CN103236927B - Authentication method and system based on dynamic identity identifiers - Google Patents
- Publication number: CN103236927B (application CN201310132283.0A)
- Authority: CN (China)
- Legal status: Expired - Fee Related
Abstract
The invention discloses an authentication method and system based on dynamic identity identifiers. The method comprises two technical schemes, and the system comprises a client and a server. In the first technical scheme, the client uses a negative database generation algorithm to generate the user's dynamic identity identifier from the user's real identity identifier and sends it to the server for authentication; the server recovers the real identity identifier that corresponds to the dynamic identity identifier and then authenticates it. In the second technical scheme, the client uses a one-way hash function and a negative database generation algorithm to generate the user's dynamic identity identifier from the user's real identity identifier and a preset secret parameter and sends it to the server for authentication; the server generates dynamic identity identifiers by the same method from the locally stored real identity identifiers and their corresponding secret parameters, and uses them to authenticate the dynamic identity identifier it received. Using the method and system disclosed by the invention improves security.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an authentication method and system based on dynamic identity identifiers.
Background art
With the rapid development of network technology, a large number of network applications have emerged. In many of them, users must access a server to obtain system resources. To ensure that server resources are used only by authorized users, the system must authenticate each user, and identity information is the main basis for that authentication. In most applications, however, identity information is used in plaintext or in a static form, which can expose the user's identity.
In identity-sensitive applications such as e-commerce, electronic voting, telemedicine and remote finance systems, disclosure of a user's identity can pose a serious security threat. For example, in an electronic auction in the e-commerce field, a participant must use legitimate identity information to prove that they are an authorized bidder, so that they can be authenticated during the auction and every bid is non-repudiable. For auctions of important items, however, disclosure of a bidder's identity information may threaten the bidder's safety and privacy. As another example, in an important electronic vote, a voter's ballot must contain information identifying the voter's identity and rights so that the system can verify the legitimacy and validity of the ballot. If the identity information in the ballot is not effectively hidden, the fairness of the election result may be affected. As a further example, when a user accesses a remote system, the user's identity information is usually the main evidence the system uses to verify that the user is legitimate. If that information is carried in packets in a static form, an attacker can obtain it by eavesdropping or by intercepting packets, and can then deliberately track, impersonate or attack the user. If the identity information contains sensitive information about the user, its disclosure may also cause the user serious loss. It is therefore critical to achieve authentication while keeping the user's identity information secure.
Negative databases were formally proposed by Esponda et al. in the papers "Enhancing Privacy through Negative Representations of Data" (UNM Computer Science Technical Report, 2004) and "Online Negative Database" (Proceedings of ICARIS, 2004). In general, a negative database stores only a compressed representation of the complement of the original database. Recovering the original database from a negative database is equivalent to solving a satisfiability problem, which is NP-complete (nondeterministic polynomial-time complete). A negative database can therefore protect the information in the original database.
Negative databases have so far been used in fields such as privacy protection, data hiding and sensitive data collection. For example, Dasgupta et al., in "An Investigation of Negative Authentication Systems" (Proceedings of 3rd International Conference on Information Warfare and Security, 2008), applied negative databases to an identity authentication system. That authentication method is based on static passwords and does not protect the user's identity information, so it remains deficient with respect to the security of the user's identity.
Summary of the invention
The object of the invention is to provide an authentication method and system based on dynamic identity identifiers that authenticate the user by means of a dynamic identity identifier without revealing the user's real identity information.
This object is achieved as follows:
An authentication method based on dynamic identity identifiers, comprising the following two technical schemes:
The first technical scheme comprises: a generation phase, in which the user's real identity identifier is taken as the original database, a negative database generation algorithm is called to generate the negative database of this original database, and that negative database is used as the user's dynamic identity identifier; a sending phase, in which the user's real identity identifier is replaced with this dynamic identity identifier, which is sent to the server; and an authentication phase, in which the server parses the received dynamic identity identifier to obtain the corresponding real identity identifier and authenticates that real identity identifier.
The second technical scheme comprises: a generation phase, in which a one-way hash function and a negative database generation algorithm are called to generate a dynamic identity identifier from the user's real identity identifier and a preset secret parameter, and the secret parameter is updated; a sending phase, in which the user's real identity identifier is replaced with this dynamic identity identifier, which is sent to the server; and an authentication phase, in which, after receiving the user's dynamic identity identifier, the server uses the locally stored real identity identifier and corresponding secret parameter of each legitimate user to generate local legitimate dynamic identity identifiers with the one-way hash function and the negative database generation algorithm, and authenticates the received dynamic identity identifier against the locally generated ones. If authentication succeeds, the corresponding user is a legitimate user and the server updates the local secret parameter that corresponds to this user.
An authentication system based on dynamic identity identifiers, comprising:
A client, which operates under the following two technical schemes. In the first technical scheme: in the generation phase, it takes the user's real identity identifier as the original database, calls a negative database generation algorithm to generate the negative database of this original database, and uses it as the user's dynamic identity identifier; in the sending phase, it replaces the user's real identity identifier with this dynamic identity identifier and sends it to the server. In the second technical scheme: in the generation phase, it calls a one-way hash function and a negative database generation algorithm to generate a dynamic identity identifier from the user's real identity identifier and a preset secret parameter, and updates the secret parameter; in the sending phase, it replaces the user's real identity identifier with this dynamic identity identifier and sends it to the server.
A server, which operates under the following two technical schemes. In the first technical scheme: in the authentication phase, it parses the received dynamic identity identifier to obtain the corresponding real identity identifier and authenticates that real identity identifier. In the second technical scheme: in the authentication phase, after receiving the user's dynamic identity identifier, it uses the locally stored real identity identifier and corresponding secret parameter of each legitimate user to generate local dynamic identity identifiers with the one-way hash function and the negative database generation algorithm, and authenticates the received dynamic identity identifier against the locally generated ones. If authentication succeeds, the corresponding user is a legitimate user, and the server updates the local secret parameter that corresponds to this user.
As can be seen from the authentication method and system provided by the invention, authentication is carried out with dynamic identity identifiers generated by negative database technology (or by negative database technology together with a one-way hash function). Each dynamic identity identifier is used only once, which prevents disclosure of the user's real identity and effectively improves security.
Brief description of the drawings
To explain the technical schemes of the embodiments of the invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the registration phase of an authentication method based on dynamic identity identifiers provided by Embodiment one of the invention;
Fig. 2 is a flowchart of the generation phase of an authentication method based on dynamic identity identifiers provided by Embodiment one of the invention;
Fig. 3 is a flowchart of the authentication phase of an authentication method based on dynamic identity identifiers provided by Embodiment one of the invention;
Fig. 4 is a flowchart of the registration phase of another authentication method based on dynamic identity identifiers provided by Embodiment two of the invention;
Fig. 5 is a flowchart of the generation phase of another authentication method based on dynamic identity identifiers provided by Embodiment two of the invention;
Fig. 6 is a flowchart of the authentication phase of another authentication method based on dynamic identity identifiers provided by Embodiment two of the invention;
Fig. 7 is a schematic diagram of an authentication system based on dynamic identity identifiers provided by Embodiment three of the invention.
Detailed description of the embodiments
The technical schemes in the embodiments of the invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The invention authenticates users on the basis of dynamic identity identifiers. The dynamic identity identifier method keeps the user's real identity information secure while still achieving authentication. Instead of using the real identity identifier in plaintext or in a static form, the method derives from the user's real identity identifier a series of different new identifiers that can be authenticated (the dynamic identity identifiers). The user replaces the static, real identity identifier with identifiers that keep changing, and each identifier is used only once. As a result, an attacker cannot determine which packets belong to the same user and has difficulty tracking and attacking the user.
The authentication method based on dynamic identity identifiers provided by the invention has two main implementations, which are described in detail in Embodiment one and Embodiment two. The authentication system based on dynamic identity identifiers provided by the invention consists of a client and a server and is described in detail in Embodiment three.
Embodiment one
This embodiment authenticates users by means of dynamic identity identifiers. The client takes the user's real identity identifier directly as the original database and generates a negative database from it; the generated negative database is the dynamic identity identifier. After the server receives the user's message, it extracts the dynamic identity identifier (the negative database) from the message and recovers the original database from it, which yields the user's real identity identifier for authentication. The authentication method of this embodiment has four phases: registration, generation, sending and authentication. The embodiment is described in detail below with reference to Figs. 1-3.
(1) Registration phase
To become a legitimate user of a server, a user must register with it; the server allows only legitimate users to obtain system resources. The main purpose of registration is to establish shared information between the user and the server for the subsequent authentication process. The detailed flow of the registration phase is shown in Fig. 1 and comprises the following main steps:
Step 11: The user sends a registration request to the server and sends their real identity identifier to the server over a secure channel.
Step 12: The server checks whether the format of the user's real identity identifier is valid. If it is, go to step 13; otherwise, go to step 14.
Step 13: The server sends a registration-success message to the client and stores the user's real identity identifier in an entry of the local legitimate-user table.
Step 14: The server sends a registration-failure message to the client.
(2) Generation phase
After registration, the user can send messages to the server and be authenticated. Before sending a message, the user must first generate a dynamic identity identifier from their real identity identifier. The generation phase is the process of producing that dynamic identity identifier. Its main flow is shown in Fig. 2 and comprises the following steps:
Step 21: Take the user's real identity identifier as the original database and call the negative database generation algorithm to generate a negative database.
Step 22: Randomly permute the tuples of the generated negative database and use this negative database as the user's dynamic identity identifier.
In this embodiment, the negative database generation algorithm must generate a complete and reversible negative database (complete means that the negative database covers the entire complement of the original database; reversible means that recovering the original database from the negative database is computationally feasible). For efficiency, the prefix algorithm can be used to generate the negative database. For the prefix algorithm, see the paper "Negative representations of information" by Esponda et al. (International Journal of Information Security, 2009).
(3) Sending phase
The generation phase yields a dynamic identity identifier that can be used for authentication. In the sending phase, the user first replaces every real or static identity identifier in the message with the generated dynamic identity identifier and then sends the message to the server. Because a dynamic identity identifier is more secure than a static one and keeps changing, it protects the user's real identity information and prevents the user from being tracked.
(4) Authentication phase
In the authentication phase, the server receives the message sent by the user, extracts the negative database (the dynamic identity identifier) from it, and inverts this negative database to obtain the original database (the user's real identity identifier). It then checks whether this identifier is the real identity identifier of a legitimate user in the local table; if so, the user passes authentication. The flow of the authentication phase is shown in Fig. 3 and comprises the following main steps:
Step 31: The server receives the message sent by the user and extracts the negative database from it.
Step 32: The server inverts the extracted negative database to obtain the original database.
Step 33: The server checks whether this identifier is the real identity identifier of a legitimate user in the local table. If so, the user passes authentication; otherwise, authentication fails.
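
The generation and authentication steps of Embodiment one (steps 21-22 and 31-33), as an added Python example that is not code from the patent. It uses a single-string form of the prefix construction; the UTF-8 bit encoding, the function names and the sample identifiers are assumptions.

```python
import secrets


def to_bits(identifier):
    """Encode the real identifier as a bit string (the 'original database')."""
    return "".join(f"{b:08b}" for b in identifier.encode("utf-8"))


def from_bits(bits):
    """Decode a recovered bit string back into an identifier."""
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("utf-8")


def prefix_ndb(bits):
    """Steps 21-22: build the negative database and permute its tuples.

    Tuple i keeps bits[:i], flips bit i and wildcards the rest, so the n
    tuples together match every n-bit string except `bits` (complete).
    """
    n = len(bits)
    ndb = [bits[:i] + ("1" if bits[i] == "0" else "0") + "*" * (n - i - 1)
           for i in range(n)]
    secrets.SystemRandom().shuffle(ndb)  # wire order differs per message
    return ndb


def matches(record, candidate):
    """True if the candidate string is covered by this negative tuple."""
    return all(r in ("*", c) for r, c in zip(record, candidate))


def invert(ndb):
    """Step 32: recover the original bit string (feasible, i.e. reversible)."""
    n = len(ndb)
    by_specified = {}
    for rec in ndb:
        k = n - rec.count("*")  # number of specified leading bits
        if (len(rec) != n or not set(rec) <= set("01*") or k == 0
                or "*" in rec[:k] or k in by_specified):
            raise ValueError("malformed negative database")
        by_specified[k] = rec
    bits = ""
    for k in range(1, n + 1):
        rec = by_specified[k]
        if rec[:k - 1] != bits:  # each tuple must extend the recovered prefix
            raise ValueError("inconsistent negative database")
        bits += "1" if rec[k - 1] == "0" else "0"
    return bits


def authenticate(ndb, registered):
    """Steps 31-33: invert the received database and look the result up."""
    try:
        identifier = from_bits(invert(ndb))
    except ValueError:
        return None
    return identifier if identifier in registered else None


if __name__ == "__main__":
    registered = {"alice", "bob"}        # constructed legitimate-user table
    dynamic_id = prefix_ndb(to_bits("alice"))
    print(dynamic_id[:3], "...")
    print(authenticate(dynamic_id, registered))
```

`invert` uses no secret: the permutation in step 22 changes the form on the wire from message to message, but any party holding the tuples can run the same inversion the server does.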
Embodiment one authenticates users by means of dynamic identity identifiers. The user replaces the static, real identity identifier with identifiers that keep changing, and each identifier is used only once, which effectively improves security.
Embodiment two
In this embodiment, the client shares with the server not only the user's real identity identifier but also a secret parameter. From these shared data, the client generates a dynamic identity identifier using a one-way hash function and a negative database generation algorithm. After the server receives the user's message, it extracts the dynamic identity identifier from it. Then, from the locally stored real identity identifiers and secret parameters of the legitimate users, the server generates dynamic identity identifiers with the one-way hash function and the negative database generation algorithm and compares them with the dynamic identity identifier in the user's message in order to authenticate the user. The authentication method of this embodiment has four phases: registration, generation, sending and authentication. It is explained further below with reference to Figs. 4-6.
(1) Registration phase
In this embodiment, the user shares with the server during registration not only their real identity identifier but also a secret parameter (for example, the random number seed of a pseudo-random number generator, or any parameter that can produce a sequence of different data). The detailed process is shown in Fig. 4 and comprises the following main steps:
Step 41: Preset a secret parameter (for example, choose a random number seed).
Step 42: Send a registration request to the server, and send the user's real identity identifier and the preset secret parameter to the server over a secure channel.
Step 43: The server checks whether the format of the user's real identity identifier is valid. If it is, go to step 44; otherwise, go to step 45.
Step 44: The server sends a registration-success confirmation to the client and stores the user's real identity identifier and the secret parameter in an entry of the local legitimate-user table.
Step 45: The server sends a registration-failure message to the client.
(2) Generation phase
In this embodiment, generating a dynamic identity identifier uses not only a negative database generation algorithm but also a one-way hash function, giving a dual security mechanism and higher security. In addition, the dynamic identity identifier is determined jointly by the user's real identity identifier and the secret parameter. The detailed flow is shown in Fig. 5 and comprises the following main steps:
Step 51: Use the secret parameter to produce the next random number, and append this random number to the end of the user's real identity identifier to form a new string.
Step 52: Hash the new string with the one-way hash function to obtain a hash code.
Step 53: Feed this hash code into the negative database generation algorithm as the original database, and use the negative database that the algorithm produces as the dynamic identity identifier.
Step 54: The client updates the secret parameter (the random number seed) to the current random number.
In this embodiment, the one-way hash function may be an algorithm of the SHA family, and the negative database generation algorithm must generate a hard-to-reverse negative database (hard-to-reverse means that recovering the original database from the negative database is computationally infeasible). For efficiency, the negative database generation algorithm is further preferably the q-hidden algorithm. For the q-hidden algorithm, see the paper "Protecting Data Privacy through Hard-to-Reverse Negative Databases" by Esponda et al. (International Journal of Information Security, 2007) and the paper "Generating Hard Satisfiable Formulas by Hiding Solutions Deceptively" by Jia et al. (Proceedings of the 20th National Conference on Artificial Intelligence, 2005). The parameter q of the q-hidden algorithm is preferably 0.5, and the parameter r is preferably 5.5. All random numbers used in the negative database generation algorithm are produced from the shared random number seed, which guarantees that the server and the legitimate user produce identical negative databases in the same round.
(3) Sending phase
After the generation phase of this embodiment, the user has a dynamic identity identifier. To protect the user's real identity identifier, prevent tracking and resist replay attacks, the user must, before sending a message, replace every real or static identity identifier in the message with the generated dynamic identity identifier, and then send the message to the server.
(4) Authentication phase
After the server receives the user's dynamic identity identifier, it can authenticate the user. If the user who sent the message is a legitimate user, the random number seed in that user's entry on the server is the same as the seed the user held before the generation phase. Because the server cannot tell which entry of the local legitimate-user table corresponds to the sender, it first generates one negative database from the information of each legitimate user (this generation process is the same as the one the user performs in the generation phase, and the one-way hash function, negative database generation algorithm and algorithm parameters the server uses are the same as those the user used). The server then checks whether the negative database extracted from the received message is identical to one of the locally generated negative databases. If a local negative database is identical to the extracted one, the sender is shown to be a legitimate user and passes authentication, and the server updates the local secret parameter that corresponds to this user. The detailed flow is shown in Fig. 6, and the main steps are as follows:
Step 61: The server receives the message sent by the user and extracts the negative database from it.
Step 62: The server marks every user in the local legitimate-user table as unchecked.
Step 63: The server checks whether all users in the local user table are marked as checked. If so, the authentication phase ends and the user fails authentication; if not, unchecked user entries remain, and step 64 is performed.
Step 64: The server selects an unchecked user from the local legitimate-user table, uses the random number seed in that user's entry to produce the next random number, and appends this random number to the end of that user's real identity identifier to form a new string.
Step 65: The server generates the hash code of the new string with the one-way hash function agreed with this user.
Step 66: Using the negative database generation algorithm and pseudo-random number generator agreed with this user, the server takes the resulting hash code as the original database, generates a negative database and uses it as a dynamic identity identifier.
Step 67: The server checks whether the dynamic identity identifier generated in step 66 is identical to the dynamic identity identifier extracted in step 61. If it is, perform step 69; if not, perform step 68.
Step 68: The server marks the user as checked and jumps to step 63.
Step 69: The user who sent the message passes authentication. The server allows the user to log in, replaces the random number seed in that user's entry with the current random number, and ends the authentication phase.
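
An added Python example (not code from the patent) of one Embodiment two round, steps 51-54 on the client and 61-69 on the server. The SHA-256 hash chain standing in for the pseudo-random number generator, three specified positions per tuple, the q-hidden-style weighting and all names are assumptions; q = 0.5 and r = 5.5 are the page's preferred values.

```python
import hashlib
import random

Q, R = 0.5, 5.5  # q-hidden parameters preferred on the page
K = 3            # specified positions per tuple (assumption)


def next_random(seed):
    """Steps 51/64: next random number from the shared seed (assumed hash chain)."""
    return hashlib.sha256(b"next-random" + seed).digest()


def hash_code(real_id, rnd):
    """Steps 51-52/64-65: append the random number to the identifier and hash."""
    digest = hashlib.sha256(real_id.encode("utf-8") + rnd).digest()
    return "".join(f"{b:08b}" for b in digest)


def q_hidden_ndb(bits, rnd):
    """Steps 53/66: q-hidden-style negative database hiding `bits`.

    Each tuple fixes K positions and differs from `bits` in t >= 1 of them,
    each difference pattern weighted by Q**t. All randomness comes from
    `rnd`, so client and server derive identical tuples in the same round.
    """
    rng = random.Random(int.from_bytes(rnd, "big"))
    n = len(bits)
    masks = list(range(1, 2 ** K))  # mask 0 (no difference) is excluded
    weights = [Q ** bin(m).count("1") for m in masks]
    ndb = []
    for _ in range(int(R * n)):
        positions = rng.sample(range(n), K)
        mask = rng.choices(masks, weights)[0]
        ndb.append(tuple(sorted(
            (p, "10"[int(bits[p])] if (mask >> i) & 1 else bits[p])
            for i, p in enumerate(positions))))
    return tuple(ndb)


def record_matches(record, bits):
    """True if `bits` is covered by this negative tuple."""
    return all(bits[p] == v for p, v in record)


class Client:
    def __init__(self, real_id, seed):
        self.real_id, self.seed = real_id, seed

    def dynamic_id(self):
        rnd = next_random(self.seed)
        ndb = q_hidden_ndb(hash_code(self.real_id, rnd), rnd)
        self.seed = rnd  # step 54: seed becomes the current random number
        return ndb


class Server:
    def __init__(self):
        self.users = {}  # real identifier -> current seed

    def register(self, real_id, seed):
        self.users[real_id] = seed

    def authenticate(self, received):
        for real_id, seed in self.users.items():  # steps 62-68
            rnd = next_random(seed)
            if q_hidden_ndb(hash_code(real_id, rnd), rnd) == received:
                self.users[real_id] = rnd  # step 69
                return real_id
        return None


if __name__ == "__main__":
    server = Server()
    server.register("alice", b"constructed-seed-a")  # constructed sample data
    alice = Client("alice", b"constructed-seed-a")
    first = alice.dynamic_id()
    print(server.authenticate(first), server.authenticate(first))
```

The server regenerates one negative database per registered user for every message, so authentication cost grows linearly with the user table. The client advances its seed in step 54 before the message is delivered, so a message lost in transit leaves the two seeds out of step; the page does not describe a resynchronisation step.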
In this embodiment, because a dynamic identity identifier is more secure than a static one and keeps changing, it protects the user's real identity information and prevents the user from being tracked.
By way of example and not limitation, the dynamic identity identifier method of Embodiment two can be used to solve the identity hiding and identity authentication problems in electronic voting. The main implementation is as follows: the voters in the electronic voting system act as legitimate users, the vote-counting center acts as the server, and identity identifiers are processed according to the steps above. Even if an attacker intercepts a ballot message sent by a voter, the attacker cannot obtain the user's real identity identifier from the dynamic identity identifier in the message, and therefore cannot determine the real identity of the sender or impersonate the sender. In addition, because the same user uses a different dynamic identity identifier each time a ballot message is sent, an interceptor cannot use one dynamic identity identifier to trace the sender's next ballot. Moreover, because an attacker who intercepts a voter's message cannot determine the sender's real identity from the dynamic identity identifier in it, the voter's real identity information is protected, which safeguards the fairness of the election. Every legitimate ballot message from a voter can be successfully authenticated by the vote-counting center through its dynamic identity identifier and then counted.
The dynamic identity identifier method of Embodiment two can also be used to solve the identity hiding and identity authentication problems in electronic auctions. The main implementation is as follows: the bidders in the electronic auction system act as legitimate users, the auction center acts as the server, and identity identifiers are processed according to the steps above. Even if a bid message sent by a bidder is intercepted by someone else, the message contains no static or real user identity information, so the interceptor cannot obtain the user's real identity identifier from the dynamic identity identifier in the message. The interceptor therefore cannot determine the bidder's real identity, cannot generate a valid dynamic identity identifier, and so cannot impersonate the bidder. Because the dynamic identity identifier in each message a bidder sends is different, an interceptor cannot use the dynamic identity identifier of one message to trace and pin down that bidder's next bid message. Throughout the auction, the bidder's real identity information is not disclosed, which safeguards the fairness of the auction. In addition, the auction center can authenticate the bidder through the dynamic identity identifier in each bid message and verify the legitimacy and validity of each bid, which ensures the non-repudiation of bids.
In applications such as remote finance systems and telemedicine systems, a similar implementation can be used to hide identities while still completing authentication, thereby protecting the privacy of user identities.
Embodiment three
Fig. 7 is a schematic diagram of an authentication system based on dynamic identity identifiers provided by embodiment three of the present invention. As shown in Fig. 7, the system mainly includes:
Client 71, which supports the following two technical schemes. In the first technical scheme: in the generation phase, it takes the user's true identity identifier as the original database, calls a negative database generation algorithm to generate the negative database of that original database, and uses this negative database as the user's dynamic identity identifier; in the sending phase, it replaces the user's true identity identifier with this dynamic identity identifier and sends it to the server. In the second technical scheme: in the generation phase, it calls a one-way hash function and a negative database generation algorithm on the user's true identity identifier and a preset secret parameter to generate the dynamic identity identifier, and updates the secret parameter; in the sending phase, it replaces the user's true identity identifier with this dynamic identity identifier and sends it to the server;
Server 72, which supports the following two technical schemes. In the first technical scheme: in the authentication phase, it parses the received dynamic identity identifier to obtain the corresponding user true identity identifier, and authenticates that true identity identifier. In the second technical scheme: in the authentication phase, after receiving the user's dynamic identity identifier, it generates local dynamic identity identifiers with the one-way hash function and the negative database generation algorithm, based on the locally stored true identity identifier and corresponding secret parameter of each legitimate user, and authenticates the received dynamic identity identifier against the locally generated ones; if authentication passes, the corresponding user is a legitimate user, and the server updates the local secret parameter corresponding to that user.
The client and the server include the following modules:
The client 71 includes an information sending module 711. In the first technical scheme, it sends the registration request and the true identity identifier to the server 72 over a secure channel; in the second technical scheme, it sends the registration request, the true identity identifier and the preset secret parameter to the server 72 over a secure channel;
The server 72 includes an information verification module 721. In the first technical scheme, it verifies the format of the received user true identity identifier; if the format is valid, it stores the true identity identifier in the local list of legitimate users and sends the client 71 a confirmation message that registration succeeded; otherwise, it returns a registration failure message. In the second technical scheme, it verifies the format of the received user true identity identifier; if the format is valid, it stores the true identity identifier and the corresponding secret parameter in the local list of legitimate users and sends the client 71 a confirmation message that registration succeeded; otherwise, it returns a registration failure message.
The server 72 also includes:
User authentication module 722, which verifies the legitimacy of the user in the authentication phase of the first and second technical schemes.
It should be noted that the specific implementation of the functions realized by each functional module in the above system has been described in detail in the preceding embodiments, and is therefore not repeated here.
Those skilled in the art will clearly understand that, for convenience and brevity of description, only the above division into functional modules is used as an illustration. In practice, the above functions can be assigned to different functional modules as needed; that is, the internal structure of the device can be divided into different functional modules to complete all or part of the functions described above.
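The first technical scheme described above, as an added example rather than code from the patent: the client builds the negative database of the one-string database holding the user's identity and shuffles its tuples, and the server inverts it and checks the registered-user list. It assumes the standard single-string form of the prefix algorithm from the negative-database literature and a UTF-8 bit encoding of the identifier; all function names are hypothetical.

```python
import secrets
from typing import List, Optional, Set

FLIP = {"0": "1", "1": "0"}

def to_bits(identity: str) -> str:
    """Encode the true identity identifier as bits (UTF-8 is an assumption)."""
    return "".join(f"{byte:08b}" for byte in identity.encode("utf-8"))

def generate_dynamic_id(identity: str) -> List[str]:
    """Client, generation phase: negative database of the database {s}."""
    s = to_bits(identity)
    if not s:
        raise ValueError("empty identity")
    n = len(s)
    # Tuple i keeps s[:i], flips bit i and wildcards the rest, so it matches
    # exactly the strings whose first difference from s is at position i.
    # Together the n tuples cover the whole complement of {s}.
    ndb = [s[:i] + FLIP[s[i]] + "*" * (n - i - 1) for i in range(n)]
    secrets.SystemRandom().shuffle(ndb)  # random arrangement of the tuples
    return ndb

def matches(entry: str, candidate: str) -> bool:
    """True if the candidate string is excluded by this negative tuple."""
    return len(entry) == len(candidate) and all(
        e in ("*", c) for e, c in zip(entry, candidate))

def recover_identity(ndb: List[str]) -> str:
    """Server, authentication phase: parse the tuples back into s."""
    if not ndb or len(ndb) != len(ndb[0]) or len(ndb) % 8:
        raise ValueError("wrong number of tuples")
    n = len(ndb)
    bits: List[Optional[str]] = [None] * n
    for entry in ndb:
        fixed = entry.rstrip("*")
        if len(entry) != n or not fixed or set(fixed) - {"0", "1"}:
            raise ValueError("malformed tuple")
        i = len(fixed) - 1          # position of the flipped bit
        if bits[i] is not None:
            raise ValueError("two tuples for one position")
        bits[i] = FLIP[fixed[-1]]
    s = "".join(bits)               # n distinct positions, so none is missing
    for entry in ndb:               # every prefix must agree with s
        fixed = entry.rstrip("*")
        if fixed[:-1] != s[: len(fixed) - 1]:
            raise ValueError("tuple prefixes disagree")
    # UnicodeDecodeError is a ValueError, so bad bytes are rejected too.
    return bytes(int(s[i:i + 8], 2) for i in range(0, n, 8)).decode("utf-8")

def authenticate(ndb: List[str], registered: Set[str]) -> Optional[str]:
    """Return the recovered identity if it is a registered user, else None."""
    try:
        identity = recover_identity(ndb)
    except ValueError:
        return None
    return identity if identity in registered else None

if __name__ == "__main__":
    registered = {"alice01", "bob"}          # constructed sample user list
    first = generate_dynamic_id("alice01")
    second = generate_dynamic_id("alice01")
    print(first != second, authenticate(first, registered))
```

`recover_identity` takes no key: anyone who holds the tuples can run it. The second technical scheme instead hashes the identity with a random number and uses a negative database from which the original cannot be recovered.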
The above are three embodiments of the present invention, which describe in detail the authentication method and system based on dynamic identity identifiers. Compared with the prior art, they mainly have the following characteristics:
1) The computation time required is polynomial in the length of the user's true identity identifier, and the space required is likewise polynomial in that length. The present invention can therefore be used not only on general-purpose PCs but also on devices with lower computing power (such as mobile devices).
2) The algorithms used in each phase (including the negative database generation algorithms) are relatively simple, and the implementation steps are concise. The present invention is therefore easy to implement.
3) It solves the problems of hiding the user's true identity identifier and supporting identity authentication well. It does not depend on other security protocols or authentication schemes; it can be used on its own or in combination with other security policies.
In addition, embodiment two of the present invention has the following characteristics:
1) The negative database produced by the negative database generation algorithm it uses is hard to reverse and offers good security. Therefore, even if an attacker intercepts a user's message, the attacker cannot recover the user's true identity identifier from it, so the user's true identity information is not disclosed. Moreover, even an attacker who obtains all of the messages cannot derive the user's true identity identifier from them. Without the true identity identifier of a legitimate user, the attacker cannot generate a valid dynamic identity identifier for that user, and therefore cannot impersonate a legitimate user.
2) The dynamic identity identifier a user uses each time depends not only on the true identity identifier but also on a secret parameter. Because a dual protection mechanism combining the negative database with a one-way hash function is used, even if an attacker at some moment guesses or enumerates the user's true identity identifier, without the correct random number the attacker still cannot verify whether the guess is correct, and cannot produce a correct dynamic identity identifier to impersonate the legitimate user. The scheme can therefore resist exhaustive attacks and guessing attacks.
The above is only a preferred specific implementation of the present invention, but the protection scope of the present invention is not limited to it. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. The protection scope of the present invention shall therefore be determined by the protection scope of the claims.
Claims (10)
1. An authentication method based on dynamic identity identifiers, characterized in that the method includes the following two technical schemes:
The first technical scheme includes: a generation phase, in which the user's true identity identifier is taken as the original database, a negative database generation algorithm is called to generate the negative database of that original database, and this negative database is used as the user's dynamic identity identifier; a sending phase, in which the user's true identity identifier is replaced with this dynamic identity identifier and sent to the server; and an authentication phase, in which the server parses the received dynamic identity identifier to obtain the corresponding user true identity identifier, and authenticates that true identity identifier;
The second technical scheme includes: a generation phase, in which a one-way hash function and a negative database generation algorithm are called on the user's true identity identifier and a preset secret parameter to generate the dynamic identity identifier, and the secret parameter is updated; a sending phase, in which the user's true identity identifier is replaced with this dynamic identity identifier and sent to the server; and an authentication phase, in which, after the server receives the user's dynamic identity identifier, the server generates local legitimate dynamic identity identifiers with the one-way hash function and the negative database generation algorithm, based on the locally stored true identity identifier and corresponding secret parameter of each legitimate user, and authenticates the received user dynamic identity identifier against the locally generated ones; if authentication passes, the corresponding user is a legitimate user, and the server updates the local secret parameter corresponding to that user.
2. The method according to claim 1, characterized in that a registration phase is also included before the generation phase, and the steps of the registration phase include:
In the first technical scheme, the registration request and the true identity identifier are sent to the server over a secure channel; the server verifies the format of the received user true identity identifier; if the format is valid, the server stores the user true identity identifier in the local list of legitimate users and sends the client a confirmation message that registration succeeded; otherwise, the server returns a registration failure message;
In the second technical scheme, the registration request, the true identity identifier and the preset secret parameter are sent to the server over a secure channel; the server verifies the format of the received user true identity identifier; if the format is valid, the server stores the user true identity identifier and the corresponding secret parameter in the local list of legitimate users and sends the client a confirmation message that registration succeeded; otherwise, the server returns a registration failure message.
3. The method according to claim 1, characterized in that the steps of the generation phase include:
In the first technical scheme, the negative database generation algorithm is called to generate a negative database from the original database, and the tuples in this negative database are randomly permuted to obtain the user's dynamic identity identifier;
In the second technical scheme, the preset secret parameter is used to produce a random number, and this random number is appended to the end of the user's true identity identifier to form a new string; a one-way hash function is applied to this new string to obtain a hash code; with this hash code as the original database, the negative database generation algorithm is called to generate a negative database from the original database, and this negative database is used as the user's dynamic identity identifier.
4. The method according to claim 3, characterized in that the authentication phase includes:
In the first technical scheme, the server applies the inverse transformation to the user's dynamic identity identifier to obtain the user's true identity identifier, and judges whether that true identity identifier belongs to a locally stored legitimate user; if so, the user passes authentication; otherwise, authentication of the user fails;
In the second technical scheme, the server compares the locally generated dynamic identity identifiers of the legitimate users, one after another, with the received user dynamic identity identifier; if an identical dynamic identity identifier exists, the user passes authentication and the local secret parameter corresponding to that user is updated; otherwise, authentication of the user fails and the secret parameter is not updated.
5. The method according to any one of claims 1-4, characterized in that the negative database includes:
In the first technical scheme, a generated negative database that covers the whole complement of the original database, and from which the corresponding user true identity identifier can be recovered by parsing;
In the second technical scheme, a negative database, generated from the user's true identity identifier and the preset secret parameter, from which the original database information cannot be recovered.
6. The method according to any one of claims 1-4, characterized in that the preset secret parameter includes:
The random seed of a PRNG, or a parameter that can produce a large amount of distinct data.
7. The method according to any one of claims 1-4, characterized in that the negative database generation algorithm includes:
The prefix algorithm for the first technical scheme, and the q-hidden algorithm for the second technical scheme.
8. An authentication system based on dynamic identity identifiers, characterized in that the system includes:
A client, which supports the following two technical schemes. In the first technical scheme: in the generation phase, it takes the user's true identity identifier as the original database, calls a negative database generation algorithm to generate the negative database of that original database, and uses this negative database as the user's dynamic identity identifier; in the sending phase, it replaces the user's true identity identifier with this dynamic identity identifier and sends it to the server. In the second technical scheme: in the generation phase, it calls a one-way hash function and a negative database generation algorithm on the user's true identity identifier and a preset secret parameter to generate the dynamic identity identifier, and updates the secret parameter; in the sending phase, it replaces the user's true identity identifier with this dynamic identity identifier and sends it to the server;
A server, which supports the following two technical schemes. In the first technical scheme: in the authentication phase, it parses the received dynamic identity identifier to obtain the corresponding user true identity identifier, and authenticates that true identity identifier. In the second technical scheme: in the authentication phase, after receiving the user's dynamic identity identifier, it generates local dynamic identity identifiers with the one-way hash function and the negative database generation algorithm, based on the locally stored true identity identifier and corresponding secret parameter of each legitimate user, and authenticates the received user dynamic identity identifier against the locally generated ones; if authentication passes, the corresponding user is a legitimate user, and the server updates the local secret parameter corresponding to that user.
9. The system according to claim 8, characterized in that the client and the server include:
The client includes an information sending module which, in the first technical scheme, sends the registration request and the true identity identifier to the server over a secure channel, and, in the second technical scheme, sends the registration request, the true identity identifier and the preset secret parameter to the server over a secure channel;
The server includes an information verification module which, in the first technical scheme, verifies the format of the received user true identity identifier; if the format is valid, it stores the user true identity identifier in the local list of legitimate users and sends the client a confirmation message that registration succeeded; otherwise, it returns a registration failure message; and which, in the second technical scheme, verifies the format of the received user true identity identifier; if the format is valid, it stores the user true identity identifier and the corresponding secret parameter in the local list of legitimate users and sends the client a confirmation message that registration succeeded; otherwise, it returns a registration failure message.
10. The system according to claim 8 or claim 9, characterized in that the server also includes:
A user authentication module, which verifies the legitimacy of the user in the authentication phase of the first and second technical schemes.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310132283.0A CN103236927B (en) | 2013-04-16 | 2013-04-16 | A kind of authentication method based on dynamic ID mark and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310132283.0A CN103236927B (en) | 2013-04-16 | 2013-04-16 | A kind of authentication method based on dynamic ID mark and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103236927A CN103236927A (en) | 2013-08-07 |
CN103236927B true CN103236927B (en) | 2016-09-14 |
Family
ID=48884945
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310132283.0A Expired - Fee Related CN103236927B (en) | 2013-04-16 | 2013-04-16 | A kind of authentication method based on dynamic ID mark and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103236927B (en) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107294909B (en) * | 2016-04-04 | 2020-10-02 | 汪风珍 | Electronic identity real-name authentication product and method |
CN107872429A (en) * | 2016-09-26 | 2018-04-03 | 中国电信股份有限公司 | The method and system that identity is examined is realized in VXLAN |
CN107770183B (en) * | 2017-10-30 | 2020-11-20 | 新华三信息安全技术有限公司 | Data transmission method and device |
CN108182401B (en) * | 2017-12-27 | 2021-09-03 | 武汉理工大学 | Safe iris identification method based on aggregated block information |
CN110868374A (en) * | 2018-08-27 | 2020-03-06 | 京东方科技集团股份有限公司 | Security authentication method, server and client device |
CN111586688B (en) * | 2020-04-24 | 2023-12-05 | 深圳市塔洛思技术有限公司 | Method for generating and verifying identity based on environment perception |
CN112217861B (en) * | 2020-09-02 | 2022-10-28 | 中国人民解放军战略支援部队信息工程大学 | 5G network boundary network element identification protection method and device based on identification jump |
CN112203279B (en) * | 2020-09-02 | 2022-07-12 | 中国人民解放军战略支援部队信息工程大学 | 5G network boundary network element address protection method and device based on discrete address change |
CN113378623A (en) * | 2021-04-08 | 2021-09-10 | 武汉理工大学 | Face recognition method and system based on negative database algorithm encryption |
CN112989398B (en) * | 2021-05-18 | 2021-07-30 | 腾讯科技(深圳)有限公司 | Data processing method and device for block chain network, computer equipment and medium |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102045601A (en) * | 2009-10-22 | 2011-05-04 | 中兴通讯股份有限公司 | Optical network unit (ONU) activating method and system in gigabit passive optical network (GPON) system |
CN103020571A (en) * | 2013-01-17 | 2013-04-03 | 合肥学院 | Radio-frequency identification based bidirectional authentication method |
Non-Patent Citations (1)
Title |
---|
An investigation of negative authentication systems;Dasgupta, D;Azeem, R;《3RD INTERNATIONAL CONFERENCE ON INFORMATION WARFARE AND SECURITY,PROCEEDINGS》;20080425;第117页至126页 * |
Also Published As
Publication number | Publication date |
---|---|
CN103236927A (en) | 2013-08-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103236927B (en) | A kind of authentication method based on dynamic ID mark and system | |
Jiang et al. | Three-factor authentication protocol using physical unclonable function for IoV | |
CN102647461B (en) | Communication means based on HTTP, server, terminal | |
CN101674304B (en) | Network identity authentication system and method | |
CN104735065B (en) | A kind of data processing method, electronic equipment and server | |
CN103338201B (en) | The remote identity authentication method that under a kind of environment of multi-server, registration center participates in | |
CN102685093A (en) | Mobile-terminal-based identity authentication system and method | |
Ibrahim et al. | Electionblock: an electronic voting system using blockchain and fingerprint authentication | |
CN108777616B (en) | Electronic election method, management device and electronic election system for resisting quantum computer attack | |
CN105681470A (en) | Communication method, server and terminal based on hypertext transfer protocol | |
CN110737915B (en) | Anti-quantum-computation anonymous identity recognition method and system based on implicit certificate | |
CN105791274B (en) | A kind of distributed cryptographic storage and method for authenticating based on local area network | |
CN112329519A (en) | Safe online fingerprint matching method | |
Schneider et al. | Survey on remote electronic voting | |
CN109245894A (en) | A kind of distributed cloud storage system based on intelligent contract | |
CN103347018A (en) | Long-distance identity authentication method based on intelligent card and under multiple-service environment | |
CN111355591A (en) | Block chain account safety management method based on real-name authentication technology | |
CN106060097A (en) | Management system and management method for information security competition | |
CN101667917B (en) | Dynamic password input rule | |
Yuan et al. | A universally composable secure grouping‐proof protocol for RFID tags | |
Kumar et al. | Blockchain and internet of things (IoT) enabled smart e-voting system | |
CN116976890A (en) | Multi-sign encryption transaction system of block chain | |
CN112787810A (en) | Electronic voting method and device based on block chain and safe multi-party calculation | |
CN104009851B (en) | A kind of bank net one-time pad two-way authentication secure log technology | |
CN116318901A (en) | Privacy and verifiable internet of things data aggregation method integrating blockchain |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20160914 |