A key exchange method for a single sign-on system
Technical field
The present invention relates to single sign-on systems, and in particular to a key exchange method for a single sign-on system.
Background technology
Single sign-on (SSO) is one of the currently popular solutions for enterprise business integration. SSO is defined as follows: across multiple application systems, a user only needs to log in once to access all mutually trusting application systems, which avoids the performance loss caused by verifying identity every time the user requests a service. To implement single sign-on, all application systems share one identity authentication system. If, throughout the authentication or service interaction process of a single sign-on system, a permanent password is used to encrypt messages for a long time or too many times, the key is easily obtained by an attacker, causing leakage of the key.
Existing key exchange methods are generally based on the Diffie-Hellman key exchange ("D-H") protocol. The D-H protocol is a security protocol that lets two parties establish a key over an insecure channel without having any prior information about each other. This key can then be used as a symmetric key to encrypt communication content in subsequent communication. Chinese invention patent application No. CN03116619.9, titled "A key exchange method based on public key certificates", discloses a key exchange method based on public key certificates: starting from the discrete logarithm problem over a large prime field and the D-H protocol, it is a session key exchange method supplemented by a collision-resistant hash function, public key certificates and digital signatures. The D-H protocol is an application of the discrete logarithm; if an algorithm that solves the discrete logarithm problem efficiently were to appear, it could be used to simplify the computation of a or b and thus solve the Diffie-Hellman problem, making many public key cryptosystems, including the Diffie-Hellman key exchange system, insecure.
Chinese invention patent application No. CN200610103449.6, titled "Application of an elliptic curve key exchange method in MANET networks", discloses a novel encryption/decryption system and key management method for the MANET network security protection process. That method adopts an elliptic curve cryptosystem, but the elliptic curve key exchange method requires a very large amount of computation and is not suitable for thin terminals.
Summary of the invention
The technical problem to be solved by the present invention is to provide a key exchange method for a single sign-on system that has low computational requirements and is secure.
To solve the above technical problem, the technical solution adopted by the present invention is:
A key exchange method for a single sign-on system, applied to key exchange between a sender and a receiver, where the sender and the receiver hold a shared key known to both parties, and the key exchange comprises the following steps:
The sender performs an HMAC operation with the shared key on the first data to be sent, obtaining the second data;
The sender performs an XOR operation on said second data with the key to be sent, obtaining the third data;
The sender sends the first data and the third data to the receiver;
The receiver performs an HMAC operation on the received first data with the local shared key, obtaining the second data;
The receiver performs an XOR operation on the computed second data and the received third data, obtaining the key sent by the sender.
As a further preferred embodiment, said first data is extra information that takes part in the interaction during the key exchange process.
As a further preferred embodiment, said sender or receiver is a client or server interacting in an identity authentication request or service request.
The beneficial effects of the invention are as follows. The key exchange method of the single sign-on system of the present invention is applied to key exchange between a sender and a receiver interacting in an identity authentication request or service request. In the method, the shared key shared by the sender and the receiver is used to perform an HMAC operation on the extra information of the interaction to obtain the second data, and the result of XORing the second data with the key to be exchanged is transmitted to the receiver. This both reduces the complexity of the key exchange algorithm and supports the exchange of long keys while ensuring the timeliness of the key exchange, ensures the security of the key exchange, and is suitable for key exchange between thin terminals.
Description of drawings
Specific embodiments of the invention are further described below with reference to the accompanying drawing:
Fig. 1 is a flowchart of the steps of the key exchange method of the single sign-on system of the present invention.
Embodiment
With reference to Fig. 1, a key exchange method for a single sign-on system is applied to key exchange between a sender and a receiver, where said sender or receiver is a client or server interacting in an identity authentication request or service request. For example, when the sender is the client, the receiver is the server; when the sender is the server, the receiver is the client. The shared key shared between said sender and receiver is sharekey. Said key exchange comprises the following steps:
The sender performs an HMAC operation with the shared key sharekey on the first data content to be sent, obtaining the second data H(sharekey, content); here H(sharekey, content) denotes the HMAC operation performed on the message content with sharekey as the key;
The sender performs an XOR operation ⊕ on said second data H(sharekey, content) with the key exchangekey to be sent, obtaining the third data H(sharekey, content) ⊕ exchangekey;
The sender sends the first data content and the third data H(sharekey, content) ⊕ exchangekey to the receiver;
The receiver performs an HMAC operation on the received first data content with the local shared key sharekey, obtaining the second data H(sharekey, content);
The receiver performs an XOR operation on the computed second data H(sharekey, content) and the received third data H(sharekey, content) ⊕ exchangekey, obtaining the key exchangekey sent by the sender. The process is as follows:
H(sharekey, content) ⊕ (H(sharekey, content) ⊕ exchangekey) → exchangekey.
Said exchangekey is a key that, after being created or learned by one party, is exchanged with or passed to the other party. Said content is the extra information that takes part in the interaction throughout the key exchange process. If part of the information in content is already known (denoted share_content), the data sent by the sender above can also be expressed as "partial_content, share_content_tips, H(sharekey, partial_content+share_content) ⊕ exchangekey", where share_content_tips is information indicating which shared message is to be used, and "+" denotes a combining operation; how the information on its left and right sides is organized can be decided according to the specific situation.
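The exchange described above, including the partial_content / share_content_tips variant, as an added Python example that is not part of the original patent text. Assumptions: HMAC-SHA-256 as H, an exchangekey exactly one HMAC output (32 bytes) long, "+" taken as length-prefixed concatenation, share_content_tips as a lookup key into context both sides already hold; the function names and sample values are hypothetical.

```python
import hashlib
import hmac
import os

DIGEST = hashlib.sha256          # assumption: the page does not name the hash
PAD_LEN = DIGEST().digest_size   # 32 bytes; exchangekey must match in this sketch
# Constructed sample: context both sides already know, indexed by a tip.
SHARED_CONTEXT = {b"session-42": b"client=alice;service=mail"}


def _join(partial_content: bytes, share_content: bytes) -> bytes:
    # Assumed meaning of "+": length-prefixed concatenation (unambiguous split).
    return len(partial_content).to_bytes(4, "big") + partial_content + share_content


def _pad(sharekey: bytes, content: bytes) -> bytes:
    # Second data: H(sharekey, content)
    return hmac.new(sharekey, content, DIGEST).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def send_key(sharekey: bytes, exchangekey: bytes, tip: bytes):
    """Sender: returns (partial_content, share_content_tips, third data)."""
    if len(exchangekey) != PAD_LEN:
        raise ValueError("exchangekey must be exactly one HMAC output long")
    # Fresh random partial_content: the pad depends only on (sharekey, content),
    # so content must never repeat under the same sharekey.
    partial_content = os.urandom(16)
    content = _join(partial_content, SHARED_CONTEXT[tip])
    return partial_content, tip, _xor(_pad(sharekey, content), exchangekey)


def receive_key(sharekey: bytes, partial_content: bytes, tip: bytes, third: bytes) -> bytes:
    """Receiver: recompute H(sharekey, content) locally and XOR it off."""
    if len(third) != PAD_LEN:
        raise ValueError("third data has unexpected length")
    content = _join(partial_content, SHARED_CONTEXT[tip])
    return _xor(_pad(sharekey, content), third)


if __name__ == "__main__":
    sharekey = os.urandom(32)
    exchangekey = os.urandom(32)
    message = send_key(sharekey, exchangekey, b"session-42")
    print(receive_key(sharekey, *message) == exchangekey)
```

The receiver in this sketch cannot tell a wrong sharekey or altered third data from a valid exchange; it simply recovers a different key, so any confirmation that both sides hold the same exchangekey has to come from a later step.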
The above is a detailed description of preferred embodiments of the invention, but the invention is not limited to said embodiments. Those of ordinary skill in the art can make various equivalent variations or replacements without departing from the spirit of the invention, and these equivalent variations or replacements are all included within the scope defined by the claims of this application.