CN101431414A - Authentication group key management method based on identity - Google Patents

Abstract

The present invention discloses a identity-based authentication group key management method which comprises the following steps: embedding ID into key with bilinear pairing in elliptic curve; generating C<SUB>i</SUB> as part of main key u<SUB>i</SUB> according to the secret key and ID of group member u<SUB>i</SUB> by key generating center, and transmitting the C<SUB>i</SUB> to u<SUB>i</SUB> through overt channel; generating main key according to C<SUB>i</SUB> and its own secret key by each group member u<SUB>i</SUB>; calculating overt key verification information according to Hash value of main key and over key by each group member, and broadcasting the link between over key and verification information inside the group; calculating the secret value sharing with left and right neighbors when the received information is verified to be true by each group member, and calculating the group member information X<SUB>i</SUB> included in group session key according to the secret value, and then broadcasting the X<SUB>i</SUB> inside the group; calculating group session key K according to all X<SUB>j</SUB>, j=1, ...,n, by each group member. The invention has the advantages of no key escrow and no need of secure channel, which can be applied in coordination and distributed network as secure reliable group communication.

Description

Authentication group key management method based on identity

Technical field

The present invention relates to the network security technology field, specifically, be that a kind of authentication group key based on identity is shared and management method, be used in collaborative and distributed network carries out safe and reliable group communication in using, as multicast, audio-video conferencing, network cooperating recreation.

Background technology

Known in the industry, in many collaborative and distributed networks were used, as multicast, audio-video conferencing, network cooperating recreation, safe and reliable group communication was a key issue.The cluster conversation key is shared and management can finely address this problem.The basic security service that secure group communication system provides comprises data security, integrality, member authentication and access control.Realization is that the message of group is encrypted to the common method that adopts of the limiting access of information.If all group members are all shared a common key, just can realize these security services very easily, this cipher key shared is called as group key.The mechanism of generation, distribution and the updating maintenance of research group key is the subject matter that group key management mechanism needs solution.

Realize authentication property, can simplify the key distribution process greatly based on the system of PKIX PKI relatively based on the authentication mechanism of identity.Chinese scholars has proposed many methods in this respect, and main problem concentrates on following several respects: (1) generates between center KGC and the group membership at key needs to exist in advance a safe lane, and this is a very harsh requirement in practice;

(2) have recessive key escrow, this point is undesirable sometimes; (3) cipher key agreement process generally needs O (n 1gn) or the communication of O (n) wheel, and the network service burden is bigger; (4) calculating validity is relatively poor, generally needs O (n 1gn) or the inferior pairing computing of O (n).

Summary of the invention

The object of the invention is to avoid above-mentioned technical deficiency, propose a kind of efficient, practical share and the method for management, share to realize group key low communication expense and low computing cost, that do not need safe lane and do not have a key escrow based on the authentication group key.

For achieving the above object, technical process of the present invention is as follows:

(1) key generates center KGC and moves the group G of BDH parameter generator generation rank for first prime number q with all group memberships ₁, second group G that rank are prime number q ₂With bilinearity mapping e:G ₁* G ₁→ G ₂

(2) key generates center KGC and selects secret keys and the open parameter of oneself, and generates the open key of oneself, will disclose parameter and announce to all group memberships with open key;

(3) each group membership u _i, i=1 ..., n selects oneself secret keys si and secret parameter

According to secret keys and the identify label ID of oneself _iGenerate open key Q _i

(4) key generates center KGC secret keys and each group membership u according to oneself _i, i=1 ..., n, identify label ID _iGenerate u _iA part of C of master key _i, and by overt channel with this C _iSend to group membership u _i

(5) each group membership u _i, i=1 ..., n is according to the secret keys s of oneself _iAnd secret parameter

Generate the master key of oneself $k_i=C_i+s_i{h}_i^{\&prime;}{P}_i^{\&prime;},$ Wherein $P_i^{\&prime;}=H_1\left({\mathrm{ID}}_i\right),$ H ₁Be to be mapped to second group G from the 0 and 1 bit sequence set of forming ₂H ash function;

(6) each group membership u _i, i=1 ..., n is according to the master key k of oneself _iWith the open key Q of oneself _iHash value h _iComposition is to open key Q _iAuthorization information T _i=s _iP _Pub+ h _ik _i, and key Q will be disclosed _iWith this authorization information T _iLink is broadcast to every other group membership, wherein P _PubBe the open key that key generates center KGC, this is first round broadcasting;

(7) each group membership u _i, i=1 ..., n receives its left neighbours u _I-1With right neighbours u _I+1First round broadcast after, the authenticity of checking broadcast if real, is calculated the secret median L that itself and left neighbours share earlier _iAnd the secret median of sharing with right neighbours

Calculate this group membership's who is comprised in the cluster conversation key information X again according to these two medians _i, and broadcast this X _i, this is second to take turns broadcasting;

(8) each group membership u _i, i=1 ..., n is according to the X that calculates _iAnd the message X of every other group membership's broadcasting of receiving _j, j=1 ..., n, j ≠ i calculates the cluster conversation key K of this session;

(9) if the member leaves arbitrarily, this member's left neighbours and right neighbours delete them respectively and leave the secret median that the member shares, and share new secret median, group membership u again by two side's key agreement protocols _j, j=1 ..., n-1, this group membership's who is comprised in the calculating cluster conversation key information X _j, and broadcast this X _j, execution in step (8) again;

(10) if newcomer u is arranged _N+1Add this newcomer u _N+1By two side's key agreement protocols, respectively with n member u _nWith the 1st member u ₁The shared secret median, group membership u _j, j=1 ..., n+1 calculates this group membership's who is comprised in the cluster conversation key information X separately _j, and at this X of broadcasting _jBack execution in step (8).

The present invention has following advantage:

(1) the present invention respectively has a part of information of secret keys, thereby has avoided key escrow because group membership's secret keys is produced jointly by KGC and member, and secret keys has only group membership oneself to have.

(2) the present invention can send by overt channel, so not need between KGC and the group membership to have safe lane in advance because key generates the not need to be keep secret of key that center KGC sends to the group membership, has solved in the application process a very stubborn problem;

(3) the present invention has stopped any illegal person without the KGC approval and has added cluster conversation owing in the identity information embedded key with the group membership, make key both be used for encrypting and also be used for authentication.

(4) compare existing method, the present invention has improvement greatly on the amount of calculation and the traffic, has only two-wheeled broadcasting in its key distribution process, and the broadcasting of group key distribution approach before wheel number or and number of users be directly proportional, or and the logarithm of number of users be directly proportional; On calculating with the present invention based on the binary addition, each user only needs respectively to calculate 5 pairing computings, and scheme generally all needs to match in a large number computing before, O (n 1g n) or O (n).

Prove through theoretical derivation that the inventive method is a forward secrecy under DBDH hypothesis and CDH hypothesis.

Description of drawings

Fig. 1 is that the authentication group key based on identity of the present invention is shared the step schematic diagram;

Fig. 2 is that new group key was shared the step schematic diagram again after any group membership of the present invention left group;

Fig. 3 is that new group membership of the present invention adds the shared again step schematic diagram of the new group key in back.

Embodiment

One, applied mathematical theory of the present invention and technical term explanation:

1, Hash function

The Hash function is exactly a kind of function that long arbitrarily input message is varied to the output message of fixed length, and this output is called the hash value of this message.The Hash function of a safety should satisfy following condition at least; 1. importing length is arbitrarily; 2. export length and fix, it is long generally to get 128bits at least, so that the opposing birthday attack; 3. to each given input, can calculate its output, i.e. hash value at an easy rate; The description of 4. given Hash function, finding two different input message Hash is that calculating is gone up infeasible to same value, or the description of given Hash function and a message of selecting at random, find another message different with this message, make their Hash to same value be calculate go up infeasible.The Hash function is mainly used in completeness check and improves the validity of digital signature.

