CN101997684A - Authorization authentication method, device and system - Google Patents
Authorization authentication method, device and system Download PDFInfo
- Publication number
- CN101997684A CN101997684A CN 200910161372 CN200910161372A CN101997684A CN 101997684 A CN101997684 A CN 101997684A CN 200910161372 CN200910161372 CN 200910161372 CN 200910161372 A CN200910161372 A CN 200910161372A CN 101997684 A CN101997684 A CN 101997684A
- Authority
- CN
- China
- Prior art keywords
- authentication information
- authorization
- authentication
- parameter
- authorization center
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
The invention provides an authorization authentication method. In the method, m authorization centers are provided. The method comprises the following steps that: a first device applied to the m authorization centers for authorization respectively to acquire m authorization messages; the first device generates first device authentication information by using the m authorization messages and sends the generated first device authentication information to a second device; and the second device authenticates the first device according to the first device authentication information from the first device, wherein m is a natural number which is more than or equal to 2. The invention also provides a system. According to the authorization authentication method, a device and the system, communication among legal terminals in the presence of a plurality of authorization centers can be ensured.
Description
Technical field
The present invention relates to a kind ofly can have under the situation of a plurality of authorization center authorization and authentication method, device and the system that guarantees the communication between the legal terminal.
Background technology
When communicating between terminal and terminal, whether in order to ensure the fail safe of communication, needing to authenticate mutually the other side between the terminal is legitimate device.Generally speaking, the legitimacy of terminal proves by the third-party institution, and promptly terminal at first needs to authorize to third-party institution's registration, after this terminal is authorized by the third-party institution, can and other terminal of being authorized by this third-party institution between communicate.At this, whether communicating pair can be to be confirmed by the such verification process of terminal that the same third-party institution is authorized whether the other side is legal terminal by checking the other side, is legal terminal then communicates if confirmed the other side, otherwise finish communication.
In aforesaid existing authorization identifying mode, can mutual communication between the terminal of being authorized by the same third-party institution, and communicate between the terminal that these terminals can not and not authorized by this third-party institution.Like this, can avoid the intrusion of illegal terminal effectively.
Yet, in existing authorization identifying mode, even legal terminal also has the problem that can't communicate by letter.For example, when having a plurality of third-party institution, if each third-party institution manages the terminal that belongs to separately respectively, then belong between the terminal of the same third-party institution and can communicate mutually, then can't not communicate but do not belong between the legal terminal of the same third-party institution.
Therefore, need to change existing authorization identifying mode, with the communication between convenient more legal terminal.
In the present invention, this third-party institution is called authorization center.
Summary of the invention
In view of this, the object of the present invention is to provide a kind of authorization and authentication method, device and system, can have the communication that guarantees under the situation of a plurality of authorization center between the legal terminal.
To achieve these goals, the invention provides a kind of authorization and authentication method, comprise m authorization center, first device is by each the authorization center SEPARATE APPLICATION mandate in a described m authorization center, from the authorized information of each authorization center difference, m the authorization message that the described first device utilization obtains from a described m authorization center generates first device authentication information, and first device authentication information that will generate sends to second device, described second device is according to the authentication of carrying out from described first first device authentication information that installs described first device, wherein, described m is the natural number more than or equal to 2.
Preferably, the step that m the authorization message that the described first device utilization obtains from a described m authorization center generates first device authentication information comprises: described first device utilizes m the authorization message that obtains from a described m authorization center to generate m authentication information correspondingly respectively, a described m authentication information constitutes described first device authentication information, described second device carries out the step of described first authentication of installing is comprised according to first device authentication information from described first device: described second device is according to carry out m authentication correspondingly from m authentication information in first device authentication information of described first device, when m authentication all passed through, authentication to described first device is passed through, when at least once authentication is not passed through, to the authentification failure of described first device.
Preferably, for arbitrary authentication in described m the authentication, the step that second device authenticates according to authentication information comprises: described second device calculates authority checking information according to authentication information, utilize described first device of the authority checking Information Authentication that is calculated whether by corresponding authorization center mandate, if above-mentioned checking result is for being then authenticate and pass through, otherwise authentification failure.
Preferably, described authorization message is the private key for user of the mandate public key certificate that licenses to described first device being signed and generating by authorization center, described second device calculates authority checking information according to authentication information, whether utilize described first device of the authority checking Information Authentication that is calculated to be comprised by the step of corresponding authorization center mandate: described second device calculates public key certificate according to authentication information, relatively whether the public key certificate that is calculated is consistent with the mandate public key certificate that corresponding authorization center licenses to described first device, if unanimity then authenticate is passed through, otherwise authentification failure.
Preferably, described authorization message is the private key for user of the mandate public key certificate that licenses to described first device being signed and generating by authorization center.
Preferably, the step that m the authorization message that the described first device utilization obtains from a described m authorization center generates first device authentication information comprises: the i private key for user Si that described first device utilizes the i authorization center from a described m authorization center to obtain generates the i authentication information, wherein, the value of i gets 1 respectively to m, the 1st authentication information to the m authentication information that is generated constitutes described first device authentication information, wherein, the step that the i private key for user Si that described first device utilizes the i authorization center from a described m authorization center to obtain generates the i authentication information comprises: described first device produces the first random number R i and safe entropy parameter CTi, described first device is based on safety entropy parameter CTi, the utilization logical circuit of can recombinating generates safe entropy mixed number STi, described first device is based on the first random number R i, safe entropy mixed number STi, i private key for user Si, and safe entropy parameter CTi produces the i authentication information, described second device carries out the step of described first authentication of installing is comprised according to first device authentication information from described first device: second device extracts the 1st authentication information to the m authentication information of first device from the first received device authentication information, calculate the j public key certificate GCj ' of first device according to the j authentication information of first device, and utilize the j public key certificate GCj ' that calculates to authenticate first device, wherein the value of j gets 1 respectively to m.
Preferably, the step that described first device produces the i authentication information based on the first random number R i, safe entropy mixed number STi, i private key for user Si and safe entropy parameter CTi comprises: based on the first random number R i, safe entropy mixed number STi, i private key for user Si produces Xi, Yi according to following formula:
Xi=gi
ei*Ri?mod?ni
Yi=Si*gi
sTi*Rimod?ni
Wherein, ei, ni, gi are the relevant parameters of PKI of i authorization center,
With Xi, Yi, CTi as the i authentication information.
Preferably, described second device comprises according to the step that the first j authentication information that installs calculates the public key certificate GCj ' of first device: second device extracts the first safe entropy parameter CTj that installs from the j authentication information of first device; Based on safety entropy parameter CTj, utilization can recombinate logical circuit calculate first the device safe entropy index CKj;
The safe entropy index CKj that utilizes the Xj, the Yj that comprise in the j authentication information of first device and aforementioned calculation to go out, calculate the public key certificate GCj ' of first device according to following formula:
Xj
CKj/Yj
ejmod?nj=GCj’,
Wherein ej, nj are the relevant parameters of PKI of j authorization center.
Preferably, described safe entropy parameter CTi comprises the second random number R si, user security entropy CSTi, system safety entropy CSKi, the described logical circuit of recombinating comprises first logical circuit and second logical circuit of can recombinating of can recombinating, described based on safety entropy parameter CTi, the utilization step that logical circuit generates safe entropy mixed number STi of can recombinating comprises: with described random number R si as described first input that can recombinate logical circuit, utilize described user security entropy CSTi control described first can recombinate logical circuit obtain first output, with described first output as described second input that can recombinate logical circuit, utilize described system safety entropy CSKi to control described second logical circuit of can recombinating, obtain safe entropy mixed number STi.
Preferably, described first device is after generating first device authentication information, described first device authentication information is encrypted first device authentication information that obtains encrypting, and first device authentication information that will encrypt sends to described second device, and described second device is decrypted first device authentication information of received encryption and obtains first device authentication information.
Preferably, the encryption key that described first device uses when described first device authentication information is encrypted is the combination of p encryption key parameters, the decruption key that described second device uses when first device authentication information of encrypting is decrypted is the combination of p decruption key parameter, wherein, p is the natural number more than or equal to 1.
Preferably, a described p encryption key parameters is the parameter that first device generates, and described p decruption key parameter is the parameter that second device generates.
Preferably, a described p encryption key parameters is p the parameter that authorization center respectively obtain of first device from a described m authorization center, described p decruption key parameter is p the parameter that authorization center respectively obtain of second device from a described m authorization center, wherein, p is more than or equal to 1 and smaller or equal to the natural number of m.
Preferably, a described p encryption key parameters is r parameter and s the parameter that authorization center obtains respectively from a described m authorization center that first device generates, described p decruption key parameter is r parameter and s the parameter that authorization center obtains respectively from a described m authorization center that second device generates, wherein, r is more than or equal to 1 and less than the natural number of p, s is more than or equal to 1 and smaller or equal to the natural number of m, and r and s sum equal p.
Preferably, the combination of a described p encryption key parameters is that p encryption key parameters is long-pending, and the combination of described p decruption key parameter is that p decruption key parameter is long-pending.
Preferably, the cryptographic algorithm that described first device uses when described first device authentication information is encrypted is the cryptographic algorithm of DSE arithmetic, and a described p encryption key parameters is identical with described p decruption key parameter respectively.
To achieve these goals, the invention provides a kind of authorization and authentication method, comprise m authorization center, first subscriber card is connected with first device, described first subscriber card obtains m authorization message by described first device each authorization center SEPARATE APPLICATION mandate in a described m authorization center, the described first subscriber card utilization generates the first subscriber card authentication information from m the authorization message that a described m authorization center obtains, and the first subscriber card authentication information that will generate sends to second device by described first device, so that carry out authentication to described first subscriber card, wherein, described m is the natural number more than or equal to 2.
To achieve these goals, the invention provides a kind of authorization and authentication method, comprise m authorization center, first device each authorization center SEPARATE APPLICATION mandate in a described m authorization center obtains m authorization message, first subscriber card is connected with described first device, described first device will send to described first subscriber card from m the authorization message that a described m authorization center obtains, described first subscriber card utilizes a described m authorization message to generate the first subscriber card authentication information, and the first subscriber card authentication information that will generate sends to second device by described first device, so that carry out authentication to described first subscriber card, wherein, described m is the natural number more than or equal to 2.
Preferably, second subscriber card is connected with described second device, described second device will send to described second subscriber card by the first subscriber card authentication information that described first device sends, and described second subscriber card carries out authentication to described first subscriber card according to the described first subscriber card authentication information.
