CN102739660A - Key exchange method for single sign on system - Google Patents

Info

Publication number
CN102739660A
Authority
CN
China
Prior art keywords
data
key
key exchange
receiver
sender
Legal status
Granted
Application number
CN2012102003202A
Other languages
Chinese (zh)
Other versions
CN102739660B (en)
Inventor
赵淦森
巴钟杰
李子柳
李惊生
Current Assignee
South China Normal University
GCI Science and Technology Co Ltd
Original Assignee
South China Normal University
GCI Science and Technology Co Ltd
Application filed by South China Normal University, GCI Science and Technology Co Ltd
Priority to CN201210200320.2A
Publication of CN102739660A
Application granted
Publication of CN102739660B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a key exchange method for a single sign-on system, applied to key exchange between a sender and a receiver that interact in an identity authentication request or a service request. In the method, the shared key held by both the sender and the receiver is used to perform an HMAC operation on the additional information exchanged, which yields the second data. The third data, obtained by a bitwise XOR of the second data with the key to be exchanged, is transmitted to the receiver. The receiver performs an HMAC operation on the received first data with its local shared key to obtain the second data, and then performs a bitwise XOR of the computed second data with the received third data to obtain the key sent by the sender. The method reduces the complexity of the key exchange algorithm, supports the exchange of long keys while keeping the key exchange timely, ensures the security of the key exchange, and is suitable for key exchange between thin terminals.

Figure 201210200320

Description

Key exchange method for a single sign-on system
Technical field
The present invention relates to single sign-on systems, and in particular to a key exchange method for a single sign-on system.
Background art
Single sign-on (SSO) is one of the currently popular solutions for enterprise business integration. SSO is defined as follows: across multiple application systems, a user needs to log in only once to access all mutually trusting application systems, which avoids the performance cost of verifying identity every time the user requests a service. To implement single sign-on, all application systems share one identity authentication system. If, during the whole authentication or service interaction process of a single sign-on system, a permanent password is used for a long time or too often to encrypt messages, the key is easily obtained by an attacker, which leaks the key.
Existing key exchange methods are generally based on the Diffie-Hellman key exchange ("D-H") protocol. D-H is a security protocol that lets two parties with no prior information about each other establish a key over an insecure channel. This key can then be used as a symmetric key to encrypt the content of subsequent communication. Chinese invention patent application CN03116619.9, titled "A key exchange method based on public-key certificates", discloses a key exchange method based on public-key certificates: a session key exchange method that starts from the discrete logarithm problem over a large prime field and the D-H protocol, supplemented by a collision-resistant hash function, public-key certificates and digital signatures. The D-H protocol is an application of the discrete logarithm. If an efficient algorithm for solving the discrete logarithm problem appeared, it could be used to simplify the computation of a or b and so solve the Diffie-Hellman problem, which would make many public-key cryptosystems, including the Diffie-Hellman key exchange system, insecure.
Chinese invention patent application CN200610103449.6, titled "Application of an elliptic curve key exchange method in MANET networks", discloses a novel encryption and decryption system and key management method for the MANET network security protection process. The method uses an elliptic curve cryptosystem, but the elliptic curve key exchange method requires a large amount of computation and is not suitable for thin terminals.
Summary of the invention
The technical problem to be solved by the invention is to provide a key exchange method for a single sign-on system that has low computational requirements and is secure.
To solve the above technical problem, the technical solution adopted by the invention is:
A key exchange method for a single sign-on system, applied to key exchange between a sender and a receiver, where a shared key shared by both parties exists between the sender and the receiver. The key exchange comprises the following steps:
The sender performs an HMAC operation on the first data to be sent with the shared key to obtain the second data;
The sender performs a bitwise XOR of the second data with the key to be sent to obtain the third data;
The sender sends the first data and the third data to the receiver;
The receiver performs an HMAC operation on the received first data with its local shared key to obtain the second data;
The receiver performs a bitwise XOR of the computed second data with the received third data to obtain the key sent by the sender.
As a further preferred embodiment, the first data is additional information involved in the interaction during the key exchange process.
As a further preferred embodiment, the sender or the receiver is a client or a server interacting in an identity authentication request or a service request.
The beneficial effects of the invention are as follows. The key exchange method for a single sign-on system is applied to key exchange between a sender and a receiver that interact in an identity authentication request or a service request. The method uses the shared key held by the sender and the receiver to perform an HMAC operation on the additional information exchanged, which yields the second data, and transmits to the receiver the result of a bitwise XOR of the second data with the key to be exchanged. This reduces the complexity of the key exchange algorithm, supports the exchange of long keys while keeping the key exchange timely, ensures the security of the key exchange, and is suitable for key exchange between thin terminals.
Description of drawings
Specific embodiments of the invention are further described below with reference to the accompanying drawing:
Fig. 1 is a flow chart of the steps of the key exchange method for a single sign-on system according to the invention.
Embodiment
With reference to Fig. 1, a key exchange method for a single sign-on system is applied to key exchange between a sender and a receiver, where the sender or the receiver is a client or a server interacting in an identity authentication request or a service request. For example, when the sender is a client, the receiver is a server; when the sender is a server, the receiver is a client. The shared key shared between the sender and the receiver is sharekey. The key exchange comprises the following steps:
The sender performs an HMAC operation on the first data to be sent, content, with the shared key sharekey to obtain the second data H(sharekey, content), where H(sharekey, content) denotes an HMAC operation on the message content with sharekey as the key;
The sender performs a bitwise XOR (⊕) of the second data H(sharekey, content) with the key to be sent, exchangekey, to obtain the third data H(sharekey, content) ⊕ exchangekey;
The sender sends the first data content and the third data H(sharekey, content) ⊕ exchangekey to the receiver;
The receiver performs an HMAC operation on the received first data content with its local shared key sharekey to obtain the second data H(sharekey, content);
The receiver performs a bitwise XOR of the computed second data H(sharekey, content) with the received third data H(sharekey, content) ⊕ exchangekey to obtain the key exchangekey sent by the sender. The process is as follows:
H(sharekey, content) ⊕ (H(sharekey, content) ⊕ exchangekey) → exchangekey.
Here exchangekey refers to a key that, after being created or learned by one party, is exchanged with or passed to the other party. content refers to the additional information involved in the interaction during the whole key exchange process. If part of content is known (denoted share_content), the data sent by the sender above can also be expressed as "partial_content, share_content_tips, H(sharekey, partial_content+share_content) ⊕ exchangekey", where share_content_tips is information indicating which shared message is to be used, "+" denotes a combining operation, and how the information to the left and right of the operator is organized can be decided case by case.
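The exchange in the embodiment above, as an added Python example that is not part of the patent text. It assumes HMAC-SHA256 as H (the patent names no hash function), so exchangekey must be exactly 32 bytes here; the layout of content and the receiver's rejection of a repeated content value are assumptions of this example.

```python
import hashlib
import hmac
import secrets

DIGEST = hashlib.sha256          # assumption: the patent names no hash function
MASK_LEN = DIGEST().digest_size  # 32 bytes: exchangekey must be this long here


def mask(sharekey, content):
    """Second data: H(sharekey, content)."""
    return hmac.new(sharekey, content, DIGEST).digest()


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def sender_wrap(sharekey, content, exchangekey):
    """Return (first data, third data) exactly as sent to the receiver."""
    return content, xor_bytes(mask(sharekey, content), exchangekey)


class Receiver:
    """Recovers exchangekey and refuses a content value seen before.

    The replay check is an assumption of this example, not a patent step:
    the mask depends only on (sharekey, content), so repeating content
    repeats the mask.
    """

    def __init__(self, sharekey):
        self._sharekey = sharekey
        self._seen = set()

    def unwrap(self, content, third):
        if content in self._seen:
            raise ValueError("content reused: mask would repeat")
        self._seen.add(content)
        return xor_bytes(mask(self._sharekey, content), third)


def demo():
    sharekey = secrets.token_bytes(32)              # constructed sample values
    exchangekey = secrets.token_bytes(MASK_LEN)
    content = b"client-42|" + secrets.token_bytes(16)  # hypothetical layout
    first, third = sender_wrap(sharekey, content, exchangekey)
    rx = Receiver(sharekey)
    recovered = rx.unwrap(first, third)
    try:
        rx.unwrap(first, third)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    wrong = Receiver(secrets.token_bytes(32)).unwrap(first, third)
    return recovered == exchangekey, replay_rejected, wrong != exchangekey
```

demo() returns three booleans: the receiver recovered the key, a second use of the same content was refused, and a receiver holding a different sharekey obtained a different value.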
The above is a detailed description of the preferred embodiment of the invention, but the invention is not limited to said embodiment. Those of ordinary skill in the art can make various equivalent variations or substitutions without departing from the spirit of the invention, and all such equivalent variations or substitutions fall within the scope defined by the claims of this application.

Claims (3)

1. A key exchange method for a single sign-on system, applied to key exchange between a sender and a receiver, wherein a shared key shared by both parties exists between the sender and the receiver, characterized in that the key exchange comprises the following steps:
the sender performs an HMAC operation on the first data to be sent with the shared key to obtain second data;
the sender performs a bitwise XOR of the second data with the key to be sent to obtain third data;
the sender sends the first data and the third data to the receiver;
the receiver performs an HMAC operation on the received first data with its local shared key to obtain the second data;
the receiver performs a bitwise XOR of the computed second data with the received third data to obtain the key sent by the sender.
2. The key exchange method for a single sign-on system according to claim 1, characterized in that the first data is additional information involved in the interaction during the key exchange process.
3. The key exchange method for a single sign-on system according to claim 1, characterized in that the sender or the receiver is a client or a server interacting in an identity authentication request or a service request.
CN201210200320.2A 2012-06-16 2012-06-16 Key exchange method for single sign on system Active CN102739660B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210200320.2A CN102739660B (en) 2012-06-16 2012-06-16 Key exchange method for single sign on system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210200320.2A CN102739660B (en) 2012-06-16 2012-06-16 Key exchange method for single sign on system

Publications (2)

Publication Number Publication Date
CN102739660A true CN102739660A (en) 2012-10-17
CN102739660B CN102739660B (en) 2015-07-08

Family

ID=46994444

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210200320.2A Active CN102739660B (en) 2012-06-16 2012-06-16 Key exchange method for single sign on system

Country Status (1)

Country Link
CN (1) CN102739660B (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070022058A1 (en) * 2002-08-08 2007-01-25 Fujitsu Limited Wireless computer wallet for physical point of sale (POS) transactions
CN1832397A (en) * 2005-11-28 2006-09-13 北京浦奥得数码技术有限公司 Authorization key, consultation and update method based on common key credentials between interface of electronic equipment
CN1832397B (en) * 2005-11-28 2010-09-29 四川长虹电器股份有限公司 Authorization key, consultation and update method based on common key credentials between interface of electronic equipment
CN102239661A (en) * 2009-08-14 2011-11-09 华为技术有限公司 Method and device for exchanging keys
CN102239654A (en) * 2009-08-14 2011-11-09 华为技术有限公司 Authentication method and device for passive optical network equipment

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015113485A1 (en) * 2014-01-28 2015-08-06 西安西电捷通无线网络通信股份有限公司 Entity identification method, apparatus and system
JP2017506455A (en) * 2014-01-28 2017-03-02 西安西▲電▼捷通▲無▼綫▲網▼絡通信股▲分▼有限公司China Iwncomm Co., Ltd. Entity identification method, apparatus and system
US9860070B2 (en) 2014-01-28 2018-01-02 China Iwncomm Co., Ltd Entity identification method, apparatus and system
CN107995214A (en) * 2017-12-19 2018-05-04 深圳市创梦天地科技股份有限公司 A kind of Website logging method and relevant device
CN110995703A (en) * 2019-12-03 2020-04-10 望海康信(北京)科技股份公司 Service processing request processing method and device, and electronic device
CN110995703B (en) * 2019-12-03 2021-09-17 望海康信(北京)科技股份公司 Service processing request processing method and device, and electronic device
CN115118454A (en) * 2022-05-25 2022-09-27 四川中电启明星信息技术有限公司 Cascade authentication system and method based on mobile application
CN115118454B (en) * 2022-05-25 2023-06-30 四川中电启明星信息技术有限公司 Cascade authentication system and authentication method based on mobile application

Also Published As

Publication number Publication date
CN102739660B (en) 2015-07-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant