CN101030859A - Method and system for verifying distributed network - Google Patents

Publication number: CN101030859A
Authority: CN (China)
Prior art keywords: user, password, mod, node, server group
Legal status: Granted
Application number: CN 200710063606
Other languages: Chinese (zh)
Other versions: CN100550738C (en)
Inventors: 曹珍富, 董晓蕾, 柴震川, 位继伟
Current assignee: Huawei Technologies Co Ltd; Shanghai Jiaotong University
Original assignee: Huawei Technologies Co Ltd; Shanghai Jiaotong University
Application filed by Huawei Technologies Co Ltd and Shanghai Jiaotong University; priority to CNB200710063606XA; granted and published as CN100550738C; legal status: active.

Abstract

The method comprises: generating key shares from a system key; when a new user registers, a group of authentication servers jointly issues a ticket to the user; when the user logs in, the authentication server group jointly verifies the login request message sent by the user; if the message passes verification, the member servers and the user's device perform mutual two-way authentication. The system comprises an initialization module, a registration module, a login module and an authentication module.

Description

Authentication method and system for a distributed network
Technical field
The present invention relates to the field of network communication, and in particular to an authentication method and system for a distributed network.
Background technology
A mobile ad hoc network (MANET, also called a mobile self-organizing network) is a distributed network that is formed dynamically by a group of mobile devices (such as smartphones). Establishing an ad hoc network does not require existing network infrastructure or central management. Because its deployment is efficient and convenient and its range of applications is wide (military and commercial), mobile ad hoc networking has become a hot research field. While making it convenient to set up communication networks, mobile ad hoc networks also raise many security concerns because of their own characteristics. One of them is how to ensure that resources are not accessed by unauthorized users.
At present, password-based authentication is one of the most popular practical approaches to solving the confidentiality and security problems of a system. In the traditional model of a password-based authentication scheme, in order to request a resource, the user first sends a request message to the remote server containing the user's identity ID and the hashed password value h(PW). After receiving the request, the remote server searches the access list in its local database for an entry (ID, h(PW)) that matches the request submitted by the user; if one exists, the server grants the user ID access rights, otherwise access is denied. However, the traditional way of confirming a user's authenticity solely by matching a user name and password has exposed many security weaknesses: passwords are easily guessed or obtained by means such as social engineering, easily observed while being entered, easily cracked by many tools, may carry undetected defects and leaks, can be spied out while the computer is offline, and passwords and files are easily copied off PCs and servers. For these reasons, this method cannot be used where security requirements are high. Therefore, in many application environments, in addition to a factor the individual knows (the password), a factor the individual possesses (such as a smart card) is often adopted in order to achieve two-factor authentication of higher security strength.
In the past several years, many password-based authentication schemes have been proposed with the aim of strengthening security and efficiency. These schemes can generally be divided into a user registration phase, a login phase and an authentication phase. In the registration phase, the server issues a digital ticket according to the identity information and password submitted by the new user, stores this ticket in a tamper-resistant smart card, and finally issues the smart card to the user. In the login phase, the user inserts the smart card into the login device and enters the password, and the smart card generates a login request message from the ticket and the password. In the authentication phase, the server verifies the login request message and decides whether to allow the user to log in.
All of these existing schemes are applied in single-server settings. In a distributed network such as a mobile ad hoc network, however, the authentication process should be completed in a distributed, multi-server manner in order to improve the availability of the system. One of the important features that distinguishes a mobile ad hoc network from other networks is its high dynamism. A mobile ad hoc network is built over wireless signals by many freely moving nodes. In a network built this way, no point-to-point link is guaranteed to stay connected at all times, because a node may move out of the wireless transmission range of another node, or the transmitted signal may suffer interference from other signals. Adopting a single-server implementation as in wired networks would therefore be risky: once that single server cannot be reached, the service of the whole system is interrupted. Consequently, the schemes adopted in the prior art cannot be applied directly in environments that require distributed authentication, and are not suitable where availability requirements are high.
Secondly, in a wired network environment the server is usually equipped with storage of sufficient capacity to hold the passwords of all registered users. In a mobile ad hoc network, however, the server, being one of the nodes, may be a resource-constrained mobile device. For a resource-constrained mobile device, maintaining and storing a password table for all users is a heavy burden, and the problem becomes more acute when the number of users grows sharply. Moreover, a stored password table makes the server vulnerable to attacks that steal or modify (replace) the verification table.
Thirdly, mobile ad hoc networks are often deployed in open network environments (or even hostile environments). Compared with nodes in a wired network, nodes in a mobile ad hoc network receive less protection and are easier to attack, so more security considerations are needed. The first situation to consider is a server node being attacked. In traditional schemes the system's secret key is kept in a single server; this is acceptable because servers in a wired network environment are protected layer by layer and an attacker finds it hard to break into the server. In a mobile ad hoc network, however, keeping the key in a single service node is unsafe, because nodes are relatively easy to compromise. The second situation to consider is an ordinary user node being attacked. In current strong authentication schemes that do not need a password table, the server issues a ticket to the registered user; with this ticket and the password, the user can log in to the server. If an attacker obtains this ticket, the attacker can guess the user's password by means of an offline dictionary attack and then impersonate the user to deceive the server. In traditional schemes the ticket is stored in a tamper-resistant smart card, which increases the cost of use and reduces usability for the user; the limited computing capability of the smart card also easily becomes a bottleneck for the application.
In summary, for reasons of availability and security, the traditional scheme based on a single-server architecture and a tamper-resistant smart card is not suitable for use in distributed networks.
Summary of the invention
The purpose of the embodiments of the invention is to overcome the deficiencies of the prior art and to ensure the availability and security of the system. The embodiments of the invention propose a password-based (t, n) threshold authentication method and system. A total of n server nodes share one system key, and only when any t (t < n) of these nodes act jointly can the authentication operation requested by the user be completed. The technical scheme described by the embodiments of the invention is as follows:
An authentication method for a distributed network, the method comprising:
generating a system key, splitting the system key to obtain key shares, and storing the key shares respectively on the member server nodes of a server group;
an authentication server group receiving a user's identity identifier and password, jointly issuing a ticket according to the identity identifier, password and key shares, and sending the ticket to a login device;
the login device generating a login request message according to the ticket and the user's identity identifier and password, and sending the login request message to the authentication server group;
after receiving the login request message, the authentication server group verifying the login request message and, if the message passes verification, the authentication server group and the user performing two-way authentication.
The embodiments of the invention also provide an authentication system for a distributed network, the system comprising:
an initialization module, used to generate a system key, split the system key to obtain key shares, and store the key shares respectively on the member server nodes of a server group;
a registration module, used for the authentication server group to receive and authenticate a user's identity identifier and password, and to jointly issue a ticket according to the identity identifier, password and key shares;
a login module, used to generate a login request message according to the ticket and the user's identity identifier and password, and to send the login request message to the authentication server group;
an authentication module, used, after the authentication server group receives the login request message, to verify the login request message and, if the message passes verification, for the authentication server group and the user to perform two-way authentication.
The beneficial effects of the embodiments of the invention are:
1. In the technical scheme provided by the embodiments of the invention, n server nodes share one system key, and only when any t (t < n) of these nodes act jointly can the authentication operation requested by the user be completed. Even if an attacker compromises a small number of server nodes, the attacker still cannot obtain the key. Even if a minority (fewer than n-t) of the service nodes are attacked or offline, the remaining service nodes can still provide secure service, which strengthens both the security and the high availability of the key.
2. Because the authentication server group issues a ticket to the user, no password table needs to be stored in the server.
3. Dictionary attacks are resisted. In a common offline dictionary attack, the attacker uses a guessed password to compute some intermediate values and compares them with the corresponding correct values already obtained; if they coincide, the guessed password is correct and the attack succeeds. In the scheme designed by the embodiments of the invention, the correct values the attacker can obtain bear no relation to the intermediate values the attacker can compute, so no comparison is possible and the attacker cannot determine whether a guessed password is correct. Thus, even if the attacker obtains the ticket in the user node, the user's password cannot be recovered by an offline dictionary attack, and still less can the attacker impersonate a legitimate user to deceive the server.
4. Because in the technical scheme provided by the embodiments of the invention the ticket is stored directly in the login device (that is, the mobile terminal device), no smart card is needed, which reduces cost and increases usability without any loss of security.
5. Two-way authentication between the member servers and the login device is achieved with two message exchanges. Not only can the service nodes authenticate the user node, but the user node can also authenticate the service nodes, which strengthens the reliability of the authentication.
Description of drawings
Fig. 1 is a flow chart of the authentication method for a distributed network described by the embodiment of the invention;
Fig. 2 is a structural diagram of the authentication system for a distributed network described by the embodiment of the invention.
Embodiment
The invention is further described below with reference to the corresponding drawings and embodiments.
The embodiment of the invention provides an authentication method for a distributed network which mainly comprises four phases: a system initialization phase, a registration phase, a login phase and an authentication phase. Referring to Fig. 1, the concrete steps are as follows:
Step 101: system initialization phase
A trusted third party generates the system key x, splits it into n key shares, and stores the n shares respectively on the n member server nodes $S_1, \ldots, S_n$ of the server group. Specifically, this can be realized as follows:
1) Select two large primes p and q satisfying $p = 2p' + 1$ and $q = 2q' + 1$, where p' and q' are also large primes. In this field, a large prime generally means a prime represented with more than 512 bits, a prime being a number such as 3 or 5 that is divisible only by 1 and itself.
2) Compute the composite number $N = p \times q$ and select $g \in Q_N$ at random, where $Q_N$ is the set of quadratic residues modulo N.
3) Select the system key x at random from 1 to p'q' such that x and p'q' are coprime, i.e. $x \in Z^*_{p'q'}$. Choose at random a polynomial $f(\cdot)$ of degree t-1 over $Z^*_{p'q'}$ satisfying $f(0) = x \bmod p'q'$, where $Z^*_{p'q'}$ is the set of integers from 1 to p'q' that have a multiplicative inverse modulo p'q', and t is the number of server nodes required to participate in an authentication operation.
4) Compute the n key shares $x_i = f(i) / \prod_{j \in \Phi,\, j \neq i} (i - j) \bmod p'q'$ and send $x_i$ over a secure channel to the member server $S_i$ of the server group, where $\Phi$ is the set of the numbers 1 to n, i.e. $\Phi = \{1, \ldots, n\}$; the secure channel here can be understood as encrypting the share before transmission.
5) Destroy x, p and q, and publish N and g.
Step 102: registration phase
A new user U who needs to register sends its identity ID and the hashed password h(PW) to the authentication server group Ω, which contains t authenticating member server nodes $S_i$ ($i \in \varphi$). Here φ is a set containing t of the elements of {1, ..., n}, i.e. $\varphi \subseteq \{1, \ldots, n\}$ with |φ| = t, t < n, and h() is a hash function. After confirming the user's identity, the t member server nodes jointly issue a ticket and send it to the user. Issuing and sending the ticket can be realized as follows:
1) Each of the t authenticating member server nodes $S_i$ computes and sends the following value to the distribution node:
$B_i = g^{h(ID)\, x_i} \bmod N,$
where the distribution node can be one of the t authenticating member servers or an independent node.
2) After collecting the t values $B_i$, the distribution node computes:
$\beta = \prod_{i \in \varphi} B_i^{L_{i0}} - h(PW) \bmod N = g^{h(ID)\, x} - h(PW) \bmod N,$
where $L_{i0} = \prod_{j \in \Phi,\, j \notin \varphi} (i - j) \cdot \prod_{j \in \varphi,\, j \neq i} (0 - j)$.
3) Finally, the distribution node issues the ticket containing the information (ID, β, N, g, h()) to the login device, where it is stored. To strengthen security, the ticket can be sent over a secure channel and then stored in the login device. Whether the user needs to take part directly in the transmission of the ticket can be decided by the specific implementation: the user may copy the ticket and store it in the login device personally, or the login device may download the ticket directly over a data link.
In the present embodiment, the login device can be a mobile terminal device.
In this step, the password is hashed so that it is not exposed to the server. If the server is trusted to a certain extent and registration is not carried out over the network, the password may also be submitted directly in plaintext.
In addition, identity confirmation can be realized by non-technical means, for example the user shows an identity card to the system administrator, who issues the ticket to the user after approving. There may also be no identity confirmation at all, i.e. a ticket is issued for every registration request; in this case a user still only obtains a ticket for the password he submitted himself, and learns nothing about the passwords corresponding to other identities.
Step 103: login phase
When a registered user U wants to log in to the authentication server group Ω, the user enters the identity identifier ID and the password PW on the login device that stores the user's ticket. The login device generates a login request message and sends it to the authentication server group. Specifically, this can be realized as follows:
1) Select a random number r and obtain the current timestamp T of the login device.
2) Compute $B = \beta + h(PW) = g^{h(ID)\, x} \bmod N$.
3) Compute $E = B^r = g^{h(ID)\, x r} \bmod N$.
4) Compute $D = g^r \bmod N$.
5) Compute $C = h(T \,\|\, E \,\|\, B) \bmod N$.
6) Send the login request message $M = (ID, T, D, C)$ to the authentication server group Ω.
Step 104: authentication phase
After the distribution node in the authentication server group Ω receives the login request message M = (ID, T, D, C), the t authenticating member server nodes jointly verify this request and send a response. For example, the concrete operations are as follows:
Each authenticating member server node $S_i$ participating in the verification first checks, as follows, whether the message M was produced correctly:
1) Check the validity of the identity ID; if its format is incorrect, reject this login request and discard the request message.
2) Check the difference between the current time and the login time T in the request; if the difference is greater than a reasonable propagation delay, reject this login request.
If message M passes the preliminary verification, the t authenticating member servers $S_i$ ($i \in \varphi$) carry out the following protocol with the user's login device to complete two-way authentication:
1) $S_i$ ($i \in \varphi$) computes and sends the following values to the distribution node:
$B'_i = g^{h(ID)\, x_i} \bmod N,$
$E'_i = D^{h(ID)\, x_i} \bmod N;$
2) After receiving all $E'_i$ and $B'_i$, the distribution node computes:
$B' = \prod_{i \in \varphi} (B'_i)^{L_{i0}} \bmod N,$
$E' = \prod_{i \in \varphi} (E'_i)^{L_{i0}} \bmod N;$
3) The distribution node verifies whether the equation $C = h(T \,\|\, E' \,\|\, B')$ holds; if not, the request is rejected, otherwise the request is accepted. The distribution node then computes $C' = h(B' \,\|\, T' \,\|\, E')$ and sends the response (ID, C', T') to the user's login device, where T' is the current timestamp of the distribution node.
4) After receiving the server response (ID, C', T'), the login device first checks ID and T' in the same way that message M is checked in step 104, and then verifies whether the equation $C' = h(B \,\|\, T' \,\|\, E)$ holds. If the verification passes, two-way authentication between U and Ω is complete; otherwise the login device abandons the current session.
In the present embodiment the clocks of all nodes are assumed to be synchronized, so timestamps can be used to simplify the protocol and guarantee the freshness of messages. In an environment where the node clocks are not synchronized, the embodiment may instead forgo timestamps and use challenge random numbers.
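The four phases above, as an added worked example (not code from the patent or its assignees): a Python run of the (t, n) threshold password authentication with n = 5, t = 3, using constructed toy safe primes p = 1019 and q = 1187 instead of 512-bit primes, SHA-256 reduced mod N as h(), an alphanumeric rule as the assumed ID format check, and a fixed clock value in place of real timestamps. Registration is served by one subset of three servers and the login by a different one, which shows that any t of the n shares reconstruct the same $g^{h(ID)x}$; the wrong-password and late-request paths follow the rejections of step 104.

```python
"""Added example: (t, n) threshold password authentication following the patent's
four phases.  Every parameter below is a constructed toy value and NOT secure."""
import hashlib
import random
from math import gcd, prod

# Constructed toy safe primes p = 2p'+1, q = 2q'+1 (assumption; real use needs >= 512-bit primes)
P_PRIME, Q_PRIME = 509, 593
P, Q = 2 * P_PRIME + 1, 2 * Q_PRIME + 1   # 1019 and 1187, both prime
N = P * Q                                 # public modulus N = p * q
ORDER = P_PRIME * Q_PRIME                 # p'q' = order of Q_N; known only to the dealer
G = pow(4, 2, N)                          # public g in Q_N (square of a unit mod N)
MAX_DELAY = 60                            # "reasonable propagation delay" in seconds (assumption)

def h(*parts) -> int:
    """h(): SHA-256 over the '||'-joined parts, reduced mod N (assumed instantiation)."""
    data = b"||".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def poly_eval(coeffs, i):
    """f(i) = sum_k coeffs[k] * i^k mod p'q'; coeffs[0] is the constant term x."""
    return sum(c * pow(i, k, ORDER) for k, c in enumerate(coeffs)) % ORDER

def lagrange_l(i, phi, n):
    """L_i0 = prod_{j in Phi, j not in phi}(i-j) * prod_{j in phi, j != i}(0-j): an integer,
    so the combiner recombines f(0) in the exponent without knowing the order p'q'."""
    outer = prod(i - j for j in range(1, n + 1) if j not in phi)
    inner = prod(0 - j for j in phi if j != i)
    return outer * inner

def combine(parts, phi, n):
    """prod_{i in phi} parts[i]^{L_i0} mod N; a negative L_i0 uses the modular inverse."""
    return prod(pow(parts[i], lagrange_l(i, phi, n), N) for i in phi) % N

def init_system(n, t, rng):
    """Step 101: dealer picks x in Z*_{p'q'}, a degree t-1 polynomial f with f(0) = x,
    gives x_i = f(i) / prod_{j != i}(i-j) mod p'q' to server i, then destroys x."""
    x = rng.randrange(1, ORDER)
    while gcd(x, ORDER) != 1:
        x = rng.randrange(1, ORDER)
    coeffs = [x] + [rng.randrange(1, ORDER) for _ in range(t - 1)]
    shares = {}
    for i in range(1, n + 1):
        denom = prod(i - j for j in range(1, n + 1) if j != i) % ORDER
        shares[i] = poly_eval(coeffs, i) * pow(denom, -1, ORDER) % ORDER
    del x, coeffs                         # step 5: only N and g remain, as public values
    return shares

def register(user_id, hpw, phi, shares, n):
    """Step 102: the t servers in phi jointly issue the ticket (ID, beta, N, g)."""
    hid = h(user_id)
    b_parts = {i: pow(G, hid * shares[i], N) for i in phi}   # B_i = g^{h(ID) x_i} mod N
    gx = combine(b_parts, phi, n)                             # = g^{h(ID) x} mod N
    return {"ID": user_id, "beta": (gx - hpw) % N, "N": N, "g": G}

def login_request(ticket, pw, r, t_now):
    """Step 103: the device builds M = (ID, T, D, C); B and E are kept for step 104-4."""
    b = (ticket["beta"] + h(pw)) % N      # B = beta + h(PW) = g^{h(ID) x} mod N
    e = pow(b, r, N)                      # E = B^r mod N
    d = pow(ticket["g"], r, N)            # D = g^r mod N
    c = h(t_now, e, b)                    # C = h(T || E || B) mod N
    return {"ID": ticket["ID"], "T": t_now, "D": d, "C": c}, b, e

def authenticate(msg, phi, shares, n, now):
    """Step 104, server side: reject a malformed ID or a stale T, rebuild B' and E'
    from the shares, check C and answer (ID, C', T').  None means rejected."""
    if not msg["ID"].isalnum() or abs(now - msg["T"]) > MAX_DELAY:   # assumed ID format rule
        return None
    hid = h(msg["ID"])
    b2 = combine({i: pow(G, hid * shares[i], N) for i in phi}, phi, n)         # B'
    e2 = combine({i: pow(msg["D"], hid * shares[i], N) for i in phi}, phi, n)  # E' = D^{h(ID) x}
    if msg["C"] != h(msg["T"], e2, b2):   # C == h(T || E' || B') ?
        return None
    return {"ID": msg["ID"], "C2": h(b2, now, e2), "T2": now}   # C' = h(B' || T' || E')

def verify_response(resp, user_id, b, e, now):
    """Step 104-4, device side: check ID and T', then C' == h(B || T' || E)."""
    if resp is None or resp["ID"] != user_id or abs(now - resp["T2"]) > MAX_DELAY:
        return False
    return resp["C2"] == h(b, resp["T2"], e)

def run_protocol(pw_registered="s3cret", pw_typed="s3cret", delay=0, seed=7):
    """n = 5, t = 3: servers {1, 3, 5} register the user and {2, 4, 5} verify the login,
    so any t shares reconstruct the same g^{h(ID) x}.  `delay` is how late the request
    reaches the servers; a replayed copy of an old request is simply a late one."""
    rng = random.Random(seed)
    n, t = 5, 3
    shares = init_system(n, t, rng)
    ticket = register("alice", h(pw_registered), {1, 3, 5}, shares, n)
    t0 = 1_700_000_000                    # constructed clock value shared by all nodes
    msg, b, e = login_request(ticket, pw_typed, rng.randrange(1, ORDER), t0)
    resp = authenticate(msg, {2, 4, 5}, shares, n, t0 + delay)
    return verify_response(resp, ticket["ID"], b, e, t0 + delay)
```

`run_protocol()` returns True, while `run_protocol(pw_typed="wrong")` and `run_protocol(delay=3600)` return False, the former because C no longer matches h(T ‖ E' ‖ B') and the latter because T fails the freshness check.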
Referring to Fig. 2, the embodiment of the invention also provides a distributed network authentication system comprising an initialization module 201, a registration module 202, a login module 203 and an authentication module 204, where:
The initialization module 201 is used to generate the system key, split the system key, and store the resulting key shares respectively on the member server nodes of the server group.
The registration module 202 is located in the authentication server group and is used to receive the user's identity identifier and password, jointly issue a ticket according to the identity identifier, password and key shares, and send the ticket to the login module 203.
The login module 203 is located in the login device and is used to receive the ticket sent by the registration module 202, generate a login request message according to the ticket and the user's identity identifier and password, and send the login request message to the authentication module 204. In the present embodiment, the login device can be a user terminal device.
The authentication module 204 is located in the authentication server group and is used, after receiving the login request message sent by the login module, to verify the login request message and, if the message passes verification, to perform two-way authentication with the user.
In the technical scheme provided by the embodiments of the invention, n server nodes share one system key, and only when any t (t < n) of these nodes act jointly can the authentication operation requested by the user be completed. Even if an attacker compromises a small number of server nodes, the attacker still cannot obtain the key. Even if a minority (fewer than n-t) of the service nodes are attacked or offline, the remaining service nodes can still provide secure service, which strengthens both the security and the high availability of the key.
Because the authentication server group issues a ticket to the user, no password table needs to be stored in the server.
The technical scheme provided by the embodiments of the invention can also resist dictionary attacks. In a common offline dictionary attack, the attacker uses a guessed password to compute some intermediate values and compares them with the corresponding correct values already obtained; if they coincide, the guessed password is correct and the attack succeeds. In the scheme described by the embodiments of the invention, the correct values the attacker can obtain bear no relation to the intermediate values the attacker can compute, so no comparison is possible, the attacker cannot determine whether a guessed password is correct, and still less can the attacker impersonate a legitimate user to deceive the server.
Because in the technical scheme provided by the embodiments of the invention the ticket is stored directly in the login device (that is, the mobile terminal device), no smart card is needed, which reduces cost and increases usability without any loss of security.
Because two-way authentication between the member servers and the login device is achieved with two message exchanges, not only can the service nodes authenticate the user node, but the user node can also authenticate the service nodes, which strengthens the reliability of the authentication.
Because the technical scheme described by the embodiments of the invention can resist offline dictionary attacks, the user can freely choose, and simply change, a short and easily remembered password without worrying that it will be guessed.
Because the user's password is hashed, the user's password is not exposed to the server.
The technical scheme described by the embodiments of the invention can resist replay attacks, password-table replacement and theft attacks, and parallel session attacks.
In the technical scheme described by the embodiments of the invention, timestamps are adopted, so replay attacks are resisted. In a replay attack, the attacker first intercepts a correct login request message and then re-sends this message to the server node in an attempt to log in as a legitimate user.
In the technical scheme described by the embodiments of the invention, no user password table exists and a server stores only one key share, so password-table replacement and theft attacks cannot be launched. Such attacks mean that, where the server node keeps a complete user-name and password table, the attacker attacks by modifying or stealing that password table.
A parallel session attack means that the attacker intercepts the server's login response message in a session A and uses it as the login request message of a session B that runs concurrently (concurrently so that the timestamp remains valid); the condition for this attack to succeed is that the response and request message formats match each other. In the technical scheme described by the embodiments of the invention the formats of the two messages differ, so this attack is resisted.
The above describes only preferred implementations of the invention; ordinary variations and replacements made by those skilled in the art within the scope of the technical scheme of the invention should all be included in the protection scope of the invention.

Claims (10)

1. An authentication method for a distributed network, characterized in that the method comprises:
generating a system key, splitting the system key to obtain key shares, and storing the key shares respectively on the member server nodes of a server group;
an authentication server group receiving a user's identity identifier and password, jointly issuing a ticket according to the identity identifier, password and key shares, and sending the ticket to a login device;
the login device generating a login request message according to the ticket and the user's identity identifier and password, and sending the login request message to the authentication server group;
after receiving the login request message, the authentication server group verifying the login request message and, if the message passes verification, the authentication server group and the user performing two-way authentication.
2. The authentication method of claim 1, characterized in that the step of generating the system key, splitting the system key and storing the key shares respectively on a plurality of member server nodes of the server group specifically comprises:
selecting two large primes p and q satisfying $p = 2p' + 1$ and $q = 2q' + 1$, where p' and q' are large primes;
computing the composite number $N = p \times q$ and selecting $g \in Q_N$ at random, where $Q_N$ is the set of quadratic residues modulo N;
selecting the system key x at random from 1 to p'q' such that x and p'q' are coprime, i.e. $x \in Z^*_{p'q'}$, and choosing at random a polynomial $f(\cdot)$ of degree t-1 over $Z^*_{p'q'}$ satisfying $f(0) = x \bmod p'q'$, where $Z^*_{p'q'}$ is the set of integers from 1 to p'q' that have a multiplicative inverse modulo p'q', and t is the number of server nodes required to participate in an authentication operation;
computing the n key shares $x_i = f(i) / \prod_{j \in \Phi,\, j \neq i} (i - j) \bmod p'q'$ and sending $x_i$ over a secure channel to the member server $S_i$ of the server group, where $\Phi$ is the set of the numbers 1 to n, i.e. $\Phi = \{1, \ldots, n\}$, and i ranges over 1 to n;
destroying x, p and q, and publishing N and g.
3. The authentication method of claim 2, characterized in that the step of the authentication server group receiving the user's identity identifier and password, jointly issuing a ticket according to the identity identifier, password and key shares, and sending the ticket to the login device specifically comprises:
the user sending its identity ID and the hashed password h(PW) to the authentication server group containing t member server nodes $S_i$ ($i \in \varphi$), where φ is a set containing t of the elements of {1, ..., n}, i.e. $\varphi \subseteq \{1, \ldots, n\}$ with |φ| = t, and h() is a hash function;
after confirming the user's identity, each of the t member server nodes $S_i$ computing $B_i = g^{h(ID)\, x_i} \bmod N$ and sending the computed value $B_i$ to the distribution node;
after collecting the t values $B_i$, the distribution node computing:
$\beta = \prod_{i \in \varphi} B_i^{L_{i0}} - h(PW) \bmod N = g^{h(ID)\, x} - h(PW) \bmod N,$
where $L_{i0} = \prod_{j \in \Phi,\, j \notin \varphi} (i - j) \cdot \prod_{j \in \varphi,\, j \neq i} (0 - j)$;
the distribution node sending the ticket containing the information (ID, β, N, g, h()) to the user.
4. The authentication method of claim 3, characterized in that the step of generating the login request specifically comprises:
selecting a random number r and obtaining the current timestamp T of the login device;
computing $B = \beta + h(PW) = g^{h(ID)\, x} \bmod N$;
computing $E = B^r = g^{h(ID)\, x r} \bmod N$;
computing $D = g^r \bmod N$;
computing $C = h(T \,\|\, E \,\|\, B) \bmod N$;
generating the login request message $M = (ID, T, D, C)$.
5. The authentication method of claim 4, characterized in that the step of verifying the login request message specifically comprises:
checking the validity of the user identity identifier and, if its format is incorrect, rejecting the login request;
checking the difference between the current time and the login time T in the request and, if the difference is greater than a reasonable propagation delay, rejecting the login request.
6. The authentication method according to claim 4, characterized in that the step of two-way authentication specifically comprises:
Each authentication server node $S_i$ ($i \in \varphi$, $\varphi \subseteq \{1, \dots, n\}$) computes the following values and sends them to the distribution node:
$B'_i = g^{h(ID)\,x_i} \bmod N$,
$E'_i = D^{h(ID)\,x_i} \bmod N$;
After receiving all $E'_i$ and $B'_i$, the distribution node computes:
$B' = \prod_{i \in \varphi} B_i'^{\,L_{i0}} \bmod N$,
$E' = \prod_{i \in \varphi} E_i'^{\,L_{i0}} \bmod N$;
The distribution node verifies whether the equation $C = h(T \,\|\, E' \,\|\, B')$ holds; if it does not hold, the login request is rejected, otherwise the login request is accepted;
The distribution node obtains its current timestamp T', computes $C' = h(B' \,\|\, T' \,\|\, E')$ and sends the response (ID, C', T') to the user's login device;
After receiving the response (ID, C', T'), the login device first checks the validity of ID and T', then verifies whether the equation $C' = h(B \,\|\, T' \,\|\, E)$ holds; if the verification passes, two-way authentication between the user's login device and the authentication server group is complete, otherwise the login device abandons the current session.
7. The authentication method according to any one of claims 1 to 6, characterized in that the ticket is sent over a back channel and stored in the login device.
8. The authentication method according to claim 3 or 6, characterized in that the distribution node is an independent node or one of the t member servers.
9. The authentication method according to claim 3 or 6, characterized in that the login device is a user terminal device.
10. A distributed-network authentication system, characterized in that the system comprises:
An initialization module, used to generate the system key, fragment the system key to obtain key fragments, and store the key fragments respectively on the member server nodes of the server group;
A registration module, used for the server group to authenticate the received user identity label and password and to jointly issue a ticket according to the identity label, the password and the key fragments;
A login module, used to generate a login request message according to the ticket and the user's identity label and password, and to send the login request message to the authentication server group;
An authentication module, used for the authentication server group, after receiving the login request message, to verify the login request message and, if the message passes verification, for the authentication server group and the user to perform two-way authentication.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB200710063606XA CN100550738C (en) 2007-02-06 2007-02-06 A kind of authentication method of distributed network and system

Publications (2)

Publication Number Publication Date
CN101030859A true CN101030859A (en) 2007-09-05
CN100550738C CN100550738C (en) 2009-10-14

Family

ID=38715959

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200710063606XA Active CN100550738C (en) 2007-02-06 2007-02-06 A kind of authentication method of distributed network and system

Country Status (1)

Country Link
CN (1) CN100550738C (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant