CN101383823B - Network resource access control method in reliable access - Google Patents
- Publication number: CN101383823B (application number CN2008101557286A)
- Authority
- CN
- China
- Prior art keywords
- terminal
- key
- resource
- resource owner
- access server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Abstract
The invention relates to an access control method for network resources in trusted access and belongs to the field of network communication. The method comprises the following steps: a trusted access server carries out system initialisation, key material distribution and resource access control. System initialisation of the trusted access server comprises creating an elliptic curve at random with the SEA algorithm and selecting a point $G$ on the curve at random as the first base point; key material distribution comprises key distribution for resource owners $s_t$ and key distribution for terminals $m_{t'}$; resource access control comprises a terminal $m_{t'}$ signing its request information with the private key $k_{t' \to t}$ when it accesses a resource owner $s_t$, and the resource owner $s_t$ verifying the terminal $m_{t'}$ with the public key $G_{s_t}$ and the second base point $G_{m_{t' \to t}}$ when it receives the request information. Only by passing this verification can the terminal $m_{t'}$ prove that it holds the private key $k_{t' \to t}$ and is therefore a terminal authorised by the trusted access server. The invention can effectively reduce the space a resource owner needs to store terminal information and at the same time reduce the cost of the verification computation.
Description
Technical field
The present invention relates to a network resource access control method, and in particular to a network resource access control method in trusted access; it belongs to the field of network communication.
Background technology
In recent years, with the spread of various access technologies, the number of network users has grown explosively. According to statistics of the China Internet Association, by the end of 2006 the number of Chinese netizens had reached 130 million, with an annual growth rate of 30%. The growth in the number of network users has also greatly increased the likelihood of security attacks on the network: hackers can easily spread viruses over computer networks, steal credit card numbers and exploit network vulnerabilities for commercial gain, which has brought about a large amount of network crime. According to data published by China's public security authorities, China handled nearly 30,000 network security crimes in 2005, with a direct economic loss of about 1,000,000,000 yuan. At the end of 2006 the Panda Burning Incense virus swept across the entire Internet in a short time and caused China economic losses of more than one hundred million yuan.
The key to solving network security problems is how to control access by illegitimate users effectively, so network operators have adopted various access authentication techniques to restrict the access of terminal nodes. The IETF NEA working group, however, holds that using traditional access authentication techniques alone is not enough, because malware may use an infected but legitimate terminal to attack the network. Several trusted access security technologies have therefore appeared. Their main idea is to start from the terminal: according to a security policy specified by the administrator, hosts accessing the network are checked for security, and unsafe hosts are automatically refused access until they comply with the network's security policy. Representative technologies at present include Cisco's Network Admission Control (NAC), Microsoft's Network Access Protection (NAP) and the Trusted Network Connect technology of the TNC group. The basic idea of these trusted access technologies is to perform integrity detection and assessment on the terminal, apply access control to the terminal on the basis of that assessment, and restrict the terminal's access to specific resources.
The primary goal of trusted access is access control of terminals. Access control is usually divided into two kinds of method. In the first, a shared key is configured between the accessed network resource and the terminal; the two sides authenticate each other with the shared key, and the terminal's access is controlled according to the authentication result. This method, however, requires terminal information to be configured on the network access device; when the network is large, the key distribution workload becomes very large, and so does the storage space needed for keys. The second is based on digital certificates: only a terminal user who can present a digital certificate may access a particular network resource. This method, however, must verify the digital certificate, which adds delay to access control, and transmitting the digital certificate also consumes extra bandwidth.
Summary of the invention
To solve the storage and verification-cost problems that existing trusted access control technologies face in large-scale networks, the present invention proposes a network resource access control method in trusted access.
A network resource access control method in trusted access, characterised in that it comprises the following steps:
Step 1: the trusted access server performs system initialisation, as follows:
(1) Create an elliptic curve $y^2 = x^3 + ax + b \pmod p$ at random with the SEA algorithm, and compute its order, the first prime number $n$;
(2) Choose a point $G$ on the elliptic curve as the first base point, by the following method:
A. Select a second prime number $G_x$ at random and let $x = G_x$;
B. Solve the equation $y^2 = x^3 + ax + b \pmod p$ for the corresponding $y$; the first base point is then $G = \langle x, y \rangle$;
where $p$ is an odd prime, $F_p$ is the finite field in the SEA algorithm, and the coefficients $a, b \in F_p$.
Step 2: key material distribution, comprising the key distribution of resource owner $s_t$ and the key distribution of terminal $m_{t'}$:
(1) Key distribution of resource owner $s_t$ comprises the steps:
A. For each resource owner $s_t \in S$, the trusted access server picks at random an integer $s_t \in Z_n$;
B. Compute the public key;
C. The trusted access server keeps the chosen integer $s_t$ as private information and distributes the public key to the corresponding resource owner $s_t$;
(2) Key distribution of terminal $m_{t'}$: for each terminal $m_{t'} \in M$, the trusted access server determines, according to the terminal's trust level, the set of resources it may access, $S' \subseteq S$; for each resource owner $s_t$ in the accessible resource set $S'$, the trusted access server performs the following operations:
A. Generate a random number $m_{t' \to t} \in Z_n$; because $n$ is prime, $\gcd(m_{t' \to t}, n) = 1$, so $m_{t' \to t}^{-1} \bmod n$ exists and can be computed with the extended Euclidean algorithm;
B. Compute the second base point;
C. Compute the private key $k_{t' \to t} = m_{t' \to t} \cdot s_t \bmod n$;
where $S$ is the set of all resources, $Z_n$ is the set of positive integers less than $n$, and $M$ is the set of terminals;
Step 3: resource access control comprises the steps:
(1) When terminal $m_{t'}$ needs to access resource owner $s_t$, terminal $m_{t'}$ sends a request message containing the second base point and the current computer time to resource owner $s_t$, and signs the request message with the private key $k_{t' \to t}$;
(2) After resource owner $s_t$ receives the request message sent by terminal $m_{t'}$, it verifies terminal $m_{t'}$ using the public key and the second base point; only a terminal $m_{t'}$ that passes verification can prove that it holds the private key $k_{t' \to t}$.
The private key $k_{t' \to t}$ is the key distributed to the terminal by the trusted access server.
Description of drawings
The present invention is a network resource access control method in trusted access: the trusted access server distributes one piece of key material to each resource owner and, according to a terminal's trust level, temporarily generates for the terminal an access token for the corresponding resource. Because each resource owner only needs to keep one piece of key material to verify the tokens of all terminals, in large-scale network communication this method can effectively reduce the space a resource owner uses to store terminal information while also reducing the verification cost.
Fig. 1: network resource accession controlling models figure;
Embodiment
In the figure, resource owner 1 denotes the resource owner labelled 1, ..., resource owner t denotes the resource owner labelled t; terminal 1 denotes the terminal labelled 1, ..., terminal t' denotes the terminal labelled t'.
The network resource access control model is shown in Fig. 1. The trusted access server is the security centre of the whole system and the network entity trusted by both resource owners and terminals; it is responsible for managing and distributing security material.
To implement this method, a security association must be established between the trusted access server and every resource owner and terminal; the trusted access server distributes key material to resource owners and terminals under the protection of these security associations. The trusted access server distributes one piece of key material to each resource owner and, according to a terminal's trust level, temporarily generates for the terminal an access token for the corresponding resource; only a terminal holding a legitimate token can access that resource.
The present invention proposes a network resource access control method in trusted access whose main steps are: the trusted access server performs system initialisation, key material distribution and resource access control. System initialisation by the trusted access server comprises two steps: creating an elliptic curve at random with the SEA algorithm, and picking a point $G$ on the elliptic curve at random as the base point. Key material distribution comprises two steps: key distribution of resource owner $s_t$ and key distribution of terminal $m_{t'}$. Resource access control comprises two steps: when terminal $m_{t'}$ accesses resource owner $s_t$, it signs the request message with the private key $k_{t' \to t}$, and when resource owner $s_t$ receives the request message, it verifies terminal $m_{t'}$ using the public key and the base point. Only a terminal $m_{t'}$ that passes verification can prove that it holds the private key $k_{t' \to t}$ and is thus a terminal authorised by the trusted access server. This achieves the purpose of effectively reducing the space a resource owner uses to store terminal information while also reducing the verification cost.
This method comprises the following detailed steps:
Step 1: the trusted access server performs system initialisation, as follows:
(1) Create an elliptic curve $y^2 = x^3 + ax + b \pmod p$ at random with the SEA algorithm, and compute its order, the first prime number $n$;
(2) Choose a point $G$ on the elliptic curve as the first base point, by the following method:
A. Select a second prime number $G_x$ at random and let $x = G_x$;
B. Solve the equation $y^2 = x^3 + ax + b \pmod p$ for the corresponding $y$; the first base point is then $G = \langle x, y \rangle$;
where $p$ is an odd prime, $F_p$ is the finite field in the SEA algorithm, and the coefficients $a, b \in F_p$.
Step 2: key material distribution, comprising the key distribution of resource owner $s_t$ and the key distribution of terminal $m_{t'}$:
(1) Key distribution of resource owner $s_t$ comprises the steps:
A. For each resource owner $s_t \in S$, the trusted access server picks at random an integer $s_t \in Z_n$;
B. Compute the public key (multiplication on the elliptic curve is carried out by repeated point addition);
C. The trusted access server keeps the chosen integer $s_t$ as private information and distributes the public key to the corresponding resource owner $s_t$;
(2) Key distribution of terminal $m_{t'}$: for each terminal $m_{t'} \in M$, the trusted access server determines, according to the terminal's trust level, the set of resources it may access, $S' \subseteq S$; for each resource owner $s_t$ in the accessible resource set $S'$, the trusted access server performs the following operations:
A. Generate a random number $m_{t' \to t} \in Z_n$; because $n$ is prime, $\gcd(m_{t' \to t}, n) = 1$ (that is, the greatest common divisor of the first prime $n$ and the random number $m_{t' \to t}$ is 1), so $m_{t' \to t}^{-1} \bmod n$ exists and can be computed with the extended Euclidean algorithm;
B. Compute the second base point;
C. Compute the private key $k_{t' \to t} = m_{t' \to t} \cdot s_t \bmod n$;
where $S$ is the set of all resources, $Z_n$ is the set of positive integers less than $n$, and $M$ is the set of terminals;
From the relation defining the public key it follows that the public key and the private key $k_{t' \to t}$ form the public/private key pair used when terminal $m_{t'}$ accesses resource owner $s_t$;
Step 3: resource access control comprises the steps:
(1) When terminal $m_{t'}$ needs to access resource owner $s_t$, terminal $m_{t'}$ sends a request message containing the second base point and the current computer time to resource owner $s_t$, and signs the request message with the private key $k_{t' \to t}$;
(2) After resource owner $s_t$ receives the request message sent by terminal $m_{t'}$, it verifies terminal $m_{t'}$ using the public key and the second base point; only a terminal $m_{t'}$ that passes verification can prove that it holds the private key $k_{t' \to t}$.
The private key $k_{t' \to t}$ is the key distributed to the terminal by the trusted access server; other nodes cannot obtain the private key $k_{t' \to t}$ and therefore cannot sign with it. Hence every terminal that passes verification is a terminal authorised by the trusted access server.
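The three steps above, as an added worked example in Python (this is not code from the patent or its applicant). Because the page shows the public key and the second base point only as images, the example assumes the public key is $s_t \cdot G$ and the second base point is $m_{t' \to t}^{-1} \cdot G$, so that $k_{t' \to t}$ times the second base point equals the public key; it also assumes a Schnorr-style signature over the second base point, since the page names no signature algorithm. The SEA point-counting algorithm is replaced by brute-force counting on a toy prime, which is only practical at this size; the curve, keys, request text and timestamps are all constructed.

```python
# Added example, not the patent's own code: a toy model of its three steps (curve
# setup, key-material distribution, signed-request check). Assumed, because the
# page's formulas are images: public key = s_t*G, second base point = m^-1 * G (so
# k * second base point = s_t*G), and a Schnorr-style signature over that base point.
import hashlib
import secrets

def is_prime(n):
    return n >= 2 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def inverse_mod(x, n):
    """x^-1 mod n by the extended Euclidean algorithm; exists because n is prime (gcd 1)."""
    r0, r1, s0, s1 = n, x % n, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    return s0 % n

def curve_order(p, a, b):
    """Points on y^2 = x^3 + ax + b over F_p, infinity included (brute force, not SEA)."""
    count = 1
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        count += 1 if rhs == 0 else 2 * (pow(rhs, (p - 1) // 2, p) == 1)
    return count

def ec_add(c, P, Q):
    """Affine point addition on curve c; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    p, (x1, y1), (x2, y2) = c["p"], P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = (3 * x1 * x1 + c["a"]) * inverse_mod(2 * y1, p) % p
    else:
        lam = (y2 - y1) * inverse_mod(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(c, k, P):  # double-and-add: curve multiplication is repeated addition
    R = None
    while k:
        if k & 1:
            R = ec_add(c, R, P)
        P, k = ec_add(c, P, P), k >> 1
    return R

def setup(p=10007):
    """Step 1: random non-singular curve of prime order n; base point G with prime x."""
    while True:  # toy prime p = 3 (mod 4), so the square root below is a single pow()
        a, b = secrets.randbelow(p), secrets.randbelow(p)
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            continue
        n = curve_order(p, a, b)
        if is_prime(n):
            break
    c = {"p": p, "a": a, "b": b, "n": n}
    while True:
        x = secrets.randbelow(p)
        rhs = (x ** 3 + a * x + b) % p
        if is_prime(x) and pow(rhs, (p - 1) // 2, p) == 1:  # x prime, rhs a square
            c["G"] = (x, pow(rhs, (p + 1) // 4, p))
            return c

def owner_keygen(c):
    """Step 2(1): the server keeps s_t and gives the owner only the public key s_t*G."""
    s = 1 + secrets.randbelow(c["n"] - 1)
    return s, ec_mul(c, s, c["G"])

def terminal_keygen(c, s):
    """Step 2(2), per (terminal, owner) pair: random m, second base point, k = m*s mod n."""
    m = 1 + secrets.randbelow(c["n"] - 1)
    return (m * s) % c["n"], ec_mul(c, inverse_mod(m, c["n"]), c["G"])

def hash_to_int(c, *parts):
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest, "big") % c["n"]

def sign_request(c, k, base, msg):
    """Step 3(1): sign the request with k over the second base point."""
    r = 1 + secrets.randbelow(c["n"] - 1)
    R = ec_mul(c, r, base)
    return R, (r + hash_to_int(c, R, base, msg) * k) % c["n"]

def verify_request(c, pub, base, msg, sig):
    """Step 3(2): the owner checks with its one public key and the base point sent."""
    R, s = sig
    return ec_mul(c, s, base) == ec_add(c, R, ec_mul(c, hash_to_int(c, R, base, msg), pub))

def demo(num_terminals=3):
    """One owner verifying several terminals, plus an unauthorised signer for each."""
    c = setup()
    s, pub = owner_keygen(c)  # the owner stores only pub, however many terminals exist
    out = []
    for i in range(num_terminals):
        k, base = terminal_keygen(c, s)
        msg = f"G2={base};time={1223424000 + i}"  # constructed request: base point + clock
        bogus = (k + 1 + secrets.randbelow(c["n"] - 2)) % c["n"]  # any key other than k
        out.append({"pair_ok": ec_mul(c, k, base) == pub,  # k * (m^-1 * G) == s_t * G
                    "accepted": verify_request(c, pub, base, msg, sign_request(c, k, base, msg)),
                    "forged": verify_request(c, pub, base, msg, sign_request(c, bogus, base, msg))})
    return out
```

`demo()` returns, for each terminal, whether its key pair is consistent with the owner's public key, whether its signed request is accepted, and whether a signer holding any other key is rejected. The single `pub` value is everything the owner keeps, whatever the number of terminals, which is the storage saving the description claims; each terminal's own material (the second base point and $k_{t' \to t}$) is issued per terminal-owner pair by the server.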
Claims (1)
1. A network resource access control method in trusted access, characterised in that it comprises the following steps:
Step 1: the trusted access server performs system initialisation, as follows:
(1) Create an elliptic curve $y^2 = x^3 + ax + b \pmod p$ at random with the SEA algorithm, and compute its order, the first prime number $n$;
(2) Choose a point $G$ on the elliptic curve as the first base point, by the following method:
A. Select a second prime number $G_x$ at random and let $x = G_x$;
B. Solve the equation $y^2 = x^3 + ax + b \pmod p$ for the corresponding $y$; the first base point is then $G = \langle x, y \rangle$;
where $p$ is an odd prime, $F_p$ is the finite field in the SEA algorithm, and the coefficients $a, b \in F_p$.
Step 2: key material distribution, comprising the key distribution of resource owner $s_t$ and the key distribution of terminal $m_{t'}$:
(1) Key distribution of resource owner $s_t$ comprises the steps:
A. For each resource owner $s_t \in S$, the trusted access server picks at random an integer $s_t \in Z_n$;
B. Compute the public key;
C. The trusted access server keeps the chosen integer $s_t$ as private information and distributes the public key to the corresponding resource owner $s_t$;
(2) Key distribution of terminal $m_{t'}$: for each terminal $m_{t'} \in M$, the trusted access server determines, according to the terminal's trust level, the set of resources it may access, $S' \subseteq S$; for each resource owner $s_t$ in the accessible resource set $S'$, the trusted access server performs the following operations:
A. Generate a random number $m_{t' \to t} \in Z_n$; because $n$ is prime, $\gcd(m_{t' \to t}, n) = 1$, so $m_{t' \to t}^{-1} \bmod n$ exists and can be computed with the extended Euclidean algorithm;
B. Compute the second base point;
C. Compute the private key $k_{t' \to t} = m_{t' \to t} \cdot s_t \bmod n$;
where $S$ is the set of all resources, $Z_n$ is the set of positive integers less than $n$, and $M$ is the set of terminals;
Step 3: resource access control comprises the steps:
(1) When terminal $m_{t'}$ needs to access resource owner $s_t$, terminal $m_{t'}$ sends a request message containing the second base point and the current computer time to resource owner $s_t$, and signs the request message with the private key $k_{t' \to t}$;
(2) After resource owner $s_t$ receives the request message sent by terminal $m_{t'}$, it verifies terminal $m_{t'}$ using the public key and the second base point; only a terminal $m_{t'}$ that passes verification can prove that it holds the private key $k_{t' \to t}$.
The private key $k_{t' \to t}$ is the key distributed to the terminal by the trusted access server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2008101557286A CN101383823B (en) | 2008-10-08 | 2008-10-08 | Network resource access control method in reliable access |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2008101557286A CN101383823B (en) | 2008-10-08 | 2008-10-08 | Network resource access control method in reliable access |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101383823A CN101383823A (en) | 2009-03-11 |
CN101383823B true CN101383823B (en) | 2011-03-23 |
Family
ID=40463445
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2008101557286A Expired - Fee Related CN101383823B (en) | 2008-10-08 | 2008-10-08 | Network resource access control method in reliable access |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101383823B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102984256B (en) * | 2012-11-28 | 2015-07-15 | 中国科学院计算技术研究所 | Processing method and system for metadata based on authorization manner |
CN104052721A (en) * | 2013-03-15 | 2014-09-17 | 南京理工大学常熟研究院有限公司 | Multi-internet integrated video security access system |
CN106385593B (en) * | 2016-09-14 | 2019-05-17 | 武汉斗鱼网络科技有限公司 | The statistical method and system of live streaming number are watched while based on elliptic curve |
CN114124944A (en) * | 2020-08-27 | 2022-03-01 | 阿里巴巴集团控股有限公司 | Data processing method and device of hybrid cloud and electronic equipment |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1599316A (en) * | 2004-09-17 | 2005-03-23 | 叶润国 | Asymmetic identification scheme and long-distance access safety protocol |
CN101079891A (en) * | 2007-06-15 | 2007-11-28 | 清华大学 | Wireless switching network re-authentication method based on wireless LAN secure standard WAPI |
CN101136928A (en) * | 2007-10-19 | 2008-03-05 | 北京工业大学 | Reliable network access framework |
CN101232378A (en) * | 2007-12-29 | 2008-07-30 | 西安西电捷通无线网络通信有限公司 | Authentication accessing method of wireless multi-hop network |
Events
- 2008-10-08 CN CN2008101557286A patent/CN101383823B/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN101383823A (en) | 2009-03-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111639361B (en) | Block chain key management method, multi-person common signature method and electronic device | |
JP7289298B2 (en) | Computer-implemented system and method for authorizing blockchain transactions using low-entropy passwords | |
Ruffing et al. | Liar, liar, coins on fire! Penalizing equivocation by loss of bitcoins | |
Tsai et al. | Novel anonymous authentication scheme using smart cards | |
US9495668B1 (en) | Computing solutions to a problem involving inversion of a one-way function | |
CN107483212A (en) | A kind of method of both sides' cooperation generation digital signature | |
CN110800250A (en) | Controlled distribution of encrypted private keys | |
CN104954390B (en) | It can restore the cloud storage integrality detection method and system of Lost Security Key | |
CN110830244B (en) | Anti-quantum computing Internet of vehicles method and system based on identity secret sharing and alliance chain | |
CN102546173B (en) | Digital signature system and signature method based on certificate | |
Shafeeq et al. | Curbing address reuse in the iota distributed ledger: A cuckoo-filter-based approach | |
CN104301108A (en) | Signcryption method based from identity environment to certificateless environment | |
CN112668028B (en) | Intelligent data quick encryption transmission system based on block chain | |
CN113393225B (en) | Digital currency encryption payment method and system | |
CN110599342A (en) | Block chain-based identity information authorization method and device | |
CN114580029A (en) | Block chain digital asset privacy protection method, device, equipment and storage medium | |
CN103916393B (en) | Cloud data-privacy protection public's auditing method based on symmetric key | |
CN108400962A (en) | A kind of Authentication and Key Agreement method under multiserver framework | |
Luo et al. | A security communication model based on certificateless online/offline signcryption for Internet of Things | |
CN108390866A (en) | Trusted remote method of proof based on the two-way anonymous authentication of dual-proxy | |
Xue et al. | DStore: A distributed system for outsourced data storage and retrieval | |
He et al. | A novel cryptocurrency wallet management scheme based on decentralized multi-constrained derangement | |
CN101383823B (en) | Network resource access control method in reliable access | |
Xu et al. | Efficient certificateless designated verifier proxy signature scheme using UAV network for sustainable smart city | |
CN107248997A (en) | Authentication method based on smart card under environment of multi-server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
C17 | Cessation of patent right | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20110323 Termination date: 20131008 |