Have three Hash functions among the present invention, H1:{0 wherein, 1} ^*→ G ₁, be to be mapped to crowd G from the 0 and 1 bit sequence set of forming ₁H ₂: 0,1} ^*→ Z _q, be to be mapped to addition cyclic group Z from the 0 and 1 bit sequence set of forming _qH:G ₂→ 0,1} ^m, from group G ₂Being mapped to by 0 and 1 length of forming is the bit sequence set of m, and m is a positive integer.

2, tolerable bilinearity mapping

If mapping e:G ₁* G ₁→ G ₂Satisfy following conditions and just be called the mapping of tolerable bilinearity:

(1) bilinearity.For any P, Q, R ∈ G ₁And α, β ∈ Z _qHave:

e(αP+βQ，R)＝e(P，R) ^αe(Q，R) ^β

e(R，αP+βQ)＝e(R，P) ^αe(R，Q) ^β’

Especially

e(αP，βQ)＝e(P，Q) ^αβ，

G wherein ₁Be that rank are the module of q, G ₂Be that rank are the multiplicative group of q, at G ₁, G ₂In to find the solution discrete logarithm be difficult.

(2) non-degeneracy: e is the non-trivial mapping, and promptly e can be G ₁* G ₁In all units all be mapped to G ₂Identical element on.

(3) computability: to P arbitrarily, Q ∈ G ₁, exist effective algorithm computation e (P, Q).

The bilinearity mapping can be matched by pairing of the Weil on the super unusual elliptic curve or Tate and be constructed.

3, relevant technologies term

(1) KGC, key generates the center.In the cryptographic system based on identity, user's secret keys will be generated and be sent to the user by safe lane by KGC, and this can introduce two safety defects: 2. 1. Yin Xing key escrow needs safe lane between KGC and the user.The present invention has avoided this shortcoming of cryptographic system based on identity.

(2) pairing computing, i.e. bilinearity mapping e:G ₁* G ₁→ G ₂, with module G ₁In two units be that two points on the elliptic curve are mapped to multiplicative group G ₂In.

(3) CDH generator

The CDH generator is a probability polynomial time algorithm, operates in the polynomial time, and the output rank are the module G of q.

(4) BDH generator

The BDH generator is a probability polynomial time algorithm, operates in the polynomial time, exports two module G that rank are q ₁And G ₂, and a tolerable bilinearity mapping e:G ₁* G ₁→ G ₂

(5) DBDH problem is promptly for group G ₁In random element Y and Z _q ^*In random element a, b, c, d, distinguish five-tuple (Y, aY, bY, cY, e (Y, Y) ^Abc) and (Y, aY, bY, cY, e (Y, Y) ^d) be difficult.

Two, specific implementation of the present invention

With reference to Fig. 1, the present invention is divided into that the authentication group key is shared, the member leaves the back group key shares and the newcomer adds the back group key shares three parts again again, and concrete steps are as follows:

(1) authentication group key of the present invention is shared step

Step 1, key generation center KGC and all group memberships move the BDH parameter generator and generate the group G that first rank are prime number q ₁, second group G that rank are prime number q ₂With bilinearity mapping e:G ₁* G ₁→ G ₂

Step 2, KGC selects secret keys and open parameter, generates oneself open key, and will disclose parameter and disclose key and announce to all group memberships.

(2.1) key generates center KGC and selects the random secret key s ∈ Z of oneself _q ^*, P ∈ G ₁Be crowd G ₁Generator, Z _q ^*Be the multiplication loop group of mould q;

(2.2) KGC calculates open key P according to its oneself secret keys _Pub=sP, open parameter is { e, G ₁, G ₂, q, P, P _Pub, H, H ₁, H ₂, Hash function H wherein ₁: 0,1} ^*→ G ₁, Hash function H ₂: 0,1} ^*→ Z _q, Hash function H:G ₂→ 0,1} ^m, m is a positive integer.

