CN106877996A - User in PKI domains accesses the authentication key agreement method of the resource in IBC domains - Google Patents

User in PKI domains accesses the authentication key agreement method of the resource in IBC domains Download PDF

Info

Publication number
CN106877996A
CN106877996A CN201710082835.XA CN201710082835A CN106877996A CN 106877996 A CN106877996 A CN 106877996A CN 201710082835 A CN201710082835 A CN 201710082835A CN 106877996 A CN106877996 A CN 106877996A
Authority
CN
China
Prior art keywords
domains
user
ibc
resource
session key
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710082835.XA
Other languages
Chinese (zh)
Other versions
CN106877996B (en
Inventor
张文芳
袁超
王小敏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Chuangxin Huatong Information Technology Co ltd
Original Assignee
Southwest Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Southwest Jiaotong University filed Critical Southwest Jiaotong University
Priority to CN201710082835.XA priority Critical patent/CN106877996B/en
Publication of CN106877996A publication Critical patent/CN106877996A/en
Application granted granted Critical
Publication of CN106877996B publication Critical patent/CN106877996B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/006Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0847Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Multi Processors (AREA)

Abstract

The invention discloses the authentication key agreement method that the user in a kind of PKI domains accesses the resource in IBC domains, its main operational steps is:A, application are accessed:The user in PKI domains sends the request of the resource for accessing IBC domains to the certificate server in this domain, and the access request of user is forwarded after the certificate server certification user identity legitimacy of PKI domains to the certificate server in IBC domains;B, generation user index simultaneously send;C, bidirectional identity authentication and consulting session key:Session key is to carry out XOR treatment by the User Part after the certificate server part of session key and filling to obtain;D, re-authentication:When the User Part of session key exceeds its life cycle, but session key certificate server part still in its life cycle, if the user in PKI domains still needs to access the resource in IBC domains, quick re-authentication can be carried out;E, termination session.The method can effectively realize that the user in PKI domains accesses the authenticated key agreement of the resource in IBC domains, and its consumption resource is few, safe.

Description

User in PKI domains accesses the authentication key agreement method of the resource in IBC domains
Technical field
The invention belongs to across isomery domain certifiede-mail protocol technical field in information communication.
Background technology
The various applications of distributed network environment, such as virtual enterprise, instantaneous communication system etc., user want with it The information resources of access are often all in different trust domain.And different trust domain may be based on different password bodies System, such as cipher system based on Kerberos and (is based on cipher system based on PKI (PKIX) based on IBC The cryptographic technique of identity) cipher system etc..Authentication key agreement method between isomorphic field has had more research, and And formed standard and be widely used.Also have for the authentication key agreement method between two domains of PKI and Kerberos More research.But the user in PKI domains accesses the authentication key agreement method during resource in IBC domains, but few people's research.And Under the application scenarios such as the such as virtual enterprise under distributed network, Agile manufactruing, the user in PKI domains accesses the resource in IBC domains Application demand it is a lot.
Authenticated key agreement document when the user in existing PKI domains accesses the resource in IBC domains only has:
(Meng Xin, Hu Liang, just sword peak, waits cross-domain authorization [J] of isomery trust domain to document 1 " cross-domain authorization in isomery domain " Jilin University's journal Edition, 2010,48 (1):The mutual trust interconnection system between PKI isomorphic fields 89-93.) is relied on, using body Part mapping, cross-domain authorization two parts content realizes the credible interconnection between IBC and PKI domains.But it is a large amount of multiple in the document Using to certificate, certificate can all consume substantial amounts of resource in transmission in storing process, design IBC cipher systems originally with people Original intention be not inconsistent;Very not direct by the way of identity map, feasibility is not high in the application of reality.And the document is With identity map, the mode of Trust transitivity realizes the thought of certification, does not have specific protocol procedures, and it is a kind of new that can only can be regarded as Cross-domain authorization thought rather than a scheme that can be directly realized by.
The content of the invention
It is an object of the invention to provide the authenticated key agreement side that the user in a kind of PKI domains accesses the resource in IBC domains Method, the method can effectively realize that the user in PKI domains accesses the authenticated key agreement of the resource in IBC domains, and its consumption resource is few, It is safe.
The technical scheme adopted by the invention for realizing the object of the invention is that the user in a kind of PKI domains is accessed in IBC domains The authentication key agreement method of resource, its operating procedure is:
A, application are accessed
The user U in PKI domains sends the request of the resource S for accessing IBC domains, the certification of PKI domains to the certificate server CA in PKI domains Server CA is authenticated to the identity legitimacy of the user U in PKI domains;If certification does not pass through, step E is jumped to;Otherwise, to The access request of the user U in IBC domains certificate server TA forwarding PKI domains;
B, generation user index simultaneously send
IBC domains certificate server TA carries out authentication to PKI domains certificate server CA, if certification does not pass through, redirects To step E;Otherwise, the user U in IBC domains certificate server TA generations PKI domains accesses recognizing for the session key K of resource S in IBC domains Card server section k1, and generate the certificate server part k of session key K1Corresponding user index Na;And the user index Na is differed to randomly generate and with existing subscriber's index;
IBC domains certificate server TA utilizes own private key SKTATo the identity ID of IBC domains certificate servers TATA, use Family indexes the certificate server part k of Na and session key K1, signed signature information Msign, recycle PKI domains The public key PK of user UUTo signature information MsignIt is encrypted, obtains user and receive message MA2TA->U, and user is received into message MA2TA->UIt is sent to the user U in PKI domains;
Meanwhile, IBC domains certificate server TA utilizes the public key Q of resource S in IBC domainsSTo signature information MsignAdded It is close, obtain resource receive information MA2TA->S, and by resource receive information MA2TA->SIt is sent to the resource S in IBC domains;
C, bidirectional identity authentication and consulting session key
The user U in C1, PKI domain utilizes own private key SKUThe user sent to IBC domains certificate server TA receives message MA2TA->UIt is decrypted, obtains the identity ID of IBC domains certificate servers TATA, user index Na and session key K certification Server section k1;Recycle the identity ID of IBC domains certificate servers TATA, calculate the public affairs of IBC domains certificate servers TA Key QTA, and with the public key Q of IBC domains certificate servers TATATo verify the validity of signature, if checking does not pass through, step is jumped to Rapid E;Otherwise, the User Part k of the user U generation session keys K in PKI domains2, and by the User Part k of session key K2At first place It is filled, makes its certificate server part k with session key K1Digit it is identical, then the certification of session key K is taken Business device part k1With the User Part k after filling2Carry out XOR treatment and obtain complete session key K;
Resource S own private key S in C2, IBC domainSThe resource sent to certificate server TA in IBC domains in step B Receive message MA2TA->SIt is decrypted, obtains the certificate server part K of decrypted session key K '1' and corresponding resource-side are used Family indexes Na';
The user U in C3, PKI domain recycles the identity ID of the resource S in IBC domainsS, calculate the resource S in IBC domains Public key QS, to the User Part K of session key K2It is encrypted with user index Na, obtains user's ciphertext S-k2;Meanwhile, profit With session key K to the identity ID of the resource S in IBC domainsSIt is encrypted, obtains identity ciphertext S-ID;To use again Family ciphertext S-k2The resource S in IBC domains is sent jointly to identity ciphertext S-ID;
Resource S in C4, IBC domain is to user's ciphertext S-k for receiving2It is decrypted, obtains resource-side session key K ' ''s User Part K2' ' and user terminal user index Na ' ';Search again for out detection decryption corresponding with user terminal user index Na ' ' The certificate server part K of session key K ' ' '1' ' ';Again by the User Part K of resource-side session key K ' '2' ' enter at first place Row filling, makes its certificate server part K with detection decrypted session key K ' ' '1The digit of ' ' ' is identical, and then detection is solved The certificate server part K of close session key K ' ' '1User Part K after ' ' ' and filling2' ' carry out XOR treatment and obtain complete Resource-side session key K ' ';The identity ciphertext S-ID for receiving is decrypted with resource-side session key K ' ' again, IBC domains are obtained The extraction identity ID of interior resource SS', identity ID will be extractedS' and IBC domains resource S identity IDSTested Card, if the two is inconsistent, jumps to step E;Otherwise, the resource-side session key K ' ' of the resource S in IBC domains are to its identity Mark IDSIt is encrypted, obtains the resource-side identity ciphertext M of the resource S in IBC domainsA3S->U, and send it to PKI domains User U;
The user U session keys K in C5, PKI domain is to the resource-side identity ciphertext M that receivesA3S->UIt is decrypted, obtains To the user terminal identity ID of the resource S in IBC domainsS", and verify the user terminal identity ID of resource S in IBC domainsS” Validity, if checking do not pass through, jump to step E;The certification key of the otherwise user U in the PKI domains and resource S in IBC domains Consult to complete, the user U in PKI domains has secure access to the resource S in IBC domains using session key K;
D, re-authentication
As the certificate server part k of session key K1During beyond its life cycle, IBC domains certificate server TA destroys B The certificate server part k with session key K generated in step1Corresponding user index Na;Resource S in IBC domains is destroyed It is being obtained in C2 steps with session key K certificate server part K1Corresponding user index Na;If the user U in PKI domains is not The resource S in IBC domains is visited again, then jumps to step E;If the user U in PKI domains still needs to access the resource S in IBC domains, jump to Step A;
As the User Part k of session key K2Beyond its life cycle, but session key K certificate server part k1Still In its life cycle, if the user U in PKI domains does not visit again the resource S in IBC domains, step E is jumped to;If the use in PKI domains Family U still needs to access the resource S in IBC domains, then jump to step A or carry out quick re-authentication;
E, termination session.
Compared with prior art, the beneficial effects of the invention are as follows:
First, across the isomery domain authenticated key agreement during resource in IBC domains is accessed The present invention gives the user in PKI domains Method so that the resource in access IBC domains that the user in PKI domains can be safe.
2nd, session key is to carry out XOR treatment by the certificate server part of session key and User Part to obtain, compared with The simple session key generated by certificate server for, its security is largely increased, and increased resource consumption It is few.
3rd, the resource in IBC domains is based on the method for user index come the legal identity of the user in certification PKI domains, due to User index is randomly generated, ciphertext is transmitted;Therefore can guarantee that the security of access.Than traditional based on access mandate bill Authentication method, the information content of user index is few, and the traffic can be efficiently reduced again.
4th, when the certificate server part of session key exceeds its life cycle, its corresponding user index is sold immediately Ruin;Reduce the consumption to storage resource;Meanwhile, generate new user index faster, retrieved using user index When more it is rapid efficiently.
Further, the certificate server part K of the session key K in step B of the invention1Digit be 128;It is described C1 steps in, the User Part K of the user U in IBC domains generation session key K2Length be 80.
So, the certificate server part being filled with 128 using the User Part of 80 carries out XOR must attend the meeting Words key, than the session key for only being obtained by the certificate server part of 128, the life cycle of key is shorter, and session is close The safety of key is guaranteed, meanwhile, the increased traffic is little.
Further, the specific practice of the quick re-authentication in D steps of the invention is:
User U generation re-authentication session keys K in PKI domainsRUser Part KR2, and by re-authentication session key KR's User Part KR2The first place is filled, and makes it with re-authentication session key KRCertificate server part k1Digit it is identical, Then counterweight authen session key KRCertificate server part k1With the User Part K after fillingR2XOR treatment is carried out to obtain Complete re-authentication session key KR;Go to C3 steps.
So, when session key User Part exceed its life cycle, but session key certificate server part still When in its life cycle;If the user in PKI domains still needs to access the resource in IBC domains, quick re-authentication can be carried out, and without again The operation that application is accessed and access mandate bill is generated and distributed is carried out, on the premise of access safety is ensured, is greatly reduced The interaction times of method, the traffic and amount of calculation.
With reference to specific embodiment, the present invention is described in further detail.
Specific embodiment
Embodiment
A kind of user in PKI domains accesses the authentication key agreement method of the resource in IBC domains, and its operating procedure is:
A, application are accessed
The user U in PKI domains sends the request of the resource S for accessing IBC domains, the certification of PKI domains to the certificate server CA in PKI domains Server CA is authenticated to the identity legitimacy of the user U in PKI domains;If certification does not pass through, step E is jumped to;Otherwise, to The access request of the user U in IBC domains certificate server TA forwarding PKI domains;
B, generation user index simultaneously send
IBC domains certificate server TA carries out authentication to PKI domains certificate server CA, if certification does not pass through, redirects To step E;Otherwise, the user U in IBC domains certificate server TA generations PKI domains accesses recognizing for the session key K of resource S in IBC domains Card server section k1, and generate the certificate server part k of session key K1Corresponding user index Na;And the user index Na is differed to randomly generate and with existing subscriber's index;
IBC domains certificate server TA utilizes own private key SKTATo the identity ID of IBC domains certificate servers TATA, use Family indexes the certificate server part k of Na and session key K1, signed signature information Msign, recycle PKI domains The public key PK of user UUTo signature information MsignIt is encrypted, obtains user and receive message MA2TA->U, and user is received into message MA2TA->UIt is sent to the user U in PKI domains;
Meanwhile, IBC domains certificate server TA utilizes the public key Q of resource S in IBC domainsSTo signature information MsignAdded It is close, obtain resource receive information MA2TA->S, and by resource receive information MA2TA->SIt is sent to the resource S in IBC domains;
C, bidirectional identity authentication and consulting session key
The user U in C1, PKI domain utilizes own private key SKUThe user sent to IBC domains certificate server TA receives message MA2TA->UIt is decrypted, obtains the identity ID of IBC domains certificate servers TATA, user index Na and session key K certification Server section k1;Recycle the identity ID of IBC domains certificate servers TATA, calculate the public affairs of IBC domains certificate servers TA Key QTA, and with the public key Q of IBC domains certificate servers TATATo verify the validity of signature, if checking does not pass through, step is jumped to Rapid E;Otherwise, the User Part k of the user U generation session keys K in PKI domains2, and by the User Part k of session key K2At first place It is filled, makes its certificate server part k with session key K1Digit it is identical, then the certification of session key K is taken Business device part k1With the User Part k after filling2Carry out XOR treatment and obtain complete session key K;
Resource S own private key S in C2, IBC domainSThe resource sent to certificate server TA in IBC domains in step B Receive message MA2TA->SIt is decrypted, obtains the certificate server part K of decrypted session key K '1' and corresponding resource-side are used Family indexes Na';
The user U in C3, PKI domain recycles the identity ID of the resource S in IBC domainsS, calculate the resource S in IBC domains Public key QS, to the User Part K of session key K2It is encrypted with user index Na, obtains user's ciphertext S-k2;Meanwhile, profit With session key K to the identity ID of the resource S in IBC domainsSIt is encrypted, obtains identity ciphertext S-ID;To use again Family ciphertext S-k2The resource S in IBC domains is sent jointly to identity ciphertext S-ID;
Resource S in C4, IBC domain is to user's ciphertext S-k for receiving2It is decrypted, obtains resource-side session key K ' ''s User Part K2' ' and user terminal user index Na ' ';Search again for out detection decryption corresponding with user terminal user index Na ' ' The certificate server part K of session key K ' ' '1' ' ';Again by the User Part K of resource-side session key K ' '2' ' enter at first place Row filling, makes its certificate server part K with detection decrypted session key K ' ' '1The digit of ' ' ' is identical, and then detection is solved The certificate server part K of close session key K ' ' '1User Part K after ' ' ' and filling2' ' carry out XOR treatment and obtain complete Resource-side session key K ' ';The identity ciphertext S-ID for receiving is decrypted with resource-side session key K ' ' again, IBC domains are obtained The extraction identity ID of interior resource SS', identity ID will be extractedS' and IBC domains resource S identity IDSTested Card, if the two is inconsistent, jumps to step E;Otherwise, the resource-side session key K ' ' of the resource S in IBC domains are to its identity Mark IDSIt is encrypted, obtains the resource-side identity ciphertext M of the resource S in IBC domainsA3S->U, and send it to PKI domains User U;
The user U session keys K in C5, PKI domain is to the resource-side identity ciphertext M that receivesA3S->UIt is decrypted, obtains To the user terminal identity ID of the resource S in IBC domainsS", and verify the user terminal identity ID of resource S in IBC domainsS” Validity, if checking do not pass through, jump to step E;The certification key of the otherwise user U in the PKI domains and resource S in IBC domains Consult to complete, the user U in PKI domains has secure access to the resource S in IBC domains using session key K;
D, re-authentication
As the certificate server part k of session key K1During beyond its life cycle, IBC domains certificate server TA destroys B The certificate server part k with session key K generated in step1Corresponding user index Na;Resource S in IBC domains is destroyed It is being obtained in C2 steps with session key K certificate server part K1Corresponding user index Na;If the user U in PKI domains is not The resource S in IBC domains is visited again, then jumps to step E;If the user U in PKI domains still needs to access the resource S in IBC domains, jump to Step A;
As the User Part k of session key K2Beyond its life cycle, but session key K certificate server part k1Still In its life cycle, if the user U in PKI domains does not visit again the resource S in IBC domains, step E is jumped to;If the use in PKI domains Family U still needs to access the resource S in IBC domains, then jump to step A or carry out quick re-authentication;
E, termination session.
The certificate server part K of the session key K in the step B of this example1Digit be 128;Described C1 steps In, the User Part K of the user U generation session keys K in PKI domains2Length be 80.
The specific practice of the quick re-authentication in the D steps of this example is:
User U generation re-authentication session keys K in PKI domainsRUser Part KR2, and by re-authentication session key KR's User Part KR2The first place is filled, and makes it with re-authentication session key KRCertificate server part k1Digit it is identical, Then counterweight authen session key KRCertificate server part k1With the User Part K after fillingR2XOR treatment is carried out to obtain Complete re-authentication session key KR;Go to C3 steps.

Claims (3)

1. the user in a kind of PKI domains accesses the authentication key agreement method of the resource in IBC domains, and its operating procedure is:
A, application are accessed
The user U in PKI domains sends the request of the resource S for accessing IBC domains, PKI domains authentication service to the certificate server CA in PKI domains Device CA is authenticated to the identity legitimacy of the user U in PKI domains;If certification does not pass through, step E is jumped to;Otherwise, to IBC The access request of the user U in domain certificate server TA forwarding PKI domains;
B, generation user index simultaneously send
IBC domains certificate server TA carries out authentication to PKI domains certificate server CA, if certification does not pass through, jumps to step Rapid E;Otherwise, the user U in IBC domains certificate server TA generation PKI domains accesses the certification clothes of the session key K of resource S in IBC domains Business device part k1, and generate the certificate server part k of session key K1Corresponding user index Na;And user index Na is Randomly generate and differed with existing subscriber's index;
IBC domains certificate server TA utilizes own private key SKTATo the identity ID of IBC domains certificate servers TATA, user index The certificate server part k of Na and session key K1, signed signature information Msign, recycle the user U in PKI domains Public key PKUTo signature information MsignIt is encrypted, obtains user and receive message MA2TA->U, and user is received into message MA2TA->UIt is sent to the user U in PKI domains;
Meanwhile, IBC domains certificate server TA utilizes the public key Q of resource S in IBC domainsSTo signature information MsignIt is encrypted, obtains To resource receive information MA2TA->S, and by resource receive information MA2TA->SIt is sent to the resource S in IBC domains;
C, bidirectional identity authentication and consulting session key
The user U in C1, PKI domain utilizes own private key SKUThe user sent to IBC domains certificate server TA receives message MA2TA->U It is decrypted, obtains the identity ID of IBC domains certificate servers TATA, user index Na and session key K certificate server Part k1;Recycle the identity ID of IBC domains certificate servers TATA, calculate the public key Q of IBC domains certificate servers TATA, And with the public key Q of IBC domains certificate servers TATATo verify the validity of signature, if checking does not pass through, step E is jumped to;It is no Then, the User Part k of the user U generation session keys K in PKI domains2, and by the User Part k of session key K2The first place is filled out Fill, make its certificate server part k with session key K1Digit it is identical, then to the certificate server portion of session key K Divide k1With the User Part k after filling2Carry out XOR treatment and obtain complete session key K;
Resource S own private key S in C2, IBC domainSThe resource sent to certificate server TA in IBC domains in step B is received Message MA2TA->SIt is decrypted, obtains the certificate server part K of decrypted session key K '1' and corresponding resource end subscriber rope Draw Na';
The user U in C3, PKI domain recycles the identity ID of the resource S in IBC domainsS, calculate the public affairs of the resource S in IBC domains Key QS, to the User Part K of session key K2It is encrypted with user index Na, obtains user's ciphertext S-k2;Meanwhile, using meeting Identity IDs of the words key K to the resource S in IBC domainsSIt is encrypted, obtains identity ciphertext S-ID;It is again that user is close Literary S-k2The resource S in IBC domains is sent jointly to identity ciphertext S-ID;
Resource S in C4, IBC domain is to user's ciphertext S-k for receiving2Be decrypted, obtain resource-side session key K " use the Ministry of Revenue Divide K2" and user terminal user index Na ";Search again for out and user terminal user index Na " corresponding detection decrypted session keys The certificate server part K of K " '1″′;Again by resource-side session key K " User Part K2" first place at be filled, make its with The certificate server part K of detection decrypted session key K " '1" ' digit it is identical, then to detection decrypted session key K " ' Certificate server part K1" ' and filling after User Part K2" carry out XOR treatment and obtain complete resource-side session key K "; Again with resource-side session key K, " the identity ciphertext S-ID that decryption is received, obtains the extraction identity of resource S in IBC domains IDS', identity ID will be extractedS' and IBC domains resource S identity IDSVerified, if the two is inconsistent, redirected To step E;Otherwise, the resource-side session key K of the resource S in IBC domains are " to its identity IDSIt is encrypted, obtains IBC The resource-side identity ciphertext M of the resource S in domainA3S->U, and send it to the user U in PKI domains;
The user U session keys K in C5, PKI domain is to the resource-side identity ciphertext M that receivesA3S->UIt is decrypted, obtains IBC The user terminal identity ID of the resource S in domainS", and verify the user terminal identity ID of resource S in IBC domainsS" it is effective Property, if checking does not pass through, jump to step E;The authenticated key agreement of the otherwise resource S in the user U and IBC domains in PKI domains is complete Into the user U in PKI domains is had secure access to using session key K to the resource S in IBC domains;
D, re-authentication
As the certificate server part k of session key K1During beyond its life cycle, IBC domains certificate server TA is destroyed in step B The certificate server part k with session key K of generation1Corresponding user index Na;Resource S in IBC domains destroys C2 steps In the certificate server part K with session key K that obtains1Corresponding user index Na;If the user U in PKI domains is not visited again The resource S in IBC domains, then jump to step E;If the user U in PKI domains still needs to access the resource S in IBC domains, step A is jumped to;
As the User Part k of session key K2Beyond its life cycle, but session key K certificate server part k1Still at it In life cycle, if the user U in PKI domains does not visit again the resource S in IBC domains, step E is jumped to;If the user U in PKI domains Still need to access the resource S in IBC domains, then jump to step A or carry out quick re-authentication;
E, termination session.
2. the user in a kind of PKI domains according to claim 1 accesses the authenticated key agreement side of the resource in IBC domains Method, it is characterised in that the certificate server part k of the session key K in described step B1Digit be 128;Described In C1 steps, the User Part k of the user U generation session keys K in PKI domains2Length be 80.
3. the user in a kind of PKI domains according to claim 1 accesses the authenticated key agreement side of the resource in IBC domains Method, it is characterised in that the specific practice of the quick re-authentication in the D steps is:
User U generation re-authentication session keys K in PKI domainsRUser Part KR2, and by re-authentication session key KRUser Part KR2The first place is filled, and makes it with re-authentication session key KRCertificate server part k1Digit it is identical, then Counterweight authen session key KRCertificate server part k1With the User Part K after fillingR2Carry out XOR treatment and obtain complete Re-authentication session key KR;Go to C3 steps.
CN201710082835.XA 2017-02-16 2017-02-16 User in the domain PKI accesses the authentication key agreement method of the resource in the domain IBC Active CN106877996B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710082835.XA CN106877996B (en) 2017-02-16 2017-02-16 User in the domain PKI accesses the authentication key agreement method of the resource in the domain IBC

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710082835.XA CN106877996B (en) 2017-02-16 2017-02-16 User in the domain PKI accesses the authentication key agreement method of the resource in the domain IBC

Publications (2)

Publication Number Publication Date
CN106877996A true CN106877996A (en) 2017-06-20
CN106877996B CN106877996B (en) 2019-09-24

Family

ID=59166113

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710082835.XA Active CN106877996B (en) 2017-02-16 2017-02-16 User in the domain PKI accesses the authentication key agreement method of the resource in the domain IBC

Country Status (1)

Country Link
CN (1) CN106877996B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737436A (en) * 2018-05-31 2018-11-02 西安电子科技大学 Based on the cross-domain services device identity identifying method for trusting alliance's block chain
CN110097370A (en) * 2019-03-29 2019-08-06 捷德(中国)信息科技有限公司 Off line method of payment, device, server and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090240941A1 (en) * 2006-06-29 2009-09-24 Electronics And Telecommunications Research Institute Method and apparatus for authenticating device in multi domain home network environment
CN102164151A (en) * 2011-05-20 2011-08-24 北京理工大学 Bilinear-group-based cross-domain union authentication method
CN102970144A (en) * 2012-12-20 2013-03-13 四川长虹电器股份有限公司 Identity-based authentication method
CN103780618A (en) * 2014-01-22 2014-05-07 西南交通大学 Method for cross-isomerism domain identity authentication and session key negotiation based on access authorization ticket

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090240941A1 (en) * 2006-06-29 2009-09-24 Electronics And Telecommunications Research Institute Method and apparatus for authenticating device in multi domain home network environment
CN102164151A (en) * 2011-05-20 2011-08-24 北京理工大学 Bilinear-group-based cross-domain union authentication method
CN102970144A (en) * 2012-12-20 2013-03-13 四川长虹电器股份有限公司 Identity-based authentication method
CN103780618A (en) * 2014-01-22 2014-05-07 西南交通大学 Method for cross-isomerism domain identity authentication and session key negotiation based on access authorization ticket

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
HENG WANG: ""An End-to-end QoS Guarantee Scheme in Heterogeneous Networks"", 《2013 THIRD INTERNATIONAL CONFERENCE ON INSTRUMENTATION, MEASUREMENT, COMPUTER, COMMUNICATION AND CONTROL》 *
姚瑶 等: ""基于跨域认证与密钥协商的协议模型"", 《计算机工程》 *
魏振宇 等: ""基于PKI体系的跨域密钥协商协议"", 《计算机科学》 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108737436A (en) * 2018-05-31 2018-11-02 西安电子科技大学 Based on the cross-domain services device identity identifying method for trusting alliance's block chain
CN110097370A (en) * 2019-03-29 2019-08-06 捷德(中国)信息科技有限公司 Off line method of payment, device, server and medium
CN110097370B (en) * 2019-03-29 2022-03-04 捷德(中国)信息科技有限公司 Offline payment method, device, server and medium

Also Published As

Publication number Publication date
CN106877996B (en) 2019-09-24

Similar Documents

Publication Publication Date Title
US10243742B2 (en) Method and system for accessing a device by a user
CN107257334B (en) Identity authentication method for Hadoop cluster
CN103780618B (en) A kind of based on across the isomery territory authentication accessing mandate bill and session cipher negotiating method
CN103532981B (en) A kind of identity trustship towards many tenants authenticates cloud resource access control system and control method
CN104601593B (en) The method that anti-tracking in network electronic authentication procedures is realized based on challenge mode
CN108123795B (en) Quantum key chip issuing method, application method, issuing platform and system
CN106789042A (en) User in IBC domains accesses the authentication key agreement method of the resource in PKI domains
CN105791272A (en) Method and device for secure communication in Internet of Things
KR20180095873A (en) Wireless network access method and apparatus, and storage medium
CN106295393A (en) Electronic prescription operational approach, Apparatus and system
CN101686127A (en) Novel USBKey secure calling method and USBKey device
CN108809633B (en) Identity authentication method, device and system
CN108566273A (en) Identity authorization system based on quantum network
CN102685749A (en) Wireless safety authentication method orienting to mobile terminal
CN106060078A (en) User information encryption method, user registration method and user validation method applied to cloud platform
CN109951513A (en) Anti- quantum calculation wired home quantum cloud storage method and system based on quantum key card
CN111756530B (en) Quantum service mobile engine system, network architecture and related equipment
CN103916363A (en) Communication security management method and system for encryption machine
CN108011873A (en) A kind of illegal connection determination methods based on set covering
CN110505055A (en) Based on unsymmetrical key pond to and key card outer net access identity authentication method and system
CN109272314A (en) A kind of safety communicating method and system cooperateing with signature calculation based on two sides
CN110519304A (en) HTTPS mutual authentication method based on TEE
CN104486322B (en) Terminal access authentication authorization method and terminal access authentication authoring system
CN106789845A (en) A kind of method of network data security transmission
CN110572392A (en) Identity authentication method based on HyperLegger network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230419

Address after: Room 801, 85 Kefeng Road, Huangpu District, Guangzhou City, Guangdong Province

Patentee after: Yami Technology (Guangzhou) Co.,Ltd.

Address before: 610031 No. two, section 111, ring road, Chengdu, Sichuan, China

Patentee before: SOUTHWEST JIAOTONG University

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20240110

Address after: 610096, China (Sichuan) Pilot Free Trade Zone, Chengdu, Sichuan Province, China. No. 138 Tianfu Second Street, Chengdu High tech Zone, Building 2, 30th Floor, 3002, 3003

Patentee after: Chengdu Chuangxin Huatong Information Technology Co.,Ltd.

Address before: Room 801, 85 Kefeng Road, Huangpu District, Guangzhou City, Guangdong Province

Patentee before: Yami Technology (Guangzhou) Co.,Ltd.

TR01 Transfer of patent right