CN105119721A - Three-factor remote identity authentication method based on intelligent card - Google Patents

Info

Publication number: CN105119721A
Application number: CN201510477113.5A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN105119721B (en)
Prior art keywords: server, smart card, registration center, user, verification
Legal status: Granted (active)
Inventors: 刘辉, 张小军, 崔建明, 刘奕辉
Current assignee: Shandong University of Science and Technology
Original assignee: Shandong University of Science and Technology


Abstract

The invention discloses a three-factor remote identity authentication method based on a smart card. The method comprises the following steps: a user and a server register with a registration center, and the smart card issued to the user holds encrypted information; the user logs in; the smart card performs local verification; the registration center verifies the server and the user; the server verifies the registration center; and the smart card verifies the server. The method provides user anonymity and resists denial-of-service attacks, eavesdropping attacks, stolen-smart-card attacks and similar attack modes.

Description

Three-factor remote identity authentication method based on a smart card
Technical field
The present invention relates to the field of information security and network technology, and in particular to a three-factor remote identity authentication method based on a smart card.
Background technology
Network communication technology is developing rapidly, and more and more people are accustomed to obtaining services such as e-commerce, e-government and e-logistics over the network. To obtain information from a server or use the services it provides, a user first needs to log in to the server. A remote identity authentication scheme applicable to the network is therefore needed to verify the legitimacy of users. However, the Internet is a public environment in which anyone can intercept the messages between the user and the server, so protecting user information and preventing illegal communication is extremely important.
In practice, two-factor identity authentication methods for a multi-server environment are widely used, but such methods still cannot meet the demands of high-security environments such as finance, military affairs and national security. Biometric characteristics such as fingerprints and irises are unique, not easily lost, hard to alter and hard to steal, which exactly matches the needs of high-security applications. In the 1970s some researchers began to pay attention to biometric information, but because of technical limitations it could not be effectively extracted or stored, and its correctness could not be verified by digital means, so biometric identification technology was not widely adopted. With the development of fingerprint, iris and voice recognition technology, biometric identification has entered many fields, and one important field is identity authentication.
A three-factor identity authentication method verifies user identity with three factors ("what the user knows", "what the user has" and "who the user is"), and uses the unique and constant nature of biometric information to strengthen the security of identity authentication. When a user wants to log in to a server, besides providing a password and an identity label, the user must also input biometric information; if the matching degree between the input biometric information and the biometric information collected at registration does not reach the security threshold, the server does not provide service to the registrant.
However, some methods in the prior art, such as the identity verification methods now in general use, cannot resist denial-of-service attacks, eavesdropping attacks, stolen-smart-card attacks and anonymity attacks.
Summary of the invention
In view of the above defects, the object of the present invention is to provide a three-factor remote identity authentication method based on a smart card for a safer multi-server environment, which can resist denial-of-service attacks, eavesdropping attacks and stolen-smart-card attacks while also providing fingerprint identification.
To achieve the above object, the present invention adopts the following technical scheme:
A three-factor remote identity authentication method based on a smart card, the method comprising: the server registers with the registration center as a legal server in the multi-server system; the user submits a registration application to the registration center, and after successful registration the user obtains a smart card holding specific information, the specific information being $\{P_i, D_i, C_i, G_i, V_i, Z_i, B_i, h(\cdot)\}$, where $P_i, D_i, C_i, G_i, V_i, Z_i$ and $B_i$ are encrypted values: $P_i = h(h(PW_i))$ is the double hash of the password $PW_i$ provided by the user, $D_i = UID_i \oplus h(PW_i)$ is the secret value of the user identity label $UID_i$, $C_i = RU_i \oplus h(PW_i)$ with $RU_i = h(UID_i \| x)$ is the user's secret value, $G_i$ is the secret value of the system parameter, $V_i$ is the secret value of the fingerprint feature point, $Z_i$ and $B_i$ are encrypted values generated by the registration center, $B_i = UID_i \oplus b$ and $Z_i = h(B_i \oplus z)$, $b$ is a random number generated by the smart card, and $x$, $y$ and $z$ are keys of the registration center; the user logs in to the server using the smart card; the smart card performs local verification of the login password provided by the user, and if the password is correct the smart card further verifies the user's biometric characteristic; if that verification passes, the smart card generates first verification data and sends it to the server, otherwise the session is stopped; after receiving the first verification data, the server generates second verification data proving the server's identity and sends the first and second verification data to the registration center; the registration center first verifies the legitimacy of the server identity from the received second verification data, then verifies the legitimacy of the user identity from the first verification data, and once both identities are verified it generates third and fourth verification data and sends them to the server; the server verifies the identity of the registration center from the received third verification data, and if it confirms that the third verification data was indeed sent by the registration center it generates a server-side session key and sends the fourth verification data to the smart card; the smart card verifies whether the received fourth verification data is legitimate, and if so the smart card has completed its check of the server's identity and generates a smart-card-side session key, after which the smart card and the server use their respective session keys to communicate with a symmetric encryption/decryption method; otherwise the session is stopped.
Further, in the three-factor remote identity authentication method based on a smart card, the server registration step further comprises: the registration center encrypts the server identity label $SID_j$ with the key $y$ to generate the hash value $RS_j = h(SID_j \| y)$, and stores $\{RS_j, g, h(\cdot)\}$ in the server over a secure channel, where $g$ is a system parameter.
Further, in the three-factor remote identity authentication method based on a smart card, the step of the user registering with the registration center further comprises: the user submits the user identity label $UID_i$ and the password $PW_i$ to the registration center and enrols a fingerprint; the registration center extracts the digitized fingerprint feature point $F_i$, and generates the double hash of the password $P_i = h(h(PW_i))$, the secret value of the identity label $D_i = UID_i \oplus h(PW_i)$, the user's secret value $RU_i = h(UID_i \| x)$ with $C_i = RU_i \oplus h(PW_i)$, the secret value of the system parameter $G_i$ and the secret value of the fingerprint feature point $V_i$; the smart card generates a random number $b$, and the registration center calculates $B_i = UID_i \oplus b$ and then $Z_i = h(B_i \oplus z)$, where $x$, $y$ and $z$ are keys of the registration center; the registration center stores the encrypted information $\{P_i, D_i, C_i, G_i, V_i, Z_i, B_i, h(\cdot)\}$ in the smart card.
Further, in the three-factor remote identity authentication method based on a smart card, the user login step further comprises: the user inputs their password $PW_i^*$ through the smart card, and the smart card checks whether the equation $P_i = h(h(PW_i^*))$ holds; if it holds, the smart card prompts the user to enrol a fingerprint and extracts its feature value $F_i^*$, otherwise the session ends; the smart card recovers the registered fingerprint feature value $F_i$ by computation and checks the matching degree of $F_i^*$ against $F_i$; if the matching degree does not exceed the set security threshold the login is stopped, and if it exceeds the threshold the login succeeds.
Further, in the three-factor remote identity authentication method based on a smart card, the step in which the smart card generates and sends the first verification data further comprises: the smart card generates random numbers $r_u$ and $b_{new}$, recovers the user identity $UID_i = D_i \oplus h(PW_i^*)$, calculates $B_{new} = UID_i \oplus b_{new}$ and $Q_i = B_{new} \oplus Z_i$, recovers $RU_i = C_i \oplus h(PW_i^*)$ and calculates the first verification data $M_1 = h(RU_i \| g^{r_u} \| SID_j \| T_i)$, where $T_i$ is the timestamp representing the current time at the smart card; the smart card sends the auxiliary verification data together with the first verification data $M_1$ to the server.
Further, in the three-factor remote identity authentication method based on a smart card, the step in which the server sends the first and second verification data to the registration center further comprises: after receiving the verification data sent by the smart card, the server verifies the validity of its timestamp $T_i$, and if the timestamp is not within the service time range, communication is stopped; otherwise the server generates a random number $r_s$ in $Z_q^*$, the multiplicative group of integers modulo $q$, where $q$ is a large prime, and calculates the second verification data $M_2$, where $T_j$ is the timestamp representing the current time at the server; the server sends the first verification data, the second verification data and the related auxiliary verification data to the registration center.
Further, in the three-factor remote identity authentication method based on a smart card, the registration center's check of the legitimacy of the server and user identities further comprises: the registration center first verifies whether the timestamps $T_i$ and $T_j$ are valid, and stops the session if they are not; otherwise it calculates $RS'_j = h(SID_j \| y)$ and then $M'_2$, and checks whether the equation $M'_2 = M_2$ holds; if it holds the server is legitimate, otherwise the session is stopped; the registration center then calculates $Z_i = h(B_i \oplus z)$ and $B_{new} = Q_i \oplus Z_i$, recovers the user identity label $UID_i = B_{new} \oplus b_{new}$, calculates $RU'_i = h(UID_i \| x)$ and judges whether $M'_1$ equals $M_1$; if they are equal, the user's identity is legitimate.
Further, in the three-factor remote identity authentication method based on a smart card, the step in which the registration center generates and sends the third and fourth verification data further comprises: the registration center calculates $Z_{new} = h(B_{new} \oplus z)$ and $Q_j = Z_{new} \oplus B_{new}$, the third verification data $M_3 = h(g^{r_u} \| g^{r_s} \| RS'_j \| T_i \| T_j)$ and the fourth verification data $M_4 = h(g^{r_u} \| g^{r_s} \| RU'_i \| T_i \| T_j)$, and sends $\{Q_j, M_3, M_4\}$ to the server.
Further, in the three-factor remote identity authentication method based on a smart card, the mutual authentication step of the server and user identities further comprises: the server verifies whether the third verification data was sent by the registration center; if so, the server forwards the fourth verification data and the auxiliary verification message to the smart card and at the same time generates the server-side key, otherwise the session is stopped; the smart card verifies whether the fourth verification data was sent by the registration center, and if so generates the smart-card-side key, otherwise the session is stopped.
Further, the three-factor remote identity authentication method based on a smart card also comprises the following step: after the smart card has verified that the server identity is legitimate, the smart card calculates $Z_{new}$ and replaces the previously stored $\{Z_i, B_i\}$ with $\{Z_{new}, B_{new}\}$.
In the technical scheme of the invention, the smart card stores $\{P_i, D_i, C_i, G_i, V_i, Z_i, B_i, h(\cdot)\}$; apart from the hash function, all other items are secret values, so even if an attacker steals the card no sensitive information is revealed, which achieves the goals of resisting stolen-smart-card attacks and eavesdropping attacks. The smart card holds $P_i = h(h(PW_i))$; after the user inputs a password, the smart card computes the double hash of the password and checks whether it equals $P_i$, so the correctness of the password can be verified locally, which remedies the inability of the prior art to verify password correctness locally and resists denial-of-service attacks well. Moreover, the invention improves the storage and verification of the fingerprint by adopting feature point extraction and threshold matching, making fingerprint recognition easier to realize. In addition, the invention achieves good anonymity by encrypting with random numbers and updating the values stored in the smart card, and can resist anonymity attacks.
Description of the drawings
Fig. 1 is a schematic diagram of the steps of the server registration stage in a specific embodiment of the present invention;
Fig. 2 is a schematic diagram of the steps of the user registration stage in a specific embodiment of the present invention;
Fig. 3 is a schematic diagram of the steps of the login stage and verification stage in a specific embodiment of the present invention.
Embodiment
In order to make the object, technical scheme and advantages of the present invention clearer, the present invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention and are not intended to limit it.
The technical scheme disclosed in the present invention comprises three participants, the user $U_i$, the registration center $RC$ and the server $S_j$, and three phases: the registration phase, the login phase and the verification phase.
As shown in Figs. 1, 2 and 3, a three-factor remote identity authentication method based on a smart card comprises: the server registers with the registration center as a legal server in the multi-server system; the user submits a registration application to the registration center, and after successful registration the user obtains a smart card holding specific information, the specific information being $\{P_i, D_i, C_i, G_i, V_i, Z_i, B_i, h(\cdot)\}$, where $P_i, D_i, C_i, G_i, V_i, Z_i$ and $B_i$ are encrypted values: $P_i = h(h(PW_i))$ is the double hash of the password $PW_i$ provided by the user, $D_i = UID_i \oplus h(PW_i)$ is the secret value of the user identity label $UID_i$, $C_i = RU_i \oplus h(PW_i)$ with $RU_i = h(UID_i \| x)$ is the user's secret value, $G_i$ is the secret value of the system parameter, $V_i$ is the secret value of the fingerprint feature point, $Z_i$ and $B_i$ are encrypted values generated by the registration center, $B_i = UID_i \oplus b$ and $Z_i = h(B_i \oplus z)$, $b$ is a random number generated by the smart card, and $x$, $y$ and $z$ are keys of the registration center; the user logs in to the server using the smart card; the smart card performs local verification of the login password provided by the user, and if the password is correct the smart card further verifies the user's biometric characteristic; if that verification passes, the smart card generates first verification data and sends it to the server, otherwise the session is stopped; after receiving the first verification data, the server generates second verification data proving the server's identity and sends the first and second verification data to the registration center; the registration center first verifies the legitimacy of the server identity from the received second verification data, then verifies the legitimacy of the user identity from the first verification data, and once both identities are verified it generates third and fourth verification data and sends them to the server; the server verifies the identity of the registration center from the received third verification data, and if it confirms that the third verification data was indeed sent by the registration center it generates a server-side session key and sends the fourth verification data to the smart card; the smart card verifies whether the received fourth verification data is legitimate, and if so the smart card has completed its check of the server's identity and generates a smart-card-side session key, after which the smart card and the server use their respective session keys to communicate with a symmetric encryption/decryption method; otherwise the session is stopped.
In the technical scheme of the invention, the smart card stores $\{P_i, D_i, C_i, G_i, V_i, Z_i, B_i, h(\cdot)\}$; apart from the hash function, all other items are secret values, so even if an attacker steals the card no sensitive information is revealed, which achieves the goals of resisting stolen-smart-card attacks and eavesdropping attacks. The smart card holds $P_i = h(h(PW_i))$; after the user inputs a password, the smart card computes the double hash of the password and checks whether it equals $P_i$, so the correctness of the password can be verified locally, which remedies the inability of the prior art to verify the password locally. Moreover, the invention improves the storage and verification of the fingerprint by adopting feature point extraction and threshold matching, making fingerprint recognition easier to realize. In addition, the invention achieves good anonymity by encrypting the first verification data with random numbers and updating the values stored in the smart card, and can resist anonymity attacks. With the registration center authenticating the server and the smart card, the server then authenticating the registration center, and the smart card authenticating the server, the verification method as a whole achieves the technical effect of resisting server impersonation attacks.
Further, the server registration step further comprises: the registration center encrypts the server identity label $SID_j$ with the key $y$ to obtain the hash value $RS_j = h(SID_j \| y)$, and stores $\{RS_j, g, h(\cdot)\}$ in the server over a secure channel, where $g$ is a parameter of the integrated system. The integrated system refers to the system composed of the registration center, the smart card, the server and so on.
Further, the step of the user registering with the registration center further comprises: when the registration phase starts, the user submits the user identity label $UID_i$ and the password $PW_i$ to the registration center and enrols a fingerprint; the registration center extracts the digitized fingerprint feature point $F_i$, and calculates the double hash of the password $P_i = h(h(PW_i))$, the secret value of the identity label $D_i = UID_i \oplus h(PW_i)$, the user's encrypted value $RU_i = h(UID_i \| x)$ with $C_i = RU_i \oplus h(PW_i)$, the secret value of the integrated system parameter $G_i$ and the secret value of the fingerprint feature point $V_i$; the smart card generates a random number $b$, and the registration center calculates $B_i = UID_i \oplus b$ and then $Z_i = h(B_i \oplus z)$, where $x$, $y$ and $z$ are all keys of the registration center; the registration center stores the encrypted information $\{P_i, D_i, C_i, G_i, V_i, Z_i, B_i, h(\cdot)\}$ in the smart card and sends the smart card to the user over a secure channel.
Further, the login step further comprises: the user inputs their password $PW_i^*$ through the smart card, and the smart card checks whether the user's password is correct by judging whether the equation $P_i = h(h(PW_i^*))$ holds. Only after the password has been entered correctly does the smart card prompt the user to enrol a fingerprint and extract its feature value $F_i^*$; the smart card recovers the registered fingerprint feature value $F_i$ by computation and checks the matching degree of $F_i^*$ against $F_i$; if the matching degree does not exceed the set security threshold (e.g. 90%), the login is stopped, and if it exceeds the threshold the smart card accepts the login performed by the user.
Further, the step in which the smart card generates and sends the first verification data further comprises: the smart card generates random numbers $r_u$ and $b_{new}$, recovers the user identity $UID_i = D_i \oplus h(PW_i^*)$, calculates $B_{new} = UID_i \oplus b_{new}$ and $Q_i = B_{new} \oplus Z_i$, recovers $RU_i = C_i \oplus h(PW_i^*)$ and calculates the first verification data $M_1 = h(RU_i \| g^{r_u} \| SID_j \| T_i)$, where $T_i$ is the timestamp representing the current time at the smart card; finally, the smart card sends the auxiliary verification data together with the first verification data $M_1$ to the server.
Further, the step in which the server sends the first and second verification data to the registration center further comprises: after receiving the verification data sent by the smart card, the server verifies the validity of its timestamp $T_i$, and if the timestamp is not within the service time range, communication is stopped; otherwise the server generates a random number $r_s$ in $Z_q^*$, the multiplicative group of integers modulo $q$, where $q$ is a large prime, and calculates the second verification data $M_2$, where $T_j$ is the timestamp representing the current time at the server; the server sends the first verification data, the second verification data and the related auxiliary verification data to the registration center.
Further, the registration center's check of the legitimacy of the server and user identities further comprises: the registration center first verifies whether the timestamps $T_i$ and $T_j$ are valid; if they are valid, it verifies the legitimacy of the server identity and then the legitimacy of the user identity; provided both the server and the user are legitimate, the registration center sends the third verification data to the server, and the server and the user complete their mutual authentication based on the third verification data.
Further, the registration center's check of server identity legitimacy further comprises: the registration center calculates $RS'_j = h(SID_j \| y)$ and then $M'_2$, and checks whether the equation $M'_2 = M_2$ holds; if it holds, this proves that the message sent by the server contains information derived from the key $y$, which demonstrates the legitimacy of the server; if the equation does not hold, the registration center stops the session.
Further, the registration center's check of user identity legitimacy further comprises: the registration center calculates $Z_i = h(B_i \oplus z)$ and $B_{new} = Q_i \oplus Z_i$, recovers the user identity label $UID_i = B_{new} \oplus b_{new}$, calculates $RU'_i = h(UID_i \| x)$ and judges whether $M'_1$ equals $M_1$; if they are equal, the user's identity is proven legitimate.
Further, the step in which the registration center generates and sends the third and fourth verification data further comprises: the registration center calculates $Z_{new} = h(B_{new} \oplus z)$ and $Q_j = Z_{new} \oplus B_{new}$, the third verification data $M_3 = h(g^{r_u} \| g^{r_s} \| RS'_j \| T_i \| T_j)$ and the fourth verification data $M_4 = h(g^{r_u} \| g^{r_s} \| RU'_i \| T_i \| T_j)$, and sends $\{Q_j, M_3, M_4\}$ to the server.
Further, the mutual authentication step of the server and user identities further comprises: by confirming that the third verification data was indeed sent by the registration center, the server indirectly verifies the identity of the user; after verifying the user identity, the server forwards the fourth verification data to the smart card and also sends the auxiliary verification message; by confirming that the fourth verification data was indeed sent by the registration center, the smart card indirectly verifies the identity of the server.
Further, after the smart card has verified that the server identity is legitimate, the method also comprises updating the contents stored in the smart card: the smart card calculates $Z_{new}$ and replaces the previously stored $\{Z_i, B_i\}$ with $\{Z_{new}, B_{new}\}$.
Further, after the smart card and the server have authenticated each other, both calculate the same session key $SK = (g^{r_u})^{r_s}$.
In another specific embodiment of the present invention that is closer to practical application, the registration phase completes the registration of the user $U_i$ and the server $S_j$ with the registration center, with all communication carried out over a secure channel. The concrete steps are as follows:
A legal server needs to submit its identity label $SID_j$ to the registration center; the registration center calculates the secret value $RS_j = h(SID_j \| y)$ and stores $\{RS_j, g, h(\cdot)\}$ in the server over a secure channel, where $g$ is a system parameter.
A legitimate user needs to submit the user identity label $UID_i$ and the password $PW_i$ to the registration center at registration and enrol a fingerprint; the registration center extracts the digitized fingerprint feature point $F_i$. The registration center then carries out the following steps:
Step 1. The registration center calculates the double hash of the password $P_i = h(h(PW_i))$, the secret value of the identity label $D_i = UID_i \oplus h(PW_i)$, the user's secret value $RU_i = h(UID_i \| x)$ with $C_i = RU_i \oplus h(PW_i)$, the secret value of the system parameter $G_i$ and the secret value of the fingerprint feature point $V_i$.
Step 2. The smart card generates a random number $b$, and the registration center calculates $B_i = UID_i \oplus b$ and then $Z_i = h(B_i \oplus z)$, where $x$, $y$ and $z$ are all keys of the registration center.
Step 3. The registration center stores $\{P_i, D_i, C_i, G_i, V_i, Z_i, B_i, h(\cdot)\}$ in the smart card and sends the smart card to the user over a secure channel.
The login and verification phases complete the smart card's local verification, the registration center's verification of the server and the user, and the server's and user's verification of the verification data sent by the registration center. The concrete steps are as follows:
Step 1. When the user wants to log in to the server, the smart card is inserted into a card reader and the password $PW_i^*$ is input; the smart card checks whether the user's password is correct by judging whether the equation $P_i \stackrel{?}{=} h(h(PW_i^*))$ holds. Only after the password has been entered correctly does the smart card prompt the user to enrol a fingerprint and extract its feature value $F_i^*$. The smart card recovers the registered fingerprint feature value $F_i$ by computation and checks the matching degree of $F_i^*$ against $F_i$; if the matching degree does not exceed the set threshold (which can be set according to the security requirement), the login is stopped, and if it exceeds the threshold the user is considered logged in. The smart card then generates random numbers $r_u$ and $b_{new}$, recovers the user identity $UID_i = D_i \oplus h(PW_i^*)$, calculates $B_{new} = UID_i \oplus b_{new}$ and $Q_i = B_{new} \oplus Z_i$, recovers $RU_i = C_i \oplus h(PW_i^*)$ and calculates the first verification data $M_1 = h(RU_i \| g^{r_u} \| SID_j \| T_i)$; finally, the smart card sends the login request message to the server.
Step 2. After the server receives the user's login request message, it verifies the validity of the timestamp $T_i$; if the timestamp is not within the service time range, communication is stopped, otherwise the following steps continue.
Step 3. The server generates a random number $r_s$ in $Z_q^*$, the multiplicative group of integers modulo $q$, where $q$ is a large prime, and calculates the second verification data $M_2$, where $T_j$ is the timestamp of the current time at the server. The server then forwards the login request message sent by the smart card to the registration center and at the same time sends the server's verification information to the registration center.
Step 4. After the registration center receives the messages forwarded by the server, it first verifies whether $T_i$ and $T_j$ are valid; if they are valid, it examines whether the identities of the server and the user are legitimate; provided both the server and the user are legitimate, the registration center sends an identity authentication message to the server, and the server and the user can complete authentication based on this message. See the following sub-steps.
Step 4-1. The registration center calculates $RS'_j = h(SID_j \| y)$ and then $M'_2$, and checks whether the equation $M'_2 \stackrel{?}{=} M_2$ holds; if it holds, this proves that the message sent by the server contains information derived from the key $y$, which demonstrates the legitimacy of the server. If the equation does not hold, the registration center stops the session.
Step 4-2. The registration center calculates $Z_i = h(B_i \oplus z)$ and $B_{new} = Q_i \oplus Z_i$, recovers the user identity label $UID_i = B_{new} \oplus b_{new}$, calculates $RU'_i = h(UID_i \| x)$ and judges whether $M'_1$ equals $M_1$; if they are equal, the user's identity is proven legitimate. If they are not equal, the registration center informs the server that the user is illegitimate.
Step 4-3. After the identities of both the server and the user have passed verification, the registration center calculates the secret values $Z_{new} = h(B_{new} \oplus z)$ and $Q_j = Z_{new} \oplus B_{new}$, the third verification data $M_3 = h(g^{r_u} \| g^{r_s} \| RS'_j \| T_i \| T_j)$ with which the user and the server complete authentication, and the fourth verification data $M_4 = h(g^{r_u} \| g^{r_s} \| RU'_i \| T_i \| T_j)$, and sends $\{Q_j, M_3, M_4\}$ to the server.
Step 5. After the server receives $\{Q_j, M_3, M_4\}$, it calculates $M'_3$ and verifies whether it equals the $M_3$ transmitted by the registration center. If they are equal, this proves that the message was indeed sent by the registration center for this login process, and that it was sent after the registration center had authenticated the user's information; that is, the server has now completed authentication of the user. The server calculates the session key for this service, $SK = (g^{r_u})^{r_s}$, and sends the reply message to the user.
Step 6. After the user receives the feedback sent back by the server, the smart card calculates the identity authentication message $M'_4$ and verifies whether it equals the $M_4$ sent by the server; if they are equal, this proves that $M_4$ was calculated by the registration center, and since the registration center only calculates this value after first authenticating the server identity as legitimate, the user has also completed authentication of the server. Then the smart card calculates $Z_{new}$ and replaces the previously stored $\{Z_i, B_i\}$ with $\{Z_{new}, B_{new}\}$. Finally the smart card calculates the same session key as the server, and the login and verification process is complete.
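The login and verification flow of Steps 1 to 6 (the same exchange the summary of the invention describes), as an added worked example that is not part of the patent: a Python simulation in which the smart card, server and registration center exchange $M_1$ to $M_4$, the registration center recovers $UID_i$ from $Q_i$, $B_i$ and $b_{new}$, the card replaces $\{Z_i, B_i\}$ after a successful run, and both sides derive $SK$. Assumptions the patent does not state: $h(\cdot)$ is SHA-256 over the concatenated arguments, $q$ is the Mersenne prime $2^{127}-1$ (far too small for real use), $M_2 = h(RS_j \| g^{r_s} \| T_j)$, $V_i = F_i \oplus h(PW_i)$, the auxiliary data sent with $M_1$ is $\{g^{r_u}, Q_i, B_i, b_{new}, SID_j, T_i\}$, the card recovers $Z_{new}$ as $Q_j \oplus B_{new}$, timestamps are valid for 60 seconds, and fingerprint matching is modelled as the fraction of agreeing bits in a 256-bit feature vector.

```python
import hashlib, secrets, time

Q = 2**127 - 1   # q: the Mersenne prime 2^127-1 (a real deployment needs a much larger group)
G = 3            # system parameter g, the base of g^{r_u} and g^{r_s}
WINDOW = 60      # timestamp validity window in seconds (assumed; the patent fixes none)

def h(*parts) -> bytes:
    """h() modelled as SHA-256 over the '||' concatenation of its arguments."""
    enc = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return hashlib.sha256(b"||".join(enc)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def match_degree(f1: bytes, f2: bytes) -> float:
    # fraction of equal bits between two feature vectors (constructed matching metric)
    return 1 - bin(int.from_bytes(xor(f1, f2), "big")).count("1") / (8 * len(f1))

def fresh(t: int) -> bool:
    return abs(int(time.time()) - t) <= WINDOW

class RegistrationCenter:
    def __init__(self):
        self.x, self.y, self.z = (secrets.token_bytes(32) for _ in range(3))
    def register_server(self, sid: str) -> dict:
        return {"SID": sid, "RS": h(sid, self.y), "g": G}        # {RS_j, g, h()}
    def register_user(self, uid: str, pw: str, fp: bytes, b: bytes) -> dict:
        hp, u = h(pw), uid.encode().ljust(32, b"\0")              # UID_i padded for XOR
        B = xor(u, b)                                             # B_i = UID_i xor b
        return {"P": h(hp), "D": xor(u, hp), "C": xor(h(u, self.x), hp),
                "V": xor(fp, hp),             # V_i = F_i xor h(PW_i) is an assumed form
                "Z": h(xor(B, self.z)), "B": B}                   # Z_i = h(B_i xor z)
    def verify(self, m: dict):
        """Step 4: check server (M2) then user (M1); return {Q_j, M3, M4} or None."""
        RS = h(m["SID"], self.y)                                  # RS'_j
        if not (fresh(m["Ti"]) and fresh(m["Tj"])) or h(RS, m["grs"], m["Tj"]) != m["M2"]:
            return None                                           # M2 form is assumed
        B_new = xor(m["Qi"], h(xor(m["Bi"], self.z)))             # Q_i xor Z_i
        RU = h(xor(B_new, m["b_new"]), self.x)                    # RU'_i from recovered UID_i
        if h(RU, m["gru"], m["SID"], m["Ti"]) != m["M1"]:
            return None
        Z_new = h(xor(B_new, self.z))
        return {"Qj": xor(Z_new, B_new),
                "M3": h(m["gru"], m["grs"], RS, m["Ti"], m["Tj"]),
                "M4": h(m["gru"], m["grs"], RU, m["Ti"], m["Tj"])}

class Server:
    def __init__(self, reg: dict):
        self.sid, self.RS = reg["SID"], reg["RS"]
    def relay(self, req: dict):
        """Steps 2-3: check T_i, add r_s, g^{r_s}, T_j and M2, forward to the RC."""
        if req is None or req["SID"] != self.sid or not fresh(req["Ti"]):
            return None
        self.rs = secrets.randbelow(Q - 2) + 1
        grs, Tj = pow(G, self.rs, Q), int(time.time())
        return dict(req, grs=grs, Tj=Tj, M2=h(self.RS, grs, Tj))
    def finish(self, fwd: dict, rc: dict):
        """Step 5: verify M3, derive SK, pass {M4, g^{r_s}, Q_j, T_j} on to the card."""
        if rc is None or h(fwd["gru"], fwd["grs"], self.RS, fwd["Ti"], fwd["Tj"]) != rc["M3"]:
            return None
        self.sk = pow(fwd["gru"], self.rs, Q)                     # SK = (g^{r_u})^{r_s}
        return {"M4": rc["M4"], "grs": fwd["grs"], "Qj": rc["Qj"], "Tj": fwd["Tj"]}

class SmartCard:
    def __init__(self, data: dict):
        self.d = data
    def login(self, pw: str, fp: bytes, sid: str, threshold: float = 0.9):
        """Step 1: local password check, fingerprint threshold match, then build M1."""
        hp = h(pw)
        if self.d["P"] != h(hp):                                  # P_i != h(h(PW_i*)): stop locally
            return None
        if match_degree(xor(self.d["V"], hp), fp) < threshold:    # recovered F_i vs F_i*
            return None
        self.ru, b_new = secrets.randbelow(Q - 2) + 1, secrets.token_bytes(32)
        self.B_new = xor(xor(self.d["D"], hp), b_new)             # UID_i xor b_new
        self.RU, self.Ti = xor(self.d["C"], hp), int(time.time())
        gru = pow(G, self.ru, Q)
        return {"M1": h(self.RU, gru, sid, self.Ti), "gru": gru, "SID": sid, "Ti": self.Ti,
                "Qi": xor(self.B_new, self.d["Z"]), "Bi": self.d["B"], "b_new": b_new}
    def finish(self, rep: dict):
        """Step 6: verify M4, replace {Z_i, B_i} with {Z_new, B_new}, derive SK."""
        if rep is None or h(pow(G, self.ru, Q), rep["grs"], self.RU, self.Ti, rep["Tj"]) != rep["M4"]:
            return None
        self.d["Z"], self.d["B"] = xor(rep["Qj"], self.B_new), self.B_new  # Z_new = Q_j xor B_new
        return pow(rep["grs"], self.ru, Q)                        # SK = (g^{r_s})^{r_u}

def run_session(card, server, rc, pw, fp):
    """Drive one login; return (card SK, server SK) or None if any party aborts."""
    fwd = server.relay(card.login(pw, fp, server.sid))
    sk = card.finish(server.finish(fwd, rc.verify(fwd)) if fwd else None)
    return None if sk is None else (sk, server.sk)

# Constructed enrolment: one server, one user whose fingerprint is a 256-bit feature vector.
RC = RegistrationCenter()
SERVER = Server(RC.register_server("server-01"))
FP = bytes.fromhex("a3" * 32)
CARD = SmartCard(RC.register_user("alice", "correct horse", FP, secrets.token_bytes(32)))
NOISY_FP = xor(FP, b"\x01" * 4 + b"\0" * 28)   # 4 of 256 bits flipped: about 98% match
```

A wrong password or a poorly matching fingerprint is rejected by the card before any message leaves it, and a second run after a successful session still verifies because the registration center recomputes $Z_i$ from the updated $B_i$.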
In summary, by storing data encrypted locally in the smart card, storing the double hash of the password in the smart card, encrypting with random numbers and updating the values stored in the smart card, the present invention solves the problems of the identity authentication method proposed by Chen et al., which is subject to anonymity attacks, eavesdropping attacks and stolen-smart-card attacks and cannot verify password correctness. At the same time, the present invention has the beneficial effects of local verification, changeable passwords, no verification table, and forward and backward security.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of practice; any modification or equivalent replacement of the present invention that does not depart from its spirit and scope shall be encompassed within the protection scope of the claims of the present invention.

Claims (10)

1. A three-factor remote identity authentication method based on a smart card, characterized in that the method comprises:
the server registers with the registration center as a legitimate server in the multi-server system;
the user submits a registration application to the registration center and, after successful registration, obtains a smart card holding specific information {P_i, D_i, C_i, G_i, V_i, Z_i, B_i, h(·)}, where P_i, D_i, C_i, G_i, V_i, Z_i and B_i are encrypted information: P_i is the value of the user-supplied password PW_i after two hashes, i.e. P_i = h(h(PW_i)); D_i is the secret value of the user identity UID_i; C_i is the secret value of the user's RU_i = h(UID_i || x); G_i is the secret value of the system parameter; V_i is the secret value of the fingerprint feature points; Z_i and B_i are encrypted information generated by the registration center, B_i = UID_i ⊕ b and Z_i = h(B_i ⊕ z); b is a random number generated by the smart card, and x, y and z are the keys of the registration center;
the user logs in to the server using the smart card;
the smart card performs local verification of the login password supplied by the user; if the password is correct, the smart card further verifies the user's biometric feature, and if that verification passes it generates the first verification data and sends it to the server, otherwise the session is terminated;
after receiving the first verification data, the server generates second verification data proving the server's identity and sends the first and second verification data to the registration center;
the registration center first verifies the legitimacy of the server identity from the received second verification data and then the legitimacy of the user identity from the first verification data; after both the server's and the user's identities have been verified, the registration center generates third and fourth verification data and sends them to the server;
the server verifies the identity of the registration center from the received third verification data; if the server confirms that the third verification data was indeed sent by the registration center, the server generates the server-side session key and sends the fourth verification data to the smart card;
the smart card verifies whether the received fourth verification data is legitimate; if the check passes, the smart card has completed its check of the legitimacy of the server identity and generates the smart-card-side session key, and the smart card and the server then communicate encrypted with a symmetric encryption/decryption method using their respectively generated session keys; otherwise the session is terminated.
2. The method according to claim 1, characterized in that the server registration step further comprises:
the registration center encrypts the server identity SID_j with the key y, generating the hash value RS_j = h(SID_j || y), and then stores {RS_j, g, h(·)} in the server over a secure channel, where g is a system parameter.
3. The method according to claim 1, characterized in that the step of the user registering with the registration center further comprises:
the user submits the user identity UID_i and the password PW_i to the registration center and enrols a fingerprint;
the registration center extracts the digitized fingerprint feature points F_i and generates the double hash of the password P_i = h(h(PW_i)), the secret value of the identity, the user encryption value RU_i = h(UID_i || x), the secret value of the system parameter, and the secret value of the fingerprint feature points V_i = F_i ⊕ h(PW_i);
the smart card generates a random number b, and the registration center then calculates B_i and generates Z_i from it, where x, y and z are the keys of the registration center;
the registration center stores the encrypted information {P_i, D_i, C_i, G_i, V_i, Z_i, B_i, h(·)} in the smart card.
4. The method according to claim 1, characterized in that the user login step further comprises:
the user enters his or her password PW_i* into the smart card, and the smart card checks whether the equation P_i = h(h(PW_i*)) holds; if it holds, the smart card prompts the user to enrol a fingerprint and extracts its feature value F_i*, otherwise the session ends;
the smart card recovers the registered fingerprint feature value by calculation and checks the degree of match between F_i* and F_i; if the match between the two does not exceed the set security threshold, the login is stopped, and if it exceeds the threshold, the login succeeds.
5. The method according to claim 4, characterized in that the step in which the smart card generates and sends the first verification data further comprises:
the smart card generates random numbers r_u and b_new, recovers the user ID, calculates B_new = UID_i ⊕ b_new and Q_i = B_new ⊕ Z_i, recovers RU_i = C_i ⊕ h(PW_i*) and calculates the first verification data M_1 = h(RU_i || g^{r_u} || SID_j || T_i), where T_i is a timestamp representing the current time at the smart-card end; the smart card sends the auxiliary verification data together with the first verification data M_1 to the server.
6. The method according to claim 5, characterized in that the step in which the server sends the first and second verification data to the registration center further comprises:
after receiving the verification data sent by the smart card, the server verifies the validity of its timestamp T_i; if the timestamp is outside the permitted time range, communication is stopped, otherwise the server generates a random number r_s in the multiplicative group of integers modulo q, where q is a large prime, and then calculates the second verification data M_2, where T_j is a timestamp representing the current time at the server end;
the server sends the first and second verification data together with the related auxiliary verification data to the registration center, namely {Q_i, B_i, b_new, M_1, g^{r_u}, T_i} and {SID_j, M_2, g^{r_s}, T_j}.
7. The method according to claim 6, characterized in that the registration center's verification of the legitimacy of the server and user identities further comprises:
the registration center first verifies whether the timestamps T_i and T_j are valid; if they are invalid, the session is terminated, otherwise the following steps are carried out:
the registration center calculates RS_j' = h(SID_j || y) and M_2', then checks whether the equation M_2' = M_2 holds; if it holds, the server is legitimate, otherwise the session is terminated;
the registration center recovers the user identity UID_i = B_new ⊕ b_new, calculates RU_i' = h(UID_i || x) and M_1' = h(RU_i' || g^{r_u} || SID_j || T_i), and judges whether M_1' and M_1 are equal; if they are equal, the identity of the user is legitimate.
8. The method according to claim 7, characterized in that the step in which the registration center generates and sends the third and fourth verification data further comprises:
the registration center calculates the required values and generates the third verification data M_3 = h(g^{r_u} || g^{r_s} || RS_j' || T_i || T_j) and the fourth verification data M_4 = h(g^{r_u} || g^{r_s} || RU_i' || T_i || T_j);
the registration center sends {Q_j, M_3, M_4} to the server.
9. The method according to claim 8, characterized in that the mutual authentication steps for the server and user identities further comprise:
the server verifies whether the third verification data was sent by the registration center; if the check passes, the server forwards the fourth verification data and the auxiliary verification message to the smart card while generating the server-side key, otherwise the session is terminated;
the smart card verifies whether the fourth verification data was sent by the registration center; if the check passes, it generates the smart-card-side key, otherwise the session is terminated.
10. The method according to claim 9, characterized in that, after the smart card has verified that the server identity is legitimate, the method further comprises the step of:
the smart card calculating the new values and replacing the previously stored {Z_i, B_i} with {Z_new, B_new}.
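The login and verification exchange of Steps 4-3 to 6 above and of claims 4 to 10, as an added Python simulation that is not part of the patent: a registration center holding keys x, y and z, one server and one smart card run through M_1 to M_4, the {Z_i, B_i} update and the session key SK = (g^{r_u})^{r_s}. The fingerprint check and the values D_i, G_i and V_i are left out; the message format of M_2, the masking of Z_new inside Q_j and the toy group parameters are not given in the source and are assumptions of this example.

```python
import hashlib, secrets, time
# Toy parameters, constructed for this example: prime modulus q, base g, timestamp validity window (s).
Q, G, WINDOW = (1 << 127) - 1, 5, 30

def h(*fields):  # h(a || b || ...) returned as an integer so it can be XORed with identifiers
    return int.from_bytes(hashlib.sha256("||".join(map(str, fields)).encode()).digest(), "big")

def register(rc_keys, uid, pw, sid, b):  # claims 2-3: RS_j to the server, {P_i, C_i, Z_i, B_i} to the card
    x, y, z = rc_keys                    # D_i, G_i and the fingerprint value V_i are omitted here
    b_i = uid ^ b                        # B_i = UID_i xor b
    card = {"P": h(h(pw)), "C": h(uid, x) ^ h(pw), "Z": h(b_i ^ z), "B": b_i}
    return h(sid, y), card               # RS_j = h(SID_j || y)

def card_login(uid, pw, card, sid):      # claims 4-5: local check, then {Q_i, B_i, b_new, M_1, g^ru, T_i}
    if card["P"] != h(h(pw)):            # P_i = h(h(PW_i)) is checked locally, without a server round trip
        raise PermissionError("local verification failed")
    r_u, b_new, t_i = secrets.randbits(126), secrets.randbits(128), time.time()
    ru = card["C"] ^ h(pw)               # RU_i = C_i xor h(PW_i)
    q_i = (uid ^ b_new) ^ card["Z"]      # Q_i = B_new xor Z_i
    m1 = h(ru, pow(G, r_u, Q), sid, t_i) # M_1 = h(RU_i || g^ru || SID_j || T_i)
    return (q_i, card["B"], b_new, m1, pow(G, r_u, Q), t_i), r_u, ru

def server_request(rs, sid, user_msg):   # claim 6: check T_i, add {SID_j, M_2, g^rs, T_j}
    if abs(time.time() - user_msg[5]) > WINDOW:
        raise PermissionError("stale T_i")
    r_s, t_j = secrets.randbits(126), time.time()
    return (sid, h(rs, pow(G, r_s, Q), t_j), pow(G, r_s, Q), t_j), r_s  # M_2 format is an assumption

def rc_verify(rc_keys, user_msg, server_msg):  # claims 7-8: server first, then user; returns {Q_j, M_3, M_4}
    x, y, z = rc_keys
    (q_i, b_i, b_new, m1, g_ru, t_i), (sid, m2, g_rs, t_j) = user_msg, server_msg
    if abs(time.time() - t_i) > WINDOW or abs(time.time() - t_j) > WINDOW:
        raise PermissionError("stale timestamp")
    rs = h(sid, y)                       # RS'_j = h(SID_j || y)
    if m2 != h(rs, g_rs, t_j):
        raise PermissionError("server identity invalid")
    b_new_rc = q_i ^ h(b_i ^ z)          # B_new = Q_i xor Z_i, with Z_i = h(B_i xor z)
    ru = h(b_new_rc ^ b_new, x)          # UID_i = B_new xor b_new; RU'_i = h(UID_i || x)
    if m1 != h(ru, g_ru, sid, t_i):
        raise PermissionError("user identity invalid")
    z_new = h(b_new_rc ^ z)              # Z_new, which the card will store for its next login
    return z_new ^ ru, h(g_ru, g_rs, rs, t_i, t_j), h(g_ru, g_rs, ru, t_i, t_j)  # Q_j masking is an assumption

def run_session(uid, pw, sid):           # Steps 5-6 / claims 9-10 on top of the exchange above
    rc_keys = tuple(secrets.randbits(128) for _ in range(3))          # registration center keys x, y, z
    rs, card = register(rc_keys, uid, pw, sid, secrets.randbits(128))
    user_msg, r_u, ru = card_login(uid, pw, card, sid)
    server_msg, r_s = server_request(rs, sid, user_msg)
    q_j, m3, m4 = rc_verify(rc_keys, user_msg, server_msg)
    if m3 != h(user_msg[4], server_msg[2], rs, user_msg[5], server_msg[3]):
        raise PermissionError("M_3 not from the registration center")  # server checks M'_3 = M_3
    sk_server = pow(user_msg[4], r_s, Q)                               # SK = (g^ru)^rs
    if m4 != h(user_msg[4], server_msg[2], ru, user_msg[5], server_msg[3]):
        raise PermissionError("M_4 not from the registration center")  # card checks M'_4 = M_4
    card["Z"], card["B"] = q_j ^ ru, uid ^ user_msg[2]                 # replace {Z_i, B_i} by {Z_new, B_new}
    return sk_server, pow(server_msg[2], r_u, Q), card                 # card key (g^rs)^ru equals SK
```

Because the registration center never sees UID_i or RU_i in the clear, an eavesdropper on either link only observes Q_i, B_i, b_new and hashes, and the stored {Z_i, B_i} changes after every successful login.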

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510477113.5A CN105119721B (en) 2015-08-06 2015-08-06 A kind of three factor remote identity authentication methods based on smart card

Publications (2)

Publication Number Publication Date
CN105119721A true CN105119721A (en) 2015-12-02
CN105119721B CN105119721B (en) 2018-05-29

Family

ID=54667621

Country Status (1)

Country Link
CN (1) CN105119721B (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106230840A (en) * 2016-08-04 2016-12-14 南京邮电大学 A kind of command identifying method of high security
CN107294725A (en) * 2016-04-05 2017-10-24 电子科技大学 A kind of three factor authentication methods under environment of multi-server
CN107425964A (en) * 2017-05-09 2017-12-01 哈尔滨工业大学深圳研究生院 Three-side password authentication and key agreement protocol based on the fault-tolerant smart card of information leakage
CN108400962A (en) * 2017-02-08 2018-08-14 上海格尔软件股份有限公司 A kind of Authentication and Key Agreement method under multiserver framework
CN109088888A (en) * 2018-10-15 2018-12-25 山东科技大学 A kind of safety communicating method and its system based on smart card
CN110708337A (en) * 2019-10-30 2020-01-17 山东浪潮商用系统有限公司 Big data security framework system based on identity authentication

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102045170A (en) * 2010-12-28 2011-05-04 北京深思洛克软件技术股份有限公司 Method and system for protecting safety of password
CN103338201A (en) * 2013-07-02 2013-10-02 山东科技大学 Remote identity authentication method participated in by registration center under multi-sever environment
CN103368954A (en) * 2013-07-02 2013-10-23 山东科技大学 Smart card registration entry method based on password and biological characteristics

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
R. MADHUSUDHAN等: "Weaknesses of a dynamic based remote user authentication protocol for multi-server environmentID", 《JOURNAL OF COMPUTER AND COMMUNICATIONS》 *
TE-YU CHEN等: "Towards secure and efficient user authentication scheme using smart card for multi-server environments", 《THE JOURNAL OF SUPERCOMPUTING》 *
崔建明: "《中国博士学位论文全文数据库(电子期刊)》", 30 September 2013 *
张莹: "《中国硕士学位论文全文数据库(电子期刊)》", 31 December 2014 *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20151202

Assignee: Qingdao Huaheng Shengtai Electronic Technology Co.,Ltd.

Assignor: SHANDONG University OF SCIENCE AND TECHNOLOGY

Contract record no.: X2023370010006

Denomination of invention: A three-factor remote identity authentication method based on smart card

Granted publication date: 20180529

License type: Common License

Record date: 20230106