Step 3, each group membership u _i, i=1 ..., n selects oneself secret keys s _iAnd secret parameter

According to secret keys and the identify label ID of oneself _iGenerate open key Q _i

(3.1) each group membership u _iSelect s _i∈ Z _q ^*As the secret keys of oneself, select the random secret number $h_i^{\&prime;}\&Element;{Z_q}^{*};$

(3.2) each group membership u _iCalculate identity information P _i=H ₁(sessionID, ID _i), u then _iOpen key be Q _i=s _iP _i, wherein sessionID is the session identification of this session, ID _iBe group membership u _iIdentify label, the order $W_i=h_i^{\&prime;}P,$ W _iIt is open parameter.

Step 4, key generate center KGC secret keys and each group membership u according to oneself _i, i=1 ..., the identify label ID of n _iGenerate u _iA part of C of master key _i, and by overt channel with this C _iSend to this group membership u _i

(4.1) KGC calculates each group membership u of group _i, i=1 ..., the identify label ID of n _iHash value P _i=H ₁(sessionID, ID _i);

(4.2) KGC calculates C _i=sP _i, i=1 ..., n sends C by overt channel _iGive group membership u _i

Step 5, each group membership u _i, i=1 ..., n is according to the secret keys s of oneself _iAnd secret parameter

Generate the master key of oneself.

(5.1) each group membership u _i, i=1 ..., n, that part of oneself in the computation key

Wherein $P_i^{\&prime;}=H_1\left({\mathrm{ID}}_i\right)$ Be u _iIdentify label ID _iHash value;

(5.2) each group membership u _i, i=1 ..., n calculates the master key of oneself $k_i=C_i+s_i{h}_i^{\&prime;}{P}_i^{\&prime;}.$ If $R_i=h_i^{\&prime;}{P}_i^{\&prime;},$ $Q_i^{\&prime;}=s_i{P}_i^{\&prime;}.$

Step 6, each group membership u _i, i=1 ..., n is according to the master key k of oneself _iWith oneself open key Q _iHash value h _iComposition is to open key Q _iAuthorization information T _i, and key Q will be disclosed _iWith this authorization information T _iLink is broadcast to every other group membership, and this is first round broadcasting.

(6.1) each group membership u _iCalculate oneself open key Q _iHash value h _i=H ₂(Q _i);

(6.2) each group membership u _iCalculating oneself open key Q _iHash value after, calculate open key Q again _iAuthorization information T _i=s _iP _Pub+ h _ik _i=s _iP _Pub+ h _iSP _i+ s _ih _iR _i, P wherein _PubBe the open key that key generates center KGC, s _iBe u _iSecret keys, k _iBe u _iMaster key, H ₂Be to be mapped to crowd Z from the 0 and 1 bit sequence set of forming _qOn the Hash function.

(6.3) broadcasting＜Q _i, T _iTo every other group membership.

Step 7, each group membership u _i, i=1 ..., n receives its left neighbours u _I-1With right neighbours u _I+1First round broadcast after, the authenticity of checking broadcast if real, is calculated the secret median L that itself and left neighbours share earlier _iAnd the secret median of sharing with right neighbours

Calculate this group membership's who is comprised in the cluster conversation key information X again according to these two medians _i, and broadcast this X _i, this is second to take turns broadcasting;

(7.1) each group membership u _i, i=1 ..., n receives broadcast＜Q of its left neighbours _I-1, T _I-1, broadcast＜Q of the first right neighbours _I+1, T _I+1And broadcast＜Q of the second right neighbours _I+2, T _I+2Afterwards, whether set up to verify whether the broadcast of receiving is true by following equation: $e({\mathrm{\&Sigma;}}_{l\&Element;\{-\mathrm{1,1,2}\}}{T}_{i+l},P)=e({\mathrm{\&Sigma;}}_{l\&Element;\{-\mathrm{1,1,2}\}}(Q_{i+l}+h_{i+l}{P}_{i+l}),P_{\mathrm{pub}})\&CenterDot;e({\mathrm{\&Sigma;}}_{l\&Element;\{-\mathrm{1,1,2}\}}\left(h_{i+l}{Q}_i^{\&prime;}\right),W_i)$ In the formula, e is the mapping of tolerable bilinearity, and { 1,1,2} is the summation variable to l ∈, and P is crowd G ₁Generator, P _PubBe the open key that key generates center KGC,

And W _iBe u _iOpen parameter, Q _I+l, be group membership u _I+l, open key, T _I+l, be to open key Q _I+l, authorization information, h _I+lBe open key Q _I+lHash value, P _I+l, be session identification and group membership u _I+lThe hash value of identify label, this hash value is represented u _I+lIdentity information.

