CN102281139A - authentication system and method based on key management protocol - Google Patents
authentication system and method based on key management protocol Download PDFInfo
- Publication number
- CN102281139A CN102281139A CN201010200007XA CN201010200007A CN102281139A CN 102281139 A CN102281139 A CN 102281139A CN 201010200007X A CN201010200007X A CN 201010200007XA CN 201010200007 A CN201010200007 A CN 201010200007A CN 102281139 A CN102281139 A CN 102281139A
- Authority
- CN
- China
- Prior art keywords
- module
- authentication
- key
- session key
- management module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
Abstract
The invention discloses an authentication system and method based on a key management protocol, wherein the authentication system based on the key management protocol comprises an identity module, a key management module, an authentication module, a key storage module and a route protocol module; wherein the authentication module is connected with the key storage module and used for obtaining authentication information from the key storage module and authenticating communication entities according to the authentication information. According to the invention, the problem that two parties in communication are incapable of authenticate in the prior art is solved, and the safety of communication is guaranteed.
Description
Technical field
The present invention relates to technical field of communication safety and comprising, in particular to a kind of Verification System and method based on IKMP (Key Management Protocol, abbreviation KMP).
Background technology
The safety of Routing Protocol is the technology of a key, has a lot of working groups that it is studied and standardization in IETF, and wherein authentication techniques and the needed key management in authentication in the route technology mainly studied by KARP working group.In KARP working group, the notion of a KMP is proposed, wherein, KMP operates between two communication entities of carrying out Routing Protocols, for these two communication entities provide authentication, produces session key and new session key more.KMP is why important to be because artificial key managing project depends on keeper's work more, in case that network size becomes is big, the keeper will feel simply helpless to complex key management.
Present system based on KMP as shown in Figure 1, it comprises: identification module (Identifier) 102, key management module 104, authentication module (Identity Proof) 106, cipher key storage block (Keystore) 108 and Routing Protocol module 110.
In working order down, identification module 102 provides the ID value of the opposite end that needs communication to key management module 104, and key management module 104 is obtained the Routing Protocol module 110 that root key usefulness generates session key and delivers required key from cipher key storage block 108.Cipher key storage block 108 storage root keys, session key.
But, in above-mentioned system architecture, because not having to be used to authenticate and produce the root key and the session cipher key separation of session key opens, thereby cause when each key of access KMP agreement, all need with Fig. 1 in cipher key storage block 108 carry out alternately, this may cause big pressure to cipher key storage block.Simultaneously, owing to use same database to come storage root key and session key, thus when the module accesses database, all may obtain or destroy root key, like this, stayed the chance that can attack to the hacker.
In addition, said method also may cause the another one problem: because authentication module 106 is not mutual with cipher key storage block 108, thereby can't obtain the root key that cipher key storage block 108 is preserved, like this, authentication module can't generate authentication information, thereby make communicating pair to authenticate, reduced the fail safe of communication the other side.
Summary of the invention
Main purpose of the present invention is to provide a kind of Verification System and method based on IKMP, and communicating pair can't authenticate the other side in the prior art to solve at least, thereby has reduced the safety issue of communication.
According to an aspect of the present invention, a kind of Verification System based on IKMP is provided, it comprises: identity module, key management module, authentication module, cipher key storage block, Routing Protocol module, wherein, above-mentioned authentication module is connected with above-mentioned cipher key storage block, be used for obtaining authentication information, and communication entity authenticated according to above-mentioned authentication information from above-mentioned cipher key storage block.
Further, above-mentioned cipher key storage block is used to preserve the long term keys relevant with user identity, and generates the above-mentioned authentication information that is used to authenticate according to the pairing above-mentioned long term keys of user's identification information.
Further, the session key that above-mentioned key management module is used for producing according to above-mentioned authentication information or receive from above-mentioned authentication module sends to above-mentioned cipher key storage block, above-mentioned cipher key storage block sends to above-mentioned Routing Protocol module with above-mentioned session key, wherein, above-mentioned authentication module produces above-mentioned session key according to above-mentioned authentication information.
Further, the session key that above-mentioned key management module is used for producing according to above-mentioned authentication information or receive from above-mentioned authentication module sends to above-mentioned Routing Protocol module, and wherein, above-mentioned authentication module produces above-mentioned session key according to above-mentioned authentication information.
Further, above-mentioned cipher key storage block also is used to store long term keys material and ephemeral keys material, wherein, above-mentioned long term keys material comprise following one of at least: user's root key, certificate; Above-mentioned ephemeral keys material is generated by long term keys.
According to a further aspect in the invention, a kind of Verification System based on IKMP is provided, it comprises: key management module, authentication module, the Routing Protocol module, identity module, long term keys memory module and ephemeral keys memory module, wherein, above-mentioned authentication module is used to receive the identification information of the communication entity that above-mentioned key management module sends, send the authentication message that carries above-mentioned identification information to above-mentioned long term keys memory module, reception is from the authentication information corresponding with above-mentioned identification information of above-mentioned long term keys memory module, and uses above-mentioned authentication information to authenticate.
Further, above-mentioned authentication module also is used to produce the session key that is used to communicate by letter, and above-mentioned session key is sent to above-mentioned key management module, and wherein, above-mentioned key management module is used for above-mentioned session key is sent to the Routing Protocol module; Perhaps, above-mentioned authentication module also is used to notify above-mentioned key management module to produce above-mentioned session key, wherein, above-mentioned key management module sends to above-mentioned Routing Protocol module with above-mentioned session key, and above-mentioned ephemeral keys memory module is used to receive and preserve the above-mentioned session key from above-mentioned authentication module or above-mentioned key management module.
According to another aspect of the invention, provide a kind of authentication method based on IKMP, it comprises: above-mentioned authentication module obtains authentication information from cipher key storage block, and according to above-mentioned authentication information communication entity is authenticated.
Further, above-mentioned authentication mould certainly obtains authentication information from cipher key storage block and comprises: above-mentioned cipher key storage block is obtained the long term keys corresponding with the identification information of above-mentioned communication entity; Above-mentioned cipher key storage block generates above-mentioned authentication information according to above-mentioned long term keys; Above-mentioned cipher key storage block sends to above-mentioned authentication module with above-mentioned authentication information.
Further, after authentication is passed through, also comprise: above-mentioned authentication module produces the session key that is used to communicate by letter, and above-mentioned session key is sent to above-mentioned key management module, and above-mentioned key management module sends to the Routing Protocol module with above-mentioned session key; Perhaps above-mentioned authentication module notifies above-mentioned key management module to produce above-mentioned session key, and above-mentioned key management module sends to above-mentioned Routing Protocol module with above-mentioned session key.
Further, after authentication is passed through, also comprise: above-mentioned authentication module produces session key, and above-mentioned session key sent to above-mentioned key management module, above-mentioned key management module is sent to above-mentioned cipher key storage block with above-mentioned session key and preserves, and above-mentioned cipher key storage block sends to above-mentioned Routing Protocol module with above-mentioned session key; Perhaps above-mentioned authentication module notifies above-mentioned key management module to produce session key, above-mentioned key management module is sent to above-mentioned cipher key storage block with above-mentioned session key and preserves, and above-mentioned cipher key storage block sends to above-mentioned Routing Protocol module with above-mentioned session key.
Further, after the session key that above-mentioned Routing Protocol module obtains to be used to communicate by letter, also comprise: above-mentioned Routing Protocol module uses above-mentioned session key that protocol massages is protected.
According to another aspect of the invention, provide a kind of authentication method based on IKMP, it comprises: authentication module receives the identification information of the communication entity of key management module transmission; Above-mentioned authentication module sends authentication request message to the long term keys memory module, and wherein, above-mentioned authentication request message carries above-mentioned identification information; Above-mentioned authentication module receives the authentication information corresponding with above-mentioned identification information from above-mentioned long term keys memory module; Above-mentioned authentication module uses above-mentioned authentication information to authenticate.
Further, before the authentication information corresponding with above-mentioned identification information of above-mentioned authentication module reception from above-mentioned long term keys memory module, also comprise: above-mentioned long term keys memory module is obtained the long term keys corresponding with above-mentioned identification information; Above-mentioned long term keys memory module generates above-mentioned authentication information according to above-mentioned long term keys; Above-mentioned long term keys memory module sends to above-mentioned authentication module with above-mentioned authentication information.
Further, above-mentioned long term keys is a root key.
Further, after authentication is passed through, also comprise: above-mentioned authentication module produces the session key that is used to communicate by letter, and above-mentioned session key is sent to above-mentioned key management module, and above-mentioned key management module sends to the Routing Protocol module with above-mentioned session key; Perhaps above-mentioned authentication module notifies above-mentioned key management module to produce above-mentioned session key, and above-mentioned key management module sends to above-mentioned Routing Protocol module with above-mentioned session key.
Further, after authentication is passed through, also comprise: above-mentioned authentication module produces session key, and above-mentioned session key sent to above-mentioned key management module, above-mentioned key management module is sent to the ephemeral keys memory module with above-mentioned session key and preserves, and above-mentioned ephemeral keys memory module sends to the Routing Protocol module with above-mentioned session key; Perhaps above-mentioned authentication module notifies above-mentioned key management module to produce session key, above-mentioned key management module is sent to ephemeral keys storage mould with above-mentioned session key and certainly preserves, and above-mentioned ephemeral keys memory module sends to above-mentioned Routing Protocol module with above-mentioned session key.
Further, after the session key that above-mentioned Routing Protocol module obtains to be used to communicate by letter, also comprise: above-mentioned Routing Protocol module uses above-mentioned session key that protocol massages is protected.
The present invention has following beneficial effect:
1) because authentication module can obtain access authentication information in the cipher key storage block, thereby makes communicating pair to authenticate mutually, and under the situation that authentication is passed through, just generate session key, thereby guaranteed the fail safe of communication according to the other side's authentication information.
2) because (for example with long term keys, root key) database with (for example deposit ephemeral keys, session key) database separately, thereby can be only in the case of necessary (for example, generate session key) just visit the database of long term keys, and when transfer of data, only need visit to deposit the database of ephemeral keys and can obtain session key.Like this, have only specific modules (as, authentication module etc.) (for example could visit long term keys, root key) database, obtain the higher root key of level of security, other module then can't be visited the database of long term keys, thereby can improve security performance.
Description of drawings
Accompanying drawing described herein is used to provide further understanding of the present invention, constitutes the application's a part, and illustrative examples of the present invention and explanation thereof are used to explain the present invention, do not constitute improper qualification of the present invention.In the accompanying drawings:
Fig. 1 is the schematic diagram according to the KMP framework of correlation technique;
Fig. 2 is the flow chart based on the authentication method of IKMP according to the embodiment of the invention;
Fig. 3 is a kind of preferred flow charts based on the authentication method of IKMP according to the embodiment of the invention;
Fig. 4 is the another kind of preferred flow charts based on the authentication method of IKMP according to the embodiment of the invention;
Fig. 5 is another preferred flow charts based on the authentication method of IKMP according to the embodiment of the invention;
Fig. 6 is another preferred flow charts based on the authentication method of IKMP according to the embodiment of the invention;
Fig. 7 is another preferred flow charts based on the authentication method of IKMP according to the embodiment of the invention;
Fig. 8 is another preferred flow charts based on the authentication method of IKMP according to the embodiment of the invention;
Fig. 9 is according to the another kind of the embodiment of the invention flow chart based on the authentication method of IKMP;
Figure 10 is the schematic diagram based on the Verification System of IKMP according to the embodiment of the invention;
Figure 11 is the preferred schematic diagram according to a kind of Verification System based on IKMP of the embodiment of the invention;
Figure 12 is according to the another kind of the embodiment of the invention preferred schematic diagram based on the Verification System of IKMP.
Embodiment
Hereinafter will describe the present invention with reference to the accompanying drawings and in conjunction with the embodiments in detail.Need to prove that under the situation of not conflicting, embodiment and the feature among the embodiment among the application can make up mutually.
Fig. 2 is the flow chart based on the authentication method of IKMP according to the embodiment of the invention, and it comprises the steps:
S202, authentication module receive the identification information of the communication entity of key management module transmission;
S204, above-mentioned authentication module sends authentication request message to the long term keys memory module, and wherein, above-mentioned authentication request message carries above-mentioned identification information;
S206, above-mentioned authentication module receives the authentication information corresponding with above-mentioned identification information from above-mentioned long term keys memory module;
S208, above-mentioned authentication module use above-mentioned authentication information to authenticate.
In the prior art, authentication module is not mutual with cipher key storage block, thereby can't obtain the root key that cipher key storage block is preserved, and like this, communicating pair can't authenticate the other side, thereby has reduced the fail safe of communication.Review the embodiment of the invention, because authentication module can obtain access authentication information from the long term keys memory module, thereby make communicating pair to authenticate mutually according to the other side's authentication information, and under the situation that authentication is passed through, just generate session key, thereby guaranteed the fail safe of communication.
Preferably, before the authentication information corresponding with described identification information of described authentication module reception from described long term keys memory module, also comprise: described long term keys memory module is obtained the long term keys corresponding with described identification information; Described long term keys memory module generates described authentication information according to described long term keys; Described long term keys storage mould certainly sends to described authentication module with described authentication information.
Preferably, described long term keys is a root key.
Preferably, after authentication is passed through, also comprise: described authentication module produces the session key that is used to communicate by letter, and described session key is sent to described key management module, and described key management module sends to the Routing Protocol module with described session key; Perhaps described authentication module notifies described key management module to produce described session key, and described key management module sends to described Routing Protocol module with described session key.