To achieve these goals, the invention provides a kind of device, comprising: Transmit-Receive Unit is used for receiving and transmission information; The authorized application unit is used for sending the authorized application request by Transmit-Receive Unit respectively to each authorization center of m authorization center; Authorization message is preserved the unit, is used for receiving authorization message by Transmit-Receive Unit respectively from each authorization center, and preserves; The authentication information generation unit is used to utilize m the authorization message that obtains from a described m authorization center to generate authentication information, and the authentication information that is generated is sent to the other side's device through Transmit-Receive Unit; And authentication ' unit, be used for receiving the authentication information of the other side's device from described the other side's device, and utilize the authentication information of the other side's device that the other side's device is authenticated through Transmit-Receive Unit, wherein m is the natural number more than or equal to 2.
Preferably, described device also comprises: parameter is preserved the unit, be used for f parameter preserved, ciphering unit, be used to utilize described parameter to preserve the combination of described f the parameter of preserving the unit as encryption key, the authentication information that described authentication information generation unit generates is encrypted the encrypting and authenticating information that obtains, through Transmit-Receive Unit this encrypting and authenticating information is sent to the other side's device, wherein f is the natural number more than or equal to 1.
Preferably, described device also comprises parameter generating unit, is used to generate f parameter, and described parameter is preserved the unit f the parameter that described parameter generating unit generates preserved.
Preferably, described device also comprises the parameter receiving element, be used for obtaining parameter respectively from f authorization center of a described m authorization center through Transmit-Receive Unit, described parameter is preserved the unit f the parameter that described parameter receiving element receives is preserved, and wherein f is more than or equal to 1 and smaller or equal to the natural number of m.
Preferably, described device also comprises: parameter generating unit is used to generate r parameter; The parameter receiving element, be used for obtaining parameter respectively from s authorization center of a described m authorization center through Transmit-Receive Unit, described parameter is preserved s the parameter that r parameter that the unit generates described parameter generating unit and described parameter receiving element receive and is preserved, wherein, described r is more than or equal to 1 and less than the natural number of f, described s is more than or equal to 1 and smaller or equal to the natural number of m, and r and s sum equal f.
Preferably, described device also comprises: decrypting device, be used to utilize described parameter to preserve the combination of f the parameter of preserving the unit as decruption key, obtain authentication information to being decrypted, authentication information is sent to described authentication ' unit from the encrypting and authenticating information that receives through described Transmit-Receive Unit from the other side's device.
Preferably, described authentication information generation unit comprises: the first random number generation unit, be used to produce the first random number R i, safe entropy parameter generation unit is used to produce safe entropy parameter CTi, the logical circuit of can recombinating, be used to utilize safe entropy parameter CTi to generate safe entropy mixed number STi, parameter calculation unit is used for based on the first random number R i, safe entropy mixed number STi, i private key for user Si, calculate Xi, Yi according to following formula
Xi=gi
ei*Rimod?ni
Yi=Si*gi
STi*Ri?mod?ni
Wherein, ei, ni, gi are the relevant parameters of PKI of i authorization center,
Authentication information constitutes the unit, is used for the safe entropy parameter CTi that Xi, Yi that described parameter calculation unit is calculated and described safe entropy parameter generation unit generate and constitutes the i authentication information, and wherein, the value of i gets 1 respectively to m.
Preferably, described safe entropy parameter generation unit comprises: the second random number generation unit is used to produce the second random number R si; User security entropy generation unit is used to generate user security entropy CSTi; System safety entropy generation unit, be used for generation system safety entropy CSKi, the described logical circuit of recombinating comprises: user's logical circuit and system logical circuit of can recombinating of can recombinating, described user can recombinate logical circuit with the described second random number R Si as input signal, with user security entropy CSTi as control signal, output user security entropy mixed number UTi, described system can recombinate logical circuit with described user security entropy mixed number UTi as input signal, with described system safety entropy CSKi as control signal, output safety entropy mixed number STi.
Preferably, described authentication ' unit comprises: parameter extraction unit, be used for from j authentication information, extracting Xj, Yj and safe entropy parameter CTj from the authentication information of the other side's device, the logical circuit of can recombinating, be used to utilize described safe entropy parameter CTj to calculate safe entropy index CKj, the public key certificate computing unit utilizes Xj, Yj and safe entropy index CKj, calculates public key certificate GCj ' according to following formula:
Xj
CKj/Yj
ejmod?nj=GCj’,
Wherein ej, nj are the relevant parameters of PKI of j authorization center,
Authentication unit is used to utilize whether described public key certificate GCj ' checking the other side device is the authorized user of j authorization center, and wherein, the value of j gets 1 respectively to m.
Preferably, comprise the second random number R sj among the described safe entropy parameter CTj, user security entropy CSTj, system safety entropy CSKj, the described logical circuit of recombinating comprises: user's logical circuit and system logical circuit of can recombinating of can recombinating, described user can recombinate logical circuit with the described second random number R sj as input signal, with user security entropy CSTj as control signal, output user security entropy mixed number UTj, described system can recombinate logical circuit with described user security entropy mixed number UTj as input signal, with described system safety entropy CSKj as control signal, output safety entropy index CKj.
To achieve these goals, the invention provides a kind of system, comprise the described device of a plurality of claims 20 and m authorization center, described authorization center comprises granted unit, be used for according to authorized application request from described device, authorization message is sent to described device, and wherein, m is the natural number more than or equal to 2.
According to the present invention, when having a plurality of authorization center, subscriber equipment is by after described a plurality of authorization center SEPARATE APPLICATION mandates obtain a plurality of authorization messages, and the other user's equipment between communicate etc. before, the authentication information that utilizes a plurality of authorization messages to produce authenticates mutually, authentication be by then can communicating, otherwise thinks that the other side is illegal equipment and refuse communication.Thus, the communication that has guaranteed under the situation of a plurality of authorization center between the legal terminal can be had.In addition, when legal terminal is attacked etc. and authorization message when being distorted etc., because can't be by above-mentioned authentication, so also can't communicate, thus the fail safe of communicating by letter guaranteed.In addition, can not be by above-mentioned authentication by the illegality equipment of above-mentioned a plurality of authorization center mandates etc., so prevented the intrusion etc. of illegal terminal effectively, guaranteed the fail safe of communication.
In addition, among the present invention, above-mentioned authorization message can be the private key for user that subscriber authorisation public key certificate signature is generated by authorization center, when authenticating, both sides utilize the private key for user of self to generate authentication information respectively, but there is not leakage private key for user separately, but generate with the computation model that separately private key for user and random number are expanded on index, therefore, because the confidentiality of private key for user and the randomness and the unpredictability of random number, common guarantee authentication information mutual fail safe, thereby improved the fail safe of communication.
Description of drawings
Fig. 1 is an authoring system schematic diagram of the present invention.
Fig. 2 is to be the flow chart of example explanation authentication with two mandate systems in the embodiment of the present invention one.
Fig. 3 is to be the flow chart of example explanation authentication with two mandate systems in the embodiment of the present invention two.
Fig. 4 is the authoring system schematic diagram of embodiment of the present invention four.
Fig. 5 is the structure chart of subscriber equipment in the embodiment of the present invention five.
Fig. 6 is another structure chart of subscriber equipment in the embodiment of the present invention six.
Fig. 7 is the flow chart that user equipment (UE) i generates authentication information in the embodiment of the present invention seven.
Fig. 8 is the schematic diagram of computationally secure entropy mixed number in the embodiment of the present invention seven.
Fig. 9 is the flow chart that user equipment (UE) j authenticates user equipment (UE) i in the embodiment of the present invention seven.
Figure 10 is the structure chart of the subscriber equipment of present embodiment ten of the present invention.
Figure 11 a is a schematic diagram of realizing the recombinated logical circuit of Different Logic function.
Figure 11 b is the table that is illustrated in the functional relation that is realized in the circuit shown in above-mentioned Figure 11 a when CTRL1 gets different values with CTRL2.
Figure 12 a is recombinated a logical circuit schematic diagram of realizing different annexations.
Figure 12 b is the figure of a kind of annexation of realizing of the recombinated logical circuit of presentation graphs 12a.
Figure 12 c is the figure of the another kind of annexation that realizes of the recombinated logical circuit of presentation graphs 12a.
Figure 13 is the recombinated logical circuit schematic diagram when constituting the connection network with the indirect ways of connecting of register.
Figure 14 is the recombinated logical circuit schematic diagram when constituting the connection network in the direct-connected mode of switching network.
Figure 15 be part with register connect indirectly, part constitutes recombinated logical circuit schematic diagram when connecting network in the direct-connected mode of switching network.
Embodiment
Below in conjunction with accompanying drawing, the specific embodiment of the present invention is described.
Mandate system provided by the invention is the systems of authorizing more, and the so-called systems of authorizing are by the common system of authorizing of a plurality of authorization center more.For example, two mandate systems are by the common system of authorizing of two authorization center, and three mandate systems are that the rest may be inferred by the common system of authorizing of three authorization center.
Figure 1 shows that authoring system schematic diagram of the present invention.Suppose m authorize m authorization center under the system be respectively authorization center CA1, CA2 ... CAm (m is the natural number more than or equal to 2).Suppose under this m mandate system, to comprise n subscriber equipment, need to communicate mutually between these n subscriber equipment.For the convenience that illustrates, with n subscriber equipment with UE1, UE2 ..., UEn (n is a natural number) expression.
These n user equipment (UE) i (i=1,2 ..., n) between in order to communicate mutually, respectively to m authorization center CA1, CA2 ... CAm applies for authorizing, user equipment (UE) i (i=1,2 ..., n) by respectively to authorization center CAk (k=1,2 ..., m) application authorizes and obtains k authorization message AIik (AIik represents the authorization message that user equipment (UE) i obtains from authorization center CAk mandate).At this, authorization message AI for example can be the private key for user that subscriber authorisation public key certificate signature is generated by authorization center so long as the information relevant with mandate then can be any form.
By m authorization center CA1, CA2 ... user equipment (UE) i and user equipment (UE) j (i that CAm authorizes, j=1,2 ..., n, whether i ≠ when j) communicating, need carry out authentication wherein is legitimate device with the subscriber equipment of checking communicating pair.When authenticating, the subscriber equipment of communicating pair utilizes m the authorization message that obtains from m authorization center to generate authentication information separately, and the authentication information that is generated sent to the other side, the subscriber equipment of communicating pair authenticates according to the authentication information from the other user's equipment.