(7.2) if above-mentioned equation is set up, the left and right sides neighbours' that then received broadcast is real, each group membership u _i, i=1 ..., n, the secret keys s of utilization earlier oneself _iOpen key Q with its left neighbours _I-1With and right neighbours' open key Q _I+1Calculate the secret median L that itself and left neighbours share _i,

L _i＝e(s _iQ _i-1，Q _i+1)，

Utilize the secret keys s of oneself again _iOpen key Q with its first right neighbours _I+1With and the second right neighbours' open key Q _I+2Calculate the secret median that it and right neighbours share

$L_i^{\&prime;}=e(s_i{Q}_{i+2},Q_{i+1}),$

Obviously, $L_i^{\&prime;}=L_{i+1},$ L wherein _I+1Be group membership u _I+1With his left neighbours, i.e. u _i, the secret median of sharing;

(7.3) each group membership u _i, i=1 ..., n, the secret median L that shares according to itself and left neighbours of aforementioned calculation _iAnd the secret median of sharing with right neighbours

Calculate this group membership's who is comprised in the cluster conversation key information X _i,

$X_i=H(L_i,\mathrm{sessionID})\&CirclePlus;H(L_i^{\&prime;},\mathrm{sessionID}),$

Wherein

Be that mould 2 adds, sessionID is the session identification of this session, H:G ₂→ 0,1} ^m, be from group G ₂Being mapped to by 0 and 1 length of forming is Hash function in the bit sequence set of m.

Step 8, each group membership u _i, i=1 ..., n is according to the X that calculates _iAnd the message X of every other group membership's broadcasting of receiving _j, j=1 ..., n, j ≠ i calculates the cluster conversation key K of this session.

(8.1) each group membership u _i, i=1 ..., n, receive the broadcast that every other member second takes turns after, according to the X that calculates _i, the every other group membership broadcasting of receiving message X _j, j=1 ..., n, j ≠ i, with and the secret median L that shares with right neighbours _i' and session identification sessionID calculate n share B of cluster conversation key _j, j=1 ..., n,

Wherein when j 〉=i:

$B_i=H(L_i^{\&prime;},\mathrm{sessionID})$

$B_{i+1}=X_{i+1}\&CirclePlus;B_i$

$B_{i+2}=X_{i+2}\&CirclePlus;B_{i+1}$

$B_n=X_n\&CirclePlus;B_{n-1}$

And when j＜i:

$B_{i-1}=X_i\&CirclePlus;B_i$

$B_{i-2}=X_{i-1}\&CirclePlus;B_{i-1}$

${\mathrm{<figure-callout\; id="1"\; label="B"\; filenames="A200810232657E00171.png"\; state="\{\{state\}\}">B</figure-callout>}}_1=X_2\&CirclePlus;B_2$

(8.2) each group membership u _iCompare B _I-1Whether equal H (L _i, sessionID),, go up other members second wrong or that receive and take turns broadcasting X otherwise then may exist to calculate if equate then carry out next step _j, j=1 ..., n, j ≠ i, therefore earlier message is distorted or is forged, and checks the mistake whether aforementioned calculation exists, and if calculate errorlessly, the broadcast of then receiving is distorted or is forged, and should stop carrying out;

(8.3) each group membership u _i, i=1 ..., n calculates and shares cluster conversation key K=H (B ₁‖ B ₂‖ ... ‖ B _n), wherein, " ‖ represents the splicing of two Bit Strings.

Above step 1 to step 5 is an initialization procedure, and step 6 to step 8 is the group key shared procedure.