Preferably, after authentication is passed through, also comprise: described authentication module produces session key, and described session key sent to described key management module, described key management module is sent to the ephemeral keys memory module with described session key and preserves, and described ephemeral keys memory module sends to the Routing Protocol module with described session key; Perhaps described authentication module notifies described key management module to produce session key, described key management module is sent to the ephemeral keys memory module with described session key and preserves, and described ephemeral keys memory module sends to described Routing Protocol module with described session key.
According to above-mentioned preferred embodiment, use different databases to deposit long term keys (for example, root key) and ephemeral keys (for example, session key) respectively.Because the safe class of long term keys is different with ephemeral keys, therefore, under the design that this database separates, can only just visits the database of long term keys in the case of necessary, thereby can improve security performance.
In above-mentioned two kinds of preferred embodiments, after the session key that described Routing Protocol module obtains to be used to communicate by letter, described Routing Protocol module uses described session key that protocol massages is protected.
Be described in detail in authentication method process under the scene shown in Figure 2 below in conjunction with accompanying drawing.
Embodiment 1
Fig. 3 is a kind of preferred flow charts based on the authentication method of IKMP according to the embodiment of the invention, and it comprises the steps:
Step S302: key management module is received identity information (id information).
Step S304: key management module sends authentication request to authentication module.
Step S306: authentication module and long term keys memory module are mutual, obtain authentication information.
Step S308: authentication module sends authentication response to key management module.
Step S310: key management module produces session key.
Step S312: key management module sends session key to the ephemeral keys memory module.
Step S314: the ephemeral keys memory module sends session key to the Routing Protocol module.
Step S316: the Routing Protocol module is protected the route protocol massages with session key.
Embodiment 2
Fig. 4 is the another kind of preferred flow charts based on the authentication method of IKMP according to the embodiment of the invention, and it comprises the steps:
Step S402: the Routing Protocol module sends the queued session key message to the ephemeral keys memory module.
Step S404: the ephemeral keys memory module sends the queued session key message to key management module.
Step S406: key management module and identity module are mutual, obtain identity information.
Step S408: key management module and long term keys memory module are mutual, obtain authentication information.
Step S410: key management module is carried out identifying procedure.
Step S412: key management module produces session key.
Step S414: key management module sends session key to the ephemeral keys memory module.
Step S416: the ephemeral keys memory module sends secret meeting words key to the Routing Protocol module.
Step S418: the Routing Protocol module is protected the route protocol massages with session key.
Embodiment 3
Fig. 5 is another preferred flow charts based on the authentication method of IKMP according to the embodiment of the invention, and it comprises the steps:
Step S502: the Routing Protocol module sends the queued session key message to key management module.
Step S504: key management module and identity module are mutual, obtain identity information.
Step S506: key management module and long term keys memory module are mutual, obtain authentication information.
Step S508: key management module is carried out identifying procedure.
Step S510: key management module produces session key.
Step S512: key management module sends session key and determines to ephemeral keys management mould.
Step S514: the ephemeral keys administration module sends secret meeting words key to the Routing Protocol module.
Step S516: the Routing Protocol module is protected the route protocol massages with session key.
The present invention also provides another kind of authentication method based on IKMP, and as shown in Figure 9, it comprises the steps:
S902, above-mentioned authentication module obtains authentication information from cipher key storage block;
S904, above-mentioned authentication module authenticates communication entity according to above-mentioned authentication information.
In the above-described embodiment, because authentication module can obtain access authentication information from cipher key storage block, thereby make communicating pair to authenticate mutually, and under the situation that authentication is passed through, just generate session key, thereby guaranteed the fail safe of communicating by letter according to the other side's authentication information.
Preferably, described authentication module obtains authentication information from cipher key storage block and comprises: described cipher key storage block is obtained the long term keys corresponding with described identification information; Described cipher key storage block generates described authentication information according to described long term keys; Described cipher key storage block sends to described authentication module with described authentication information.
Preferably, after authentication is passed through, also comprise: described authentication module produces the session key that is used to communicate by letter, and described session key is sent to described key management module, and described key management module sends to the Routing Protocol module with described session key; Perhaps described authentication module notifies described key management module to produce described session key, and described key management module sends to described Routing Protocol module with described session key.
Preferably, after authentication is passed through, also comprise: described authentication module produces session key, and described session key sent to described key management module, described key management module is sent to described cipher key storage block with described session key and preserves, and described cipher key storage block sends to described Routing Protocol module with described session key; Perhaps described authentication module notifies described key management module to produce session key, described key management module is sent to described cipher key storage block with described session key and preserves, and described cipher key storage block sends to described Routing Protocol module with described session key.
Preferably, after the session key that described Routing Protocol module obtains to be used to communicate by letter, also comprise: described Routing Protocol module uses described session key that protocol massages is protected.
Be described in detail in authentication method process under the scene shown in Figure 9 below in conjunction with accompanying drawing.
Embodiment 4
Fig. 6 is another preferred flow charts based on the authentication method of IKMP according to the embodiment of the invention, and it comprises the steps:
Step S602: key management module is received identity information (id information).
Step S604: key management module sends authentication request to authentication module.
Step S606: authentication module and cipher key storage block are mutual, obtain authentication information.
Step S608: authentication module sends authentication response.
Step S610: key management module produces session key.
Step S612: key management module sends session key to cipher key storage block.
Step S614: cipher key storage block sends session key to the Routing Protocol module.
Step S616: the Routing Protocol module is protected the route protocol massages with session key.
Embodiment 5
Fig. 7 is another preferred flow charts based on the authentication method of IKMP according to the embodiment of the invention, and it comprises the steps:
Step S702: the Routing Protocol module sends the queued session key message to cipher key storage block.
Step S704: cipher key storage block sends the queued session key message to key management module.
Step S706: key management module and identity module are mutual, obtain identity information.
Step S708: the key management mould is determined mutual with cipher key storage block, obtains authentication information.
Step S710: key management module is carried out identifying procedure.
Step S712: key management module produces session key.
Step S714: key management module sends session key to cipher key storage block.
Step S716: cipher key storage block sends secret meeting words key to the Routing Protocol module.
Step S718: the Routing Protocol module is protected the route protocol massages with session key.
Embodiment 6
Fig. 8 is another preferred flow charts based on the authentication method of IKMP according to the embodiment of the invention, and it comprises the steps:
Step S802: the Routing Protocol module sends the queued session key message to key management module.
Step S804: key management module and identity module are mutual, obtain identity information.
Step S806: key management module and cipher key storage block are mutual, obtain authentication information.
Step S808: key management module is carried out identifying procedure.
Step S810: key management module produces session key.
Step S812: key management module sends session key to cipher key storage block.
Step S814: cipher key storage block sends secret meeting words key to the Routing Protocol module.
Step S816: the Routing Protocol module is protected the route protocol massages with session key.
The present invention also provides a kind of Verification System based on KMP, and it can be suitable for above-mentioned authentication method.
Figure 10 shows above-mentioned Verification System, and it comprises: first identity module 1002, first key management module 1006, first authentication module 1010, first cipher key storage block 1014, first routing module 1018, second identity module 1004, second key management module 1008, second authentication module 1012, second cipher key storage block 1016, secondary route module 1020.
First identity module 1002, first key management module 1006, first authentication module 1010, first cipher key storage block 1014, first routing module 1018 communication process each other can not repeat them here with reference to accompanying drawing 6-8.Equally, second identity module 1004, second key management module 1008, second authentication module 1012, second cipher key storage block 1016, secondary route module 1020 communication process each other can not repeat them here with reference to accompanying drawing 6-8 yet.
According to the embodiment of the invention, because authentication module can obtain access authentication information in the calm key memory module, thereby make communicating pair to authenticate mutually, under the situation that authentication is passed through, just generate session key, thereby guaranteed the fail safe of communication according to the other side's authentication information.
Figure 11 is the schematic diagram according to a kind of Verification System based on IKMP of the embodiment of the invention, it comprises: identity module 1102, key management module 1104, authentication module 1106, cipher key storage block 1110, Routing Protocol module 1112, wherein, described authentication module 1106 is connected with described cipher key storage block 1110, be used for obtaining authentication information, and communication entity authenticated according to described authentication information from described cipher key storage block 1110.
Preferably, in the embodiment shown in fig. 11, identity module 1102, key management module 1104, authentication module 1106, cipher key storage block 1110, Routing Protocol module 1112 annexation each other as shown in figure 11, communication process each other can be with reference to accompanying drawing 6-8.
Preferably, described cipher key storage block 1110 is used to preserve the long term keys relevant with user identity, generates the described authentication information that is used to authenticate according to the pairing described long term keys of user's identification information.
Preferably, the session key that described key management module 1104 is used for producing according to described authentication information or receive from described authentication module 1106 sends to described cipher key storage block 1110, described cipher key storage block 1110 sends to described Routing Protocol module 1112 with described session key, wherein, described authentication module 1106 produces described session key according to described authentication information.
Preferably, the session key that described key management module 1104 is used for producing according to described authentication information or receive from described authentication module 1106 sends to described Routing Protocol module 1112, wherein, described authentication module 1106 produces described session key according to described authentication information.
Preferably, described cipher key storage block 1110 also is used to store long term keys material and ephemeral keys material, wherein, described long term keys material comprise following one of at least: user's root key, certificate; Described ephemeral keys material is generated by long term keys.
