WO2009062373A1 - Method of implementing network genuine identification - Google Patents


Info

Publication number
WO2009062373A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
network
user
server
encryption
Prior art date
Application number
PCT/CN2008/001687
Other languages
French (fr)
Chinese (zh)
Inventor
Yongjin Li
Tong Liu
Ying Li
Guifen Zhao
Jiya Jiang
Guanning Xu
Liping Du
Suyan Wu
Yu Liu
Xiangyi Hu
Original Assignee
Beijing Jinaobo Digital Information Technology Co., Ltd.
Application filed by Beijing Jinaobo Digital Information Technology Co., Ltd.
Publication of WO2009062373A1

Classifications

    • H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/32: the same, including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3234: the same, involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/04: the same, for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428: the same, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0435: the same, wherein the sending and receiving network entities apply symmetric encryption, i.e. the same key is used for encryption and decryption
    • H04L 63/06: the same, for supporting key management in a packet data network
    • H04L 63/08: the same, for authentication of entities
    • H04L 63/0823: the same, using certificates

Definitions

  • The invention belongs to the field of information security and uses computer network, cryptographic and chip technology to perform network identity authentication.
  • The invention is intended for national or regional governments that want to establish a real-name system on the network.
  • The method uses computer, network, cryptographic and chip technology to set up a CA authentication centre at each network node to identify network users. The implementation steps are as follows.
  • A CA authentication centre is set up per network node, i.e. per network WEB server. A user who logs in to the WEB server and wants to reach the resource server or application server must first pass authentication by the CA authentication centre; only a legitimate user is admitted to the resource or application server.
  • The authentication servers of each CA authentication centre pre-store the identifiers of all network users of the country or region, namely the user number and the corresponding authentication parameters, in an authentication parameter database. Every network user has different authentication parameters, occupying roughly 1.312 K to 1.68 K bytes per person.
  • Encryption card hardware is installed in every authentication server of every CA authentication centre, and a set of encryption authentication protocol is stored in the encryption card's hardware chip. The WEB server distributes the user identity authentication tasks evenly, according to the user number, to the authentication servers of the CA authentication centre.
  • On the client side a network authentication hardware device is provided; its chip stores the user number, the authentication parameters, the encryption authentication protocol and the network user information. Every network user holds one such device and performs network identity authentication at the CA authentication centre of each network node through different client machines.
  • Two-way (mutual) authentication is used between the client and each CA authentication centre. The WEB server generates the symmetric key selection parameters, a timestamp and a random number; the client and the CA authentication centre each run the same symmetric key generation algorithm over the selection parameters and the authentication parameters to assemble a symmetric key, so that every authentication process produces a one-time symmetric key and a one-time authentication password.
  • The network user's network authentication hardware device is produced and issued by the public security department, which also produces the encryption card hardware used by the CA authentication centres and the user numbers and authentication parameters of all network users of the country or region, and delivers them to the network node units.
  • When a network user logs in to a network node and needs to reach the network resource server or network application server, the network authentication hardware device is used to authenticate at the corresponding CA authentication centre, and the encryption authentication system passes the legitimate user on to the resource or application server of the network node. The government of the country or region thereby obtains real-name management of the network. The whole process is implemented with a combination of software and hardware, as follows.
  • The network node's WEB server, CA authentication centre and resource or application server are connected in series: every user must pass the CA authentication centre, and only a legitimate user can enter the resource or application server. This prevents a hacker who has taken control of the WEB server with a "trojan" from entering the resource or application server directly.
  • A CA authentication centre consists of 1 to 30 authentication servers connected in "parallel", each fitted with 1 to 8 encryption cards; the number of authentication servers and encryption cards is scaled up or down with the number of network node users and their concurrency.
  • The network WEB server distributes identity authentication tasks evenly to the authentication servers of the CA authentication centre according to user concurrency, and each authentication server distributes its tasks evenly across the encryption cards inserted in it.
  • Tasks are allocated by the serial number of the encryption card hardware: every encryption card has a serial number, and each serial number is different and unique.
  • The encryption card is a PCI-interface hardware device with a built-in CPU smart chip, produced uniformly by the public security department, which also uniformly produces the identifiers of all network users of the country or region, i.e. the user numbers and the corresponding authentication parameters.
  • A network node unit obtains the encryption cards for the authentication servers of its CA authentication centre, and the user numbers and authentication parameters of all network users of the country or region, by applying to the public security department.
  • The user number of a network user consists of 18 to 36 digits; each digit occupies 4 bits, so the number occupies 9 to 18 bytes.
  • Network users comprise personal network users and legal-person (corporate) network users. The user numbers of all network users of the country or region are assigned uniformly in ascending order; every network user has a different user number, and the numbers are unique and consecutive.
  • The authentication parameters of a network user are binary data generated with a random number function, i.e. random "garbled" bytes. Each network user has one set of authentication parameters, and each user number corresponds to exactly one set.
  • The authentication parameters of each network user are 1.312 K to 1.68 K bytes and form an M×N authentication parameter table A, each element of which is 0.5 or 1 byte.
  • The client-side encryption authentication protocol comprises a symmetric cryptographic algorithm (a block cipher or a sequence cipher), a symmetric key generation algorithm and a comparison protocol. The comparison protocol encrypts the user number with the symmetric algorithm and a set of symmetric keys at both the client and the CA authentication centre and compares the resulting authentication passwords to determine whether the network user is genuine.
  • The network user information is also stored in the chip of the network authentication hardware device: for a personal network user the name and address, for a corporate network user the name and address of the legal entity.
  • The network authentication hardware devices are produced uniformly by the public security department on application by the network user, and different authentication parameters are created for each network user; the user number corresponds to the authentication parameters.
  • If a personal network user loses the network authentication hardware device and applies to the public security department, the department regenerates a set of authentication parameters, writes them into a new device together with the original user number, network user information and client-side encryption authentication protocol, and sends the new device to the network user.
  • The encryption card hardware chip stores a set of encryption authentication protocol. The CA-centre encryption authentication protocol comprises a symmetric cryptographic algorithm (block cipher or sequence cipher), a fixed symmetric key Kq, a symmetric key generation algorithm and a comparison protocol; the comparison protocol encrypts the user number or the random number with the symmetric algorithm and a set of symmetric keys at both the client and the CA authentication centre and compares the generated authentication passwords to determine whether the network user is genuine.
  • The encryption authentication protocols stored in the different encryption cards of one CA authentication centre are identical, including the fixed symmetric key Kq. Across different CA authentication centres the stored protocol is the same except for Kq: the encryption cards of each centre hold a different fixed symmetric key Kq.
  • The authentication servers of each CA authentication centre store the user numbers and authentication parameters of all network users of the country or region. The authentication parameters are encrypted with the fixed symmetric key Kq held in the encryption card and are stored only as ciphertext.
  • Every CA authentication centre stores the same user numbers and authentication parameters for all network users of the country or region, but because the encryption cards of each centre hold a different Kq, the ciphertext produced from the same authentication parameters differs from centre to centre.
  • The user numbers and authentication parameter ciphertexts are held in the authentication parameter database, which consists of an ID number field holding the user number and an authentication parameter ciphertext field.
  • Each CA authentication centre splits the records of the authentication parameter database into X shares according to the number of network users, where 1 ≤ X ≤ 30, and stores them on X authentication servers; the records are stored in ascending order of user number.
  • The ID number field is defined as a numeric type with a "clustered" index, and each ID number corresponds to one authentication parameter ciphertext field. The CA authentication centre therefore locates the record and its authentication parameter ciphertext directly from the user number, without searching the database, which greatly improves authentication efficiency.
  • The symmetric key length is 128 bits, in accordance with national regulations.
  • The symmetric cryptographic algorithm is SSF33, SCB2 or SMS33, in accordance with national regulations.
  • The timestamp is 8 to 10 digits: "year" is 4 digits (a decade XXX0 to XXX9), "month" is 2 digits (01 to 12), "day" is 2 digits (01 to 31) and "hour" is 2 digits (00 to 23). For example, 2007101819 denotes 19:00 on 18 October 2007.
  • The random number is 160 bits.
  • The timestamp and the random number select elements of the authentication parameter table to form the symmetric key, and because the random number changes every time, the symmetric key changes every time: each authentication process uses one set of symmetric keys, cleared after use and never reused, so the combined symmetric key is temporary (a one-time symmetric key) and key renewal needs no manual maintenance. Likewise, encrypting the random number or the user number with the one-time symmetric key yields an authentication password that changes every time.
  • The client sends an authentication request with its user number to the network WEB server.
  • The network WEB server generates a timestamp and a random number and assigns the authentication task to an authentication server of the CA authentication centre according to the user number.
  • The authentication server selects the authentication parameter ciphertext corresponding to the user number and feeds it, together with the timestamp and the random number, into the encryption card hardware chip.
  • In the chip, the CA-centre encryption authentication protocol decrypts the authentication parameter ciphertext with the fixed symmetric key Kq, generates a symmetric key K1 with the symmetric key generation algorithm, encrypts the user number with K1 to produce authentication password 1, and sends authentication password 1 with the timestamp and random number to the client; it also encrypts the random number with K1 to produce authentication password 4, which is retained for the final comparison.
  • The network WEB server starts the authentication life cycle.
  • The client-side symmetric key generation algorithm generates a symmetric key K2 from the received timestamp and random number and the device's own authentication parameters, encrypts the user number with K2 to produce authentication password 2, and compares authentication password 1 with authentication password 2. If they differ, the network node is an illegal website. If they are the same, one-way authentication of the node has passed; the client then encrypts the random number with K2 to produce authentication password 3 and sends the user number, timestamp, random number, authentication password 3, and the name (or legal entity name) and address to the authentication server.
  • On receiving this, the network WEB server first checks that the user number, timestamp and random number match those it issued, and recomputes whether the authentication life cycle has expired. If both checks pass, authentication password 3 is fed into the encryption card chip of the responsible authentication server, where the comparison protocol compares authentication password 3 with authentication password 4 to decide whether the user is genuine, and a legitimate user is admitted.
  • The authentication parameters of all network users of the country or region are stored as ciphertext, protected by the encryption system inside the encryption card chip, which greatly raises the security level of the encryption authentication protocol. By contrast, in encryption authentication protocols based on asymmetric algorithms such as PKI, the public keys and certificates of all network users are stored in the authentication server's database, where a hacker can use a "trojan" to tamper with public keys and certificates and mount an "impersonation" attack.
  • Through the authentication process the network node obtains the user's real name and detailed personal information, while the user confirms the authenticity of the network node, so the real-name relationship holds at both the client and the network node.
  • The CA-centre authentication server and the client each generate a set of symmetric keys at the same time and encrypt different parameters to complete two-way authentication, which both secures the encryption system and saves time.
  • Unlike current mainstream authentication protocols such as the certificates used by PKI, the invention uses the user number as the identifier of the network user, which directs the encryption system to select the correct authentication parameters. The user number and a temporarily generated random number are encrypted to produce authentication passwords, and identity is determined by comparing them, which reduces the complexity of the encryption authentication system and the resources it occupies and raises the authentication speed of the CA authentication centre.
  • The encryption authentication protocol built from a symmetric cryptographic algorithm and combined symmetric key technology occupies fewer CA resources, runs fast and is cheap to build.
  • A CA authentication centre built for about RMB 42,000 (one authentication server at RMB 13,000 per set plus four encryption cards) can hold the user numbers and authentication parameters of 300 million network users, about 393.6 G to 504 G bytes, on its authentication server, i.e. register 300 million network users and authenticate 2000 network users concurrently. This greatly improves authentication efficiency; a low-cost CA authentication centre at each network node solves the worldwide problem of large-scale network identity authentication.
  • All network users of the country or region can use their own network authentication hardware device to authenticate at every network node in the country or region: one device per user, accepted for authentication and login at all network nodes, which implements the network real-name system.
  • The network users authenticated at the CA authentication centre of any given network node are random rather than fixed, but all of them are network users of the country or region.
  • The public security department is responsible for updating the data of every network node's CA authentication centre: it creates the user numbers and authentication parameters of new network users, encrypts the authentication parameters of all network users of the country or region (new and existing) with the fixed symmetric key Kq of the corresponding encryption cards to produce authentication parameter ciphertext, and sends this together with the corresponding user numbers to the authentication servers of the corresponding CA authentication centre. Alternatively the user numbers and ciphertexts are stored at the public security department, and the network node unit authenticates, securely logs in to the public security department's website and downloads them.
  • The CA authentication centre of each network node replaces the contents of its authentication parameter database with the updated user numbers and authentication parameter ciphertexts and rebuilds the "clustered" index on the ID number field, completing routine maintenance of network user data at every CA authentication centre.
  • Figure 1: topology of a CA authentication centre established on a network node.
  • Figure 2: flowchart of application for and production of the client-side network authentication hardware device for the network real-name system.
  • Figure 3: flowchart of establishment of a CA authentication centre for the network real-name system.
  • FIG. 1 shows the architecture of the network real-name system with a CA authentication centre on the network node. Each network user on the client side has a network authentication hardware device, inserts it into the client machine and logs in to the network node's WEB server over the INTERNET. The WEB server submits the user's identity authentication task to the CA authentication centre; only legitimate users authenticated by the CA authentication centre can reach the resource or application servers on the network node. The WEB server, the CA authentication centre and the resource or application server are connected in series.
  • The CA authentication centre consists of 1 to K (K ≤ 30) authentication servers, each fitted with several (1 to 8) encryption cards, and the network node also has one or more resource or application servers. Only the WEB server has a network domain name; the authentication servers of the CA authentication centre and the resource or application servers have none.
  • FIG. 2 describes application for and manufacture of the client-side network authentication hardware device. A network user (personal or legal-person) applies to the public security department for a network authentication hardware device, and the department produces devices in the order of application. First the user number is generated in ascending order, then the random number function generates 1.312 K to 1.68 K bytes of authentication parameters, in one-to-one correspondence with the network user information. The user number, the authentication parameters and the network user information (name or legal entity name, and address) are written into the device chip, then the client-side encryption authentication protocol is written into the chip, and the finished device is sent to the network user.
  • If the network user loses the device and re-applies, the public security department regenerates the authentication parameters for that user number; the user number, network user information and client-side encryption authentication protocol are unchanged, and all of these are written into a new device together with the regenerated authentication parameters, which is then issued to the network user.
  • FIG. 3 shows establishment of the CA authentication centre. The network node unit applies to the public security department for the encryption cards, user numbers and authentication parameters of its CA authentication centre. The department produces one or more encryption cards as requested and writes the CA-centre encryption authentication protocol into each card's chip (the same protocol into every card when several are requested). It then uses the fixed symmetric key Kq in the cards' encryption authentication protocol to encrypt the authentication parameters of all network users of the country or region into ciphertext and builds an authentication parameter database of the ciphertexts with their corresponding user numbers.
  • The authentication parameter database and the encryption cards are sent to the network node unit, which thus obtains the encryption cards and the user numbers and authentication parameters of all network users of the country or region, and establishes the CA authentication centre between the WEB server and the resource or application server of its network node.
  • The CA authentication centre consists of X authentication servers (1 ≤ X ≤ 30); the records of the authentication parameter database are divided into X shares and stored on the X authentication servers, and a "clustered" index is built on the ID number field of the authentication parameter database.
  • Whenever the public security department updates the network user data of a CA authentication centre, it encrypts the authentication parameters of the updated network users together with those of all existing network users of the country or region with the fixed key Kq of the CA centre's encryption cards, builds the authentication parameter database with the corresponding user numbers, and sends it to the network node. The network node unit replaces the original records with the new database records and rebuilds the "clustered" index on the numeric ID field of the authentication parameter database.
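The provisioning and exchange described above (table A kept only as Kq ciphertext in the CA centre, a one-time key combined from the timestamp, the 160-bit random number and table A, authentication passwords 1 to 4, and the WEB server's parameter and life-cycle checks), as an added Python illustration that is not the patent's own code. Everything below is an assumption for the example rather than something the page specifies: the symmetric cipher is an HMAC-SHA256 keystream XOR standing in for SSF33/SCB2/SMS33, which are not publicly available; the rule by which the selection parameters pick elements of table A, the life-cycle length, the class and function names (AuthDevice, CACenter, seq_cipher, combine_key, run_exchange) and the sample user number are all constructed here.

```python
"""Combined-symmetric-key mutual authentication as described above.  Added
illustration, not the patent's own code.  Assumptions: the symmetric cipher is
an HMAC-SHA256 keystream XOR standing in for SSF33/SCB2/SMS33 (not publicly
available); the rule picking table-A elements and the life-cycle length are
chosen for this example; class and function names are hypothetical."""
import hashlib
import hmac
import secrets
import time

PARAM_BYTES = 1312        # authentication parameter table A, 1-byte elements
RANDOM_BYTES = 20         # 160-bit random number
KEY_BYTES = 16            # 128-bit symmetric key
LIFECYCLE_SECONDS = 60    # authentication life cycle (length assumed)


def new_table_a():
    """Authentication parameters: random bytes, as the public security department
    would generate them for one user (constructed here)."""
    return secrets.token_bytes(PARAM_BYTES)


def timestamp_at(t):
    """10-digit timestamp YYYYMMDDHH, e.g. '2007101819' = 19:00 on 18 Oct 2007."""
    return time.strftime("%Y%m%d%H", time.gmtime(t))


def seq_cipher(key, data, tag):
    """Sequence (stream) cipher stand-in: XOR with an HMAC-SHA256 keystream; the
    same call decrypts.  `tag` gives the two messages encrypted under one
    one-time key (user number, random number) distinct keystreams; without it
    password 3 could be derived from password 1 and the public user number."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, tag + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def combine_key(table_a, timestamp, random):
    """Combined symmetric key: timestamp and random number (the selection
    parameters) pick 16 elements of table A, which form the 128-bit one-time key."""
    sel = hashlib.sha256(timestamp.encode() + random).digest()
    return bytes(table_a[int.from_bytes(sel[2 * i:2 * i + 2], "big") % len(table_a)]
                 for i in range(KEY_BYTES))


class AuthDevice:
    """Client-side network authentication hardware device: user number + table A."""

    def __init__(self, user_no, table_a):
        self.user_no, self.table_a = user_no, table_a

    def respond(self, timestamp, random, password1):
        k2 = combine_key(self.table_a, timestamp, random)
        password2 = seq_cipher(k2, self.user_no.encode(), b"user")
        if not hmac.compare_digest(password1, password2):
            raise ValueError("illegal website: authentication password 1 mismatch")
        return seq_cipher(k2, random, b"rand")        # authentication password 3


class CACenter:
    """Authentication server with encryption card; table A is kept only as Kq ciphertext."""

    def __init__(self):
        self.kq = secrets.token_bytes(KEY_BYTES)      # fixed key Kq, never leaves the card
        self.db = {}                                  # numeric ID field -> parameter ciphertext
        self.sessions = {}

    def provision(self, user_no, table_a):
        self.db[int(user_no)] = seq_cipher(self.kq, table_a, b"param")

    def start(self, user_no, timestamp, random, now):
        table_a = seq_cipher(self.kq, self.db[int(user_no)], b"param")   # decrypt in card
        k1 = combine_key(table_a, timestamp, random)
        password1 = seq_cipher(k1, user_no.encode(), b"user")
        password4 = seq_cipher(k1, random, b"rand")   # held back for the final comparison
        self.sessions[user_no] = (timestamp, random, password4, now + LIFECYCLE_SECONDS)
        return password1

    def finish(self, user_no, timestamp, random, password3, now):
        sess = self.sessions.pop(user_no, None)       # one-time key: cleared after use
        if sess is None or (timestamp, random) != sess[:2]:
            return False                              # parameters differ from those issued
        if now > sess[3]:
            return False                              # authentication life cycle is over
        return hmac.compare_digest(password3, sess[2])


def run_exchange(device, center, delay=0.0, tamper=False):
    """WEB server role: issue timestamp and random number and relay both legs."""
    now = time.time()
    timestamp, random = timestamp_at(now), secrets.token_bytes(RANDOM_BYTES)
    password1 = center.start(device.user_no, timestamp, random, now)
    if tamper:                                        # a fake node cannot produce password 1
        password1 = bytes(b ^ 1 for b in password1)
    password3 = device.respond(timestamp, random, password1)
    return center.finish(device.user_no, timestamp, random, password3, now + delay)
```

Two points a practitioner would check against a real deployment. First, the scheme's security rests entirely on table A staying secret in the device chip and inside the card (as ciphertext under Kq), since anyone holding A can compute K1 and every password; the client's "illegal website" check works only because a fake node cannot produce password 1 without A, and the client reveals password 3 only after that check passes. Second, the patent encrypts two different values (user number and random number) under one one-time key; with a block cipher that is harmless, but with a sequence cipher the two encryptions must not share keystream, which is why `seq_cipher` takes a tag, and which should be verified for whichever national-standard cipher is actually used. The session is popped on first use, so a replayed password 3 fails even inside the life cycle.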

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

A method of network real-name ("genuine") identification that lets the government of a country or region supervise the network. It comprises: establishing a CA authentication centre at each network node, i.e. at each web server; connecting the web server, the CA centre and the network resource or application server in series; pre-storing the user IDs and authentication parameters of all network users of the country or region in the CA servers of the CA centres; establishing an encryption authentication protocol based on a symmetric key algorithm and a combined symmetric key technique in the hardware chips of the client and the CA centre; providing identity authentication for all network users of the country or region at the CA centre of every network node; and letting each network user, holding one network authentication hardware device, log on to the resource or application servers of a network node after passing authentication by that node's CA centre.

Description

一种网络实名制的实现方法 技术领域:  A method for realizing network real name system
本发明涉及信息安全领域, 是运用计算机网络、 密码和芯片技术, 来实现网 络身份认证, 本发明适用于各国或地区政府在网络上建立实名制。 背 :  The invention relates to the field of information security, and uses computer network, password and chip technology to realize network identity authentication. The invention is applicable to national or regional governments to establish a real name system on the network. Back:
目前, 国内外能完全解决网络实名制的实用产品还没有, 一些厂商生产的基 于密码技术的网络认证产品都存在安全漏洞, 如: KEYB0RES、 RADIUS, PPP, 另 外一些厂商生产的网络认证产品安全性较高, 如: PKI/CA、 IBE, 但是, 建立成 本和维护成本都很高, 它们就象"銥星"技术一样即使技术先进, 但是, 高昂的 价格仍然被市场无情的淘汰, 总之, 现有的网络身份认证产品都不能实现规模化 认证, 都不能满足市场对网络实名制的需求。  At present, there are no practical products that can completely solve the real-name system of the network at home and abroad. Some of the cryptographic-based network authentication products produced by some manufacturers have security vulnerabilities, such as: KEYB0RES, RADIUS, PPP, and other vendors' network authentication products are more secure. High, such as: PKI/CA, IBE, however, the establishment cost and maintenance cost are very high, they are just like the "Iridium" technology, even if the technology is advanced, but the high price is still ruthlessly eliminated by the market. In short, the existing The network identity authentication products can not achieve large-scale certification, and can not meet the market demand for network real-name system.
Summary of the invention:
The method for implementing a network real-name system uses computer, network, cryptographic and chip technology to establish a CA authentication centre at each network node for identifying network users. The implementation steps are as follows. A CA authentication centre is established per network node, i.e. per network WEB server. When a user logs on to the WEB server and wants to enter the resource server or application server, the user must pass the CA centre's authentication; only a legitimate user may enter the resource or application server. On the authentication server side of each CA centre, the identifiers of all network users of the country or region, namely the user numbers and the corresponding authentication parameters, are stored in advance and an authentication parameter database is built; every user's authentication parameters are different and occupy about 1.312 K to 1.68 K bytes per person. Encryption card hardware is installed in each authentication server of each CA centre, and a set of encryption authentication protocol is stored in the encryption card's hardware chip. The WEB server distributes the user identity authentication tasks evenly among the CA centre's authentication servers according to the user number. On the client side a network authentication hardware device is provided, whose chip stores the user number, the authentication parameters, the encryption authentication protocol and the network user information; every network user holds one such device and uses it from different client machines to perform network identity authentication at the CA centre of each network node. A two-way authentication mode is used between the client and each CA centre: the WEB server generates the symmetric key selection parameters, a timestamp and a random number, and the client and the CA centre each combine these with the authentication parameters by the symmetric key generation algorithm to produce the symmetric key, so that a one-time symmetric key and a one-time authentication password are produced in every authentication process. The users' network authentication hardware devices are produced and issued by the public security department; the encryption card hardware used by the CA centres, and the user numbers and authentication parameters of all network users of the country or region, are also produced by the public security department and issued to the network node organizations. When a network user logs on to a network node and needs to enter the network resource server or network application server, the user authenticates with the network authentication hardware device at the corresponding CA centre, and the encryption authentication system passes the legitimate user on to the resource or application server of that node. The national or regional government thereby achieves real-name management of the network. The whole process is implemented by a combination of software and hardware, as follows:
1. A CA authentication centre is established at each network node to provide identification for all network users of the country or region. The three network devices of a node, the WEB server, the CA authentication centre and the resource or application server, are connected "in series": a user must be authenticated by the CA centre, and only a legitimate user can enter the resource or application server. This prevents a hacker who has taken control of the WEB server with a "Trojan" from entering the resource or application server directly.
2. A CA authentication centre consists of 1 to 30 authentication servers connected "in parallel", and each authentication server holds 1 to 8 encryption cards. The number of authentication servers and encryption cards is increased or decreased according to the node's number of users and their concurrency.
3. The network WEB server distributes the user identity authentication tasks evenly among the CA centre's authentication servers according to user concurrency, and each authentication server in turn distributes its tasks evenly among the encryption cards installed in it, allocating by the cards' hardware serial numbers. Every encryption card carries a serial number, and each serial number is different and unique.
4. The encryption card is a PCI-interface hardware device with a built-in CPU smart chip, produced centrally by the public security department. The identifiers of all network users of the country or region, the user numbers and the corresponding authentication parameters, are likewise produced centrally by the public security department. A network node organization applies to the public security department to obtain the encryption card hardware for the CA centre's authentication servers together with the user numbers and authentication parameters of all network users of the country or region.
5. A network user's user number consists of 18 to 36 decimal digits; each digit occupies 4 bits, so a user number occupies 9 to 18 bytes. Network users comprise individual users and legal-entity users. The user numbers of all network users of the country or region are assigned consecutively in numerical order; every user's number is different, unique and contiguous with the others.
6. A network user's authentication parameters are binary data generated as random noise with a random number function. Each network user has one set of authentication parameters, each user number corresponds to one set, and no two users' parameters are the same. Each user's parameters occupy 1.312 K to 1.68 K bytes and form an M×N authentication parameter table A, each element of which is 0.5 or 1 byte:
$$
A = \begin{pmatrix}
V_{0,0} & V_{0,1} & \cdots & V_{0,N-1} \\
V_{1,0} & V_{1,1} & \cdots & V_{1,N-1} \\
\vdots & \vdots & \ddots & \vdots \\
V_{M-1,0} & V_{M-1,1} & \cdots & V_{M-1,N-1}
\end{pmatrix}
$$

where the elements of table A are $V_{i,j}$, $i = 0, \dots, M-1$, $j = 0, \dots, N-1$.
7. A network authentication hardware device is provided at the client, for example a USB-interface smart card or a smart chip embedded in the resident identity card. Its chip stores the user number, the authentication parameters and the client-side encryption authentication protocol. The client-side protocol comprises a symmetric cipher (a block cipher or a stream cipher), a symmetric key generation algorithm and a comparison protocol. The comparison protocol encrypts the user number or the random number with the symmetric cipher and a symmetric key at both the client and the CA centre and compares the resulting authentication passwords to decide whether the network user is genuine. The chip also stores the network user information: for an individual user the name and address, for a legal-entity user the entity's name and address.
8. Network authentication hardware devices are produced centrally by the public security department, in the order in which users apply for them, with different authentication parameters for each user; user numbers and authentication parameters correspond one to one. If a user loses the device, the user applies to the public security department again; the department generates a new set of authentication parameters and writes it, together with the user's original user number, user information and the client-side encryption authentication protocol, into a new device, which is issued to the user.
9. The encryption card chip in each authentication server of each CA centre stores a set of encryption authentication protocol. The CA-side protocol comprises a symmetric cipher (a block cipher or a stream cipher), a fixed symmetric key Kq, a symmetric key generation algorithm and a comparison protocol; as in item 7, the comparison protocol encrypts the user number or random number at both ends and compares the resulting authentication passwords to decide whether the user is genuine. Within one CA centre, every encryption card stores the same protocol, including the same fixed key Kq; between different CA centres the stored protocols are identical except for the fixed key Kq, which differs from centre to centre.
10. Each CA centre's authentication servers store the user numbers and authentication parameters of all network users of the country or region, with the authentication parameters encrypted under the fixed symmetric key Kq held in the encryption card hardware, i.e. stored as authentication parameter ciphertext.
11. The user numbers and authentication parameters stored at every CA centre are the same, but because each centre's encryption cards hold a different fixed key Kq, the ciphertexts obtained by encrypting the same authentication parameters differ from centre to centre.
12. At each CA centre, the user numbers and authentication parameter ciphertexts of all network users of the country or region are stored in an authentication parameter database consisting of an ID number field, which holds the user number, and an authentication parameter ciphertext field. According to its number of users, a CA centre splits the database records into X shares, 1 ≤ X ≤ 30, stores each share on one of X authentication servers, and keeps the records in order of user number.
13. The ID number field of the authentication parameter database is defined as a numeric type and a "clustered" index is built on it; each ID number corresponds to one authentication parameter ciphertext. The CA centre can then address the record holding a user number and its authentication parameter ciphertext directly, without searching the database, which greatly improves authentication efficiency.
14. The symmetric key length is 128 bits in accordance with national regulations, and the symmetric cipher is SSF33, SCB2 or SMS33 as prescribed nationally.
15. A symmetric key generation algorithm is established. It uses the symmetric key selection parameters, the timestamp and the random number, to select entries from authentication parameter table A and combines the selected authentication parameters into a symmetric key K. The method is as follows:
(1) The timestamp consists of 8 or 10 digits: the "year" is 4 digits, of which the ten years XXX0 to XXX9 are distinguished; the "month" is 2 digits (1 to 12); the "day" is 2 digits (1 to 31); the "hour" is 2 digits (0 to 23). For example, 2007101819 denotes 19:00 on 18 October 2007. With an 8-digit timestamp M = 82; with a 10-digit timestamp M = 105. The random number consists of N groups of bits and is 64 or 160 bits long, each group being 4 or 5 bits: a 64-bit random number is split into groups of 4 bits, giving 16 groups (N = 16); a 160-bit random number is split into groups of 5 bits, giving 32 groups (N = 32);
(2) 1312 to 1680 authentication parameters form the M-row, N-column table A, with M = 82 or 105 and N = 16 or 32. When the timestamp has 10 digits (year, month, day, hour), M = 105: the "year" corresponds to rows 1 to 10 of table A (10 rows), the "month" to rows 11 to 22 (12 rows), the "day" to rows 23 to 53 (31 rows) and the "hour" to rows 54 to 77 (24 rows), leaving 28 rows of table A that correspond to no timestamp field. When the timestamp has 8 digits (year, month, day), M = 82: the "year" corresponds to rows 1 to 10, the "month" to rows 11 to 22 and the "day" to rows 23 to 53, leaving 29 rows that correspond to no timestamp field;
(3) The total number of authentication parameters in table A is Σ = M×N. For M = 82, N = 16, the elements of A are 1 byte, Σ = 1312 entries occupying 1312 bytes; for M = 105, N = 16, the elements are 1 byte, Σ = 1680 entries occupying 1680 bytes; for M = 82, N = 32, the elements are 0.5 byte, Σ = 2624 entries occupying 1312 bytes; for M = 105, N = 32, the elements are 0.5 byte, Σ = 3360 entries occupying 1680 bytes;
(4) Rows of table A are selected according to the timestamp, as follows. From rows 1 to 10, one row is taken using the units digit of the "year": for timestamp 2009XXXXXX, row 9 is taken. From rows 11 to 22, one row is taken using the value of the "month": for timestamp 20XX11XXXX, row 21 is taken. From rows 23 to 53, one row is taken using the value of the "day": for timestamp 20XXXX30XX, row 52 is taken. From rows 54 to 77, one row is taken using the value of the "hour": for timestamp 20XXXXXX21, row 74 is taken. Finally rows 78 to M of table A, that is M−78+1 rows, are all taken, giving 32 rows in total;
(5) Having selected the 32 rows of table A by the timestamp, call them Q1, Q2, …, Q32. A column is then selected from each of these rows by the random number, and the elements of table A at the row/column intersections are the selected authentication parameters. When the random number is 64 bits, it is taken in groups of 4 bits, 16 groups in all (N = 16); the binary values of these 16 groups (0 to 15), denoted L1, L2, …, L16, select the "columns" of table A: L1 selects column L1 of row Q1, L2 selects column L2 of row Q2, …, L16 selects column L16 of row Q16, giving 16 authentication parameters; then L1 selects column L1 of row Q17, L2 selects column L2 of row Q18, …, L16 selects column L16 of row Q32, giving another 16 authentication parameters; the two parts are combined into 32 authentication parameters. When the random number is 160 bits, it is taken in groups of 5 bits, 32 groups in all (N = 32); the binary values of these 32 groups (0 to 31), denoted L1, L2, …, L32, select the "columns" of table A: L1 selects column L1 of Q1, L2 selects column L2 of Q2, …, L32 selects column L32 of Q32, giving N = 32 authentication parameters;
(6) The 32 authentication parameters selected from table A are concatenated into KK. If each parameter is 8 bits, KK is 256 bits; it is folded in half and the two halves are added modulo 2 (XORed) to give 128 bits. If each parameter is 4 bits, KK is 128 bits and is left unchanged. KK is then XORed bit for bit with the random number to produce the symmetric key K: when the random number is 64 bits, it is taken twice and concatenated head to tail into 128 bits before being XORed with KK; when it is 160 bits, its first 128 bits are XORed with KK to produce K.
16. The symmetric key is obtained by selecting from authentication parameter table A with a timestamp and a random number that change on every occasion, and by computing with that ever-changing random number, so the symmetric key changes on every use: each authentication process uses one symmetric key, which is cleared after use and never reused. The key produced by this combination is temporary (a temporary symmetric key), so symmetric key updates need no manual maintenance; at the same time, because the random number or user number is encrypted under a different key each time, the resulting authentication password also changes every time.
17. An encryption authentication protocol is established that uses two-way authentication between the client and the CA centre, authenticating both ends. The concrete process is as follows:
(1) The client issues an authentication request and sends the user number to the network WEB server. The WEB server generates a timestamp and a random number and assigns the authentication task to an authentication server of the CA centre according to the user number. That server selects the authentication parameter ciphertext for the user number and feeds it, together with the timestamp and random number, into the encryption card chip. Inside the chip, the CA-side encryption authentication protocol decrypts the authentication parameter ciphertext with the fixed symmetric key Kq, generates a symmetric key K1 with the symmetric key generation algorithm, encrypts the user number under K1 to produce authentication password 1, which is sent to the client together with the timestamp and random number, and encrypts the random number under K1 to produce authentication password 4. At the same time the WEB server starts the authentication lifetime T;
(2) In the chip of the client's network authentication hardware device, the symmetric key generation algorithm of the client-side encryption authentication protocol derives a symmetric key K2 from the received timestamp and random number, encrypts the user number under K2 to produce authentication password 2, and compares authentication password 1 with authentication password 2. If they differ, the network node is an illegitimate website; if they match, the one-way authentication of the node has succeeded. The chip then encrypts the random number under K2 to produce authentication password 3 and sends the user number, timestamp, random number, authentication password 3, and the name (or legal entity name) and address to the authentication server side;
(3) When the network WEB server receives the client's message, it first checks that the user number, timestamp and random number match those it issued, and then checks whether the authentication lifetime T has expired. If both checks pass, authentication password 3 is fed into the encryption card chip of the corresponding CA authentication server, where the comparison protocol compares authentication password 3 with authentication password 4 to establish the user's identity. A legitimate user is passed on to the network resource or application server, where an authentication log is kept recording the user's details: for an individual user the user number, login time, name and address; for a legal-entity user the user number, login time, entity name and address.
18. An authentication lifetime T of 10 to 30 seconds is set on the WEB server. If the two-way authentication process exceeds T, the authentication process is aborted and the WEB server reports an authentication failure, preventing a hacker from attacking the encryption authentication system with a "replay".
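The key generation of items 15 and 16 and the two-way exchange of items 17 and 18, as an added example in Python; this is editor's code, not the patent's or the applicant's, and it deliberately covers both timestamp formats (8 and 10 digits) and both random-number sizes (64 and 160 bits) that the text describes separately. Assumptions: the national ciphers SSF33, SCB2 and SMS33 are replaced by a 128-bit truncated HMAC-SHA256 as the "encrypt under K" operation; the CA side holds table A in the clear instead of decrypting it under Kq inside an encryption card; the year digit 0 maps to row 10; and hour h maps to row 54+h so that all 24 hour rows are reachable (the patent's own figure, hour 21 → row 74, uses 53+h, which leaves row 77 unreachable). Both ends run in one process, so the patent's echo check of user number, timestamp and random number is represented only by a comment.

```python
# Added example (not the patent's own code): combined symmetric key generation
# (items 15/16) and the two-way authentication with lifetime T (items 17/18).
from __future__ import annotations
import hashlib
import hmac
import secrets
import time

M_FOR_10_DIGITS = 105   # year(10) + month(12) + day(31) + hour(24) + 28 spare rows
M_FOR_8_DIGITS = 82     # year(10) + month(12) + day(31) + 29 spare rows


def make_table_a(m: int, n: int, elem_bits: int = 8) -> list[list[int]]:
    """Per-user M x N table A of random 4- or 8-bit elements (item 6), produced
    once at enrolment and shared by the user's token and every CA centre."""
    return [[secrets.randbelow(1 << elem_bits) for _ in range(n)] for _ in range(m)]


def select_rows(table: list[list[int]], ts: str) -> list[list[int]]:
    """Step (4): pick 32 rows Q1..Q32 of A from the timestamp YYYYMMDD[HH].
    1-based rows: year units digit -> 1..10, month -> 11..22, day -> 23..53,
    hour -> 54..77 (10-digit stamps only); every spare row is taken as well.
    Assumptions: year digit 0 -> row 10; hour h -> row 54+h."""
    if len(ts) not in (8, 10) or not ts.isdigit():
        raise ValueError("timestamp must be YYYYMMDD or YYYYMMDDHH")
    if len(table) != (M_FOR_10_DIGITS if len(ts) == 10 else M_FOR_8_DIGITS):
        raise ValueError("table height does not match the timestamp format")
    year_digit, month, day = int(ts[3]), int(ts[4:6]), int(ts[6:8])
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("month or day out of range")
    rows = [year_digit or 10, 10 + month, 22 + day]
    if len(ts) == 10:
        hour = int(ts[8:10])
        if hour > 23:
            raise ValueError("hour out of range")
        rows.append(54 + hour)
        rows += range(78, len(table) + 1)      # the 28 spare rows
    else:
        rows += range(54, len(table) + 1)      # the 29 spare rows
    assert len(rows) == 32
    return [table[r - 1] for r in rows]        # back to 0-based indexing


def select_elements(q_rows: list[list[int]], rnd: bytes) -> list[int]:
    """Step (5): cut the random number into N groups L1..LN of 4 bits (64-bit R,
    N=16) or 5 bits (160-bit R, N=32); Li picks the column of row Qi, and with
    N=16 the same groups are reused for Q17..Q32."""
    width, n = {8: (4, 16), 20: (5, 32)}[len(rnd)]
    if len(q_rows[0]) != n:
        raise ValueError("table width N does not match the random number length")
    r, total = int.from_bytes(rnd, "big"), len(rnd) * 8
    cols = [(r >> (total - width * (i + 1))) & ((1 << width) - 1) for i in range(n)]
    return [q_rows[i][cols[i % n]] for i in range(32)]


def derive_key(table: list[list[int]], ts: str, rnd: bytes, elem_bits: int = 8) -> bytes:
    """Step (6): concatenate the 32 selected elements into KK (256 or 128 bits),
    fold 256 -> 128 by XORing the halves, then XOR with the random number
    (a 64-bit R repeated twice, a 160-bit R cut to its first 128 bits)."""
    kk = 0
    for e in select_elements(select_rows(table, ts), rnd):
        kk = (kk << elem_bits) | e
    if elem_bits == 8:
        kk = (kk >> 128) ^ (kk & ((1 << 128) - 1))
    r128 = int.from_bytes(rnd * 2 if len(rnd) == 8 else rnd[:16], "big")
    return (kk ^ r128).to_bytes(16, "big")


def auth_password(key: bytes, data: bytes) -> bytes:
    """Stand-in (assumption) for 'encrypt data under K' with SSF33/SCB2/SMS33:
    a 128-bit truncated HMAC-SHA256 plays the one-time authentication password."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def mutual_auth(user_no: str, ca_table, token_table, ts: str, rnd: bytes,
                ttl: float = 10.0, clock=time.monotonic) -> str:
    """Item 17 with both ends in one process: ca_table is what the CA centre
    holds (really decrypted under Kq inside the card; here in the clear),
    token_table is what the user's hardware device holds."""
    started = clock()                                    # lifetime T starts (item 18)
    k1 = derive_key(ca_table, ts, rnd)                   # (1) CA side
    pw1 = auth_password(k1, user_no.encode())            # sent to client with ts, rnd
    pw4 = auth_password(k1, rnd)                         # kept for step (3)
    k2 = derive_key(token_table, ts, rnd)                # (2) token side
    if not hmac.compare_digest(auth_password(k2, user_no.encode()), pw1):
        return "client rejected server"                  # node could not prove it holds A
    pw3 = auth_password(k2, rnd)                         # returned with user_no, ts, rnd
    # (3) WEB server: the echoed user_no/ts/rnd must equal the issued ones (same
    # variables here), then lifetime T, then the card compares pw3 with pw4.
    if clock() - started > ttl:
        return "expired"
    if not hmac.compare_digest(pw3, pw4):
        return "server rejected user"
    return "ok"


if __name__ == "__main__":
    table = make_table_a(M_FOR_10_DIGITS, 16)            # constructed sample user
    print(mutual_auth("123456789012345678", table, table, "2007101819", secrets.token_bytes(8)))
```

Note that the lifetime T only bounds how long one exchange may take; within that window, replay of a captured password 3 is defeated by the random number, so the WEB server must never issue the same random number twice for a user. Feeding a second, independently generated table as `token_table` models a lost or forged device: the client-side comparison of passwords 1 and 2 fails first, which is the patent's "illegitimate website" branch seen from the token's point of view.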
19. A chip-level authentication system is built at both the authentication server and the client: the encryption authentication protocol is stored and executed inside hardware chips. At the client, the storage and execution of the symmetric cipher, the symmetric key generation algorithm, the authentication parameters and the comparison protocol are protected by the chip of the network authentication hardware device; at the CA centre, the storage and execution of the symmetric cipher, the symmetric key generation algorithm, the fixed symmetric key Kq and the comparison protocol are protected by the encryption card chip. Moreover, the authentication parameters of all network users of the country or region are stored as ciphertext, protected by the encryption system in the encryption card chip. This greatly raises the security level of the invention's encryption authentication protocol, unlike encryption authentication protocols based on asymmetric cryptography such as PKI, where the CA keeps all users' public keys and certificates in the authentication server's database, which a hacker can tamper with using a "Trojan" to mount an "impersonation" attack.
20. Through the user's authentication process the network node obtains the user's real name and detailed personal information, and at the same time the authenticity of the network node is confirmed, so that the real-name system holds at both the client and the network node.
21. The CA centre's authentication server and the client each generate a symmetric key at the same time and use it to encrypt two different parameters, completing the two-way authentication; this both keeps the encryption system secure and saves time.
22. The encryption authentication protocol does away with the certificates that current mainstream authentication protocols such as PKI use as the identifier of a network user. This invention uses the user number as the user's identifier to direct the encryption system to the correct authentication parameters, encrypts the user number and the temporarily generated random number to produce authentication passwords, and identifies the user by comparing authentication passwords. This reduces the complexity of the encryption authentication system, lowers the resources it consumes at the CA centre and raises authentication speed.

23. An encryption authentication protocol built on a symmetric cipher and a combined symmetric key technique consumes few CA centre resources, runs fast and is cheap to build. A CA centre built for RMB 42,000, namely two authentication servers at RMB 13,000 each and four encryption cards at RMB 4,000 each (RMB 42,000 in total), can hold the identifiers and authentication parameters of 300 million network users, about 393.6 GB to 504 GB, in its authentication servers, i.e. register 300 million network users, and can authenticate 2000 network users concurrently. This greatly improves authentication efficiency and realizes a low-cost CA centre at a network node, solving the worldwide problem of scaling network identity authentication.
24. All network users of a country or region use their own network authentication hardware devices and can authenticate on every network node in that country or region, i.e. a network user can authenticate and log in at every network node with a single network authentication hardware device of their own, implementing the network real-name system. The network users authenticating at the CA authentication center of any given network node are random and not fixed, but they are all network users of that country or region.
25. The public security department is responsible for updating the data of each network node's CA authentication center: it creates the user numbers and authentication parameters of new network users, encrypts the authentication parameters of all network users of the country or region, new and old, with the set of fixed symmetric keys Kq in the corresponding encryption card hardware to produce the authentication parameter ciphertext, and sends this together with the corresponding user numbers to the authentication servers of the corresponding CA authentication center; alternatively it places the user numbers and the authentication parameter ciphertext on the public security department's website, from which the corresponding network node organisation downloads them after an authenticated secure login.
26. Each network node's CA authentication center replaces the content of the original authentication parameter database on its authentication servers with the received updated user numbers and authentication parameter ciphertext, and rebuilds the "clustered" index on the ID number field, completing the routine maintenance of the network user data update for each CA authentication center.
BRIEF DESCRIPTION OF THE DRAWINGS:
Figure 1: Topology of a CA authentication center built at a network node
Figure 2: Flowchart of the application for and production of the client-side network authentication hardware device of the network real-name system
Figure 3: Flowchart of the establishment of the CA authentication center of the network real-name system
BEST MODE FOR CARRYING OUT THE INVENTION: The implementation steps of the network real-name system are described below with reference to the drawings:
Figure 1 shows the architecture of the network real-name system with a CA authentication center built at a network node. On the client side each network user has one network authentication hardware device, which is inserted into the client machine; the user logs in to the network node's WEB server over the Internet, and the WEB server hands the network identity authentication task to the CA authentication center. Only legitimate users who pass authentication at the CA authentication center can reach the resource or application servers at the network node. The WEB server, the CA authentication center and the resource or application servers are connected in series. The CA authentication center consists of 1 to K (K ≤ 30) authentication servers, each fitted with several (1 to 8) encryption cards; the resource or application servers at the network node likewise number 1 to M (M ≤ 10). The WEB server has a network domain name; none of the CA authentication center's authentication servers and none of the resource or application servers has a network domain name.
Figure 2 shows the process of applying for and producing the client-side network authentication hardware device of the network real-name system. A network user (an individual or a legal entity) applies to the public security department for a network authentication hardware device, and the department produces the devices in the order in which the applications are received. First the user numbers of the network users are generated in ascending order; then a random number function generates 1.312 K to 1.68 K bytes of authentication parameters per user, in one-to-one correspondence with the network user information. The generated user number, the authentication parameters and the network user information (name or legal entity name, and address) are written into the chip of the network authentication hardware device, the client-side encryption authentication protocol is written into the chip as well, and the finished device is issued to the network user. If a network user loses the device, the user applies again: the public security department regenerates the authentication parameters for that user number, keeps the user number, the network user information and the client-side encryption authentication protocol unchanged, writes the user number, the network user information, the client-side encryption authentication protocol and the regenerated authentication parameters into a new network authentication hardware device, and issues it to the network user.
Figure 3 shows the process of establishing the CA authentication center of the network real-name system. The network node organisation applies to the public security department for the encryption cards, user numbers and authentication parameters needed to build a CA authentication center. The department produces one or more encryption cards according to the applicant's requirements and writes the CA-center-side encryption authentication protocol into the chip of each card; if several cards are requested, the same protocol is written into each card's chip. It then uses the set of fixed symmetric keys Kq contained in the protocol on the card chips to encrypt the authentication parameters of all registered network users of the country or region into ciphertext, builds an authentication parameter database from the ciphertext and the corresponding user numbers, and sends the database and the encryption cards to the network node organisation. Having received the cards and the user numbers and authentication parameters of all network users of the country or region, the organisation sets up the CA authentication center between the WEB server and the resource or application servers of its network node. If the CA authentication center consists of X authentication servers, where 1 ≤ X ≤ 30, the number of records in the authentication parameter database is divided by X, i.e. the records are split into X parts stored on the X authentication servers respectively, and a "clustered" index is built on the numeric ID field of the database. Each time the CA authentication center's network user data is updated, the public security department takes the updated authentication parameters together with those of all the original network users of the country or region, encrypts them all into ciphertext with the set of fixed symmetric keys Kq in that CA authentication center's encryption cards, builds an authentication parameter database with the corresponding user numbers and sends it to the network node organisation, which replaces the original records with the new records and rebuilds the "clustered" index on the numeric ID field.

Claims

1. A method of implementing a network real-name system, which uses computer, network, cryptographic and chip technology to establish a CA authentication center at each network node, i.e. at each network WEB server. When a user logs in to the WEB server and wishes to access a resource server or application server, the user must be authenticated by the CA authentication center; only legitimate users are admitted to the resource server or application server. On the authentication servers of each CA authentication center, the identifiers of all network users of the country or region, i.e. their user numbers, and the corresponding authentication parameters are stored in advance and an authentication parameter database is built; every network user's authentication parameters are different and occupy about 1.312 K to 1.68 K bytes of storage per person. Each authentication server of each CA authentication center is fitted with encryption card hardware, and a set of encryption authentication protocols is stored in the chip of each card. The WEB server distributes the network user identity authentication tasks evenly among the CA authentication center's authentication servers according to the user number. On the client side a network authentication hardware device is provided whose chip holds the user number, the authentication parameters, the encryption authentication protocol and the network user information; each network user has one such device and performs network identity authentication at the CA authentication center of any network node through different client machines. A two-way authentication mode is used between the client and each CA authentication center: the WEB server generates the symmetric key selection parameters, a timestamp and a random number, and both the client and the CA authentication center combine the symmetric key selection parameters with the authentication parameters in a symmetric key generation algorithm to generate a symmetric key, producing a one-time symmetric key and authentication password in each authentication run. The network users' network authentication hardware devices are produced and issued by the public security department; the encryption cards used by the CA authentication center and the user numbers and authentication parameters of all network users of the country or region are likewise produced by the public security department and issued to the network node organisation. When a network user logs in to a network node and needs to access a network resource server or network application server, the user authenticates at the corresponding CA authentication center with the network authentication hardware device, and the encryption authentication system admits legitimate users to the resource server or application server at the network node, so that the government of the country or region can administer the network under a real-name system.
2. The method according to claim 1, characterized in that:
(1) the network WEB server, the CA authentication center's group of authentication servers and the resource or application servers are connected "in series"; a user must be authenticated by the CA authentication center and only legitimate users reach the resource or application servers, which prevents a hacker who controls the WEB server with a "trojan" from entering the resource or application servers directly;
(2) the authentication servers of the CA authentication center are connected "in parallel", and their number is increased or reduced according to the number of users and the number of concurrent users at the network node; the network WEB server distributes the user identity authentication tasks evenly among the CA authentication center's authentication servers according to the concurrent load, and each authentication server in turn distributes its tasks evenly among the encryption cards fitted in it, allocating the workload according to the encryption cards' hardware serial numbers.
3. The method according to claims 1 and 2, characterized in that:
(1) on the client side, network users use smart-chip-based network authentication hardware devices produced uniformly by the public security department, such as a USB smart card or a smart chip embedded in the resident identity card; a network user obtains the device by applying to the public security department; the chip of the device stores the user's user number, authentication parameters and network user information and a set of client-side encryption authentication protocols, which comprises a symmetric cipher algorithm (a block cipher or a stream cipher), a symmetric key generation algorithm and a comparison protocol; if an individual network user loses the device, the user applies again to the public security department, which regenerates the authentication parameters and writes them, together with the user's original user number, network user information and client-side encryption authentication protocol, into a new network authentication hardware device that is issued to the network user;
(2) each authentication server of the CA authentication center is fitted with PCI hard cards containing an embedded CPU smart chip, produced uniformly by the public security department, 1 to 8 encryption cards per authentication server; the network node organisation obtains the encryption cards for the CA authentication center's authentication servers and the user numbers and authentication parameters of all network users of the country or region by applying to the public security department; the chip of each encryption card stores a set of CA-center-side encryption authentication protocols comprising a symmetric cipher algorithm (a block cipher or a stream cipher), a symmetric key generation algorithm, a set of fixed symmetric keys Kq and a comparison protocol;
(3) each CA authentication center's authentication servers store the user numbers and authentication parameter ciphertext of all network users of the country or region, i.e. the authentication parameters of all network users of the country or region are each encrypted into ciphertext with the set of fixed symmetric keys stored in the encryption card hardware and stored as authentication parameter ciphertext;
(4) the symmetric cipher algorithm, symmetric key generation algorithm and comparison protocol stored in the encryption cards of all CA authentication centers' authentication servers are the same; only the set of fixed symmetric keys Kq differs. Within one CA authentication center all encryption cards hold the same set of fixed symmetric keys Kq, and the user numbers and authentication parameters of all network users of the country or region stored in every CA authentication center's authentication servers are the same, but because each CA authentication center's encryption cards hold a different set of fixed symmetric keys Kq, the authentication parameter ciphertext produced by encrypting the same authentication parameters differs from one CA authentication center to another.
4. The method according to claims 1, 2 and 3, characterized in that a fast selection method for user numbers and authentication parameters is established at each CA authentication center: the authentication parameters of all network users of the country or region are stored in an authentication parameter database consisting of an ID number field and an authentication parameter ciphertext field, the ID number field holding the user number; depending on the number of users, each CA authentication center stores the records of the authentication parameter database on 1 to 30 authentication servers, in order of user number; the ID number field is defined as a numeric type and a "clustered" index is built on it; each ID number field corresponds to one authentication parameter ciphertext field; the CA authentication center's encryption authentication protocol uses the user number to locate directly the authentication parameter ciphertext of the record for that user number, so the ciphertext to be selected is found quickly without searching the database, which greatly increases authentication speed.
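The record layout described for Figure 3 and in claim 4 (records split into X shares in user-number order, a clustered index on the numeric ID field, lookup by user number without a search, and the task dispatch of claim 2) can be modelled with SQLite, whose INTEGER PRIMARY KEY plays the role of the clustered index. The following is an added example, not the patent's own implementation: the user count, server count and card serial numbers are constructed, the stored "ciphertext" is random bytes standing in for the Kq-encrypted parameters, and allocating a card by round-robin over sorted serial numbers is an assumption about the serial-number-based allocation the claim mentions.

```python
import secrets
import sqlite3

# Constructed sample figures, not from the patent: 12 registered users split
# across X = 3 authentication servers, each fitted with 2 encryption cards
# whose serial numbers are likewise made up.
NUM_USERS = 12
NUM_SERVERS = 3
CARD_SERIALS = (1001, 1002)


def fake_param_ciphertext() -> bytes:
    """Stand-in for one user's authentication parameters after encryption with
    the card's fixed key Kq: 1312..1680 random bytes, the patent's 1.312 K to
    1.68 K per user. A deployment would store the real Kq ciphertext here."""
    return secrets.token_bytes(1312 + secrets.randbelow(1680 - 1312 + 1))


class CaCenter:
    """Authentication parameter database of one CA center, split across X servers."""

    def __init__(self, records: dict, num_servers: int, card_serials) -> None:
        self.cards = sorted(card_serials)
        self.shards = []
        for _ in range(num_servers):
            conn = sqlite3.connect(":memory:")
            # INTEGER PRIMARY KEY makes id the table's rowid: SQLite keeps the
            # rows physically ordered by it and fetches a row by direct key
            # access, which is what the patent's "clustered" index on the
            # numeric ID field provides.
            conn.execute("CREATE TABLE auth_params "
                         "(id INTEGER PRIMARY KEY, ciphertext BLOB NOT NULL)")
            self.shards.append(conn)
        self.per_server = 1
        self.load(records)

    def load(self, records: dict) -> None:
        """Replace every shard's content with a new user_no -> ciphertext set,
        as the routine update from the public security department does.
        User numbers are assumed to run contiguously from 1."""
        self.per_server = max(1, -(-len(records) // len(self.shards)))  # ceil(records / X)
        for conn in self.shards:
            conn.execute("DELETE FROM auth_params")
        for user_no, ct in records.items():
            self.shards[self.server_index(user_no)].execute(
                "INSERT INTO auth_params (id, ciphertext) VALUES (?, ?)", (user_no, ct))
        for conn in self.shards:
            conn.commit()

    def server_index(self, user_no: int) -> int:
        """Records are stored in user-number order, so the WEB server can pick
        the authentication server from the user number alone."""
        return (user_no - 1) // self.per_server

    def card_serial(self, user_no: int) -> int:
        """Card inside that server that takes the job. The patent allocates by
        card serial number; round-robin over the sorted serials is an assumption."""
        return self.cards[(user_no - 1) % len(self.cards)]

    def locate(self, user_no: int):
        """Fetch the parameter ciphertext by key; returns None for unknown numbers."""
        if user_no < 1 or self.server_index(user_no) >= len(self.shards):
            return None
        row = self.shards[self.server_index(user_no)].execute(
            "SELECT ciphertext FROM auth_params WHERE id = ?", (user_no,)).fetchone()
        return None if row is None else row[0]

    def query_plan(self) -> str:
        """SQLite's own description of the lookup: a key search, not a table scan."""
        rows = self.shards[0].execute(
            "EXPLAIN QUERY PLAN SELECT ciphertext FROM auth_params WHERE id = ?", (1,))
        return " ".join(str(r[-1]) for r in rows)


if __name__ == "__main__":
    center = CaCenter({u: fake_param_ciphertext() for u in range(1, NUM_USERS + 1)},
                      NUM_SERVERS, CARD_SERIALS)
    for u in (1, 5, 12):
        print(u, "-> server", center.server_index(u), "card", center.card_serial(u),
              len(center.locate(u)), "bytes")
    print(center.query_plan())
```

The query plan reported by SQLite names the INTEGER PRIMARY KEY lookup, which is the "no search of the database" property the claim relies on; `load()` recomputes the per-server share and redistributes all records, mirroring the replacement of the whole database at each update rather than an incremental patch.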
5. The method according to claims 1, 3 and 4, characterized in that:
(1) the public security department is responsible for updating the information and authentication parameters of the network users of each network node's CA authentication center: it encrypts the authentication parameters of the network users who have newly applied for network authentication hardware devices together with those of all existing network users of the country or region with the set of fixed symmetric keys Kq in the corresponding encryption cards, producing the authentication parameter ciphertext, and sends it together with the corresponding user numbers to the authentication servers of the corresponding CA authentication center, or places the user numbers and the authentication parameter ciphertext on its website, from which the corresponding network node organisation downloads them after an authenticated secure login;
(2) each network node's CA authentication center replaces the content of the original authentication parameter database with the newly updated user numbers and authentication parameter ciphertext it receives and rebuilds the "clustered" index on the ID number field, completing the routine data maintenance for newly added network users.
6. The method according to claims 1, 2, 3, 4 and 5, characterized in that:
(1) the client sends an authentication request with its user number to the network WEB server; the WEB server generates a timestamp and a random number and assigns the authentication task to one of the CA authentication center's authentication servers according to the user number; that server selects the corresponding authentication parameter ciphertext by the user number and feeds it, together with the user number, the timestamp and the random number, into the chip of its encryption card; inside the chip the authentication parameter ciphertext is decrypted with the fixed symmetric key Kq, a symmetric key K1 is generated by the symmetric key generation algorithm, the user number is encrypted with K1 to produce authentication password 1, which is sent to the client together with the timestamp and the random number, and the random number is encrypted with K1 to produce authentication password 4; at the same time the network WEB server starts the authentication lifetime T;
(2) in the chip of the client's network authentication hardware device, the symmetric key generation algorithm generates a symmetric key K2 from the received timestamp and random number, the user number is encrypted with K2 to produce authentication password 2, and authentication password 1 is compared with authentication password 2; if they differ, the network node is an illegitimate website; if they are the same, the one-way authentication has passed, the random number is encrypted with K2 to produce authentication password 3, and the user number, the timestamp, the random number, authentication password 3, the name or legal entity name and the address are sent to the authentication server side;
(3) when the network WEB server receives the information from the client, it first checks whether the user number, timestamp and random number held by the client and by the WEB server are the same, and then whether the authentication lifetime T has expired; if both checks pass, authentication password 3 is fed into the chip of the encryption card of the corresponding CA authentication center authentication server, where the authentication protocol compares authentication password 3 with authentication password 4 to determine the user's identity; a legitimate user is admitted to the network resource or application server, and an authentication log entry is created there recording the user's user number, login time, name or legal entity name and address.
7. The method according to claims 1, 3, 4 and 6, characterized in that:
(1) a chip-level authentication system is established at both ends, the authentication server and the client, i.e. the encryption authentication protocol is stored and run in a hardware chip: on the client side the storage and execution of the symmetric cipher algorithm, symmetric key generation algorithm, authentication parameters and comparison protocol are protected by the chip of the network authentication hardware device, and on the CA authentication center's authentication server side the storage and execution of the symmetric cipher algorithm, symmetric key generation algorithm, set of fixed symmetric keys Kq and comparison protocol are protected by the chip of the encryption card; in addition, the authentication parameters of all network users of the country or region are stored as ciphertext, which greatly raises the security level of the encryption authentication protocol of the invention, unlike encryption authentication protocols based on asymmetric cipher algorithms such as PKI, where the CA center keeps the asymmetric cipher algorithm, public keys and certificates on the authentication server's hard disk, so that a hacker can use a "trojan" to tamper with the public keys and certificates and mount an "impersonation" attack;
(2) an encryption authentication protocol built on a symmetric cipher algorithm and combined symmetric key technology occupies few CA authentication center resources, runs fast and is cheap to build: a CA authentication center built for RMB 42,000, consisting of two authentication servers at RMB 13,000 each and four encryption cards at RMB 4,000 each (RMB 42,000 in total), can provide network authentication registration for 300 million network users and authenticate 2000 network users concurrently, which greatly increases authentication efficiency, makes it possible to build a low-cost CA authentication center at a network node and solves the worldwide problem of scaling network identity authentication.
8. The method according to claims 1, 2 and 6, characterized in that:
(1) through the network user's authentication process the network node obtains the user's real name or organisation name and address, while at the same time the authenticity of the network node is confirmed, achieving a real-name system at both ends, client and network node;
(2) the CA authentication center's authentication server and the client each generate a set of symmetric keys and use them to encrypt two different sets of parameters, completing two-way authentication, which both keeps the encryption system secure and saves time;
(3) in the encryption authentication protocol, the certificate used by current mainstream authentication protocols such as PKI is no longer used as the identifier of the network user; the invention uses the user number as the identifier, to guide the encryption system in selecting the correct authentication parameters and combining them into a symmetric key, encrypts the user number and the temporarily generated random number to produce authentication passwords, and determines the network user's identity by comparing the authentication passwords, which reduces the complexity of the encryption authentication protocol and increases authentication efficiency.
9. The method according to claims 1, 2, 3 and 6, characterized in that:
(1) all network users of a country or region use their own network authentication hardware devices and can authenticate on every network node in that country or region, i.e. a user can authenticate and log in at every network node with a single network authentication hardware device of their own, implementing the network real-name system;
(2) the network users authenticating at the CA authentication center of any given network node are random and not fixed, but they are all network users of that country or region.
10、 根据权利要求 1、 3、 4和 6的方法, 其特征在于:  10. A method according to claims 1, 3, 4 and 6, characterized in that:
( 1) 对称密钥由对称密钥生成算法组合生成, 即: 对称密钥是根据时间戳 和随机数,对认证参数表 A进行控制选取, 将选出的认证参数元素合并再与随机 数模二加后生成; (1) The symmetric key is generated by a combination of symmetric key generation algorithms, that is, the symmetric key is based on the timestamp and the random number, and the authentication parameter table A is controlled and selected, and the selected authentication parameter elements are combined with the random number model. Generated after two additions;
( 2 ) 对称密钥是通过一次一变的时间戳和随机数对认证参数表 A进行选取, 并通过与一次一变的随机数计算生成, 达到对称密钥一次一变, 即: 每次认证进 程使用一组对称密钥, 使用后就清除, 不重复使用, 该组合生成的对称密钥具有 临时性——临时对称密钥, 实现对称密钥更新免人工维护, 同时, 用一次一变的 对称密钥加密随机数或用户号, 生成的认证口令也一次一变。  (2) The symmetric key selects the authentication parameter table A by using a time-varying time-stamp and a random number, and generates and converts the symmetric key by one-time variable random number, that is, each authentication The process uses a set of symmetric keys, which are cleared after use and are not reused. The symmetric key generated by the combination has a temporary-temporary symmetric key, which realizes symmetric key update without manual maintenance. At the same time, it uses one change. The symmetric key encrypts the random number or the user number, and the generated authentication password also changes once.
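A runnable model of the key construction in claim 10 and the password comparison in point (3) above, added here as an illustration and not the patent's own code. Assumed details the claims leave open: table A holds 16 constructed 16-byte elements, a SHA-256 digest of timestamp and random number picks four element indices, and HMAC-SHA256 stands in for the unspecified symmetric cipher used to produce the authentication password.

```python
import hashlib
import hmac
import secrets

def build_table_a(n=16, seed=b"constructed-seed"):
    # Constructed authentication parameter table A, shared by server and client.
    # A deterministic seed keeps the demo reproducible; real tables would be secret.
    return [hashlib.sha256(seed + bytes([i])).digest()[:16] for i in range(n)]

def select_elements(table, timestamp, nonce, count=4):
    # Timestamp and random number control which elements are selected (assumed rule:
    # successive digest bytes reduced modulo the table size give the indices).
    digest = hashlib.sha256(timestamp.to_bytes(8, "big") + nonce).digest()
    return [table[digest[i] % len(table)] for i in range(count)]

def derive_temp_key(table, timestamp, nonce):
    # Concatenate the selected elements, then add modulo 2 (XOR) with the random
    # number, repeated to the key length. A fresh nonce yields a fresh key.
    joined = b"".join(select_elements(table, timestamp, nonce))
    stretched = (nonce * (len(joined) // len(nonce) + 1))[: len(joined)]
    return bytes(a ^ b for a, b in zip(joined, stretched))

def auth_password(key, user_number, nonce):
    # "Encrypt" user number + random number under the temporary key; HMAC-SHA256
    # is an assumed stand-in for the cipher the claims do not name.
    return hmac.new(key, user_number.encode() + nonce, hashlib.sha256).digest()

def authenticate(server_table, client_table, user_number, timestamp, nonce):
    # Both sides derive the temporary key independently from their own copy of
    # table A and compare authentication passwords in constant time.
    client_pw = auth_password(derive_temp_key(client_table, timestamp, nonce),
                              user_number, nonce)
    server_pw = auth_password(derive_temp_key(server_table, timestamp, nonce),
                              user_number, nonce)
    return hmac.compare_digest(client_pw, server_pw)

def run_demo(user_number="U0001", timestamp=1_200_000_000):
    # One session with a fresh random number; returns (accepted, key_changed).
    table = build_table_a()
    nonce_a, nonce_b = secrets.token_bytes(16), secrets.token_bytes(16)
    accepted = authenticate(table, table, user_number, timestamp, nonce_a)
    key_changed = derive_temp_key(table, timestamp, nonce_a) != \
        derive_temp_key(table, timestamp, nonce_b)
    return accepted, key_changed

if __name__ == "__main__":
    print(run_demo())
```

A client whose table A differs from the server's (a cloned or wrong device) fails the comparison even with the same user number, timestamp and random number.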
PCT/CN2008/001687 2007-10-15 2008-09-28 Method of implementing network genuine identification WO2009062373A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200710175846 CN101136750A (en) 2007-10-15 2007-10-15 Network real-name system implementing method
CN200710175846.9 2007-10-15

Publications (1)

Publication Number Publication Date
WO2009062373A1 true WO2009062373A1 (en) 2009-05-22

Family

ID=39160608

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/001687 WO2009062373A1 (en) 2007-10-15 2008-09-28 Method of implementing network genuine identification

Country Status (2)

Country Link
CN (1) CN101136750A (en)
WO (1) WO2009062373A1 (en)


Also Published As

Publication number Publication date
CN101136750A (en) 2008-03-05


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08848609; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08848609; Country of ref document: EP; Kind code of ref document: A1)