(2) member of the present invention leaves the shared again step of back group key

The present invention supports dynamic group, promptly has the member to leave with the newcomer at any time and adds.

Step 9, with reference to Fig. 2, group membership u _kLeave group, all the other group members are shared new group key again.

(9.1) all the other members change into (n-1) with the group member number;

(9.2) group membership u _K-1Delete it and u _kThe secret value of sharing

Group membership u _K+1Delete it and u _kThe secret value L that shares _K+1

(9.3) u then _K-1And u _K+1By two side's key agreement protocols, as the DH agreement, share a new secret value S, order $L_{k-1}^{\&prime;}=S$ And L _K+1=S;

(9.4) all group membership u after the k member _jThe index value that changes them is (j-1);

(9.5) each member begins to carry out key from step (7.3) and shares agreement and regain new group key.

(4) newcomer of the present invention adds the shared again step of back group key

Step 10, with reference to Fig. 3, the newcomer adds in the group by n member composition, and all group memberships comprise initiate member, share new cluster conversation key.

(10.1) newcomer is u _N+1, it is by two side's key agreement protocol and u _nShare L _N+1, by two side's key agreement protocol and u ₁Share

(10.2) u ₁With L ₁Change into and u _N+1The secret value of sharing

(10.3) last, each member begins to carry out the shared agreement of key from step (7.3) and regains new group key.

Fail safe of the present invention can further specify by following simple and clear theoretical proof:

Forward secrecy is that the leakage of user's master key can not constitute a threat to the fail safe of before this cluster conversation key.

Forward security of the present invention is based on addition cyclic group G ₁In find the solution the difficulty of DBDH problem, promptly for G ₁In random element Y and Z _q ^*In random element a, b, c, d, distinguish five-tuple (Y, aY, bY, cY, e (Y, Y) ^Abc) and (Y, aY, bY, cY, e (Y, Y) ^d) be difficult.

The proof line of forward security of the present invention is: according to the difficulty of finding the solution the DBDH problem, to the such difficult problem of DBDH, then the present invention has identical with DBDH at least fail safe with reduction of the present invention.Concrete reduction method is as follows.

Among the present invention, suppose group membership u _iMaster key k _iReveal, the assailant is known $k_i=C_i+s_i{h}_i^{\&prime;}{P}_i^{\&prime;},$ Be that the assailant has grasped

Always can make $s_i{h}_i^{\&prime;}{P}_i^{\&prime;}=s_i\mathrm{\&beta;P},$ Wherein P is crowd G ₁Generator, β ∈ Z _q ^*In addition also known being correlated with of assailant discloses parameter

Because P is crowd G ₁Generator, can make Q _I-1=bP, Q _I+1=cP, for reduction on the DBDH problem, make Y=P again, a=s _i, L then _i=e (s _iQ _I-1, Q _I+1)=e (P, P) ^AbcIf the assailant can be by { P, s _iP, Q _I-1, Q _I+1, s _iβ P} obtains L _i=e (s _iQ _I-1, Q _I+1), then this assailant just can find the solution the DBDH problem.Conversely speaking, since the DBDH problem be difficult, so the assailant can not by $\left\{\begin{array}{cccc}P,s_{i}P,& Q_{i-1},& Q_{i+1},& s_i{h}_i^{\&prime;}{P}_i^{\&prime;}\end{array}\right\}$ Obtain L _i=e (s _iQ _I-1, Q _I+1), i.e. the present invention is a forward secrecy.

