CN101247224A - Public key promising concurrent MQV cryptographic key exchange protocol without being able to forging safety - Google Patents

Info

Publication number: CN101247224A
Authority: CN (China)
Prior art keywords: user, key, agreement, session, pki
Legal status: Pending
Application number: CNA200810032507XA
Other languages: Chinese (zh)
Inventors: 赵运磊, 姚期智, 储枫
Current assignee: Individual
Original assignee: Individual
Application filed by Individual
Priority to CNA200810032507XA: CN101247224A
Publication of CN101247224A
Priority to PCT/CN2008/072794: WO2009056048A1
Priority to CN2008801222327A: CN102017510B
Priority to US12/766,431: US8464060B2
Priority to HK11110843.5A: HK1156750A1

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present invention belongs to the field of cryptographic protocols and is specifically an MQV key exchange protocol with public-key commitment and concurrent unforgeable security. It is based on the session-key computation formula of MQV and HMQV, $(YB^c)^{x+da} = (XA^d)^{y+cb}$, and on the concurrent man-in-the-middle attacks against MQV and HMQV discovered by the inventors. In the protocol of the invention, the input of function c must contain user B's public key B, DH key component Y and user A's identity $I_A$; the input of function d must contain user A's public key A, DH key component X and user B's identity $I_B$. The key point of the invention is that function d must commit to user A's public key and function c must commit to user B's public key. The protocol of the invention provides stronger concurrent unforgeable security and is better suited to protecting key exchange protocols running in concurrent environments such as the Internet.

Description

MQV key exchange protocol with public-key commitment and concurrent unforgeable security
Technical field
The invention belongs to the field of cryptographic protocols and specifically relates to an MQV key exchange protocol with public-key commitment and concurrent unforgeable security.
Background technology
At present, the most widely used (and widely standardized) Diffie-Hellman key exchange protocols in the world are the MQV and HMQV protocols. MQV and HMQV operate as follows:
User A with identity $I_A$ has public key $A = g^a$; user B with identity $I_B$ has public key $B = g^b$. In the first round of the protocol user A sends $X = g^x$; in the second round user B sends $Y = g^y$. This is the basic Diffie-Hellman key exchange. User A checks that the order of Y is q and computes the session key $K = H_K((YB^c)^{x+da})$; user B checks that the order of X is q and computes $K = H_K((XA^d)^{y+cb})$. In MQV, $d = 2^l + (X \bmod 2^l)$ and $c = 2^l + (Y \bmod 2^l)$, where l is half the length of x or y. In HMQV, $d = H(X, I_B)$ and $c = H(Y, I_A)$.
The inventors' latest research shows that the MQV and HMQV protocols have significant security flaws. Specifically, we found several dangerous concurrent man-in-the-middle attacks on MQV and HMQV, showing that MQV and HMQV do not achieve full unforgeable security. The flaws we found in MQV and HMQV can be remedied as follows: function c must commit to and bind user B's public key B, DH key component Y and user A's identity $I_A$; function d must commit to and bind user A's public key A, DH key component X and user B's identity $I_B$. Compared with MQV and HMQV, the crucial difference of the protocol of the invention is that user A's public key A must be an input of function d and user B's public key B must be an input of function c; that is, function c must commit to user B's public key B and function d must commit to user A's public key A.
Summary of the invention
The object of the invention is to propose an MQV key exchange protocol with public-key commitment and concurrent unforgeable security, so as to achieve stronger unforgeable security.
The protocol of the invention has the following characteristics:
On the basis of the MQV and HMQV protocols, by having function d commit to user A's public key and function c commit to user B's public key, the protocol of the invention effectively resists the concurrent man-in-the-middle attacks on MQV and HMQV found by the inventors, provides stronger concurrent unforgeable security, and is better suited to protecting key exchange protocols running in concurrent environments such as the Internet.
The system environment of the protocol of the invention is:
(1) System parameters: $(p, q, g, H, H_K, \mathrm{MAC})$, where p and q are large primes, q divides p-1, and g is an element of $Z_p^*$ of order q such that the discrete logarithm (DL) and computational Diffie-Hellman (CDH) problems are hard in the subgroup of $Z_p^*$ generated by g. Typically the length of p is 1024 or 2048 bits and the length of q is 160 or 1024 bits. All exponentiations and all multiplications not in an exponent are computed mod p; additions and multiplications in exponents are computed mod q (for example $g^{da}$ means $g^{da \bmod q} \bmod p$). Here $Z_p^*$ is the set of positive integers smaller than p and coprime to p, i.e. $Z_p^* = \{1, 2, \ldots, p-1\}$. Define the function $DL: Z_q \to Z_p^*$ by $h = DL(w) = g^w \bmod p$; w is called the discrete logarithm of h. We require that, given a random h, no polynomial-time algorithm can compute the discrete logarithm w of h; this is the discrete logarithm problem. The computational Diffie-Hellman problem is: given random $g^x$ and $g^y$, no polynomial-time algorithm can compute $g^{xy}$. In general, as is familiar to those skilled in the art, the discrete logarithm and computational Diffie-Hellman problems can also be defined over elliptic curves or over groups with a bilinear pairing. H is a hash function from $\{0,1\}^*$ to $\{0, 1, 2, \ldots, q-1\}$. To increase computation speed, the output length of H can be $l = (\lfloor \log_2 q \rfloor + 1)/2$. $H_K$ is a hash function from $\{0,1\}^*$ to $\{0,1\}^k$, where k is the length of the session key, for example k = 128 or 160. For strings $s_1, \ldots, s_m$, m > 1, $H(s_1, s_2, \ldots, s_m)$ means: represent $s_1, \ldots, s_m$ as binary 0-1 strings, concatenate all of them, and use the resulting string as the input of H (the order of the concatenated elements may vary). MAC is a message authentication code algorithm. $(p, q, g, H, H_K, \mathrm{MAC})$ can be global or local public parameters, or can be negotiated by any pair of users executing the protocol.
(2) Unless otherwise specified, user A with identity $I_A$ has public key $A = g^a$, where a is chosen at random by user A from $Z_q$. Correspondingly, user B with identity $I_B$ has public key $B = g^b$, and so on. Here $Z_q = \{0, 1, 2, \ldots, q-1\}$.
(3) The protocol is based on the Diffie-Hellman key exchange. Let $X = g^x \bmod p$ be user A's DH key component, where x, the discrete logarithm of X, is chosen at random by user A from $Z_q = \{0, 1, \ldots, q-1\}$. Let $Y = g^y \bmod p$ be user B's DH key component, where y, the discrete logarithm of Y, is chosen at random by user B from $Z_q = \{0, 1, \ldots, q-1\}$.
(4) There is a trusted certificate authority CA that issues certificates CERT, which publicly and verifiably bind a user's identity to its public key, for example $(I_A, A = g^a)$. The binding is realized by the CA's digital signature. When binding, the CA verifies that the public key is an element of $Z_p^*$ of order q and not 1. User A's certificate is denoted $CERT_A$ and contains user A's public key and the CA's signature on $(I_A, A = g^a)$.
(5) Each execution of the protocol is called a session. We assume that each execution (i.e. each session) of the protocol has a session identifier sid, used to distinguish concurrently running protocol executions. How sid is formed and negotiated may vary with the protocol's running environment: for example, sid can be the concatenation of two random strings sent by the two parties of the protocol run. In general, sid is included in the information the users exchange before the protocol run, or is a hash value of the exchanged information. In some environments sid can be generated during the protocol run; in others sid can be omitted when the session is identified automatically by context, for example in some key exchange applications $(X = g^x, Y = g^y)$ can itself serve as the session identifier.
(6) Other information pub related to the protocol execution: information related to the execution other than $(sid, I_A, A = g^a, I_B, B = g^b, X = g^x, Y = g^y)$ is denoted pub. pub is a string, generally the concatenation of the users' IP addresses, public key certificates, other information that needs to be authenticated, timestamps, etc. pub may be empty. In all protocols realized with a MAC, to improve computational efficiency pub can be used only as part of the MAC input and not as input to H or $H_K$.
Implementation method of the protocol:
Users A and B exchange their DH key components $X = g^x$ and $Y = g^y$ and their public key certificates. Suppose user A is the initiator of the protocol and user B is the responder. That is, user A sends X in the first round; after receiving X, user B checks $X \in Z_p^*$ and sends Y in the second round; after receiving Y, user A checks $Y \in Z_p^*$.
The users' identities, their DH key components and, in particular, their public keys are committed to and bound by two functions c and d. The commitment binding is realized by the hash function H. The key point of the commitment binding is: function c must commit to and bind user B's public key B, DH key component Y and user A's identity $I_A$; function d must commit to and bind user A's public key A, DH key component X and user B's identity $I_B$.
Session-key computation has a basic form and a simplified form:
Basic form of session-key computation: user A computes $K_A = (YB^c)^{tx+tda}$, checks $K_A \ne 1$, and sets the session key $K = H_K(K_A)$; user B computes $K_B = (XA^d)^{ty+tcb}$, checks $K_B \ne 1$, and sets $K = H_K(K_B)$; where $d = H(A, X, I_B)$, $c = H(B, Y, I_A)$ and $t = (p-1)/q$.
Simplified form of session-key computation: user A sends X in the first round, computes $K_A = B^{x+da}$ and the session key $K = H_K(K_A)$; after receiving X, user B checks that X is an element of $Z_p^*$ of order q and not 1, computes $K_B = X^b A^{db}$ and the session key $K = H_K(K_B)$; where $d = H(I_A, A, I_B, B, X)$.
Session-key computation with identity and key confirmation: to additionally confirm their identities and the session key to each other, user A computes the MAC key $K_m = H_K(K_A, 0)$ and user B computes $K_m = H_K(K_B, 0)$; the responder B sends $MAC_{K_m}(0)$ in the second round. For the basic form, the initiator A sends $MAC_{K_m}(1)$ in an additional third round; for the simplified form, A sends $MAC_{K_m}(1)$ in the first round and user B sends $MAC_{K_m}(0)$ in the second round. With identity and key confirmation, the session key is set to $K = H_K(K_A, 1) = H_K(K_B, 1)$.
Specific implementation steps of the protocol of the invention:
In the following protocol descriptions, the values in braces denote the information sent. Note that user A's public key is $A = g^a$ with a CA-issued certificate $CERT_A$, and user B's public key is $B = g^b$ with a CA-issued certificate $CERT_B$. Suppose user A is the initiator of the protocol run and user B is the responder.
Protocol-1: execution steps for the basic form of session-key computation:
First round, from A to B: $\{sid, I_A, A, CERT_A, X = g^x \pmod p\}$.
Here x is chosen at random from $Z_q$; X is called A's DH key component. After receiving A's message, B verifies A's identity, public key and certificate and that X is an element of $Z_p^*$; if verification fails, B refuses to continue the protocol, otherwise it enters the next round.
Second round, from B to A: $\{sid, I_B, B, CERT_B, Y = g^y\}$.
Here y is chosen at random from $Z_q$ and Y is called B's DH key component. After receiving B's message, A verifies B's identity, public key and certificate and that Y is an element of $Z_p^*$; if verification fails, A terminates the protocol.
Session-key computation: user A computes $K_A = (YB^c)^{tx+tda}$, checks $K_A \ne 1$, and sets the session key $K = H_K(K_A)$. User B computes $K_B = (XA^d)^{ty+tcb}$, checks $K_B \ne 1$, and sets $K = H_K(K_B)$. Here $d = H(A, X, I_B)$, $c = H(B, Y, I_A)$ and $t = (p-1)/q$; $d = H(A, X, I_B)$ denotes $d = H(A \| X \| I_B)$ and $c = H(B, Y, I_A)$ denotes $c = H(B \| Y \| I_A)$, where "‖" denotes ordered concatenation of strings. Once the session key has been computed, user B deletes $(y, K_B)$ and user A deletes $(x, K_A)$.
Protocol-2: execution steps for the simplified form of session-key computation:
First round, from A to B: $\{sid, I_A, A, CERT_A, X = g^x \pmod p\}$.
Here x is chosen at random from $Z_q$; X is called A's DH key component. User A computes $K_A = B^{x+da}$ and the session key $K = H_K(K_A)$ and deletes $(x, K_A)$, where $d = H(I_A \| A \| I_B \| B \| X)$.
After receiving A's message, B verifies A's identity, public key and certificate and that X is an element of $Z_p^*$ of order q and not 1; if verification fails, B terminates the protocol execution; otherwise, user B computes $K_B = X^b A^{db}$ and the session key $K = H_K(K_B)$ and deletes $(y, K_B)$.
Protocol-3: execution steps with identity and key confirmation:
First round, from A to B: $\{sid, I_A, A, CERT_A, X = g^x \pmod p\}$.
Here x is chosen at random from $Z_q$; X is called A's DH key component. After receiving A's message, B verifies A's identity, public key and certificate and that X is an element of $Z_p^*$; if verification fails, B refuses to continue the protocol; otherwise it enters the next round.
Second round, from B to A: $\{sid, I_B, B, CERT_B, Y = g^y, MAC_{K_m}(0)\}$.
Here y is chosen at random from $Z_q$ and Y is called B's DH key component. User B computes $K_B = (XA^d)^{ty+tcb}$ and checks $K_B \ne 1$, then computes the MAC key $K_m = H_K(K_B, 0)$ and $MAC_{K_m}(0)$; finally, user B sets the session key $K = H_K(K_B, 1)$, deletes $(y, K_B)$ and enters the next round. Here $H_K(K_B, 0)$ denotes $H_K(K_B \| 0)$ and $K = H_K(K_B, 1)$ denotes $K = H_K(K_B \| 1)$.
After receiving B's message, A verifies B's identity, public key and certificate and that Y is an element of $Z_p^*$; if verification fails, A terminates the protocol. If verification succeeds, user A computes $K_A = (YB^c)^{tx+tda}$ and checks $K_A \ne 1$, computes the MAC key $K_m = H_K(K_A, 0)$ and verifies the correctness of $MAC_{K_m}(0)$; if verification fails, user A terminates the protocol execution. If verification succeeds, user A sets the session key $K = H_K(K_A, 1)$, computes $MAC_{K_m}(1)$, deletes $(x, K_A, K_m)$ and enters the next round.
Third round, from A to B: $\{sid, MAC_{K_m}(1)\}$.
After receiving A's message, B verifies the correctness of $MAC_{K_m}(1)$; if verification fails, the protocol execution is terminated; otherwise $K_m$ is deleted and the protocol execution ends.
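The three protocol forms above, worked as an added Python example (the editor's illustration, not code from the patent or its inventors): Protocol-1's basic form with the cofactor t, Protocol-2's one-round form with the responder's order check on X, and Protocol-3's HMAC-SHA1 confirmation tags. The toy group parameters, the identities "alice"/"bob", the function names and the length-prefixed serialization in enc() are assumptions of the example, not specified by the patent.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters for this example (not from the patent): p and q
# are prime, q divides p - 1, and g = 4 has order q in Z_p^*.  Real use needs
# |p| = 1024 or 2048 bits; these values only keep the numbers readable.
p, q, g = 2039, 1019, 4
t = (p - 1) // q  # cofactor used by the basic form


def enc(*parts):
    """Serialize identities (str) and group elements (int) for hashing.
    The patent only says 'concatenate the binary strings'; this example
    length-prefixes every part so the boundaries are unambiguous."""
    out = b""
    for s in parts:
        b = s.encode() if isinstance(s, str) else s.to_bytes(
            max(1, (s.bit_length() + 7) // 8), "big")
        out += len(b).to_bytes(2, "big") + b
    return out


def H(*parts):
    """Commitment hash H: {0,1}* -> Z_q (SHA-1 in the patent's embodiment)."""
    return int.from_bytes(hashlib.sha1(enc(*parts)).digest(), "big") % q


def H_K(*parts):
    """Key-derivation hash H_K with k = 160 bits (SHA-1, as in the embodiment)."""
    return hashlib.sha1(enc(*parts)).digest()


def rand_exponent():  # random non-zero element of Z_q
    return secrets.randbelow(q - 1) + 1


def has_order_q(X):
    """Responder check for Protocol-2: X in Z_p^*, X != 1 and X^q = 1 mod p."""
    return 1 < X < p and pow(X, q, p) == 1


def basic_form_A(x, a, I_A, A, I_B, B, Y):
    """Initiator side of Protocol-1: K_A = (Y B^c)^(t x + t d a) mod p."""
    X = pow(g, x, p)
    d = H(A, X, I_B)  # d commits to A's own public key, X and I_B
    c = H(B, Y, I_A)  # c commits to B's public key, Y and I_A
    base = pow(Y * pow(B, c, p) % p, t, p)  # cofactor first: now inside <g>
    K_A = pow(base, (x + d * a) % q, p)  # equals (Y B^c)^(t x + t d a)
    if K_A == 1:
        raise ValueError("K_A = 1: reject (peer value outside the subgroup)")
    return K_A


def basic_form_B(y, b, I_A, A, I_B, B, X):
    """Responder side of Protocol-1: K_B = (X A^d)^(t y + t c b) mod p."""
    Y = pow(g, y, p)
    d = H(A, X, I_B)
    c = H(B, Y, I_A)
    base = pow(X * pow(A, d, p) % p, t, p)
    K_B = pow(base, (y + c * b) % q, p)
    if K_B == 1:
        raise ValueError("K_B = 1: reject (peer value outside the subgroup)")
    return K_B


def simple_form_A(x, a, I_A, A, I_B, B):
    """Initiator side of Protocol-2 (one round): K_A = B^(x + d a) mod p."""
    X = pow(g, x, p)
    d = H(I_A, A, I_B, B, X)  # d commits to both public keys and X
    return pow(B, (x + d * a) % q, p)


def simple_form_B(b, I_A, A, I_B, B, X):
    """Responder side of Protocol-2: K_B = X^b A^(d b) mod p after the order check."""
    if not has_order_q(X):
        raise ValueError("X is 1 or not of order q: reject")
    d = H(I_A, A, I_B, B, X)
    return pow(X, b, p) * pow(A, (d * b) % q, p) % p


def confirm_and_derive(K_shared):
    """Protocol-3: K_m = H_K(K||0), tags HMAC_Km(0) / HMAC_Km(1), K = H_K(K||1)."""
    K_m = H_K(K_shared, 0)
    mac0 = hmac.new(K_m, b"0", hashlib.sha1).digest()  # sent by the responder
    mac1 = hmac.new(K_m, b"1", hashlib.sha1).digest()  # sent by the initiator
    return H_K(K_shared, 1), mac0, mac1


def run_session():
    """One Protocol-1 run and one Protocol-2 run between 'alice' and 'bob'.
    With the toy q an honest run hits K = 1 about once in a thousand times
    (never in practice with a 160-bit q), so fresh ephemerals are redrawn."""
    a, b = rand_exponent(), rand_exponent()
    A, B = pow(g, a, p), pow(g, b, p)
    while True:
        x, y = rand_exponent(), rand_exponent()
        X, Y = pow(g, x, p), pow(g, y, p)
        try:
            K_A = basic_form_A(x, a, "alice", A, "bob", B, Y)
            K_B = basic_form_B(y, b, "alice", A, "bob", B, X)
        except ValueError:
            continue
        S_A = simple_form_A(x, a, "alice", A, "bob", B)
        S_B = simple_form_B(b, "alice", A, "bob", B, X)
        return (K_A, K_B), (S_A, S_B)
```

Applying the cofactor t before the secret exponent is what makes reducing $x + da$ mod q valid even when the peer's value lies outside the order-q subgroup; the result is the same number as the patent's $(YB^c)^{tx+tda}$.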
In the present invention, Protocol-1, Protocol-2 and Protocol-3 can have the following variants:
(1) In Protocol-1 and Protocol-3, other ways of setting the functions d and c: $d = H(I_A, A, I_B, B, X, Y)$, $c = H(d)$; or $d = H(I_A, A, X, I_B)$, $c = H(I_B, B, Y, I_A)$; or $d = H(A, X, Y, I_B)$, $c = H(B, Y, X, I_A)$. Whichever setting is used, the key point is that user A's public key A must be an input of function d and user B's public key B must be an input of function c.
In practical applications, $(I_A, A)$ can be replaced by the hash value of user A's public key certificate $Cert_A$ and $(I_B, B)$ by the hash value of user B's public key certificate $Cert_B$; or $(I_A, A, I_B, B)$ can be replaced by the hash value of $Cert_A$, $Cert_B$ and the other cookies, random numbers and IP address information exchanged before the protocol run; sid can be used as part of the input of the functions c and d.
(2) In Protocol-1 and Protocol-3, the t in the session key and MAC key computations can be omitted, i.e. $K_A = (YB^c)^{x+da}$, $K_B = (XA^d)^{y+cb}$. In this case user B must check that X is an element of $Z_p^*$ of order q and not 1, and user A must check that Y is an element of $Z_p^*$ of order q and not 1; for protocol realizations based on elliptic curves, the users need only check that X and Y are points on the corresponding elliptic curve other than the point at infinity.
(3) In the session key and MAC key computations of Protocol-1, Protocol-2 and Protocol-3, c and d can be used as part of the input of $H_K$.
(4) The order of the elements in the inputs of the hash functions H and $H_K$ can be changed.
Embodiment
Suppose user A with identity $I_A$ has public key $A = g^a$ and certificate $CERT_A$, and user B with identity $I_B$ has public key $B = g^b$ and certificate $CERT_B$. The certificate $CERT_A$ is a digital signature of the CA on A's identity $I_A$ and public key $A = g^a$, and similarly for the others. We assume A is the initiator of the protocol run and B is the responder.
In the following concrete embodiments of the protocol, the message authentication code MAC is the HMAC authentication code described in Internet RFC 2104, the Request for Comments document published by the IETF (Internet Engineering Task Force). HMAC needs only two hash computations and has been proven to be both a message authentication code and a pseudorandom function. In the embodiments, HMAC and the hash functions H and $H_K$ are realized with the SHA-1 hash function. In the following embodiments the session identifier sid is omitted.
Protocol-1: embodiment of the basic form of session-key computation:
First round, from A to B: $\{I_A, A, CERT_A, X = g^x \pmod p\}$.
Here x is chosen at random from $Z_q$; X is called A's DH key component. After receiving A's message, B verifies A's identity, public key and certificate (i.e. the validity of the certificate authority CA's signature on $(I_A, A)$) and that X is an element of $Z_p^*$ (i.e. $1 \le X \le p-1$); if verification fails, B refuses to continue the protocol, otherwise it enters the next round.
Second round, from B to A: $\{I_B, B, CERT_B, Y = g^y\}$.
Here y is chosen at random from $Z_q$ and Y is called B's DH key component. After receiving B's message, A verifies B's identity, public key and certificate and that Y is an element of $Z_p^*$; if verification fails, A terminates the protocol.
Session-key computation: user A computes $K_A = (YB^c)^{tx+tda \bmod q} \bmod p$, checks $K_A \ne 1$ and sets the session key $K = H_K(K_A)$. User B computes $K_B = (XA^d)^{ty+tcb \bmod q} \bmod p$, checks $K_B \ne 1$ and sets $K = H_K(K_B)$. Here $d = H(A \| X \| I_B)$, $c = H(B \| Y \| I_A)$ and $t = (p-1)/q$, where "‖" denotes ordered concatenation of strings. Once the session key has been computed, user B deletes $(y, K_B)$ and user A deletes $(x, K_A)$.
Protocol-2: embodiment of the simplified form of session-key computation:
First round, from A to B: $\{I_A, A, CERT_A, X = g^x \pmod p\}$.
Here x is chosen at random from $Z_q$; X is called A's DH key component. User A computes $K_A = B^{x+da \bmod q} \bmod p$ and the session key $K = H_K(K_A)$ and deletes $(x, K_A)$, where $d = H(I_A \| A \| I_B \| B \| X)$.
After receiving A's message, B verifies A's identity, public key and certificate and that X is an element of $Z_p^*$ other than 1 with $X^q = 1 \bmod p$ (i.e. the order of X is q); if verification fails, B terminates the protocol execution; otherwise, user B computes $K_B = X^b A^{db}$ and the session key $K = H_K(K_B)$ and deletes $(y, K_B)$.
Protocol-3: embodiment with identity and key confirmation:
First round, from A to B: $\{I_A, A, CERT_A, X = g^x \pmod p\}$.
Here x is chosen at random from $Z_q$; X is called A's DH key component. After receiving A's message, B verifies A's identity, public key and certificate and that X is an element of $Z_p^*$; if verification fails, B refuses to continue the protocol; otherwise it enters the next round.
Second round, from B to A: $\{I_B, B, CERT_B, Y = g^y, HMAC_{K_m}(0)\}$.
Here y is chosen at random from $Z_q$ and Y is called B's DH key component. User B computes $K_B = (XA^d)^{ty+tcb \bmod q} \bmod p$ and checks $K_B \ne 1$, computes the MAC key $K_m = H_K(K_B \| 0)$ and $HMAC_{K_m}(0)$; finally, user B sets the session key $K = H_K(K_B \| 1)$, deletes $(y, K_B)$ and enters the next round.
After receiving B's message, A verifies B's identity, public key and certificate and that Y is an element of $Z_p^*$; if verification fails, A terminates the protocol. If verification succeeds, user A computes $K_A = (YB^c)^{tx+tda \bmod q} \bmod p$ and checks $K_A \ne 1$, computes the MAC key $K_m = H_K(K_A \| 0)$ and verifies the correctness of $HMAC_{K_m}(0)$; if verification fails, user A terminates the protocol execution. If verification succeeds, user A sets the session key $K = H_K(K_A \| 1)$, computes $HMAC_{K_m}(1)$, deletes $(x, K_A, K_m)$ and enters the next round.
Third round, from A to B: $\{HMAC_{K_m}(1)\}$.
After receiving A's message, B verifies the correctness of $HMAC_{K_m}(1)$; if verification fails, the protocol execution is terminated; otherwise $K_m$ is deleted and the protocol execution ends.
Embodiments of the protocol variants:
(1) In Protocol-1 and Protocol-3, the functions d and c can be set in other ways: $d = H(I_A \| A \| I_B \| B \| X \| Y)$, $c = H(d)$; or $d = H(I_A \| A \| X \| I_B)$, $c = H(I_B \| B \| Y \| I_A)$; or $d = H(A \| X \| Y \| I_B)$, $c = H(B \| Y \| X \| I_A)$. Whichever setting is used, the key point is that user A's public key A must be an input of function d and user B's public key B must be an input of function c.
In a concrete implementation, $(I_A \| A)$ can be replaced by the hash value of user A's public key certificate $Cert_A$ and $(I_B \| B)$ by the hash value of user B's public key certificate $Cert_B$. Another recommended implementation is to replace $(I_A \| A \| I_B \| B)$ by the hash value of the concatenation (i.e. pub) of $Cert_A$, $Cert_B$ and other information such as cookies, random numbers and IP addresses exchanged before the protocol run (i.e. the hash value of pub).
(2) In Protocol-1 and Protocol-3, the t in the session key and MAC key computations can be omitted, i.e. $K_A = (YB^c)^{x+da \bmod q} \bmod p$, $K_B = (XA^d)^{y+cb \bmod q} \bmod p$. In this case, besides checking that X is an element of $Z_p^*$ other than 1, user B must also check $X^q = 1 \bmod p$ (i.e. the order of X is q); besides checking that Y is an element of $Z_p^*$ other than 1, user A must also check $Y^q = 1 \bmod p$ (i.e. the order of Y is q). For protocol realizations based on elliptic curves, the users need only check that X and Y are points on the corresponding elliptic curve other than the point at infinity.
(3) In the session key and MAC key computations of Protocol-1, Protocol-2 and Protocol-3, c and d can be used as part of the input of $H_K$. For example, $K_m = H_K(c \| d \| K_A \| 0) = H_K(c \| d \| K_B \| 0)$ and $K = H_K(c \| d \| K_A \| 1) = H_K(c \| d \| K_B \| 1)$.
(4) The order of the elements in the inputs of the hash functions H and $H_K$ can be changed, for example $K = H_K(1 \| K_A \| c \| d) = H_K(1 \| K_B \| c \| d)$, etc.

Claims (3)

1. An MQV key exchange protocol with public-key commitment and concurrent unforgeable security, characterized in that:
The system environment is:
(1) System parameters: $(p, q, g, H, H_K, \mathrm{MAC})$, where p and q are large primes, q divides p-1, and g is an element of $Z_p^*$ of order q such that the discrete logarithm DL and computational Diffie-Hellman CDH problems are hard in the subgroup of $Z_p^*$ generated by g; MAC is a message authentication code algorithm; all exponentiations and all multiplications not in an exponent are mod p operations, and additions and multiplications in exponents are mod q operations; here $Z_p^* = \{1, 2, \ldots, p-1\}$; H is a hash function from $\{0,1\}^*$ to $\{0, 1, 2, \ldots, (q-1)/2\}$; $H_K$ is a hash function from $\{0,1\}^*$ to $\{0,1\}^k$, where k is the length of the session key; for strings $s_1, \ldots, s_m$, m > 1, $H(s_1, s_2, \ldots, s_m)$ means: represent $s_1, \ldots, s_m$ as binary 0-1 strings, concatenate all the 0-1 strings in order, and use the resulting 0-1 string as the input of H;
(2) Unless otherwise specified, user A with identity $I_A$ has public key $A = g^a$, where a is chosen at random by user A from $Z_q$; correspondingly, user B with identity $I_B$ has public key $B = g^b$, and so on; here $Z_q = \{0, 1, 2, \ldots, q-1\}$;
(3) The protocol is based on the Diffie-Hellman key exchange; let $X = g^x \bmod p$ be user A's DH key component, where x, the discrete logarithm of X, is chosen at random by user A from $Z_q = \{0, 1, \ldots, q-1\}$; let $Y = g^y \bmod p$ be user B's DH key component, where y, the discrete logarithm of Y, is chosen at random by user B from $Z_q = \{0, 1, \ldots, q-1\}$;
(4) There is a trusted certificate authority CA that issues certificates CERT, which publicly and verifiably bind a user's identity to its public key; the binding is realized by the CA's digital signature; when binding, the CA verifies that the public key is an element of $Z_p^*$ of order q and not 1; user A's certificate is denoted $CERT_A$;
(5) Each execution of the protocol is assumed to have a session identifier sid; sid is a string used to distinguish concurrently running protocol executions; how sid is formed and negotiated may vary with the protocol's running environment; in general, sid is included in the information the users exchange before the protocol run, or is a hash value of the exchanged information;
(6) Other information pub related to the protocol execution: information related to the execution other than $sid, I_A, A = g^a, I_B, B = g^b, X = g^x, Y = g^y$ is denoted pub; pub is a string, the concatenation of the users' IP addresses, public key certificates, other information that needs to be authenticated, and timestamps;
The concrete method by which the protocol is realized is: users A and B exchange their DH key components $X = g^x$ and $Y = g^y$ and their public key certificates; suppose user A is the initiator of the protocol and user B is the responder; that is, user A sends X in the first round; after receiving X, user B checks $X \in Z_p^*$ and sends Y in the second round; after receiving Y, user A checks $Y \in Z_p^*$;
The users' identities, their DH key components and, in particular, their public keys are committed to and bound by two functions c and d; the commitment binding is realized by the hash function H; function c must commit to and bind user B's public key B, DH key component Y and user A's identity $I_A$; function d must commit to and bind user A's public key A, DH key component X and user B's identity $I_B$;
Session-key computation has a basic form and a simplified form:
Basic form of session-key computation: user A computes $K_A = (YB^c)^{tx+tda}$, checks $K_A \ne 1$, and sets the session key $K = H_K(K_A)$; user B computes $K_B = (XA^d)^{ty+tcb}$, checks $K_B \ne 1$, and sets $K = H_K(K_B)$; where $d = H(A, X, I_B)$, $c = H(B, Y, I_A)$ and $t = (p-1)/q$;
Simplified form of session-key computation: user A sends X in the first round, computes $K_A = B^{x+da}$ and the session key $K = H_K(K_A)$; after receiving X, user B checks that X is an element of $Z_p^*$ of order q and not 1, computes $K_B = X^b A^{db}$ and the session key $K = H_K(K_B)$; where $d = H(I_A, A, I_B, B, X)$;
Session-key computation with identity and key confirmation: to additionally confirm their identities and the session key to each other, user A computes the MAC key $K_m = H_K(K_A, 0)$ and user B computes $K_m = H_K(K_B, 0)$; the responder B sends $MAC_{K_m}(0)$ in the second round; for the basic form, the initiator A sends $MAC_{K_m}(1)$ in an additional third round; for the simplified form, A sends $MAC_{K_m}(1)$ in the first round and user B sends $MAC_{K_m}(0)$ in the second round; with identity and key confirmation, the session key is set to $K = H_K(K_A, 1) = H_K(K_B, 1)$.
2. the concurrent of PKI promise according to claim 1 can not be forged safe MQV IKE, it is characterized in that the performing step of agreement is:
In following protocol description, the information that the value representation in the braces sends; Wherein, user's " A " PKI is A=g aAnd has a certificate CERT that CA issues A, user's " B " PKI is B=g bAnd has a certificate CERT that CA issues BSuppose that user " A " is agreement operation initiator, user " B " is agreement operation respondent;
Protocol-1: execution steps for the basic form of session-key computation:
Round 1, A → B: {sid, I_A, A, CERT_A, X = g^x (mod p)};
where x is chosen at random from Z_q and X is called A's DH key component. On receiving A's message, B verifies A's identity, public key and certificate, and checks that X is an element of Z_p^*. If verification fails, B refuses to continue the protocol; otherwise the protocol proceeds to the next round.
Round 2, B → A: {sid, I_B, B, CERT_B, Y = g^y};
where y is chosen at random from Z_q and Y is called B's DH key component. On receiving B's message, A verifies B's identity, public key and certificate, and checks that Y is an element of Z_p^*. If verification fails, A aborts the protocol.
Session-key computation: user A computes K_A = (Y·B^c)^{tx+tda}, checks K_A ≠ 1 and sets the session key K = H_K(K_A); user B computes K_B = (X·A^d)^{ty+tcb}, checks K_B ≠ 1 and sets the session key K = H_K(K_B). Here d = H(A, X, I_B), c = H(B, Y, I_A) and t = (p-1)/q; H(A, X, I_B) denotes H(A‖X‖I_B), H(B, Y, I_A) denotes H(B‖Y‖I_A), and ‖ denotes concatenation of strings in the given order. Both values equal g^{t(x+da)(y+cb)}, so K_A = K_B. Once the session key has been computed, user B erases (y, K_B) and user A erases (x, K_A).
Protocol-2: execution steps for the simple (one-round) form of session-key computation:
Round 1, A → B: {sid, I_A, A, CERT_A, X = g^x (mod p)};
where x is chosen at random from Z_q and X is called A's DH key component. User A computes K_A = B^{x+da}, sets the session key K = H_K(K_A) and erases (x, K_A), where d = H(I_A‖A‖I_B‖B‖X).
On receiving A's message, B verifies A's identity, public key and certificate, and checks that X is an element of Z_p^* of order q other than 1. If verification fails, B aborts the protocol; otherwise user B computes K_B = X^b·A^{db}, sets the session key K = H_K(K_B) and erases K_B (B contributes no ephemeral exponent in this form; both values equal g^{b(x+da)}).
Protocol-3: execution steps with identity and key confirmation:
Round 1, A → B: {sid, I_A, A, CERT_A, X = g^x (mod p)};
where x is chosen at random from Z_q and X is called A's DH key component. On receiving A's message, B verifies A's identity, public key and certificate, and checks that X is an element of Z_p^*. If verification fails, B refuses to continue the protocol; otherwise the protocol proceeds to the next round.
Round 2, B → A: {sid, I_B, B, CERT_B, Y = g^y, MAC_{K_m}(0)};
where y is chosen at random from Z_q and Y is called B's DH key component. User B computes K_B = (X·A^d)^{ty+tcb} and checks K_B ≠ 1, then computes the MAC key K_m = H_K(K_B, 0) and MAC_{K_m}(0). Finally, user B sets the session key K = H_K(K_B, 1), erases (y, K_B) and proceeds to the next round. Here H_K(K_B, 0) denotes H_K(K_B‖0) and K = H_K(K_B, 1) denotes K = H_K(K_B‖1).
On receiving B's message, A verifies B's identity, public key and certificate, and checks that Y is an element of Z_p^*; if verification fails, A aborts the protocol. Otherwise user A computes K_A = (Y·B^c)^{tx+tda}, checks K_A ≠ 1, computes the MAC key K_m = H_K(K_A, 0) and verifies the correctness of MAC_{K_m}(0); if verification fails, user A aborts the protocol. Otherwise user A sets the session key K = H_K(K_A, 1), computes MAC_{K_m}(1), erases (x, K_A, K_m) and proceeds to the next round.
Round 3, A → B: {sid, MAC_{K_m}(1)};
On receiving A's message, B verifies the correctness of MAC_{K_m}(1); if verification fails, user B aborts the protocol. Otherwise B erases K_m and the protocol run completes.
3. The public-key-committing, concurrently unforgeable MQV key-exchange protocol according to claim 2, characterized in that Protocol-1, Protocol-2 and Protocol-3 have the following variants:
(1) In Protocol-1 and Protocol-3, the functions d and c may instead be set as d = H(I_A, A, I_B, B, X, Y), c = H(d); or d = H(I_A, A, X, I_B), c = H(I_B, B, Y, I_A); or d = H(A, X, Y, I_B), c = H(B, Y, X, I_A). Whichever setting is used, user A's public key A must be an input of the function d and user B's public key B must be an input of the function c;
(I_A, A) may be replaced by the hash value of user A's public-key certificate Cert_A, and (I_B, B) by the hash value of user B's public-key certificate Cert_B; or (I_A, A, I_B, B) may be replaced by the hash value of the concatenation of Cert_A, Cert_B and other cookies, random numbers and IP-address information exchanged before the protocol run, or by that concatenated information itself; and sid may be used as part of the inputs of the functions c and d;
(2) In Protocol-1 and Protocol-3, the factor t in the session-key and MAC-key computation may be omitted, i.e. K_A = (Y·B^c)^{x+da} and K_B = (X·A^d)^{y+cb}. In this case user B must check that X is an element of Z_p^* of order q other than 1, and user A must check that Y is an element of Z_p^* of order q other than 1; without the cofactor exponentiation this order check is what prevents a peer from submitting an element of small order outside the order-q subgroup;
(3) In the session-key and MAC-key computation of Protocol-1, Protocol-2 and Protocol-3, c and d may be included as part of the input of H_K;
(4) The order of the elements in the inputs of the hash functions H and H_K may be changed.
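The following Python is an added worked example, not part of the patent text or the inventors' code: it runs Protocol-1/Protocol-3 of claim 2 (two rounds plus the MAC key-confirmation round) and the one-round Protocol-2, with the public-key-committing c and d of claim 1 and the two validity checks of claim 3(2). The group (the 1024-bit MODP group of RFC 2409, a safe prime with t = 2), the instantiation of H and H_K as SHA-256 and of MAC as HMAC-SHA256, the length-prefixed encoding of ‖, and the omission of sid and certificate handling are assumptions not fixed by the patent.

```python
"""Protocol-1, Protocol-2 and Protocol-3 from the claims above, as an added example."""
import hashlib
import hmac
import secrets

# Group parameters (assumption, not given in the patent): the 1024-bit MODP group of
# RFC 2409, a safe prime p = 2q + 1 in which g = 2 generates the subgroup of order q.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2
G = 2
T = (P - 1) // Q  # cofactor t = (p-1)/q, here 2


def _enc(*parts):
    """Unambiguous encoding of 'a || b || ...': each part is length-prefixed (assumption)."""
    out = b""
    for v in parts:
        if isinstance(v, str):
            raw = v.encode()
        else:
            raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def H(*parts):
    """Hash to an exponent in Z_q for c and d; SHA-256 is an assumed instantiation."""
    return int.from_bytes(hashlib.sha256(_enc(*parts)).digest(), "big") % Q


def HK(*parts):
    """Key-derivation hash H_K (SHA-256, assumed)."""
    return hashlib.sha256(_enc(*parts)).digest()


def MAC(km, tag):
    """MAC_Km(tag), instantiated as HMAC-SHA256 (assumed)."""
    return hmac.new(km, bytes([tag]), hashlib.sha256).digest()


def in_zp_star(v):
    """The check Protocol-1/3 require when t is used: v is an element of Z_p^*."""
    return 1 <= v <= P - 1


def has_order_q(v):
    """The stricter check of claim 3(2), needed when t is omitted: v != 1 and v^q = 1 mod p."""
    return 1 < v < P and pow(v, Q, P) == 1


def keygen():
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)


def shared_secret(own_static, own_eph, own_exp, peer_pub, peer_eph, peer_exp):
    """K = (peer_eph * peer_pub^peer_exp)^{t(own_eph + own_exp*own_static)} mod p.
    Raising the base to t first forces it into the order-q subgroup, after which the
    remaining exponent may be reduced mod q. Returns None when K == 1 (must be rejected)."""
    base = peer_eph * pow(peer_pub, peer_exp, P) % P
    k = pow(pow(base, T, P), (own_eph + own_exp * own_static) % Q, P)
    return None if k == 1 else k


def run_protocol3(ida, idb):
    """One run of Protocol-3 (Protocol-1 plus the MAC key-confirmation round).
    Certificates are out of scope; the static keys are generated in place."""
    a, A = keygen()
    b, B = keygen()
    x, X = keygen()                       # round 1, A -> B: {sid, I_A, A, CERT_A, X}
    if not in_zp_star(X):
        return None
    y, Y = keygen()
    c = H(B, Y, ida)                      # c commits to B's public key
    d = H(A, X, idb)                      # d commits to A's public key
    KB = shared_secret(b, y, c, A, X, d)  # K_B = (X * A^d)^{t(y + cb)}
    if KB is None:
        return None
    km_b, K_b = HK(KB, 0), HK(KB, 1)
    mac0 = MAC(km_b, 0)                   # round 2, B -> A: {sid, I_B, B, CERT_B, Y, MAC_Km(0)}
    del y, KB                             # B erases (y, K_B) but keeps K_m for round 3
    if not in_zp_star(Y):
        return None
    KA = shared_secret(a, x, H(A, X, idb), B, Y, H(B, Y, ida))  # K_A = (Y * B^c)^{t(x + da)}
    if KA is None:
        return None
    km_a, K_a = HK(KA, 0), HK(KA, 1)
    if not hmac.compare_digest(mac0, MAC(km_a, 0)):
        return None
    mac1 = MAC(km_a, 1)                   # round 3, A -> B: {sid, MAC_Km(1)}
    del x, KA, km_a                       # A erases (x, K_A, K_m)
    confirmed = hmac.compare_digest(mac1, MAC(km_b, 1))
    return {"K_A": K_a, "K_B": K_b, "confirmed": confirmed}


def run_protocol2(ida, idb):
    """Protocol-2, the one-round form: B contributes only its static key, so A derives
    the key before sending and B must apply the order-q check to X."""
    a, A = keygen()
    b, B = keygen()
    x, X = keygen()
    d = H(ida, A, idb, B, X)
    K_a = HK(pow(B, x + d * a, P))                  # K_A = B^{x + da}
    if not has_order_q(X):
        return None
    K_b = HK(pow(X, b, P) * pow(A, d * b, P) % P)   # K_B = X^b * A^{db}
    return K_a, K_b
```

`run_protocol3("alice", "bob")` returns the two derived keys and whether both MACs verified; `has_order_q` rejects 1 and p-1, which `in_zp_star` alone would accept, which is why the patent pairs the t-less variant with the stricter check. Because A's public key enters d and B's enters c, substituting either party's static key changes the other side's exponent and the keys no longer agree.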
CNA200810032507XA 2007-10-23 2008-01-10 Public key promising concurrent MQV cryptographic key exchange protocol without being able to forging safety Pending CN101247224A (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CNA200810032507XA CN101247224A (en) 2008-01-10 2008-01-10 Public key promising concurrent MQV cryptographic key exchange protocol without being able to forging safety
PCT/CN2008/072794 WO2009056048A1 (en) 2007-10-23 2008-10-23 Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols
CN2008801222327A CN102017510B (en) 2007-10-23 2008-10-23 Method and structure for self-sealed joint proof-of-knowledge and Diffie-Hellman key-exchange protocols
US12/766,431 US8464060B2 (en) 2007-10-23 2010-04-23 Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols
HK11110843.5A HK1156750A1 (en) 2007-10-23 2011-10-12 Method and structure for self-sealed joint proof-of-knowledge and diffie- hellman key-exchange protocols

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA200810032507XA CN101247224A (en) 2008-01-10 2008-01-10 Public key promising concurrent MQV cryptographic key exchange protocol without being able to forging safety

Publications (1)

Publication Number Publication Date
CN101247224A true CN101247224A (en) 2008-08-20

Family

ID=39947456

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA200810032507XA Pending CN101247224A (en) 2007-10-23 2008-01-10 Public key promising concurrent MQV cryptographic key exchange protocol without being able to forging safety

Country Status (1)

Country Link
CN (1) CN101247224A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009056048A1 (en) * 2007-10-23 2009-05-07 Yao Andrew C Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009056048A1 (en) * 2007-10-23 2009-05-07 Yao Andrew C Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols
US8464060B2 (en) 2007-10-23 2013-06-11 Andrew C. Yao Method and structure for self-sealed joint proof-of-knowledge and diffie-hellman key-exchange protocols

Similar Documents

Publication Publication Date Title
CN102017510B (en) Method and structure for self-sealed joint proof-of-knowledge and Diffie-Hellman key-exchange protocols
KR102024531B1 (en) Apparatus and method for anonymity-based authentication and key agreement with message binding properties
US7908482B2 (en) Key confirmed authenticated key exchange with derived ephemeral keys
US7694141B2 (en) Extended authenticated key exchange with key confirmation
CN101247394A (en) Improved cryptographic key exchanging protocol
EP2120393A1 (en) Shared secret verification method
CN101626364A (en) Method for authentication for resisting secrete data disclosure and key exchange based on passwords
CN101175076B (en) High-efficiency, deniable, safety-unforgeable cryptographic key exchanging method of on-line computation
CN111447065B (en) Active and safe SM2 digital signature two-party generation method
CN101060530A (en) Repudiation Internet key exchange protocol
CN110278088A (en) A kind of SM2 collaboration endorsement method
CN102883325B (en) Authentication server, mobile terminal and end to end authentication communication channel method for building up
CN1260664C (en) Method for exchanging pins between users' computers
CN101116281A (en) Challenge-response signatures and secure diffie-hellman protocols
WO2022116176A1 (en) Method and device for generating digital signature, and server
CN101217549A (en) A SSH transport layer certification protocol of high efficiency, non-forging and without digital signature
CN101247224A (en) Public key promising concurrent MQV cryptographic key exchange protocol without being able to forging safety
CN101645870B (en) Method for exchanging secret key effectively and fairly
Bohli et al. Deniable group key agreement
CN101938491B (en) Password-based three-party key exchange method
Park et al. Classification of authentication protocols: A practical approach
US9054861B2 (en) Enhanced key agreement and transport protocol
Youn et al. Signcryption with fast online signing and short signcryptext for secure and private mobile communication
Ni et al. A pairing-free identity-based authenticated key agreement mechanism for sip
Martínez-Peláez et al. Efficient and secure dynamic ID-based remote user authentication scheme with session key agreement for multi-server environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080820