Execution mode one:
In present embodiment one, subscriber equipment is when generating authentication information, utilize respectively and self generate m authentication information from m the authorization message that m authorization center mandate obtains, k (k=1 wherein, 2, ... m) individual authentication information be by k (k=1,2 ... m) individual authorization message generates; When the other user's equipment is authenticated, authenticate authentication authorization and accounting m time respectively according to each authentication information, when m authentication all passed through, authentication to the other user's equipment is passed through, when at least 1 authentication is not passed through, to the authentification failure of the other user's equipment.
Below in conjunction with Fig. 2, be the process that authenticates between example explanation user equipment (UE) i and the user equipment (UE) j with two mandate systems.
User equipment (UE) i utilizes from authorization center CA1 and authorizes the authorization message AIi1 that obtains to generate authentication information ATi1 (ST2101), utilizes from authorization center CA2 and authorizes the authorization message AIi2 that obtains to generate authentication information ATi2 (ST2103).
At this, the mode of utilizing authorization message AIi1 to generate authentication information ATi1 can be an arbitrary form.For example, can utilize authorization message AIi1 is generated authentication information ATi1 as the functional relation Fi of parameter, promptly
ATi1=Fi(AIi1)
Wherein, the function F i that is used to generate authentication information ATi1 can be various functions such as linear function, quadratic function, exponential function for example, but is not limited thereto, and also comprises the function of arbitrary form.
The mode of utilizing authorization message AIi2 to generate authentication information ATi2 also can adopt as upper type.
User equipment (UE) j utilizes from authorization center CA1 and authorizes the authorization message AIj1 that obtains to generate authentication information ATj1 (ST2201), utilizes from authorization center CA2 and authorizes the authorization message AIj2 that obtains to generate authentication information ATj2 (ST2203).
Ditto, authentication information ATj1, authentication information ATj2 also can generate by aforesaid functional relation.
The mutual authentication information separately of user equipment (UE) i and user equipment (UE) j, be that user equipment (UE) i sends to user equipment (UE) j (ST2105) with authentication information ATi1 and authentication information ATi2, user equipment (UE) j sends to user equipment (UE) i (ST2205) with authentication information ATj1 and authentication information ATj2.
User equipment (UE) i is used to from the authentication information ATj1 of user's equipment UE j user equipment (UE) j be carried out the authentication first time (ST2107), utilizes authentication information ATj2 that user equipment (UE) j is carried out the authentication second time (ST2109).Judge whether authentication for the first time and authentication for the second time all pass through (ST2111), when authenticate the first time and authentication is all passed through for the second time, think the authentication of user equipment (UE) j is passed through, when any once authentication wherein when not passing through, think authentification failure to user equipment (UE) j, interrupt communication (ST2113).
In the authentication first time of step ST2107, user equipment (UE) i calculates authority checking information GCj1 ' according to authentication information ATj1, utilizing authority checking information GCj1 ' the verifying user equipment UEj that is calculated whether to be authorized to center CA 1 authorizes, if the result is for being in checking, then authenticates for the first time and pass through.At this, when utilizing authority checking information GCj1 ' verifying user equipment UEj whether to be authorized to center CA 1 mandate, user equipment (UE) i can finish by authorization center CA1.For example, user equipment (UE) i sends to authorization center CA1 with authority checking information GCj1 ' and requires authorization center CA1 to verify whether this user equipment (UE) j is the authorized user of authorization center CA1, authorization center CA1 will verify that the result returns to user equipment (UE) i, user equipment (UE) i determines according to the checking result who is returned whether authentication is passed through, when the checking result who is returned represented that user equipment (UE) j is the authorized user of authorization center CA1, authentication was passed through.For another example, when authorization center CA1 had announced the certificate of authority of user equipment (UE) j, user equipment (UE) i is the certificate of authority of authority checking information GCj1 ' and the user equipment (UE) j that has announced relatively, and when comparative result was consistent, authentication was passed through.
In the authentication second time of step ST2109, user equipment (UE) i calculates authority checking information GCj2 ' according to authentication information ATj2, utilizing authority checking information GCj2 ' the verifying user equipment UEj that is calculated whether to be authorized to center CA 2 authorizes, if the result is for being in checking, then authenticates for the second time and pass through.At this, when utilizing authority checking information GCj2 ' verifying user equipment UEj whether to be authorized to center CA 2 mandates, user equipment (UE) i can finish by authorization center CA2.For example, user equipment (UE) i sends to authorization center CA2 with authority checking information GCj2 ' and requires authorization center CA2 to verify whether this user equipment (UE) j is the authorized user of authorization center CA2, authorization center CA2 will verify that the result returns to user equipment (UE) i, user equipment (UE) i determines according to the checking result who is returned whether authentication is passed through, be specially, when the checking result who is returned represented that user equipment (UE) j is the authorized user of authorization center CA2, authentication was passed through.For another example, when authorization center CA2 had announced the certificate of authority of user equipment (UE) j, user equipment (UE) i is the certificate of authority of authority checking information GCj2 ' and the user equipment (UE) j that has announced relatively, and when comparative result was consistent, authentication was passed through.
User equipment (UE) j is used to carry out the authentication first time (ST2207) from the authentication information ATi1 of user's equipment UE i, utilizes authentication information ATi2 to carry out the authentication second time (ST2209).Judge whether double probate all passes through (ST2211), when authentication for the first time with when authentication all pass through for the second time, the authentication of user equipment (UE) i is passed through, when any once authentication when not passing through wherein, to the authentification failure of user equipment (UE) i, interrupt communication (ST2213).
In the authentication first time of step ST2207, user equipment (UE) j calculates authority checking information GCi1 ' according to authentication information ATi1, utilizing authority checking information GCi1 ' the verifying user equipment UEi that is calculated whether to be authorized to center CA 1 authorizes, if the result is for being in checking, then authenticates for the first time and pass through.At this, when utilizing authority checking information GCi1 ' verifying user equipment UEi whether to be authorized to center CA 1 mandate, user equipment (UE) j can finish by authorization center CA1.For example, user equipment (UE) j sends to authorization center CA1 with authority checking information GCi1 ' and requires authorization center CA1 to verify whether this user equipment (UE) i is the authorized user of authorization center CA1, authorization center CA1 will verify that the result returns to user equipment (UE) j, user equipment (UE) j determines according to the checking result who is returned whether authentication is passed through, be specially, when the checking result who is returned represented that user equipment (UE) i is the authorized user of authorization center CA1, authentication was passed through.For another example, when authorization center CA1 had announced the certificate of authority of user equipment (UE) i, user equipment (UE) j is the certificate of authority of authority checking information GCi1 ' and the user equipment (UE) i that has announced relatively, and when comparative result was consistent, authentication was passed through.
In the authentication second time of step ST2209, user equipment (UE) j calculates authority checking information GCi2 ' according to authentication information ATi2, utilizing authority checking information GCi2 ' the verifying user equipment UEi that is calculated whether to be authorized to center CA 2 authorizes, if the result is for being in checking, then authenticates for the second time and pass through.At this, when utilizing authority checking information GCi2 ' verifying user equipment UEi whether to be authorized to the CA2 mandate, user equipment (UE) j can finish by authorization center CA2.For example, user equipment (UE) j sends to authorization center CA2 with authority checking information GCi2 ' and requires authorization center CA2 to verify whether this user equipment (UE) i is the authorized user of authorization center CA2, authorization center CA2 will verify that the result returns to user equipment (UE) i, user equipment (UE) j determines according to the checking result who is returned whether authentication is passed through, be specially, when the checking result who is returned represented that this user equipment (UE) i is the authorized user of authorization center CA2, authentication was passed through.For another example, when authorization center CA2 had announced the certificate of authority of user equipment (UE) i, user equipment (UE) j is the certificate of authority of authority checking information GCi2 ' and the user equipment (UE) i that has announced relatively, and when comparative result was consistent, authentication was passed through.
By as above step, the authentication between user equipment (UE) i and user equipment (UE) j by the time, user equipment (UE) i and user equipment (UE) j communicate (ST2015), for example key agreement or transmit data etc.If either party is not by authentication, then interrupt both parties communication (ST2113, ST2213), and control system prompting: disabled user.
In the present embodiment, authorization message can be the private key for user of the mandate public key certificate that licenses to subscriber equipment being signed and generating by authorization center, and the authority checking information that calculates according to authentication information can be public key certificate.At this moment, in above-mentioned verification process shown in Figure 2, for example in step ST2107, user equipment (UE) i calculates public key certificate according to authentication information, whether compare the public key certificate that is calculated then consistent with the mandate public key certificate that corresponding authorization center CA1 licenses to described user equipment (UE) j, if unanimity then authenticate is passed through, otherwise authentification failure.Other step too, in this omission.
Authorize under the system three, when authenticating between user equipment (UE) i and the user equipment (UE) j, user equipment (UE) i utilizes from authorization center CA1 and authorizes the authorization message AIi1 that obtains to generate authentication information ATi1, utilization authorizes the authorization message AIi2 that obtains to generate authentication information ATi2 from authorization center CA2, utilization authorizes the authorization message AIi3 that obtains to generate authentication information ATi3 from authorization center CA3, and authentication information ATi1, ATi2, ATi3 are sent to user equipment (UE) j; User equipment (UE) j also generates authentication information ATj1, ATj2, ATj3 and sends it to user equipment (UE) i according to the same manner; User equipment (UE) i carries out the authentication first time according to 1 couple of user equipment (UE) j of authentication information ATj, according to authentication information ATj2 user equipment (UE) j is carried out the authentication second time, according to authentication information ATj3 user equipment (UE) j is authenticated for the third time, if three authentications are all passed through, then the authentication of user equipment (UE) j is passed through, if wherein any once authentication is not passed through, then to the authentification failure of user equipment (UE) j; Equally, user equipment (UE) j also carries out three authentications to user equipment (UE) i, if three authentications are all passed through, then the authentication of user equipment (UE) i is passed through, if wherein any once authentication do not pass through, then to the authentification failure of user equipment (UE) i.When the authentication between user equipment (UE) i and user equipment (UE) j was passed through, user equipment (UE) i and user equipment (UE) j can communicate.
According to present embodiment, the communicating pair subscriber equipment has only can be authenticated by common a plurality of authorization center mandates and passes through, and can prevent the intrusion of illegality equipment thus effectively.In addition, because the authorization message at each authorization center generates authentication information respectively, and authenticate respectively, so when in this authoring system, increasing new authorization center, subscriber equipment only need be after this new authorized information of authorization center mandate, when generating authentication information, utilize the authorization message that obtains from this new authorization center mandate to produce a corresponding authentication information again, when between subscriber equipment, authenticating, increase once corresponding verification process again and get final product.Therefore,, do not need to change authentication mode yet, can expand simply even increased new authorization center.