Figure 12 is that it comprises: identity module 1202, key management module 1204, authentication module (certificate server) 1206, long term keys memory module 1208, ephemeral keys memory module 1210, Routing Protocol module 1212 according to the schematic diagram of a kind of Verification System based on IKMP of the embodiment of the invention.Wherein, described authentication module 1206 is used to receive the identification information of the communication entity that described key management module 1204 sends, send the authentication message that carries described identification information to described long term keys memory module 1208, reception is from the authentication information corresponding with described identification information of described long term keys memory module 1208, and uses described authentication information to authenticate.
Preferably, described authentication module 1206 also is used to produce the session key that is used to communicate by letter, and described session key is sent to described key management module 1204, and described key management module 1204 sends to Routing Protocol module 1212 with described session key; Perhaps, described authentication module 1206 also is used to notify described key management module 1204 to produce described session key, and described key management module 1204 sends to described Routing Protocol module 1212 with described session key; Described ephemeral keys memory module 1210 is used to receive and preserve the described session key from described authentication module 1206 or described key management module 1204.
The database that the embodiment of the invention will be deposited long-term master key separates with the database of depositing the short-term session key, can produce following several benefit like this: the 1) division of safe class, the safe class of long term keys is higher than the session key of short-term far away, the destroyed safety that just influences session this time of the session key of short-term, and the result that long term keys is affected to be following safety certification all can be forged.So, separately be necessary with these two cipher key storage block, also be to meet principle that safety classification guarantees; 2) because two databases separation, interface API can separately design, in access keys, also can guarantee the ID authenticator that only is necessary like this and need the KMP module of key material can touch the database of depositing long-term master key, the Routing Protocol module then can touch the database of depositing the short-term session key, thereby has further improved the fail safe of communication.
Obviously, those skilled in the art should be understood that, above-mentioned each module of the present invention or each step can realize with the general calculation device, they can concentrate on the single calculation element, perhaps be distributed on the network that a plurality of calculation element forms, alternatively, they can be realized with the executable program code of calculation element, thereby, they can be stored in the storage device and carry out by calculation element, and in some cases, can carry out step shown or that describe with the order that is different from herein, perhaps they are made into each integrated circuit modules respectively, perhaps a plurality of modules in them or step are made into the single integrated circuit module and realize.Like this, the present invention is not restricted to any specific hardware and software combination.
The above is the preferred embodiments of the present invention only, is not limited to the present invention, and for a person skilled in the art, the present invention can have various changes and variation.Within the spirit and principles in the present invention all, any modification of being done, be equal to replacement, improvement etc., all should be included within protection scope of the present invention.
Claims (18)
1. Verification System based on IKMP comprises: identity module, key management module, authentication module, cipher key storage block, Routing Protocol module, it is characterized in that,
Described authentication module is connected with described cipher key storage block, is used for obtaining authentication information from described cipher key storage block, and according to described authentication information communication entity is authenticated.
2. system according to claim 1 is characterized in that, described cipher key storage block is used to preserve the long term keys relevant with user identity, and generates the described authentication information that is used to authenticate according to the pairing described long term keys of user's identification information.
3. system according to claim 1, it is characterized in that, the session key that described key management module is used for producing according to described authentication information or receive from described authentication module sends to described cipher key storage block, described cipher key storage block sends to described Routing Protocol module with described session key, wherein, described authentication module produces described session key according to described authentication information.
4. system according to claim 1, it is characterized in that, the session key that described key management module is used for producing according to described authentication information or receive from described authentication module sends to described Routing Protocol module, wherein, described authentication module produces described session key according to described authentication information.
5. system according to claim 1 is characterized in that, described cipher key storage block also is used to store long term keys material and ephemeral keys material, wherein, described long term keys material comprise following one of at least: user's root key, certificate; Described ephemeral keys material is generated by long term keys.
6. Verification System based on IKMP comprises: key management module, authentication module, Routing Protocol module, identity module, it is characterized in that, and also comprise: long term keys memory module, ephemeral keys memory module, wherein,
Described authentication module is used to receive the identification information of the communication entity that described key management module sends, send the authentication message that carries described identification information to described long term keys memory module, reception is from the authentication information corresponding with described identification information of described long term keys memory module, and uses described authentication information to authenticate.
7. system according to claim 6, it is characterized in that described authentication module also is used to produce the session key that is used to communicate by letter, and described session key is sent to described key management module, wherein, described key management module is used for described session key is sent to the Routing Protocol module; Perhaps, described authentication module also is used to notify described key management module to produce described session key, wherein, described key management module is used for described session key is sent to described Routing Protocol module, and described ephemeral keys memory module is used to receive and preserve the described session key from described authentication module or described key management module.
