CN102739660A - Key exchange method for single sign on system - Google Patents
Key exchange method for single sign on system Download PDFInfo
- Publication number
- CN102739660A CN102739660A CN2012102003202A CN201210200320A CN102739660A CN 102739660 A CN102739660 A CN 102739660A CN 2012102003202 A CN2012102003202 A CN 2012102003202A CN 201210200320 A CN201210200320 A CN 201210200320A CN 102739660 A CN102739660 A CN 102739660A
- Authority
- CN
- China
- Prior art keywords
- data
- key
- key exchange
- receiver
- sender
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Landscapes
- Storage Device Security (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
本发明公开了一种单点登录系统的密钥交换方法,应用于身份认证请求或者服务请求中交互的发送方和接收方之间的密钥交换,本发明方法通过发送方和接收方共享的共享密钥对交互的额外信息进行HMAC操作得到第二数据,并将第二数据与要交换的密钥进行位异或操作后的第三数据传送给接收方,接收方根据接收的第一数据和本地的共享密钥进行HMAC操作得到第二数据;接收方对计算得到的第二数据和接收的第三数据进行位异或操作得到发送方发送的密钥。本方法既减轻了密钥交互算法的复杂性,在保证密钥交互的时效性下又支持长密钥的交换,保证密钥换的安全性,适用于瘦终端间的密钥交换。
The invention discloses a key exchange method of a single sign-on system, which is applied to the key exchange between the sending party and the receiving party interacting in the identity authentication request or service request. The shared key performs the HMAC operation on the additional information exchanged to obtain the second data, and transmits the third data after the second data and the key to be exchanged to the receiver, and the receiver receives the first data according to the The HMAC operation is performed with the local shared key to obtain the second data; the receiver performs a bit-exclusive OR operation on the calculated second data and the received third data to obtain the key sent by the sender. The method not only reduces the complexity of the key exchange algorithm, but also supports the exchange of long keys while ensuring the timeliness of key exchange, ensures the security of key exchange, and is suitable for key exchange between thin terminals.
Description
Technical field
The present invention relates to a kind of single-node login system, especially a kind of key exchange method of single-node login system.
Background technology
Single-sign-on (Single Sign On): abbreviating SSO as, is one of solution of integrating of at present popular business event.The definition of SSO is in a plurality of application systems, the user only need login the application system that once just can visit all mutual trusts, all will verify the performance loss that identity causes when having avoided service of the each request of user.In order to realize single-sign-on, all application systems are all shared an identity authorization system.If in the whole authentication or service interaction process of single-node login system, the permanent password of long-time or too much use is encrypted message, then causes the key victim to obtain easily, causes the leakage of key.
Existing key exchange method is generally based on the graceful key change in Di Fei-Hull (Diffie – Hellman key exchange; Be called for short " D-H ") agreement; Said D-H agreement is a kind of security protocol, and it can let both sides under the condition that does not have any information of the other side fully, set up a key through dangerous channel.This key can come the encryption communication content as symmetric key in follow-up communication.At application number is CN03116619.9; A kind of key exchange method based on public spoon certificate is disclosed in the Chinese invention patent document of patent name for " a kind of key exchange method based on public spoon certificate "; Its discrete logarithm problem and D-H agreement from the large prime field is aided with the session key exchange method of anti-collision hash function, public spoon certificate and digital signature.This D-H agreement is based on the application of discrete logarithm; But if an algorithm that solves discrete logarithm problem efficiently occurred; So then can be used for simplifying the calculating of a or b; Just can solve the graceful problem in Di Fei-Hull, make the graceful cipher key exchange system in this Di Fei-Hull become dangerous in interior a lot of public spoon cryptographic system.
At application number is CN200610103449.6; Patent name is for disclosing a kind of novel encrypting and decrypting system and key management method of MANET network security protection process in the Chinese invention patent document of " application of a kind of elliptic curve key exchange method in the MANET network "; This method has adopted oval curve cryptography system; But it is very big that oval curve encrypted secret key switching method requires amount of calculation, is not suitable for thin terminal.
Summary of the invention
The technical problem that the present invention will solve is: a kind of key exchange method of single-node login system is provided, this key exchange method to amount of calculation require low and safe.
In order to solve the problems of the technologies described above, the technical scheme that the present invention adopted is:
A kind of key exchange method of single-node login system is applied to the key change between transmit leg and the recipient, has the shared key of shared by both parties between said transmit leg and the recipient, and said key change may further comprise the steps:
Transmit leg carries out the HMAC operation with shared key to first data that will send and obtains second data;
Transmit leg carries out an xor operation to said second data with the key that will send and obtains the 3rd data;
Transmit leg sends to the recipient with first data and the 3rd data;
The recipient carries out the HMAC operation according to first data that receive and local shared key and obtains second data;
The recipient carries out an xor operation to the 3rd data of second data that calculate and reception and obtains the key that transmit leg sends.