Execution mode two:
In above-mentioned execution mode one, after both sides generate authentication information, directly the authentication information that is generated is sent to the other side.In present embodiment two, after both sides generate authentication information, the authentication information that is generated is encrypted the encrypting and authenticating information that obtains, encrypting and authenticating information is sent to the other side, the other side is decrypted this encrypting and authenticating information and obtains authentication information, and authenticates according to authentication information.
Below in conjunction with Fig. 3, be the process that authenticates between example explanation user equipment (UE) i and the user equipment (UE) j with two mandate systems.Wherein, the distinctive points of the identifying procedure of Fig. 3 and the identifying procedure of Fig. 2 is: increased the step ST2104 and the step ST2204 that are used for authentication information is encrypted among Fig. 3, be used for step ST2106 and ST2206 that encrypting and authenticating information is decrypted, and changed step ST2105 and the ST2205 that is used for mutual encrypting and authenticating information.Only the difference step is described below.
In step ST2104, user equipment (UE) i utilizes parameter K as encryption key authentication information ATi1 and ATi2 to be encrypted and obtains encrypting and authenticating information CATi.
CATi=[Am]
K(ATi1,ATi2)
In step ST2204, user equipment (UE) j utilizes parameter K as encryption key authentication information ATj1 and ATj2 to be encrypted and obtains encrypting and authenticating information CATj.
CATj=[Am]
K(ATj1,ATj2)
In step ST2105, user equipment (UE) i sends to user equipment (UE) j with encrypting and authenticating information CATi.
In step ST2205, user equipment (UE) j sends to user equipment (UE) i with encrypting and authenticating information CATj.
In step ST2106, user equipment (UE) i utilizes parameter K as decruption key encrypting and authenticating information CATj to be decrypted and obtains authentication information ATj1 and ATj2.
ATj1,ATj2=[Am]
K(CATj)
In step ST2206, user equipment (UE) j utilizes parameter K as decruption key encrypting and authenticating information CATi to be decrypted and obtains authentication information ATi1 and ATi2.
ATi1,ATi2=[Am]
K(CATi)
In the present embodiment, the parameter K of encryption key when authentication information is encrypted and the decruption key when authentication information is decrypted for example can be following parameter:
(1) offer the parameter K 1 of user equipment (UE) i and user equipment (UE) j by authorization center CAI, that is, and K=K1
(2) offer the parameter K 2 of user equipment (UE) i and user equipment (UE) j by authorization center CA2, that is, and K=K2
(3) offer the parameter K 1 of user equipment (UE) i and user equipment (UE) j and offer the combination of the parameter K 2 of user equipment (UE) i and user equipment (UE) j by authorization center CA1 by authorization center CA2, that is, K=(K1, K2)
Wherein, as the combination of parameter K 1 and parameter K 2, can be various ways, for example be K=K1 * K2, K=K1+K2 etc.
(4) parameter of subscriber equipment generation
For example, subscriber equipment can calculate parameter K as encryption key and decruption key according to authorization message.
In the present embodiment, the cryptographic algorithm Am when authentication information is encrypted can be consulted in advance to determine by user equipment (UE) i and user equipment (UE) j, also can be specified by authorization center.In addition, this cryptographic algorithm can adopt the cryptographic algorithm of DSE arithmetic.
Based on above-mentioned flow process, if user equipment (UE) i and user equipment (UE) j correctly do not hold parameter K, then can't be decrypted and obtain authentication information encrypting and authenticating information from the other side, cause authentification failure.
Authorizing system with three below is the process that authenticates between example explanation user equipment (UE) i and the user equipment (UE) j.
User equipment (UE) i utilizes self user equipment (UE) i to authorize the authorization message AIi1 that obtains to generate authentication information ATi1 from authorization center CA1, utilization authorizes the authorization message AIi2 that obtains to generate authentication information ATi2 from authorization center CA2, utilization authorizes the authorization message AIi3 that obtains to generate authentication information ATi3 from authorization center CA3, utilizes parameter K m*Kn that authentication information ATi1, ATi2, ATi3 are encrypted and obtains authentication information CATi.
CATi=[Am]
Km*Kn(ATi1,ATi2,ATi3)
User equipment (UE) j utilizes self user equipment (UE) j to authorize the authorization message AIj1 that obtains to generate authentication information ATj1 from authorization center CA1, utilization authorizes the authorization message AIj2 that obtains to generate authentication information ATj2 from authorization center CA2, utilization authorizes the authorization message AIj3 that obtains to generate authentication information ATj3 from authorization center CA3, utilizes parameter K m*Kn that authentication information ATj1, ATj2, ATj3 are encrypted and obtains authentication information CATj.
CATj=[Am]
Km*Kn(ATj1,ATj2,ATj3)
The mutual encrypting and authenticating information separately of user equipment (UE) i and user equipment (UE) j.
User equipment (UE) i utilizes parameter K m*Kn as decruption key encrypting and authenticating information CATj to be decrypted and obtains authentication information ATj1, ATj2 and ATj3.
ATj1,ATj2,ATj3=[Am]
Km*Kn(CATj)
User equipment (UE) j utilizes parameter K m*Kn as decruption key encrypting and authenticating information CATi to be decrypted and obtains authentication information ATi1, ATi2 and ATi3.
ATi1,ATi2,ATi3=[Am]
Km*Kn(CATi)
Wherein, parameter K m can be the parameter that is offered user equipment (UE) i and user equipment (UE) j by authorization center CA2, and parameter K n can be the parameter that is offered user equipment (UE) i and user equipment (UE) j by authorization center CA3.In addition, among parameter K m and the parameter K n any can be by user equipment (UE) i and the user equipment (UE) j parameter that generates of strategy according to the rules at least.
Based on above-mentioned object lesson, authorize the mode that authenticates between the user equipment (UE) i and user equipment (UE) j under the system to be at m: at user equipment (UE) i during at the generation authentication information, utilization generates a corresponding m authentication information from m the authorization message that m authorization center obtains, utilize parameter K a described m authentication information to be encrypted the encrypting and authenticating information that obtains, and this encrypting and authenticating information is sent to user equipment (UE) j as encryption key; User equipment (UE) j receives after the encrypting and authenticating information, utilize parameter K this encrypting and authenticating information to be decrypted m the authentication information that obtains user equipment (UE) i earlier as decruption key, utilize this m authentication information to authenticate respectively, when all authentications are all passed through, think the authentication of user equipment (UE) i is passed through.
At this, encryption key and decruption key K can be the combinations of the individual parameter of q (q 〉=1).
When q≤m, this q parameter can all be the parameter that is offered subscriber equipment by q authorization center in m the authorization center respectively; Or s parameter in q parameter is the parameter that is provided respectively by the individual authorization center of the s in m the authorization center (m>s 〉=1), and the individual parameter of r (q>r 〉=1) is the parameter that is generated by subscriber equipment in addition, r+s=q.
When q>m, m parameter in q parameter is the parameter that is offered subscriber equipment by m authorization center respectively, and q-m parameter can be by the subscriber equipment parameter that produces of strategy according to the rules in addition; Or the individual parameter of s (m>s 〉=1) in q parameter is by s the parameter that authorization center provides respectively in m the authorization center, and the individual parameter of r (q>r 〉=1) is the parameter that is generated by subscriber equipment in addition, this moment r+s=q.
As the combination of q parameter, can be the combination in any mode, for example, long-pending, the q parameter sum of q parameter etc.
In addition, in the present embodiment, cryptographic algorithm when encrypting can be consulted in advance to determine by user equipment (UE) i and user equipment (UE) j, also can be specified by authorization center, as long as can make user equipment (UE) i adopt identical enciphering and deciphering algorithm with user equipment (UE) j.In addition, this cryptographic algorithm can adopt the cryptographic algorithm of DSE arithmetic.
According to present embodiment, after authentication information is encrypted, send to the other side, so the transmission security of the authentication information of communicating pair is guaranteed.
Execution mode three:
Execution mode three is with the distinctive points of execution mode two, in execution mode two authentication information has only been encrypted once, but in present embodiment three, can have been utilized different cryptographic algorithm to encrypted authentication information repeatedly.
For example, utilize encryption key K1 and cryptographic algorithm Am1 that authentication information is encrypted, utilize encryption key K2 and cryptographic algorithm Am2 that a last enciphered message is encrypted again then, by that analogy, utilize encryption key Kk and cryptographic algorithm Amk that a last enciphered message is encrypted again, obtain encrypting and authenticating information CAT.
CAT=[Amk]
Kk...[Am2]
K2([Am1]
K1(AT))
Receive after the above-mentioned encrypting and authenticating information CAT, utilize decruption key Kk and decipherment algorithm Amk that CAT is decrypted earlier, by that analogy, utilize decruption key K1 and decipherment algorithm Am1 that a last decrypted result is decrypted at last, obtain authentication information AT.
Wherein, the usage policy of cryptographic algorithm and encryption key can be consulted in advance to determine, also can be specified by authorization center by user equipment (UE) i and user equipment (UE) j.
Execution mode four:
In above execution mode, for allow the user utilize subscriber equipment carry out with other subscriber equipment between communicate by letter and authorize and authenticate, promptly subscriber equipment directly is authorized to central authority, authenticates between subscriber equipment and the subscriber equipment.In present embodiment four, in order to allow the user can utilize subscriber card to finish with other subscriber card or communicating by letter of other subscriber equipment and authorize and authenticate.The authoring system block diagram of present embodiment four as shown in Figure 4.
In present embodiment four, the authorization of subscriber card comprises direct mandate and authorizes dual mode indirectly.
The direct authorization of subscriber card is, this subscriber card is to authorization center application mandate, the direct authorized user card of authorization center.Under the direct authorization of subscriber card, subscriber card is equivalent to the subscriber equipment in the above-mentioned execution mode, and the verification process of the licensing process of subscriber card and authorization center and subscriber card and subscriber card or subscriber equipment is with above-mentioned execution mode.Different is that subscriber card all is to finish by the subscriber equipment that is connected with this subscriber card with subscriber card with the mutual of other subscriber card or other subscriber equipment with authorization center alternately.That is, subscriber equipment just works as the communication module of subscriber card.For example, subscriber card i is with after user equipment (UE) i is connected, this subscriber card i obtains m authorization message by described user equipment (UE) i each authorization center SEPARATE APPLICATION mandate in m authorization center, described subscriber card i utilizes this m authorization message to generate the subscriber card authentication information, and the subscriber card authentication information that will generate sends to the other user's equipment UE j by described user equipment (UE) i, so that authenticate.