Claims (6)

1. the authentication group key management method based on identity comprises the steps:

(1) key generates center KGC and moves the group G of BDH parameter generator generation rank for first prime number q with all group memberships ₁, second group G that rank are prime number q ₂With bilinearity mapping e:G ₁* G ₁→ G ₂

(2) key generates center KGC and selects secret keys and the open parameter of oneself, and generates the open key of oneself, will disclose parameter and announce to all group memberships with open key;

(3) each group membership u _i, i=1 ..., n selects oneself secret keys s _iAnd secret parameter

, according to secret keys and the identify label ID of oneself _iGenerate open key Q _i

(4) key generates center KGC secret keys and each group membership u according to oneself _i, i=1 ..., n, identify label ID _iGenerate u _iA part of C of master key _i, and by overt channel with this C _iSend to group membership u _i

(5) each group membership u _i, i=1 ..., n is according to the secret keys s of oneself _iAnd secret parameter

Generate the master key of oneself $k_i=C_i+s_i{h}_i^{\&prime;}{P}_i^{\&prime;},$ Wherein $P_i^{\&prime;}=H_1\left({\mathrm{ID}}_i\right),$ H ₁Be to be mapped to second group G from the 0 and 1 bit sequence set of forming ₂H ash function;

(6) each group membership u _i, i=1 ..., n is according to the master key k of oneself _iWith the open key Q of oneself _iHash value h _iComposition is to open key Q _iAuthorization information T _i=s _iP _Pub+ h _ik _i, and key Q will be disclosed _iWith this authorization information T _iLink is broadcast to every other group membership, wherein P _PubIt is the open key that key generates center KGC;

(7) each group membership u _i, i=1 ..., n receives its left neighbours u _I-1With right neighbours u _I+1First round broadcast after, the authenticity of checking broadcast if real, is calculated the secret median L that itself and left neighbours share earlier _iAnd the secret median of sharing with right neighbours

, calculate this group membership's who is comprised in cluster conversation keys information X again according to these two medians _i, and broadcast this X _i

(8) each group membership u _i, i=1 ..., n is according to the X that calculates _iAnd the message X of every other group membership's broadcasting of receiving _j, j=1 ..., n, j ≠ i calculates the cluster conversation key K of this session;

(9) if the member leaves arbitrarily, this member's left neighbours and right neighbours delete them respectively and leave the secret median that the member shares, and share new secret median, group membership u again by two side's key agreement protocols _j, j=1 ..., n-1, this group membership's who is comprised in the calculating cluster conversation key information X _j, and broadcast this X _j, execution in step (8) again;

(10) if newcomer u is arranged _N+1Add this newcomer u _N+1By two side's key agreement protocols, respectively with n member u _nWith the 1st member u ₁The shared secret median, group membership u _j, j=1 ..., n+1 calculates this group membership's who is comprised in the cluster conversation key information X separately _j, and at this X of broadcasting _jBack execution in step (8).

2. the authentication group key management method based on identity according to claim 1, step (3) wherein, carry out according to the following procedure:

(3a) group membership u _iSelect secret keys $s_i\&Element;{Z_q}^{*}$ With the random secret number $h_i^{\&prime;}\&Element;{Z_q}^{*},$ Wherein

It is cyclic group.

(3b) calculate identity information P _i=H ₁(sessionID, ID _i), sessionID is the session identification of this session, ID _iBe group membership u _iIdentify label;

(3b) according to described random secret number and identify label, generate open key Q respectively _i=s _iP _iWith open parameter $W_i=h_i^{\&prime;}P,$ Wherein P is first group G ₁Generator.

3. the authentication group key management method based on identity according to claim 1, wherein the described key of step (4) generates secret keys and the group membership u of center KGC according to oneself _iIdentify label ID _iGenerate u _iA part of C of master key _i, be to generate center KGC according to group membership u by key _iIdentify label ID _i(i=1 ..., n) calculate u earlier _iIdentity information P _i=H ₁(sessionID, ID _i); Again with this group membership u _iIdentity information P _iThe secret keys s that generates center KGC with key carries out the scalar multiplication computing, obtains group membership u _iA part of C of master key _i=sP _i

4. the authentication group key management method based on identity according to claim 1, wherein described each the group membership u of step (7) _iThe authenticity of checking broadcast is to receive its left neighbours broadcast＜Q _I-1, T _I-1, first right neighbours broadcast＜Q _I+1, T _I+1And broadcast＜Q of the second right neighbours _I+2, T _I+2Afterwards, determine by verifying whether following equation is set up, promptly $e({\mathrm{\&Sigma;}}_{l\&Element;\{-\mathrm{1,1,2}\}}{T}_{i+l},P)=e({\mathrm{\&Sigma;}}_{l\&Element;\{-\mathrm{1,1,2}\}}(Q_{i+l}+h_{i+l}{P}_{i+l}),P_{\mathrm{pub}})\&CenterDot;e({\mathrm{\&Sigma;}}_{l\&Element;\{-\mathrm{1,1,2}\}}\left(h_{i+l}{Q}_i^{\&prime;}\right),W_i)$ E is the mapping of tolerable bilinearity in the formula, and l is the summation variable, and P is crowd G ₁Generator, P _PubBe the open key that key generates center KGC, And W _iBe open parameter, Q _I+lBe group membership u _I+lOpen key, T _I+lBe to open key Q _I+lAuthorization information, h _I+lBe open key Q _I+lHash value, P _I+lBe session identification and group membership u _I+lThe hash value of identify label, this hash value is represented u _I+lIdentity information.

5. the authentication group key management method based on identity according to claim 1, wherein rapid (7) described calculates the secret median L that itself and left neighbours share earlier _iAnd the secret median of sharing with right neighbours Calculate this group membership's who is comprised in the cluster conversation key information X again according to these two medians _i, undertaken by following formula:

(7a) each group membership u _i, i=1 ..., n utilizes oneself secret keys s _iOpen key Q with its left neighbours _I-1With and right neighbours' open key Q _I+1Calculate the secret median L that itself and left neighbours share _i,

L _i＝e(s _iQ _i-1，Q _i+1)；

(7b) group membership u _i, i=1 ..., n utilizes oneself secret keys s _iOpen key Q with its first right neighbours _I+1With and the second right neighbours' open key Q _I+2Calculate the secret median that it and right neighbours share

$L_i^{\&prime;}=e(s_i{Q}_{i+2},Q_{i+1});$

(7c) group membership u _i, i=1 ..., n, the secret median L that shares according to itself and left neighbours of aforementioned calculation _iAnd the secret median of sharing with right neighbours

, this group membership's who is comprised in the calculating cluster conversation key information X _i,

$X_i=H(L_i,\mathrm{sessionID})\&CirclePlus;H(L_i^{\&prime;},\mathrm{sessionID}),$

Wherein Be that mould 2 adds H:G ₂→ 0,1} ^m, be from group G ₂Being mapped to by 0 and 1 length of forming is Hash function in the bit sequence set of m.

6. the authentication group key management method based on identity according to claim 1, step (8) wherein, carry out as follows:

(8a) each group membership u _i, i=1 ..., n, receive the broadcast that every other member second takes turns after, according to the X that calculates _i, the every other group membership broadcasting of receiving message X _j, j=1 ..., n, j ≠ i, with and the secret median shared with right neighbours

N share B with session identification sessionID calculating cluster conversation key _j, j=1 ..., n,

Wherein when j 〉=i:

$B_i=H(L_i^{\&prime;},\mathrm{sessionID})$

$B_{i+1}=X_{i+1}\&CirclePlus;B_i$

$B_{i+2}=X_{i+2}\&CirclePlus;B_{i+1}$

.....

$B_n=X_n\&CirclePlus;B_{n-1}$

And when j＜i:

$B_{i-1}=X_i\&CirclePlus;B_i$

$B_{i-2}=X_{i-1}\&CirclePlus;B_{i-1}$

.....

$B_1=X_2\&CirclePlus;B_2$

(8b) compare B _I-1Whether equal H (L _i, sessionID),, go up other members second wrong or that receive and take turns broadcast X otherwise then may exist to calculate if equate then carry out next step _j, j=1 ..., n, therefore earlier j ≠ i is distorted or is forged, and checks the mistake whether aforementioned calculation exists, and if calculate errorlessly, the broadcast of then receiving is distorted or is forged, and should stop carrying out;

(8c) calculate shared group key K=H (B ₁‖ B ₂‖ ... ‖ B _n), the wherein splicing of two Bit Strings of " ‖ " expression.

Images