Further as preferred embodiment, said first data are to participate in mutual extraneous information in the key exchange process.
Further as preferred embodiment, said transmit leg or recipient are client or server mutual in ID authentication request or the services request.
The invention has the beneficial effects as follows: the key exchange method of single-node login system of the present invention; Be applied to transmit leg mutual in ID authentication request or the services request and the key change between the recipient; The shared key that the inventive method is shared through transmit leg and recipient carries out the HMAC operation to mutual extraneous information and obtains second data; And the result that second data and the key that will exchange are carried out behind the xor operation sends the recipient to, both alleviated the complexity of cipher key interaction algorithm, guaranteeing the ageing exchange of supporting long key down again of cipher key interaction; Guarantee the fail safe that key changes, be applicable to the key change of thin terminal room.
Description of drawings
Be described further below in conjunction with the accompanying drawing specific embodiments of the invention:
Fig. 1 is the flow chart of steps of the key exchange method of single-node login system of the present invention.
Embodiment
With reference to Fig. 1, a kind of key exchange method of single-node login system is applied to the key change between transmit leg and the recipient, and said transmit leg or recipient are client or server mutual in ID authentication request or the services request.For example when transmit leg was client, the recipient was a server; When transmit leg was server, the recipient was a client.The shared key of sharing between said transmit leg and the recipient is sharekey.Said key change may further comprise the steps:
Transmit leg carries out the HMAC operation with shared key sharekey to the first data content that will send and obtains the second data H (sharekey; Content); (sharekey is that expression is a key with sharekey content) to said H, and message content is carried out the HMAC operation;
(sharekey content) carries out an xor operation ⊕ with the key exchangkey that will send and obtains the 3rd data H (sharekey, content) ⊕ exchangdkey transmit leg to the said second data H;
Transmit leg with the first data content and the 3rd data H (sharekey, content) ⊕ exchangdkey sends to the recipient;
The recipient according to first data content that receives and local shared key sharekey carry out the HMAC operation obtain the second data H (sharekey, content);
(sharekey, content) (sharekey, content) ⊕ exchangdkey carries out an xor operation and obtains the key exchangkey that transmit leg sends the recipient with the 3rd data H that receives to the second data H that calculates.Said process is following:
H(sharekey,?content)?⊕(H(sharekey,?content)?⊕exchangdkey)?→?exchangekey。
After said exchangkey is meant and is created or learnt by a side, exchange or pass to an other side's key; Said content is meant the mutual extraneous information of participation in whole key exchange process; If among the content partial information being arranged is known (being labeled as share_content); The data that so above transmit leg sends also can be expressed as " partial_content, share_content_tips, H (sharekey; partial_content+share_content) ⊕ exchangdkey "; Wherein share_content_tips is the relevant information of the shared message of indicating to use, and how "+" expression and operation are organized and can be decided as the case may be with the information on the operation left side and the right.
More than be that preferable enforcement of the present invention is specified; But the invention is not limited to said embodiment; Those of ordinary skill in the art can also make all equivalent variations or replacement under the prerequisite of spirit of the present invention, distortion that these are equal to or replacement all are included in the application's claim institute restricted portion.
Claims (3)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210200320.2A CN102739660B (en) | 2012-06-16 | 2012-06-16 | Key exchange method for single sign on system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201210200320.2A CN102739660B (en) | 2012-06-16 | 2012-06-16 | Key exchange method for single sign on system |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102739660A true CN102739660A (en) | 2012-10-17 |
| CN102739660B CN102739660B (en) | 2015-07-08 |
Family
ID=46994444
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201210200320.2A Active CN102739660B (en) | 2012-06-16 | 2012-06-16 | Key exchange method for single sign on system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102739660B (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2015113485A1 (en) * | 2014-01-28 | 2015-08-06 | 西安西电捷通无线网络通信股份有限公司 | Entity identification method, apparatus and system |
| CN107995214A (en) * | 2017-12-19 | 2018-05-04 | 深圳市创梦天地科技股份有限公司 | A kind of Website logging method and relevant device |
| CN110995703A (en) * | 2019-12-03 | 2020-04-10 | 望海康信(北京)科技股份公司 | Service processing request processing method and device, and electronic device |