8. the authentication method based on IKMP is characterized in that, comprising:
Described authentication module obtains authentication information from cipher key storage block, and according to described authentication information communication entity is authenticated.
9. method according to claim 8 is characterized in that, described authentication module obtains authentication information from cipher key storage block and comprises:
Described cipher key storage block is obtained the long term keys corresponding with the identification information of described communication entity;
Described cipher key storage block generates described authentication information according to described long term keys;
Described cipher key storage block sends to described authentication module with described authentication information.
10. method according to claim 8 is characterized in that, after authentication is passed through, also comprises:
Described authentication module produces the session key that is used to communicate by letter, and described session key is sent to described key management module, and described key management module sends to the Routing Protocol module with described session key; Perhaps
Described authentication module notifies described key management module to produce described session key, and described key management module sends to described Routing Protocol module with described session key.
11. method according to claim 8 is characterized in that, after authentication is passed through, also comprises:
Described authentication module produces session key, and described session key sent to described key management module, described key management module is sent to described cipher key storage block with described session key and preserves, and described cipher key storage block sends to described Routing Protocol module with described session key; Perhaps
Described authentication module notifies described key management module to produce session key, described key management module is sent to described cipher key storage block with described session key and preserves, and described cipher key storage block sends to described Routing Protocol module with described session key.
12. according to claim 10 or 11 described methods, it is characterized in that, after the session key that described Routing Protocol module obtains to be used to communicate by letter, also comprise:
Described Routing Protocol module uses described session key that protocol massages is protected.
13. the authentication method based on IKMP is characterized in that, comprising:
Authentication module receives the identification information of the communication entity of key management module transmission;
Described authentication module sends authentication request message to the long term keys memory module, and wherein, described authentication request message carries described identification information;
Described authentication module receives the authentication information corresponding with described identification information from described long term keys memory module;
Described authentication module uses described authentication information to authenticate.
14. method according to claim 13 is characterized in that, before the authentication information corresponding with described identification information of described authentication module reception from described long term keys memory module, also comprises:
Described long term keys memory module is obtained the long term keys corresponding with described identification information;
Described long term keys memory module generates described authentication information according to described long term keys;
Described long term keys memory module sends to described authentication module with described authentication information.
15. method according to claim 14 is characterized in that, described long term keys is a root key.
16. method according to claim 13 is characterized in that, after authentication is passed through, also comprises:
Described authentication module produces the session key that is used to communicate by letter, and described session key is sent to described key management module, and described key management module sends to the Routing Protocol module with described session key; Perhaps
Described authentication module notifies described key management module to produce described session key, and described key management module sends to described Routing Protocol module with described session key.
17. method according to claim 13 is characterized in that, after authentication is passed through, also comprises:
Described authentication module produces session key, and described session key sent to described key management module, described key management module is sent to the ephemeral keys memory module with described session key and preserves, and described ephemeral keys memory module sends to the Routing Protocol module with described session key; Perhaps
Described authentication module notifies described key management module to produce session key, described key management module is sent to the ephemeral keys memory module with described session key and preserves, and described ephemeral keys memory module sends to described Routing Protocol module with described session key.
18. according to claim 16 or 17 described methods, it is characterized in that, after the session key that described Routing Protocol module obtains to be used to communicate by letter, also comprise:
Described Routing Protocol module uses described session key that protocol massages is protected.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010200007.XA CN102281139B (en) | 2010-06-10 | 2010-06-10 | Based on Verification System and the method for IKMP |
| PCT/CN2010/079246 WO2011153794A1 (en) | 2010-06-10 | 2010-11-29 | Authentication system and method based on key management protocol |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010200007.XA CN102281139B (en) | 2010-06-10 | 2010-06-10 | Based on Verification System and the method for IKMP |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102281139A true CN102281139A (en) | 2011-12-14 |
| CN102281139B CN102281139B (en) | 2016-02-10 |
Family
ID=45097488
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201010200007.XA Expired - Fee Related CN102281139B (en) | 2010-06-10 | 2010-06-10 | Based on Verification System and the method for IKMP |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN102281139B (en) |
| WO (1) | WO2011153794A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107733639A (en) * | 2017-08-24 | 2018-02-23 | 上海壹账通金融科技有限公司 | Key management method, device and readable storage medium storing program for executing |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112150312A (en) * | 2020-10-06 | 2020-12-29 | 广州云莫凡信息科技有限公司 | Quality monitoring data maintenance method and system for building construction engineering |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1305159A (en) * | 1999-11-01 | 2001-07-25 | 城市集团发展中心有限公司 | Method and system of safety communication used on self-help financial transaction terminal |
| CN1599338A (en) * | 2003-09-19 | 2005-03-23 | 皇家飞利浦电子股份有限公司 | Method of improving safety, for radio local network |
| CN1921379A (en) * | 2005-08-25 | 2007-02-28 | 华为技术有限公司 | Method for object discriminator/key supplier to get key |
| US20100119070A1 (en) * | 2003-07-16 | 2010-05-13 | Pkware, Inc. | Method and System for Mixed Symmetric and Asymmetric Decryption of .ZIP Files |
-
2010
- 2010-06-10 CN CN201010200007.XA patent/CN102281139B/en not_active Expired - Fee Related
- 2010-11-29 WO PCT/CN2010/079246 patent/WO2011153794A1/en active Application Filing
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1305159A (en) * | 1999-11-01 | 2001-07-25 | 城市集团发展中心有限公司 | Method and system of safety communication used on self-help financial transaction terminal |
| US20100119070A1 (en) * | 2003-07-16 | 2010-05-13 | Pkware, Inc. | Method and System for Mixed Symmetric and Asymmetric Decryption of .ZIP Files |
| CN1599338A (en) * | 2003-09-19 | 2005-03-23 | 皇家飞利浦电子股份有限公司 | Method of improving safety, for radio local network |
| CN1921379A (en) * | 2005-08-25 | 2007-02-28 | 华为技术有限公司 | Method for object discriminator/key supplier to get key |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107733639A (en) * | 2017-08-24 | 2018-02-23 | 上海壹账通金融科技有限公司 | Key management method, device and readable storage medium storing program for executing |
| CN107733639B (en) * | 2017-08-24 | 2020-08-04 | 深圳壹账通智能科技有限公司 | Key management method, device and readable storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102281139B (en) | 2016-02-10 |
| WO2011153794A1 (en) | 2011-12-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20230231711A1 (en) | Blockchain-implemented method and system | |
| CN110138560B (en) | Double-proxy cross-domain authentication method based on identification password and alliance chain | |
| US11880831B2 (en) | Encryption system, encryption key wallet and method | |
| Zhang et al. | A privacy-aware PUFs-based multiserver authentication protocol in cloud-edge IoT systems using blockchain | |
| CN112953727A (en) | Internet of things-oriented equipment anonymous identity authentication method and system | |
| US10742426B2 (en) | Public key infrastructure and method of distribution | |
| CN102007725A (en) | Method for distributed identification, a station in a network | |
| Jiang et al. | Two-factor authentication protocol using physical unclonable function for IoV | |
| CN112199726A (en) | Block chain-based alliance trust distributed identity authentication method and system | |
| Jia et al. | A Blockchain-Assisted Privacy-Aware Authentication scheme for internet of medical things | |
| CN101814991B (en) | Mutual authentication method and system based on identity | |
| CN106851635B (en) | A kind of distributed signature method and system of identity-based | |
| Sadri et al. | A lightweight anonymous two‐factor authentication protocol for wireless sensor networks in Internet of Vehicles | |
| Zhang et al. | Efficient and privacy-preserving blockchain-based multifactor device authentication protocol for cross-domain IIoT | |
| CN109600747A (en) | A kind of wireless sensor network dynamic credential authentication key agreement method | |
| Sarvabhatla et al. | A secure biometric-based user authentication scheme for heterogeneous WSN | |
| Xi et al. | ZAMA: A ZKP-based anonymous mutual authentication scheme for the IoV | |
| CN100463462C (en) | Coordinate access control system of ternary structure | |
| Karim et al. | BSDCE-IoV: blockchain-based secure data collection and exchange scheme for IoV in 5G environment | |
| Duan et al. | Design of anonymous authentication scheme for vehicle fog services using blockchain | |
| Sudarsan et al. | A model for signatories in cyber-physical systems | |
| CN109981637B (en) | Multi-source cross composite authentication method for Internet of things based on block chain | |
| CN102281139B (en) | Based on Verification System and the method for IKMP | |
| Rahman et al. | Man in the middle attack prevention for edge-fog, mutual authentication scheme | |
| Vishwakarma et al. | BSS: Blockchain enabled security system for internet of things applications |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| TR01 | Transfer of patent right |
Effective date of registration: 20180425 Address after: California, USA Patentee after: Global innovation polymerization LLC Address before: No. 55, Nanshan District science and technology road, Nanshan District, Shenzhen, Guangdong Patentee before: ZTE Corp. |
|
| TR01 | Transfer of patent right | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20160210 |
|
| CF01 | Termination of patent right due to non-payment of annual fee |