The indirect authorization of subscriber card is authorization center authorized user device, this this subscriber card of authorized users device authorization.Promptly under the indirect authorization of this subscriber card, authorization center is by the indirect authorized user card of subscriber equipment.Under the indirect authorization of subscriber card, the verification process between subscriber card and other subscriber card or other subscriber equipment is with above-mentioned execution mode.Promptly in verification process, generate authentication information and send to the other side according to authorization message by subscriber card by subscriber equipment, this subscriber card receives from the other side's authentication information by subscriber equipment and authenticates.For example, at first, user equipment (UE) i obtains m authorization message to m authorization center application mandate, when subscriber card i is connected with user equipment (UE) i, this user equipment (UE) i will send to described subscriber card i from m the authorization message that m authorization center obtains, described subscriber card i utilizes described m authorization message to generate the subscriber card authentication information, and the subscriber card authentication information that will generate sends to the other user's equipment UE j by described user equipment (UE) i, so that authenticate.
When user equipment (UE) j is connected with subscriber card j, this user equipment (UE) j sends to the subscriber card j that is connected with self with the subscriber card authentication information of the subscriber card i that receives, and this subscriber card j carries out authentication to this subscriber card i according to the subscriber card authentication information of subscriber card i.
Because when utilizing subscriber card, licensing process and verification process all can adopt above-mentioned execution mode one~three, so omit the mandate and the authentication method of subscriber card at this.
Subscriber card can be a key card, also can be safety card.
In the present embodiment, by using subscriber card to improve the convenience of communication.And when using subscriber card, also improved the fail safe of communicating by letter by above-mentioned mandate and authentication mode.
Execution mode five:
In present embodiment five, be provided for realizing the subscriber equipment of above-mentioned execution mode one.
Figure 5 shows that structure chart at the subscriber equipment of present embodiment five.As shown in Figure 5, subscriber equipment comprises: Transmit-Receive Unit 501 is used for receiving and transmission information; Authorized application unit 502 is used for sending the authorized application request by Transmit-Receive Unit 501 respectively to each authorization center of m authorization center; Authorization message is preserved unit 503, is used for receiving authorization message by Transmit-Receive Unit 501 respectively from each authorization center, and preserves; Authentication information generation unit 504 is used to utilize m the authorization message that obtains from a described m authorization center to generate authentication information, and the authentication information that is generated is sent to the other user's equipment through Transmit-Receive Unit 501; And authentication ' unit 505, be used for receiving the authentication information of the other user's equipment from described the other user's equipment, and utilize the authentication information of the other user's equipment that the other user's equipment is authenticated through Transmit-Receive Unit 501.Wherein m is the natural number more than or equal to 2.
The performed operation in each unit in the subscriber equipment in the present embodiment all can be adopted the method for above-mentioned execution mode one to three, in this omission.In addition, the internal structure of the subscriber card in the execution mode four also can be identical with above-mentioned structure shown in Figure 5, in this omission.
Execution mode six:
In present embodiment six, be provided for realizing the subscriber equipment of above-mentioned execution mode two.
Figure 6 shows that structure chart at the subscriber equipment of present embodiment six.As shown in Figure 6, subscriber equipment also comprises on architecture basics shown in Figure 5: parameter generating unit 506 is used to generate parameter, as encryption key or decruption key; Parameter is preserved unit 507, is used to preserve q the parameter that described parameter generating unit generates; Ciphering unit 508 is used for that described parameter is preserved q the parameter of preserving the unit and as encryption key authentication information is encrypted the encrypting and authenticating information that obtains, and sends to the other user's equipment through Transmit-Receive Unit 501.In addition, can also comprise decrypting device 509, q the parameter that is used for described parameter preservation unit is preserved is decrypted the encrypting and authenticating information that receives by described Transmit-Receive Unit 501 as decruption key, and the authentication information that deciphering is obtained sends to authentication ' unit 505.Wherein, q is the natural number more than or equal to 1.
Replacement execution mode as present embodiment six, replace the parameter generating unit 506 among Fig. 6, can comprise parameter receiving element (not shown), this parameter receiving element receives q parameter respectively through q the authorization center of described Transmit-Receive Unit 501 from m authorization center.At this moment, parameter is preserved unit 507 and is preserved q the parameter that described parameter receiving element receives.Wherein, q is the natural number more than or equal to 1.
Another replacement execution mode as present embodiment six, can also comprise parameter receiving element (not shown) in subscriber equipment shown in Figure 6, this parameter receiving element receives s parameter through s the authorization center of described Transmit-Receive Unit 501 from m authorization center.At this moment, parameter is preserved unit 507 and is preserved s parameter that described parameter receiving element receives and q parameter of described parameter generating unit 506 generations.In this case, the combination that ciphering unit 508 is preserved q+s the parameter of preserving the unit with described parameter is encrypted the encrypting and authenticating information that obtains as encryption key to authentication information, and sends to the other user's equipment through Transmit-Receive Unit 501.The combination that decrypting device 509 is preserved q+s the parameter of preserving the unit with described parameter is decrypted the encrypting and authenticating information by described Transmit-Receive Unit 501 receptions as decruption key, and the authentication information that deciphering is obtained sends to authentication ' unit 505.Wherein, q is the natural number more than or equal to 1, and s is more than or equal to 1 and smaller or equal to the natural number of m.
The performed operation in each unit in the subscriber equipment in the present embodiment all can be adopted the method for above-mentioned execution mode one to three, in this omission.In addition, the internal structure of the subscriber card in the execution mode four also can be identical with above-mentioned structure shown in Figure 5, in this omission.
Execution mode seven:
The identifying procedure that carries out authentication between present embodiment seven explanation user equipment (UE) i and the user equipment (UE) j.The identifying procedure of present embodiment seven goes for above-mentioned execution mode one~six.Need to prove that the authentication mode in the above-mentioned execution mode one~six is not limited to the method in the present embodiment seven, can adopt any existing authentication mode.
Below with user equipment (UE) i utilize from k authorization center CAk (k=1 ..., it is example that the private key for user Sik that m) obtains generates authentication information ATik, and the step of generation authentication information is described, as shown in Figure 7, comprises the steps:
Step ST801: user equipment (UE) i produces a random number R ik.
Step ST802: user equipment (UE) i determines user security entropy CSTik, and system safety entropy CSKik and random number R sik set up safe entropy information parameters C Tik.
CTik=CSTik,CSKik,Rsik
Random number R sik is the input data of logical circuit of can recombinating.User security entropy CSTik and system safety entropy CSKik are respectively can the recombinate static coding and the dynamic coding of logical circuit.
Step ST803: user equipment (UE) i is according to the safety entropy information parameters C Tik and the logical circuit computationally secure entropy mixed number STik that can recombinate
STik=CTik(RELOG)
The generation of STik is referring to Fig. 8.
User security entropy mixed number UTik is user security entropy CSTik and random number R sik by user's mixed number that logical circuit Sa produces of can recombinating.Wherein, user security entropy CSTik is used to control can the recombinate control signal of controllable node of logical circuit Sa of user, random number R sik is can the recombinate input of logical circuit Sa of user, and user security entropy mixed number UTik is can the recombinate output of logical circuit Sa of user.
Safe entropy mixed number STik is system safety entropy CSKik and user security entropy mixed number UTik by system's mixed number that logical circuit Pa produces of can recombinating.Safe entropy mixed number STik participates in the authentication information Model Calculation.Wherein, system safety entropy CSKik is used for can the recombinate control signal of controllable node of logical circuit Pa of system, user security entropy mixed number UTik is can the recombinate input of logical circuit Pa of system, and safe entropy mixed number STik is can the recombinate output of logical circuit Pa of system.
About the formation and the realization of the logical circuit of can recombinating, being described at last of this paper.
Step ST804: user equipment (UE) i calculates Xik, Yik
Xik=gk
ek*Rik?mod?nk
Yik=Sik*gk
STik*Rik?mod?nk
Wherein, ek, nk, gk are the public key informations of authorization center CAk.
User equipment (UE) i with Xik, Yik, CTik as authentication information ATik.
By as above step, user equipment (UE) i can utilize m the private key for user that obtains from m authorization center to obtain m authentication information ATi1~ATim.
Below with user equipment (UE) j be used to from user's equipment UE i authentication information ATik (k=1 ..., m) authenticate and be example, the step of carrying out authentication information is described, as shown in Figure 9, comprise the steps:
Step ST1001: user equipment (UE) j always extracts the safe entropy information parameters C Tik of user equipment (UE) i in the authentication information ATik of user's equipment UE i.
CTik=CSTik,CSKik,Rsik
Step ST1002: user equipment (UE) j utilizes the safe entropy information parameters C Tik computationally secure entropy index CKik of user equipment (UE) i based on the logical circuit of can recombinating.
CKik=CTik(RELOG)
The method of computationally secure entropy index CKik can be referring to Fig. 8, and difference is that can the recombinate output of logical circuit Pa of system is safe entropy index CKik.
At this, user equipment (UE) i has identical formation with recombinated logical circuit among the user equipment (UE) j, it is identical with user among the user equipment (UE) j logical circuit Sa that can recombinate to be user equipment (UE) i, and the logical circuit Pa that can recombinate of user equipment (UE) i and system among the user equipment (UE) j is identical.Like this, logical circuit that logical circuit constitutes is the same to utilize the control of identical control signal to recombinate.
If safe entropy information parameters C Tik is not tampered in the authentication information transmission course; Then user equipment (UE) j utilize the user security entropy CSTik control user from authentication information, extract to recombinate logic circuit that logic circuit Sa consists of and utilize the security of system entropy CSKik control system that from authentication information, extracts can recombinate the logic circuit of logic circuit Pa formation will be identical with the logic circuit that in user equipment (UE) i, consists of, the safe entropy index CKik that obtains based on the safe entropy information parameters C Tik that extracts from authentication information in user equipment (UE) j like this equals the safe entropy mixed number STik that generates in user equipment (UE) i. If safe entropy information parameters C Tik distorted in the authentication information transmission course, then the safe entropy index CKik that obtains of user equipment (UE) j is different from the safe entropy mixed number STik that generates in user equipment (UE) i.
Step ST1003: user equipment (UE) j calculates the mandate public key certificate GCik ' of user equipment (UE) i.
Xik
CKik/Yik
ek?mod?nk=GCik’
Wherein, Xik and Yik extract from authentication information ATik and obtain, and ek is the relevant parameter of PKI of k authorization center CAk with nk.
If the safe entropy index CKik that obtains in above-mentioned steps ST1002 equals the safe entropy mixed number STik that generates in user equipment (UE) i, then can correctly obtain GCik ', otherwise can not correctly obtain GCik '.
Step ST1004: user equipment (UE) j utilizes the mandate public key certificate GCik ' of the user equipment (UE) i that calculates to come whether verifying user equipment UEi is legal.
For example, whether user equipment (UE) j compares the mandate public key certificate GCik of the mandate public key certificate GCik ' of the user equipment (UE) i that calculates and known user equipment (UE) i, be legal according to comparative result verifying user equipment UEi.
For example, can comprise the idi parameter because user equipment (UE) i authorizes among the public key certificate GCik, this idi comprises the information of user equipment (UE) i, for example network address, telephone number, identity etc., so by these information relatively can verifying user equipment UEi legitimacy.
If there is another subscriber equipment fake user equipment UE i that does not have the private key for user Sik that obtains from k authorization center mandate then can't pass through above-mentioned verification process.
User equipment (UE) i is identical with said process to the verification process of user equipment (UE) j, in this omission.
After both sides' authentication between user equipment (UE) j and the user equipment (UE) i is passed through, the agreement phase that enters both sides' key agreement, otherwise interrupt both parties communication, control system prompting: disabled user.
Execution mode eight:
In the authentication process of present embodiment eight, obtain authentication information ATik (comprising Xik, Yik, CTik) afterwards by flow process shown in Figure 7, also further calculate the summary of authentication information ATik, be the summary that user equipment (UE) i calculates Xik, Yik, safe entropy information parameters C Tik, obtain Xikm, Yikm, CTikm.User equipment (UE) i sends to user equipment (UE) j with the summary ATikm (comprising Xikm, Yikm, CTikm) of authentication information ATik (comprising Xik, Yik, CTik) and authentication information.
The summary ATikm (comprising Xikm, Yikm, CTikm) that user equipment (UE) j receives authentication information ATik (comprising Xik, Yik, CTik) and authentication information from user equipment (UE) i afterwards, when user equipment (UE) i is authenticated, before above-mentioned step ST1001 shown in Figure 9, carry out following steps: user equipment (UE) j utilizes summary Xikm, the Yikm, the CTikm that are received to check authentication information Xik, Yik, CTik.
Particularly, the digest algorithm that user equipment (UE) j uses and user equipment (UE) i is same calculates summary info Xikm ', Yikm ', the CTikm ' of authentication information Xik, Yik, CTik.If the summary info Xikm ', the Yikm ' that calculate, CTikm ' are consistent with summary info Xikm, the Yikm, the CTikm that receive, illustrate that then Xik, Yik, CTik are not distorted, and enter step ST1001.If checked result is inconsistent, illustrate that then Xik, Yik, CTik information are distorted, user equipment (UE) i is not by authentication, and the end verification process.
Execution mode nine:
When authentication information is encrypted, can adopt the authentication process of present embodiment nine.
In the authentication process of present embodiment nine, obtain authentication information ATik (comprising Xik, Yik, CTik) afterwards by flow process shown in Figure 7, authentication information ATik is encrypted obtain encrypting and authenticating information Cik
XY
For example, under two mandate systems, user equipment (UE) i with Km as encryption key, with cryptographic algorithm Am to ATik (k=1,2 ..., m) carry out and obtain Cik after encrypting
XY(k=1,2 ..., m).
Cik
XY=[A
m]
Km(ATik)=[A
m]
Km(X
ik,Y
ik,CT
ik)
Perhaps, user equipment (UE) i as encryption key, uses cryptographic algorithm Am to ATi1, ATi2 Km ..., ATim obtains Ci after carrying out and encrypting
XY
Ci
XY=[A
m]
Km(ATi1,ATi2,......,ATim)
Wherein, Km is the parameter that user equipment (UE) i obtains from the second authorization center CA2, also can be the user equipment (UE) i parameter of strategy generation according to the rules.
User equipment (UE) i calculates Cik
XY(k=1,2 ..., m) or Ci
XYAfterwards, with this Cik
XY(k=1,2 ..., m) or Ci
XYSend to user equipment (UE) j.
User equipment (UE) j receives Cik
XY(k=1,2 ..., m) or Ci
XYAfterwards, as decruption key, use decipherment algorithm Am Km to authentication information Cik
XY(k=1,2 ..., m) or Ci
XYObtain X after carrying out deciphering
Ik, Y
Ik, CT
Ik(k=1,2 ..., m).
Wherein, Km is the parameter that user equipment (UE) j obtains from the second authorization center CA2, also can be the user equipment (UE) j parameter of strategy generation according to the rules.
For another example, authorize under the systems three, user equipment (UE) i with the product of Km and Kn as encryption key, with cryptographic algorithm Am to ATik (k=1,2 ..., m) carry out and obtain Cik after encrypting
XY(k=1,2 ..., m) or Ci
XY
Cik
XY=[A
m]
Km×Kn(ATik)=[A
m]
Km×Kn(X
ik,Y
ik,CT
ik)
Ci
XY=[A
m]
Km×Kn(ATi1,ATi2,......,ATim)
Wherein, the definition of Km is the same, and Kn is the parameter that user equipment (UE) i obtains from the 3rd authorization center CA3, also can be the user equipment (UE) i parameter of strategy generation according to the rules.
At this,, can also adopt other combining form, for example a plurality of parameter sums etc. if a plurality of parameters during as encryption key, are not limited to the such form of product of above-mentioned Km that mentions and Kn.
User equipment (UE) j by Km and Kn as decruption key, with decipherment algorithm Am to authentication information Cik
XY(k=1,2 ..., m) or Ci
XYObtain X after carrying out deciphering
Ik, Y
Ik, CT
Ik(k=1,2 ..., m).
Wherein, the definition of Km is the same, and Kn is the parameter that user equipment (UE) j obtains from the 3rd authorization center, also can be the user equipment (UE) j parameter of strategy generation according to the rules.
At this,, can also adopt other combining form, for example a plurality of parameter sums etc. if a plurality of parameters during as decruption key, are not limited to the such form of product of above-mentioned Km that mentions and Kn.Which kind of certainly, no matter adopt the encryption key and the decruption key of combining form, all need to guarantee to be mutually to be pair of secret keys.
In addition, about Km and Kn, for example, Km is the safe entropy key that second authorization center (administrative center) licenses to subscriber equipment, and Kn is the auxiliary key that the 3rd authorization center (network management center) licenses to subscriber equipment, and its form is as follows:
Administrative center's authorizing secure entropy private key certificate: [e, n, g, Km];
Auxiliary private key certificate is authorized by network management center: [e, n, g, Kn, STi].
Wherein,
E, n: authorities conducting the examination on the ministry's authorization PKI
G: authorities conducting the examination on the ministry's authorization key code system primitive element
Km: safe entropy key
Kn: auxiliary key
STi: safe entropy mixed number
Execution mode ten:
In present embodiment ten, be provided for realizing the subscriber equipment of above-mentioned execution mode seven~nine.
Figure 10 shows that structure chart at the subscriber equipment of present embodiment ten.As shown in figure 10, the difference shown in subscriber equipment and Fig. 5 or 6 is authentication information generation unit 504 and authentication ' unit 505 and the logical circuit 510 of can recombinating.
Authentication information generation unit 504 comprises: the first random number generation unit 5041, safe entropy parameter generation unit 5042, parameter calculation unit 5043, authentication information constitute unit 5044.
Authentication ' unit 505 comprises: parameter extraction unit 5051, public key certificate computing unit 5052, authentication unit 5053.
As shown in Figure 8, the described logical circuit 510 of recombinating comprises: user's logical circuit and system logical circuit of can recombinating of can recombinating.
When generating authentication information, following operation is carried out in relevant unit:
The first random number generation unit 5041 produces the first random number R i; Safe entropy parameter generation unit 5042 produces safe entropy parameter CTi; The logical circuit 510 of can recombinating generates safe entropy mixed number STi based on safety entropy parameter CTi, exports to parameter calculation unit 5043; Parameter calculation unit 5043 based on the first random number R i, safe entropy mixed number STi, be kept at authorization message and preserve i private key for user Si in the unit 503, produce Xi, Yi according to following formula; The safe entropy parameter CTi that Xi, Yi that authentication information formation unit 5044 calculates described parameter calculation unit and described safe entropy parameter generation unit 5042 generate constitutes the i authentication information.
Xi=gi
ei*Ri?mod?ni
Yi=Si*gi
STi*Ri?mod?ni
Wherein, ei, ni, gi are the relevant parameters of PKI of i authorization center, and the value of i gets 1 respectively to m.
Described safe entropy parameter generation unit 5042 can comprise: the second random number generation unit is used to produce the second random number R si; User security entropy generation unit is used to generate user security entropy CSTi; System safety entropy generation unit is used for generation system safety entropy CSKi.The second random number R si, user security entropy CSTi, system safety entropy CSKi constitute safe entropy parameter CTi.
When generating safe entropy mixed number STi, user in the described logical circuit 510 of recombinating can recombinate logical circuit Sa with user security entropy CSTi as control signal, with the described second random number R Si as input signal, output user security entropy mixed number UTi, described system can recombinate logical circuit Pa with described system safety entropy CSKi as control signal, with described user can recombinate the output of logical circuit Sa be user security entropy mixed number UTi as input signal, output safety entropy mixed number STi.
When authenticating, following operation is carried out in relevant unit:
Xj
CKj/Yj
ejmod?nj=GCj’
Wherein ej, nj are the relevant parameters of PKI of j authorization center, and the value of j gets 1 respectively to m.
Comprise the second random number R sj, user security entropy CSTj, system safety entropy CSKj among the described safe entropy parameter CTj.When obtaining safe entropy index CKj, user in the described logical circuit 510 of recombinating can recombinate logical circuit Sa with user security entropy CSTj as control signal, with the described second random number R sj as input signal, output user security entropy mixed number UTj, described system can recombinate logical circuit Pa with described system safety entropy CSKj as control signal, with described user can recombinate the output of logical circuit Sa be user security entropy mixed number UTj as input signal, output safety entropy index CKj.
The performed operation in each unit in the subscriber equipment in the present embodiment all can be adopted the method for above-mentioned execution mode seven to nine, in this omission.In addition, the internal structure of the subscriber card in the execution mode four also can be identical with above-mentioned structure shown in Figure 10, in this omission.
Introduce the principle and the implementation method of the logical circuit of can recombinating below.
Any one algorithm all is to be formed according to necessarily being linked in sequence by a series of basic operation.If OP represents to constitute the operation of algorithms of different operation and the set of control relation, then OF can be expressed as:
OP=(op
1,1+op
1,2+...+op
1,m1)*(op
2,1+op
2,2+...+op
2,m2)*...*(op
n,1+op
n,2+...+op
n,mn)
Wherein, op
I, j(j=1,2 ..., m
i, i=1,2 ..., n) expression rudimentary algorithm operation, "+" expression parallel work-flow relation, " * " expression serial operation relation.
By algorithms of different is analyzed and studied, we find that algorithm has a notable attribute: a lot of different algorithms have same or analogous basic operation composition, and the frequency that same in other words basic operation composition occurs in algorithms of different is very high.Because algorithms of different often has a lot of same or analogous basic operation compositions, the pairing hardware resource of these basic operation compositions just can be shared by multiple algorithms of different institute, so we just can overlap logical circuit with less circuit scale structure one and realize multiple algorithm.Can the recombinate design considerations of logical circuit that Here it is.
At first define some terms in the logical circuit of to recombinate.
If E represents the set that some can be constituted by the reusable functional part of algorithms of different, E={e1, e2 ..., em} (m ∈ natural number), as seen CNode represents some command interface, the controlled set that parts constituted, CNode={cnode1, cnode2, ..., cnoden} (n ∈ natural number), C represents the set that annexation constituted between above-mentioned functions parts or the controllable component, C={R<a, b〉| R<a, b〉be the annexation of a to b, a, b ∈ E ∪ CNode}, then by E, CNode, the determined logical circuit of C just is called the logical circuit of can recombinating, be designated as RELOG={E, CNode, C}.Wherein ei ∈ E (i=1,2 ..., m) be called the reorganization element, cnodei ∈ CNode (i=1,2 ..., n) be called controllable node.
The function of logical circuit of can recombinating will be along with the change of the control signal of controllable node and is changed, if can recombinate logical circuit RELOG={E, CNode, the function that C} can realize is represented with FUNC_RELOG, the set of the control signal of its controllable node correspondence is represented with CTRL, then FUNC_RELOG is the function of CTRL, is expressed as
FUNC_RELOG=f(CTRL)
CTRL={ctrl1, ctrl2 ..., ctrln} (n ∈ natural number)
As mentioned above, the logical circuit of can recombinating is made up of three parts: the wire net between a plurality of controllable node, a plurality of reorganization element and controllable node and the reorganization element.
The reorganization element is the basic operation composition that is used to realize various algorithms, is that the logical circuit of can recombinating is used to make up the basic element of various algorithms.Connection network between the reorganization element is used to various algorithms to set up required data transmission path.Reorganization element and connection network thereof are realized different algorithms under the control of controllable node.
The controllable node that can recombinate in the logical circuit mainly contains two classes: function controllable node and path controllable node.The controlled function controllable node can make the changing function of reorganization element, to adapt to the different operating function demand of algorithms of different; The control access controllable node can make the data transfer path between the reorganization element change, to adapt to the transfer of data demand of algorithms of different.
Provide the example of the recombinated logical circuit of realizing the Different Logic function below, to make things convenient for can the recombinate formation of logical circuit of understanding.
Figure 11 a is a schematic diagram of realizing the recombinated logical circuit of Different Logic function.
In the circuit shown in Figure 11 a, AND2_1, AND2_2 represent 2 inputs and door, and AND3 represents 3 inputs and door, and OR2 represents 2 inputs or door, and NOT represents not gate, and A, B, C, D are 4 input variables, and F is an output variable.Be provided with 2 controllable node AND2_1 and AND2_2 in foregoing circuit, its control signal is designated as CTRL1 and CTRL2 respectively.By CTRL1 is composed with different values with CTRL2, just can change the logic function of foregoing circuit, realize different logical functions.Table shown in Figure 11 b has provided when CTRL1 gets different values with CTRL2, the functional relation that the circuit shown in above-mentioned Figure 11 a is realized.
Recombinated logical circuit shown in above-mentioned Figure 11 a can be described as:
RELOG={E,CNode,C}
Wherein,
Reorganization element set E={AND3, NOT, OR2};
Controllable node set CNode={AND2_1, AND2_2};
Connect network C={ AND3 → AND2_1, NOT → AND2_2, AND2_1 → OR2, AND2_1 → OR2}.
The function that this logical circuit of can recombinating is realized can be expressed as:
FUNC_RELOG=f(CTRL)=CTRL1·ABC+CTRL2·D
Wherein, control signal CTRL={CTRL1, CTRL2}.
Figure 12 a is recombinated a logical circuit schematic diagram of realizing different annexations.Have 3 reorganization elements A, B, C in the recombinated logical circuit shown in Figure 12 a.Enter the C parts behind the output process MUX gating of A and B, as the input of C parts.Wherein MUX is exactly a controllable node, and this controllable node is controlled by control signal M.Just can realize two kinds of different annexations by control, respectively shown in Figure 12 b and Figure 12 c to this controllable node.
A plurality of reorganization element combinations are got up really to realize certain algorithm, also must recombinate and set up the desired data transfer path of this algorithm between the element at these.The desired data transfer path difference of different algorithms realizes multiple different algorithm, just must make the annexation between the reorganization element variable.Realize that the annexation between the reorganization element is variable, just must in the connection network between the reorganization element, controllable node be set, realize different annexations by control to controllable node.
Connection network as shown in figure 13 is with the indirect ways of connecting of register; Wherein the output of each reorganization element B, C, D is kept at earlier as in the register that connects network, and then is input under the control of controllable node in one the input of reorganization element B, C, D.
Connection network as shown in figure 14 is in the direct-connected mode of switching network; Wherein the output of each reorganization element B, C, D directly is connected in the suitable input by gating network MUX.
Connection network as shown in figure 15 be the part with register connect indirectly, the part in the direct-connected mode of switching network; The output of the element B of wherein recombinating directly links to each other with oneself input by gating network MUX, and the register buffer memory is passed through in the output of reorganization Elements C, D earlier, directly enters into C, D then or passes through the input of gating network B.
Those of ordinary skill in the art will be appreciated that, have many lines all will with situation that a line links to each other under, utilizing gating network to come which bar in many lines of Dynamic Selection is a kind of optimal way.
In addition, the technology of this area will be appreciated that, though all do not have the input and the output of entire circuit in the circuit theory diagrams of Figure 13~15, obviously can regard the input and output of entire circuit as special reorganization element respectively and is connected in the circuit.For example, can on the connection network of Figure 13, add an input and an output respectively, respectively as the input and the output of entire circuit.
Description of the invention provides for example with for the purpose of describing, and is not exhaustively or limit the invention to disclosed form.Many modifications and variations are obvious for the ordinary skill in the art.Selecting and describing embodiment is for better explanation principle of the present invention and practical application, thereby and makes those of ordinary skill in the art can understand the various embodiment that have various modifications that the present invention's design is suitable for special-purpose.
Claims (12)
1. an authorization and authentication method is characterized in that, comprises m authorization center,
First device passes through each the authorization center SEPARATE APPLICATION mandate in a described m authorization center, from the authorized information of each authorization center difference,
Described first device utilizes m authorization message obtaining from a described m authorization center to generate first device authentication information, and first device authentication information that will generate sends to second and install,
Described second installs according to the authentication of carrying out from described first first device authentication information that installs described first device,
Wherein, described m is the natural number more than or equal to 2.
2. authorization and authentication method according to claim 1 is characterized in that,
The step that m the authorization message that the described first device utilization obtains from a described m authorization center generates first device authentication information comprises: described first device utilizes m the authorization message that obtains from a described m authorization center to generate m authentication information correspondingly respectively, a described m authentication information constitutes described first device authentication information
Described second device carries out the step of described first authentication of installing is comprised according to first device authentication information from described first device: described second device is according to carry out m authentication correspondingly from m authentication information in first device authentication information of described first device, when m authentication all passed through, authentication to described first device is passed through, when at least once authentication is not passed through, to the authentification failure of described first device.
3. authorization and authentication method according to claim 2 is characterized in that,
For arbitrary authentication in described m the authentication, the step that second device authenticates according to authentication information comprises: described second device calculates authority checking information according to authentication information, utilize described first device of the authority checking Information Authentication that is calculated whether by corresponding authorization center mandate, if above-mentioned checking result is for being then authenticate and pass through, otherwise authentification failure.
4. authorization and authentication method according to claim 3 is characterized in that,
Described authorization message is the private key for user of the mandate public key certificate that licenses to described first device being signed and generating by authorization center,
Described second device calculates authority checking information according to authentication information, whether utilize described first device of the authority checking Information Authentication that is calculated to be comprised by the step of corresponding authorization center mandate: described second device calculates public key certificate according to authentication information, relatively whether the public key certificate that is calculated is consistent with the mandate public key certificate that corresponding authorization center licenses to described first device, if unanimity then authenticate is passed through, otherwise authentification failure.
5. according to each the described authorization and authentication method in the claim 1 to 4, it is characterized in that,
Described first device is encrypted first device authentication information that obtains encrypting to described first device authentication information after generating first device authentication information, and first device authentication information that will encrypt sends to described second and install,
Described second device is decrypted first device authentication information of received encryption and obtains first device authentication information.
6. authorization and authentication method according to claim 5 is characterized in that,
The encryption key that described first device uses when described first device authentication information is encrypted is the combination of p encryption key parameters,
The decruption key that described second device uses when first device authentication information of encrypting is decrypted is the combination of p decruption key parameter,
Wherein, p is the natural number more than or equal to 1.
7. authorization and authentication method according to claim 6 is characterized in that,
A described p encryption key parameters is p the parameter that authorization center respectively obtain of first device from a described m authorization center, described p decruption key parameter is p the parameter that authorization center respectively obtain of second device from a described m authorization center, wherein, p is more than or equal to 1 and smaller or equal to the natural number of m
Perhaps,
A described p encryption key parameters is r parameter and s the parameter that authorization center obtains respectively from a described m authorization center that first device generates, described p decruption key parameter is r parameter and s the parameter that authorization center obtains respectively from a described m authorization center that second device generates, wherein, r is more than or equal to 1 and less than the natural number of p, s is more than or equal to 1 and smaller or equal to the natural number of m, and r and s sum equal p.
8. an authorization and authentication method is characterized in that, comprises m authorization center,
First subscriber card is connected with first device,
Described first subscriber card obtains m authorization message by described first device each authorization center SEPARATE APPLICATION mandate in a described m authorization center,
The described first subscriber card utilization generates the first subscriber card authentication information from m the authorization message that a described m authorization center obtains, and the first subscriber card authentication information that will generate sends to second device by described first device, so that carry out authentication to described first subscriber card
Wherein, described m is the natural number more than or equal to 2.
9. an authorization and authentication method is characterized in that, comprises m authorization center,
First device each authorization center SEPARATE APPLICATION mandate in a described m authorization center obtains m authorization message,
First subscriber card is connected with described first device,
Described first device will send to described first subscriber card from m the authorization message that a described m authorization center obtains,
Described first subscriber card utilizes a described m authorization message to generate the first subscriber card authentication information, and the first subscriber card authentication information that will generate sends to second device by described first device, so that carry out authentication to described first subscriber card,
Wherein, described m is the natural number more than or equal to 2.
10. device is characterized in that comprising:
Transmit-Receive Unit is used for receiving and transmission information;
The authorized application unit is used for sending the authorized application request by Transmit-Receive Unit respectively to each authorization center of m authorization center;
Authorization message is preserved the unit, is used for receiving authorization message by Transmit-Receive Unit respectively from each authorization center, and preserves;
The authentication information generation unit is used to utilize m the authorization message that obtains from a described m authorization center to generate authentication information, and the authentication information that is generated is sent to the other side's device through Transmit-Receive Unit; And
Authentication ' unit is used for receiving the authentication information of the other side's device through Transmit-Receive Unit from described the other side's device, and utilizes the authentication information of the other side's device that the other side's device is authenticated,
Wherein m is the natural number more than or equal to 2.
11. device according to claim 10 is characterized in that also comprising:
Parameter is preserved the unit, is used for f parameter preserved,
Ciphering unit, be used to utilize described parameter to preserve the combination of described f the parameter of preserving the unit as encryption key, the authentication information that described authentication information generation unit generates is encrypted the encrypting and authenticating information that obtains, this encrypting and authenticating information is sent to the other side's device through Transmit-Receive Unit
Decrypting device, be used to utilize described parameter to preserve the combination of f the parameter of preserving the unit as decruption key, obtain authentication information to being decrypted, authentication information is sent to described authentication ' unit from the encrypting and authenticating information that receives through described Transmit-Receive Unit from the other side's device
Wherein f is the natural number more than or equal to 1.
12. a system is characterized in that comprising the described device of a plurality of claims 10 and m authorization center,
Described authorization center comprises granted unit, is used for authorization message being sent to described device according to authorized application request from described device,
Wherein, m is the natural number more than or equal to 2.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200910161372 CN101997684B (en) | 2009-08-10 | 2009-08-10 | Authorization authentication method, device and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200910161372 CN101997684B (en) | 2009-08-10 | 2009-08-10 | Authorization authentication method, device and system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101997684A true CN101997684A (en) | 2011-03-30 |
| CN101997684B CN101997684B (en) | 2013-01-23 |
Family
ID=43787332
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 200910161372 Active CN101997684B (en) | 2009-08-10 | 2009-08-10 | Authorization authentication method, device and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101997684B (en) |
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103780389A (en) * | 2012-10-26 | 2014-05-07 | 华为技术有限公司 | Port based authentication method and network device |
| WO2014134986A1 (en) * | 2013-10-09 | 2014-09-12 | 中兴通讯股份有限公司 | Method and device for secure viewing of shared file |
| CN105450418A (en) * | 2014-09-22 | 2016-03-30 | 中兴通讯股份有限公司 | IKE authentication method, IKE initiating terminal, IKE response terminal and IKE authentication system |
| CN108023873A (en) * | 2017-11-08 | 2018-05-11 | 深圳市文鼎创数据科技有限公司 | channel establishing method and terminal device |
| CN113098964A (en) * | 2021-04-01 | 2021-07-09 | 中天光伏技术有限公司 | Communication connection establishing method and device, storage medium and electronic equipment |
| CN113972995A (en) * | 2020-07-24 | 2022-01-25 | 华为技术有限公司 | Network configuration method and device |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101175324B (en) * | 2004-08-29 | 2010-11-10 | 华为技术有限公司 | Safety guaranteeing method of user card |
| CN101388775A (en) * | 2008-10-17 | 2009-03-18 | 圆刚科技股份有限公司 | Network authentication method and real-time information server applying the same |
-
2009
- 2009-08-10 CN CN 200910161372 patent/CN101997684B/en active Active
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103780389A (en) * | 2012-10-26 | 2014-05-07 | 华为技术有限公司 | Port based authentication method and network device |
| WO2014134986A1 (en) * | 2013-10-09 | 2014-09-12 | 中兴通讯股份有限公司 | Method and device for secure viewing of shared file |
| CN105450418A (en) * | 2014-09-22 | 2016-03-30 | 中兴通讯股份有限公司 | IKE authentication method, IKE initiating terminal, IKE response terminal and IKE authentication system |
| CN108023873A (en) * | 2017-11-08 | 2018-05-11 | 深圳市文鼎创数据科技有限公司 | channel establishing method and terminal device |
| CN108023873B (en) * | 2017-11-08 | 2020-12-11 | 深圳市文鼎创数据科技有限公司 | Channel establishing method and terminal equipment |
| CN113972995A (en) * | 2020-07-24 | 2022-01-25 | 华为技术有限公司 | Network configuration method and device |
| CN113972995B (en) * | 2020-07-24 | 2023-04-28 | 华为技术有限公司 | Network configuration method and device |
| CN113098964A (en) * | 2021-04-01 | 2021-07-09 | 中天光伏技术有限公司 | Communication connection establishing method and device, storage medium and electronic equipment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101997684B (en) | 2013-01-23 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Tseng et al. | A chaotic maps-based key agreement protocol that preserves user anonymity | |
| CN101938354B (en) | Key distribution method based on modular exponentiation and application thereof | |
| EP3386143B1 (en) | Method and system for generating a private key for encrypted data transfer between an electronic identity document and a terminal | |
| US20220327530A1 (en) | Digital signature generation using a cold wallet | |
| CN101997684B (en) | Authorization authentication method, device and system | |
| CN101997683B (en) | Method and device for authenticating zero knowledge proof | |
| CN106101068A (en) | Terminal communicating method and system | |
| CN103684772B (en) | Dynamic deficiency encryption system | |
| CN103269266A (en) | Safety authentication method and system of dynamic password | |
| CN102013141B (en) | Authentication method and authentication system | |
| CN103188219A (en) | Method, equipment and system for digital right management | |
| CN103186720A (en) | Digital rights management method, equipment and system | |
| CN106713349A (en) | Inter-group proxy re-encryption method capable of resisting selected ciphertext attack | |
| CN101997680B (en) | Security chip directly supporting certificate management | |
| Abusukhon et al. | An authenticated, secure, and mutable multiple‐session‐keys protocol based on elliptic curve cryptography and text‐to‐image encryption algorithm | |
| Chin | High-confidence design for security: don't trust—verify | |
| Zahednejad et al. | A secure and efficient AKE scheme for IoT devices using PUF and cancellable biometrics | |
| CN104820807B (en) | A kind of intelligent card data processing method | |
| CN106487502A (en) | A kind of lightweight key negotiation method based on password | |
| CN104780049B (en) | A kind of method of safe read-write data | |
| Amin et al. | An efficient remote mutual authentication scheme using smart mobile phone over insecure networks | |
| Sharp | Applied Cryptography | |
| CN110098915B (en) | Authentication method and system, and terminal | |
| Błaśkiewicz et al. | Two-Head Dragon Protocol: Preventing Cloning of Signature Keys: Work in Progress | |
| Zhang et al. | Old School, New Primitive: Toward Scalable PUF-Based Authenticated Encryption Scheme in IoT |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| DD01 | Delivery of document by public notice |
Addressee: Beijing Duosi science and technology development limited company finance Document name: Notification of Approving Refund |
|
| ASS | Succession or assignment of patent right |
Owner name: NANSI SCIENCE AND TECHNOLOGY DEVELOPMENT CO LTD, B Free format text: FORMER OWNER: BEIJING WISDOM TECHNOLOGY DEVELOPMENT CO., LTD. Effective date: 20141009 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 100080 HAIDIAN, BEIJING TO: 100091 HAIDIAN, BEIJING |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20141009 Address after: 100091, Beijing Haidian District red mountain Yamaguchi 3 maintenance group new building 189, a layer Patentee after: Nansi Science and Technology Development Co., Ltd., Beijing Address before: 100080, Beijing, Zhongguancun Haidian District South Avenue, building 56, B801 Patentee before: Beijing Duosi Technology Development Co., Ltd. |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20160223 Address after: 100095, room 108, building G, quiet core garden, No. 25, North Hollywood Road, Beijing, Haidian District Patentee after: Beijing Duosi security chip technology Co. Ltd. Address before: 100091, Beijing Haidian District red mountain Yamaguchi 3 maintenance group new building 189, a layer Patentee before: Nansi Science and Technology Development Co., Ltd., Beijing |
|
| DD01 | Delivery of document by public notice |
Addressee: Zhou Yan Document name: Notification of Passing Examination on Formalities |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20160713 Address after: 100195, room 106, building G, quiet core garden, No. 25, North Hollywood Road, Beijing, Haidian District Patentee after: Beijing tianhongyi Network Technology Co., Ltd. Address before: Room 108, building G, static core garden, No. 25, North Village Road, Haidian District, Beijing Patentee before: Beijing Duosi security chip technology Co. Ltd. |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20160720 Address after: 100195, room 109, block G, Beijing quiet garden, 25 North Road, North Hollywood village, Beijing, Haidian District Patentee after: Beijing Duosi technical services Co. Ltd. Address before: 100195, room 106, building G, quiet core garden, No. 25, North Hollywood Road, Beijing, Haidian District Patentee before: Beijing tianhongyi Network Technology Co., Ltd. |
|
| CP02 | Change in the address of a patent holder | ||
| CP02 | Change in the address of a patent holder |
Address after: 100192 no.814, 8th floor, building 26, yard 1, Baosheng South Road, Haidian District, Beijing Patentee after: BEIJING DUOSI TECHNICAL SERVICE Co.,Ltd. Address before: 100195 room 109, block G, Beijing static core garden 25, North Wu Village, Haidian District, Beijing. Patentee before: BEIJING DUOSI TECHNICAL SERVICE Co.,Ltd. |