CN102299794A - Multiple combination method of keys - Google Patents


Info

Publication number
CN102299794A
Authority
CN
China
Prior art keywords
key
matrix
ids
group
private key
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2010102108154A
Other languages
Chinese (zh)
Inventor
石丰
段再超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jubo Networks (Beijing) Co., Ltd.
Original Assignee
BEIJING GLOBAL JULANG NETWORK TECHNOLOGY Co Ltd
Abstract

The invention belongs to the field of network information security and discloses a multiple combination method of keys based on a CPK (combined public key) authentication system. The method comprises the following steps: grouping users' IDs, generating a key matrix for each group of IDs, laying down rules so that the value range of each group of IDs is less than the rank of the combination key mapping matrix (avoiding the risk of collusion attack), and combining the group keys of the multiple ID groups once more to obtain the user key, thus ensuring a sufficient usable key space; combining and storing the private key matrices of the grouped IDs according to the principle of key splitting so as to defend the private key matrices against external and internal attacks; and adding version numbers to the IDs so that ID certificates and keys can be updated conveniently without changing the user IDs.

Description

A multiple combination method of keys
Technical field
The invention belongs to the field of network information security and relates to a key combination method applied under the combined public key system (CPK) so that users' private keys are effectively protected.
Background technology
Public Key Infrastructure (PKI), the largest cryptographic engineering effort to date, has penetrated every aspect of the networked world. PKI refers to a universally applicable security infrastructure that implements and provides security services using the concepts and techniques of public-key cryptography; any security infrastructure based on public-key technology is a PKI. The core of public-key technology is the asymmetric encryption algorithm, the common ones being RSA and ECC. Keys in the ECC algorithm have the property that they can be combined, and this property is used to extend PKI into the combined public key system: the CPK system.
The CPK system realises identifier-based (for example user-ID-based) authentication, digital signature and key exchange, and has solved many technical problems that previously could not be overcome. The CPK algorithm produces a near-unlimited number of keys from very few factors and establishes the correspondence between identifiers and keys through a "mapping algorithm", thereby reducing an enormous database to a small key generation matrix. As a public-key cryptosystem, CPK makes its algorithms (including the key combination algorithm and the mapping algorithm) and its public key matrix public, while private keys and the private key matrix are kept secret. A private key is held by its user; the private key matrix is controlled by the key management centre (KMC). A user's private key is generated by the KMC from the identifier mapping algorithm and the private key matrix.
The CPK system has advantages in scale, economy, feasibility and operational efficiency: CPK needs no online database support, and the verifying end can be implemented on a chip; in PKI, verification and signature checking must rely on a third party, whereas CPK needs none; CPK only needs to obtain the other party's identifier, and from just a few tens of bytes it can compute the other party's public key, greatly saving the overhead of transmitting certificates.
Although the CPK authentication system has great advantages, the CPK system itself cannot resist a collusion attack by a large number of users. For an m*m CPK combination matrix, once an attacker collects m*(m-1) users' private keys, the entire private key factor matrix can be solved and the whole system is broken.
The crux of CPK is the private key factor matrix, which is vulnerable to various attacks from outside and inside.
In addition, a CPK key is directly tied to the identifier (ID): once a key is lost and needs to be replaced, the user's ID must change with it, which is unsuitable for many applications. For example, a person's identity ID should not change when a key or certificate is renewed.
Therefore, how to solve the problems of private key protection and replacement has become a major problem that urgently needs to be resolved in the CPK authentication system.
Summary of the invention
The object of the invention is to propose a multiple combination method of keys in order to strengthen the security of the CPK authentication system, effectively resist user collusion attacks, and at the same time aid the management and key renewal work of the key management centre (KMC).
The technical scheme of the invention is:
1. Formulate generation rules for user IDs, dividing the ID evenly into groups so that the number of values each sub-ID group can take does not exceed the rank of the key combination matrix, m*(m-1).
2. Generate a public key matrix and a private key matrix for each group separately, forming a public key matrix sequence and a private key matrix sequence; the public key matrix sequence is published, while the private key matrix sequence is stored at separate locations by the KMC according to the requirements of "key splitting".
3. Generation of the user's private key: when the certificate centre produces an ID for a user according to the above rules, it uses the private key matrix sequence to generate the user's private key. The steps are: first compute the sub-private key of each ID group by the combination method of the CPK combined public key system, then further combine all the resulting sub-private keys to obtain the user's private key.
4. Derivation of the user's public key: when the relying party (verifier) receives the user ID, it derives the user's public key using the previously published public key matrix sequence; the steps are identical to the private key generation.
5. Independently generate multiple copies of each group's public and private key matrices and replace them periodically; append a "version number" of several digits after the user ID, and according to the ordering rule of the version number locate the corresponding public and private key matrices to produce the private key and derive the public key.
The advantages of the invention are:
1. Because the number of values each sub-ID group can take does not exceed the rank of its key matrix, an attacker cannot obtain enough private keys to crack the private key matrix, so collusion attack is fundamentally avoided;
2. The user's private key is determined by a private key matrix sequence made up of several private key matrices, and each private key matrix in the sequence is stored at a different location, which naturally realises key splitting and helps the KMC resist external attacks and insider wrongdoing;
3. By setting a version number on the ID certificate, the user ID need not change when the key is renewed, which facilitates loss reporting, revocation and renewal of ID certificates.
Embodiment
1. Choose a 12-decimal-digit ID for the user, which can be divided into 4 groups of 3 digits each, with the condition that the 3 digits may not all be identical, leaving 990 possible values per group. The total value space of the ID is 990^4, approximately 1,000,000,000,000.
2. Correspondingly, each group's public and private key matrices are taken as 32*32, whose rank 32*31=992 is greater than 990, meeting the uncrackability condition. The values at the same position in the public and private key matrices form a discrete-logarithm pair on the given elliptic curve (ECC), i.e. a public/private key pair. The 4 groups of key matrices are generated with no correlation between them and are numbered in sequence I, II, III, IV. The public key matrix sequence is published, while the private key matrix sequence can follow a "4 choose 3" key splitting scheme, i.e. matrices I and II, II and III, III and IV, IV and I are combined pairwise and stored at four separate secure sites.
3. Generation of the private key: compute the SHA-1 hash of one sub-ID group to obtain a 160-bit hash value; taking 5 bits at a time gives 32 groups of 5-bit values, so the group index can be expressed as a number 0-31 and the value in each group can likewise be expressed as a decimal number 0-31 (binary 00000-11111). Use the group index as the matrix row number and the value as the column number to map into the private key matrix, find the 32 sub-private keys, and obtain the grouped sub-private key of that sub-ID by the key combination computation. Carry out the above computation for each of the 4 ID groups to obtain the group keys, by the following formulas:
Private key sum of matrix I: r_I = (r_1 + r_2 + ... + r_32) mod n,
Private key sum of matrix II: r_II = (r_1 + r_2 + ... + r_32) mod n,
Private key sum of matrix III: r_III = (r_1 + r_2 + ... + r_32) mod n,
Private key sum of matrix IV: r_IV = (r_1 + r_2 + ... + r_32) mod n,
Then the 4 group keys are combined a second time:
Final key r = (r_I + r_II + r_III + r_IV) mod n.
4. Derivation of the user's public key: identical to the private key generation process, except for the mapping matrix used: the private key is produced with the private key matrix, the public key is derived with the public key matrix.
5. First, create copies of each group's public and private key matrices, the number of copies being decided by the frequency of ID certificate updates; then set a version number for the ID certificate, e.g. 6 digits, the first four representing the issue date and the last two the version update; finally formulate a rule by which different public and private key matrix copies are selected according to the version number to produce the private key or derive the public key.
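The two-level combination of the technical scheme and the embodiment above, as an added Python example that is not part of the patent: a 3-digit sub-ID is hashed with SHA-1 into 32 (row, column) positions of a 32x32 matrix, the 32 scalars are summed mod n per group, and the 4 group keys are summed again, while the relying party repeats the same walk over the published public matrices with point addition. The toy textbook curve (y^2 = x^3 + 2x + 2 over F_17, order 19, chosen so it runs instantly), the random matrix generation and the ID validation are assumptions of this example.

```python
import hashlib
import secrets
# Toy textbook curve y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1) of prime order 19.
# Assumption: chosen so the example runs instantly; a deployment uses a standard ECC curve.
P, A, G, N = 17, 2, (5, 1), 19
M, GROUPS = 32, 4  # 32x32 key matrices and 4 ID groups, as in the embodiment

def ec_add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def make_matrix_pair():
    # KMC side: private matrix of random non-zero scalars, public matrix of the matching points
    priv = [[secrets.randbelow(N - 1) + 1 for _ in range(M)] for _ in range(M)]
    return priv, [[ec_mul(s, G) for s in row] for row in priv]

def split_id(user_id):
    # 12 decimal digits -> 4 sub-IDs of 3 digits; 3 identical digits is invalid (990 values remain)
    groups = [user_id[i:i + 3] for i in range(0, 12, 3)]
    if len(user_id) != 12 or not user_id.isdigit() or any(len(set(g)) == 1 for g in groups):
        raise ValueError("invalid user ID")
    return groups

def map_sub_id(sub_id):
    # SHA-1 of the sub-ID -> 32 five-bit chunks; chunk index = row, chunk value = column
    h = int.from_bytes(hashlib.sha1(sub_id.encode()).digest(), "big")
    return [(i, (h >> (5 * (31 - i))) & 31) for i in range(32)]

def user_private_key(user_id, priv_seq):
    # first combination inside each group (sum of 32 scalars mod n), then over the 4 groups
    group_keys = [sum(pm[r][c] for r, c in map_sub_id(g)) % N
                  for g, pm in zip(split_id(user_id), priv_seq)]
    return sum(group_keys) % N

def user_public_key(user_id, pub_seq):
    # relying party: the same walk over the published public matrices, adding points
    acc = None
    for g, pub in zip(split_id(user_id), pub_seq):
        for r, c in map_sub_id(g):
            acc = ec_add(acc, pub[r][c])
    return acc
```

Only make_matrix_pair ever touches private scalars; user_public_key runs with the published matrices alone, which is the separation the scheme relies on.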

Claims (2)

1. A multiple combination method of keys based on the CPK authentication system, characterised in that: the user's ID is divided into groups, a key matrix is generated for each group of the ID, and the rule is laid down that the value range of each ID group is smaller than the rank of the combination key mapping matrix; when deriving the user's public and private keys, the group keys are first combined from the key matrices of the groups, and the group keys of the multiple groups are then combined once more to obtain the user's key.
2. The multiple combination method of keys based on the CPK authentication system according to claim 1, characterised in that: multiple copies of the key matrix of each ID group are produced and periodically replaced, a version number of several digits is appended after the user ID, and according to the ordering rule of the version number the corresponding key matrix is located to produce the user's private key and derive the user's public key.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010102108154A CN102299794A (en) 2010-06-28 2010-06-28 Multiple combination method of keys

Publications (1)

Publication Number Publication Date
CN102299794A true CN102299794A (en) 2011-12-28

Family

ID=45359983

Country Status (1)

Country Link
CN (1) CN102299794A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006078561A2 (en) * 2005-01-18 2006-07-27 Tricipher, Inc. Technique for asymmetric crypto-key generation
CN1905438A (en) * 2006-08-15 2007-01-31 华为技术有限公司 Combined key managing method and system based on ID
CN101488853A (en) * 2009-01-15 2009-07-22 赵建国 Cross-certification method based on seed key management

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111010269A (en) * 2019-11-29 2020-04-14 中国人民解放军国防科技大学 Pair-based combined hierarchical interactive-free key agreement method
CN111010269B (en) * 2019-11-29 2022-07-15 中国人民解放军国防科技大学 Pair-based combined hierarchical non-interactive key negotiation method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
ASS Succession or assignment of patent right

Owner name: JUBAO NETWORKS (BEIJING) CO., LTD.

Free format text: FORMER OWNER: BEIJING GLOBAL JULANG NETWORK TECHNOLOGY CO., LTD.

Effective date: 20120516

C41 Transfer of patent application or patent right or utility model
TA01 Transfer of patent application right

Effective date of registration: 20120516

Address after: Two road Petrova building A block 100102 in Beijing City, Chaoyang District Wangjing Lize 5 layer room 1508

Applicant after: Jubo Networks (Beijing) Co., Ltd.

Address before: Two Beijing 100102 Chaoyang District city in Wangjing Lize Park No. 203 Petrova building C block 8 layer

Applicant before: Beijing Global Julang Network Technology Co., Ltd.

C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20111228