| CN115118454A (en) * | 2022-05-25 | 2022-09-27 | 四川中电启明星信息技术有限公司 | Cascade authentication system and method based on mobile application |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1832397A (en) * | 2005-11-28 | 2006-09-13 | 北京浦奥得数码技术有限公司 | Authorization key, consultation and update method based on common key credentials between interface of electronic equipment |
| US20070022058A1 (en) * | 2002-08-08 | 2007-01-25 | Fujitsu Limited | Wireless computer wallet for physical point of sale (POS) transactions |
| CN102239661A (en) * | 2009-08-14 | 2011-11-09 | 华为技术有限公司 | Method and device for exchanging keys |
| CN102239654A (en) * | 2009-08-14 | 2011-11-09 | 华为技术有限公司 | Authentication method and device for passive optical network equipment |
-
2012
- 2012-06-16 CN CN201210200320.2A patent/CN102739660B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20070022058A1 (en) * | 2002-08-08 | 2007-01-25 | Fujitsu Limited | Wireless computer wallet for physical point of sale (POS) transactions |
| CN1832397A (en) * | 2005-11-28 | 2006-09-13 | 北京浦奥得数码技术有限公司 | Authorization key, consultation and update method based on common key credentials between interface of electronic equipment |
| CN1832397B (en) * | 2005-11-28 | 2010-09-29 | 四川长虹电器股份有限公司 | Authorization key, consultation and update method based on common key credentials between interface of electronic equipment |
| CN102239661A (en) * | 2009-08-14 | 2011-11-09 | 华为技术有限公司 | Method and device for exchanging keys |
| CN102239654A (en) * | 2009-08-14 | 2011-11-09 | 华为技术有限公司 | Authentication method and device for passive optical network equipment |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2015113485A1 (en) * | 2014-01-28 | 2015-08-06 | 西安西电捷通无线网络通信股份有限公司 | Entity identification method, apparatus and system |
| JP2017506455A (en) * | 2014-01-28 | 2017-03-02 | 西安西▲電▼捷通▲無▼綫▲網▼絡通信股▲分▼有限公司China Iwncomm Co., Ltd. | Entity identification method, apparatus and system |
| US9860070B2 (en) | 2014-01-28 | 2018-01-02 | China Iwncomm Co., Ltd | Entity identification method, apparatus and system |
| CN107995214A (en) * | 2017-12-19 | 2018-05-04 | 深圳市创梦天地科技股份有限公司 | A kind of Website logging method and relevant device |
| CN110995703A (en) * | 2019-12-03 | 2020-04-10 | 望海康信(北京)科技股份公司 | Service processing request processing method and device, and electronic device |
| CN110995703B (en) * | 2019-12-03 | 2021-09-17 | 望海康信(北京)科技股份公司 | Service processing request processing method and device, and electronic device |
| CN115118454A (en) * | 2022-05-25 | 2022-09-27 | 四川中电启明星信息技术有限公司 | Cascade authentication system and method based on mobile application |
| CN115118454B (en) * | 2022-05-25 | 2023-06-30 | 四川中电启明星信息技术有限公司 | Cascade authentication system and authentication method based on mobile application |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102739660B (en) | 2015-07-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110087239B (en) | Anonymous access authentication and key agreement method and device based on 5G network | |
| He et al. | A strong user authentication scheme with smart cards for wireless communications | |
| CN107342859B (en) | Anonymous authentication method and application thereof | |
| EP2416524B1 (en) | System and method for secure transaction of data between wireless communication device and server | |
| JP5349619B2 (en) | Identity-based authentication key agreement protocol | |
| CN104506534A (en) | Safety communication secret key negotiation interaction scheme | |
| WO2007011897A2 (en) | Cryptographic authentication, and/or establishment of shared cryptographic keys, using a signing key encrypted with a non-one-time-pad encryption, including (but not limited to) techniques with improved security against malleability attacks | |
| CN101459506A (en) | Cipher key negotiation method, system, customer terminal and server for cipher key negotiation | |
| CN107947913A (en) | The anonymous authentication method and system of a kind of identity-based | |
| Ray et al. | Establishment of ECC-based initial secrecy usable for IKE implementation | |
| CN104901935A (en) | Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem) | |
| CN111953479B (en) | Data processing method and device | |
| CN103118363A (en) | Method, system, terminal device and platform device of secret information transmission | |
| CN111416712B (en) | Quantum secret communication identity authentication system and method based on multiple mobile devices | |
| CN105577377A (en) | Identity-based authentication method and identity-based authentication system with secret key negotiation | |
| Niu et al. | A novel user authentication scheme with anonymity for wireless communications | |
| Yang et al. | A trust and privacy preserving handover authentication protocol for wireless networks | |
| CN113014376B (en) | Method for safety authentication between user and server | |
| CN102739660A (en) | Key exchange method for single sign on system | |
| CN105162585A (en) | Efficient privacy protecting session key agreement method | |
| CN105848140A (en) | Safe end-to-end establishment method capable of achieving communication supervision in 5G network | |
| KR100456624B1 (en) | Authentication and key agreement scheme for mobile network | |
| GB2543359A (en) | Methods and apparatus for secure communication | |
| CN111404670A (en) | A key generation method, UE and network device | |
| Kakarla et al. | A secure and light-weighted group based authentication and key agreement protocol involving ecdh for machine type communications in 3GPP networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |