypting source data by the private key fragments managed by n IdPs of sub ciphertexts encm are aggregated, wherein n is the number of IdPs required in the authentication, and n < = m-1.
When the identity authentication model based on distributed group cooperation is used, the method comprises the following steps:
s1: the private key segmentation module segments the private key of user authentication into m fragments (m is greater than or equal to 4), and the user keeps one private key fragment K m The rest private key fragments are shared by the secret receiving module to n (n.ltoreq.m-1) IdP (Identity Provider ) nodes for storage.
S2: at authentication, the user submits to the private key fragment K m Sub-ciphertext enc of signature-specific random string src m ,enc m And the secret receiving module shares the secret to n (n is less than or equal to m-1) IdP nodes.
When authentication is performed once, n IdPs participate, and not all m-1 IdPs participate. The method is determined by a key segmentation algorithm, and some key segmentation algorithms can segment the key into i parts, but only any j parts of the key can be aggregated (i > j) during aggregation authentication, and all the sub-keys which are i parts can be designated to be aggregated.
S3: receiving the sub-ciphertext enc m Is fragmented K using its private key for n IdP nodes i (1.ltoreq.i.ltoreq.m-1) signing src to generate the corresponding sub-ciphertext enc i And shared by the group cooperative modules to the received sub-ciphertext enc m Is a function of the other n-1 IdP nodes.
S4: after receiving the sub-ciphertexts of other IdP nodes, the ciphertext aggregation modules of the IdP nodes aggregate all the sub-ciphertexts into ciphertext enc, the verification module uses the public key of user authentication to verify whether the ciphertext enc is legal or not, and the result is returned to the consistency consensus module.
S5: if the verification results of all the IdP nodes are ciphertext legal, the consistency consensus module judges that the authentication passes; otherwise, the authentication is not passed.
As shown in fig. 2, in the schematic diagram of the authentication flow embodiment of the distributed group collaboration-based identity authentication model, the authentication flow of the IdP cluster formed by 3 IdP nodes during identity authentication is shown, and implementation details such as an organization architecture and a communication protocol between the IdP nodes can be adjusted according to service scene characteristics, so that only the authentication flow is focused on in the embodiment. The specific steps are as follows:
s11: configuration phase:
s111: the user generates a private key and a corresponding public key for identity authentication and submits the private key and the corresponding public key to the private key segmentation module;
s112: the private key segmentation module segments a private key submitted by a user into 4 fragments, and segments the private key into K fragments 4 Returning to the user for keeping, and slicing the rest private key 1 、K 2 And K 3 Transmitting the information to a secret receiving module through a secure channel;
s113: secret receiving moduleThe block fragments the received private key K 1 、K 2 、K 3 And the data are respectively transmitted to the IdP node 1, the IdP node 2 and the IdP node 3.
S12: authentication:
s121: the user requests identity authentication from the IdP cluster;
s122: after receiving the authentication request, the IdP cluster randomly generates a source character string src, and returns the source character string src to the user and all the IdP nodes;
s123: private key fragment K managed by user using the same 4 Encryption source character string src, generating sub-ciphertext enc 4 And delivers it to the IdP cluster;
s124: the secret receiving module of the IdP cluster receives the sub-ciphertext enc 4 Then, the sub-ciphertext enc 4 Broadcasting to all IdP nodes;
s125: the IdP node 1 receives the sub-ciphertext enc 4 Thereafter, src is encrypted using its managed private key fragment K1 to generate a sub-ciphertext enc 1 And sub-ciphertext enc 1 Transmitting to the IdP node 2 and the IdP node 3; meanwhile, the IdP node 2 receives the sub-ciphertext enc 4 Thereafter, private key fragment K managed using the same 2 Encryption of src to generate sub-ciphertext enc 2 And sub-ciphertext enc 2 Transmitting to the IdP node 1 and the IdP node 3; meanwhile, the IdP node 3 receives the sub-ciphertext enc 4 Thereafter, private key fragment K managed using the same 3 Encryption of src to generate sub-ciphertext enc 3 And sub-ciphertext enc 3 Transmitting to the IdP node 1 and the IdP node 2;
s126: the IdP node 1, the IdP node 2, and the IdP node 3 use the aggregation module to receive and generate all the sub-ciphertexts (enc 1 、enc 2 、enc 3 、enc 4 ) Aggregation into ciphertext enc;
s127: the IdP node 1, the IdP node 2 and the IdP node 3 respectively use the identity authentication public key to verify the validity of the aggregated ciphertext enc, and return the verification results to the consistency consensus module;
s128: the consensus module determines whether consensus among the IdP nodes is reached based on a consensus rule (e.g., 3 IdP nodes must all be authenticated). If agreement is reached, authentication is passed; otherwise, the authentication is not passed.
From the description of the above embodiments, it can be analyzed that:
(1) In the scenario of identity authentication using asymmetric encryption techniques, the private key used for authentication by a user is split into m (mR > 4) private key fragments (K 1 , K 2 , …, K m ). Ciphertext enc obtained by signing source data src by using a private key and ciphertext enc obtained by signing source data src by using n+1 private key fragments and then using an aggregation algorithm respectively ’ Is identical, the aggregated ciphertext enc may be verified using the corresponding public key ’ Is the legitimacy of (2). Wherein n+1 private key fragments must contain the private key fragment K held by the user m For example, the key split may be 3-out-of-3, meaning that the key split is 3 parts, the aggregate authentication must also be 3 parts, or the key split may be 2-out-of-3, i.e., the key split is 3 parts, the aggregate is any 2 of them, both types of algorithms are available.
(2) The identity provider is extended from a single principal of behavior to m-1 principal of behavior. Any 1 private key fragment K in m private key fragments after dividing the private key m The rest of m-1 private key fragments are transmitted by the user client to m-1 identity providers for escrow over a secure channel. All identity providers also keep public keys.
(3) In the identity authentication process, the user uses the stored private key fragment K m Signing the randomly generated source data src from any identity provider and signing the signed ciphertext enc m To m-1 identity providers. Private key fragment K kept by m-1 identity providers i Signing the source data src to generate ciphertext enc i 。
(4) Ciphertext is communicated between all identity providers using a group collaboration algorithm such that each identity provider holds ciphertext signed by n+1 private key fragments (enc 1 , enc 2 , …, enc m ). Each identity provider uses an aggregation algorithm to aggregate the ciphertext and uses the public key to verify the legitimacy of the aggregated ciphertext.
The invention has the following characteristics:
(1) The identity authentication behavior main body is expanded from one to a plurality of IdP nodes, and authentication can be passed only when the IdP nodes agree on the authentication behavior.
(2) By applying the key segmentation and aggregation method to the field of identity authentication, the segmented private key fragments are kept by a plurality of distributed IdP nodes, so that the fact that each authentication process is jointly participated, jointly decided and cooperatively authenticated by a plurality of designated IdP nodes is ensured, and an attacker cannot bypass the authentication process by sinking part of the IdP nodes is avoided, and therefore single-point fault risks are avoided.
Claims (8)
1. An identity authentication model based on distributed group cooperation is characterized in that: the authentication method comprises the steps of a public and private key of user authentication, a sub-ciphertext submitted by authentication, a private key segmentation module and an IdP cluster, wherein:
public and private keys of the user authentication: in the identity authentication process based on an asymmetric encryption algorithm, a private key and a public key corresponding to the private key are generated by a user and used for verifying the identity validity;
the authentication submitted sub-ciphertext: when a user requests identity authentication from an IdP cluster, the IdP cluster randomly generates a character string src after receiving the identity authentication request and returns the character string src to the user who makes the identity authentication request, and the user uses a private key fragment K managed by the user after receiving the character string src m Sub-ciphertext enc obtained by encrypting character string src m And sub-ciphertext enc m Submitting to an IdP cluster for proving the user identity thereof;
the private key segmentation module: dividing a private key for user identity authentication into m private key fragments, wherein m is larger than or equal to 4, and the user keeps one private key fragment K m The rest m-1 private key fragments are transmitted to a secret receiving module of the IdP cluster through a secure channel;
the IdP cluster: and responding to the identity authentication request of the user, receiving the sub-ciphertext submitted by the user authentication, and outputting the result of whether the user passes the authentication.
2. The distributed group collaboration-based authentication model of claim 1, wherein: the IdP cluster comprises a secret receiving module, m-1 IdP nodes and a consistency consensus module, wherein:
the secret receiving module: the authentication sub-ciphertext submitted by the user and m-1 private key fragments transmitted by the secure channel are received, the authentication sub-ciphertext submitted by the user is shared to m-1 IdP nodes, and the m-1 private key fragments are respectively transmitted to the m-1 IdP nodes;
the IdP node: the sub-ciphertext from the secret receiving module and other IdP nodes is received, the validity of the ciphertext can be verified, and a verification result is returned to the consistency consensus module;
the consistency consensus module: judging whether the identity authentication is successful or not by using a specified consensus rule, and if the identity authentication is agreed, passing the authentication; otherwise, authentication is not passed.
3. The distributed group collaboration-based authentication model of claim 2, wherein: the consistency consensus module verifies the validity of the signature ciphertext encrypted/signed by the private key fragments, if and only if the private key fragments K managed by the user m Receiving the sub-ciphertext enc m After n+1 sub ciphertexts obtained by encrypting source data by using n IdPs managed by the private key, the validity of the signature ciphertext can be verified by using the public key corresponding to the private key, wherein n is the number of IdPs required in the authentication, and n<=m-1。
4. The distributed group collaboration-based authentication model of claim 2, wherein: each IdP node comprises four modules: the system comprises a sub-ciphertext signing module, a group cooperation module, a ciphertext aggregation module and a ciphertext verification module, wherein:
the sub-ciphertext signing module: using private key sharding K i Encryption source character string src generates sub-ciphertext enc i And sub-ciphertext enc i Delivering to a group collaboration module;
the group cooperation module: sub-ciphertext enc i (1 +.i +.n) is transmitted to the remaining n-1 IdP nodes participating in the authentication, and receives the sub-ciphertext enc from the other IdP nodes participating in the authentication j (1. Ltoreq. J. Ltoreq. N and i. Ltoreq. J);
the ciphertext aggregation module: the generated and received n+1 sub ciphertexts are aggregated into a complete ciphertext enc which can be verified by using an authentication public key, wherein n is the number of IdPs required during the authentication, and n < = m-1;
the ciphertext verification module: and verifying the validity of the aggregated ciphertext enc by using the authentication public key, and returning a verification result to the consistency consensus module.
5. The distributed group collaboration-based authentication model of claim 2, wherein: the identity authentication model comprises the following steps of:
s1: the private key segmentation module segments the private key of user authentication into m fragments (m is greater than or equal to 4), and the user keeps one private key fragment K m The rest private key fragments are shared by a secret receiving module to m-1 IdP nodes for storage;
s2: at authentication, the user submits to the private key fragment K m Sub-ciphertext enc of signature-specific random string src m ,enc m Sharing the data to n (n is less than or equal to m-1) IdP nodes by a secret receiving module;
s3: receiving the sub-ciphertext enc m Is segmented K using its private key i (1.ltoreq.i.ltoreq.m-1) signing src to generate the corresponding sub-ciphertext enc i And shared by the group cooperative modules to the received sub-ciphertext enc m Other n-1 IdP nodes;
s4: after receiving the sub-ciphertexts of other IdP nodes, the ciphertext aggregation modules of the IdP nodes aggregate all the sub-ciphertexts into ciphertext enc, the verification module uses the public key of user authentication to verify whether the ciphertext enc is legal or not, and the result is returned to the consistency consensus module;
s5: if the verification results of all the IdP nodes participating in the authentication are ciphertext legal, the consistency consensus module judges that the authentication passes; otherwise, the authentication is not passed.
6. The distributed community collaboration-based authentication model of claim 5, wherein: in step S3, the group cooperative module uses the group cooperative algorithm to transfer ciphertext among n identity providers participating in the authentication, so that each identity provider holds ciphertext signed by n+1 private key fragments (enc 1 , enc 2 , …, enc m )。
7. The distributed community collaboration-based authentication model of claim 5, wherein: in step S2, all identity providers army keep public keys.
8. The distributed group collaboration-based authentication model of claim 1, wherein: in step S1, the user uses the private key to sign the ciphertext enc of the source data src, and uses n+1 pieces of private key to sign the source data src, and uses the ciphertext enc obtained by the aggregation algorithm to perform the signature on the source data src ’ Similarly, n+1 private key slices must contain the private key slices Km held by the user.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310777436.0A CN116506233A (en) | 2023-06-29 | 2023-06-29 | Identity authentication model based on distributed group cooperation |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310777436.0A CN116506233A (en) | 2023-06-29 | 2023-06-29 | Identity authentication model based on distributed group cooperation |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116506233A true CN116506233A (en) | 2023-07-28 |
Family
ID=87323511
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310777436.0A Pending CN116506233A (en) | 2023-06-29 | 2023-06-29 | Identity authentication model based on distributed group cooperation |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116506233A (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20110173452A1 (en) * | 2008-05-28 | 2011-07-14 | Nan Xiang-Hao | Method of generating compound type combined public key |
| CN102984127A (en) * | 2012-11-05 | 2013-03-20 | 武汉大学 | User-centered mobile internet identity managing and identifying method |
| CN109934585A (en) * | 2019-03-08 | 2019-06-25 | 矩阵元技术(深圳)有限公司 | A kind of endorsement method based on multi-party computations, apparatus and system |
| CN110061828A (en) * | 2019-04-04 | 2019-07-26 | 西安电子科技大学 | Distributed digital endorsement method without trusted party |
| CN110784320A (en) * | 2019-11-04 | 2020-02-11 | 张冰 | Distributed key implementation method and system and user identity management method and system |
| CN112906039A (en) * | 2021-03-26 | 2021-06-04 | 成都卫士通信息产业股份有限公司 | Certificateless distributed signature method, certificateless distributed signature device, certificateless distributed signature medium and electronic equipment |
| CN115811406A (en) * | 2023-02-13 | 2023-03-17 | 南京畅洋科技有限公司 | Internet of things block chain authentication method and system based on ring signature consensus mechanism |
-
2023
- 2023-06-29 CN CN202310777436.0A patent/CN116506233A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20110173452A1 (en) * | 2008-05-28 | 2011-07-14 | Nan Xiang-Hao | Method of generating compound type combined public key |
| CN102984127A (en) * | 2012-11-05 | 2013-03-20 | 武汉大学 | User-centered mobile internet identity managing and identifying method |
| CN109934585A (en) * | 2019-03-08 | 2019-06-25 | 矩阵元技术(深圳)有限公司 | A kind of endorsement method based on multi-party computations, apparatus and system |
| CN110061828A (en) * | 2019-04-04 | 2019-07-26 | 西安电子科技大学 | Distributed digital endorsement method without trusted party |
| CN110784320A (en) * | 2019-11-04 | 2020-02-11 | 张冰 | Distributed key implementation method and system and user identity management method and system |
| CN112906039A (en) * | 2021-03-26 | 2021-06-04 | 成都卫士通信息产业股份有限公司 | Certificateless distributed signature method, certificateless distributed signature device, certificateless distributed signature medium and electronic equipment |
| CN115811406A (en) * | 2023-02-13 | 2023-03-17 | 南京畅洋科技有限公司 | Internet of things block chain authentication method and system based on ring signature consensus mechanism |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111371730B (en) | Lightweight authentication method supporting anonymous access of heterogeneous terminal in edge computing scene | |
| CN112003889B (en) | Distributed cross-link system and cross-link information interaction and system access control method | |
| EP2984782B1 (en) | Method and system for accessing device by a user | |
| CN109687976A (en) | Fleet's establishment and management method and system based on block chain and PKI authentication mechanism | |
| CN111147460B (en) | Block chain-based cooperative fine-grained access control method | |
| Goldberg et al. | Multi-party off-the-record messaging | |
| US20090158394A1 (en) | Super peer based peer-to-peer network system and peer authentication method thereof | |
| Chattaraj et al. | A new two-server authentication and key agreement protocol for accessing secure cloud services | |
| Rasheed et al. | Adaptive group-based zero knowledge proof-authentication protocol in vehicular ad hoc networks | |
| CN113761582B (en) | Group signature-based supervision blockchain transaction privacy protection method and system | |
| CN105516119A (en) | Cross-domain identity authentication method based on proxy re-signature | |
| Chen et al. | Cross-domain password-based authenticated key exchange revisited | |
| Kilari et al. | Robust revocable anonymous authentication for vehicle to grid communications | |
| Kilari et al. | Revocable anonymity based authentication for vehicle to grid (V2G) communications | |
| Li et al. | Catfl: Certificateless authentication-based trustworthy federated learning for 6g semantic communications | |
| CN110784305B (en) | Single sign-on authentication method based on careless pseudorandom function and signcryption | |
| CN110752934B (en) | Method for network identity interactive authentication under topological structure | |
| CN116702191A (en) | Federally learned local model parameter aggregation method | |
| CN114389808B (en) | OpenID protocol design method based on SM9 blind signature | |
| Deng et al. | Designated-verifier anonymous credential for identity management in decentralized systems | |
| CN116506233A (en) | Identity authentication model based on distributed group cooperation | |
| CN114154125A (en) | Certificateless identity authentication scheme of blockchain under cloud computing environment | |
| CN110492993B (en) | Novel certificateless group signature method | |
| Rawat et al. | PAS-TA-U: PASsword-based threshold authentication with password update | |
| Kim et al. | A privacy-preserving secure service discovery protocol for ubiquitous computing environments |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |