Summary of the invention
The object of the invention is to provide an authenticated key agreement method by which a user in a PKI domain accesses a resource in an IBC domain. The method effectively achieves authenticated key agreement for a user in a PKI domain accessing a resource in an IBC domain, consumes few resources, and is secure.
The technical solution adopted to achieve this object is an authenticated key agreement method for a user in a PKI domain to access a resource in an IBC domain, with the following operating steps:
A. Access request
The user U in the PKI domain sends a request to access the resource S in the IBC domain to the authentication server CA of the PKI domain. The PKI-domain authentication server CA authenticates the legitimacy of the identity of user U. If authentication fails, go to step E; otherwise, CA forwards the access request of user U to the IBC-domain authentication server TA.
B. Generating and sending the user index
The IBC-domain authentication server TA authenticates the identity of the PKI-domain authentication server CA. If authentication fails, go to step E. Otherwise, TA generates the authentication-server part k1 of the session key K with which user U in the PKI domain accesses resource S in the IBC domain, and generates the user index Na corresponding to k1. The user index Na is randomly generated and differs from every existing user index.
TA uses its own private key SK_TA to sign the identity ID_TA of TA, the user index Na and the authentication-server part k1 of session key K, producing the signed message M_sign. It then encrypts M_sign with the public key PK_U of user U in the PKI domain to obtain the user-received message M_A2(TA->U), and sends M_A2(TA->U) to user U.
At the same time, TA encrypts the signed message M_sign with the public key Q_S of resource S in the IBC domain to obtain the resource-received message M_A2(TA->S), and sends M_A2(TA->S) to resource S.
C. Mutual identity authentication and session key negotiation
C1. User U in the PKI domain uses its own private key SK_U to decrypt the user-received message M_A2(TA->U) sent by TA, obtaining the identity ID_TA of TA, the user index Na and the authentication-server part k1 of session key K. Using ID_TA, user U computes the public key Q_TA of TA and uses Q_TA to verify the validity of the signature. If verification fails, go to step E. Otherwise, user U generates the user part k2 of session key K, pads k2 at its leading end so that it has the same number of bits as k1, and then XORs k1 with the padded k2 to obtain the complete session key K.
C2. Resource S in the IBC domain uses its own private key S_S to decrypt the resource-received message M_A2(TA->S) sent by TA in step B, obtaining the authentication-server part K1' of the decrypted session key K' and the corresponding resource-side user index Na'.
C3. User U in the PKI domain then uses the identity ID_S of resource S to compute the public key Q_S of resource S, and encrypts the user part k2 of session key K together with the user index Na to obtain the user ciphertext S-k2. At the same time, user U encrypts the identity ID_S of resource S with session key K to obtain the identity ciphertext S-ID. User U then sends S-k2 and S-ID together to resource S.
C4. Resource S in the IBC domain decrypts the received user ciphertext S-k2, obtaining the user part K2'' of the resource-side session key K'' and the user-side user index Na''. It then searches for the authentication-server part K1''' of the detected decrypted session key K''' that corresponds to Na''. It pads K2'' at its leading end so that it has the same number of bits as K1''', and then XORs K1''' with the padded K2'' to obtain the complete resource-side session key K''. It decrypts the received identity ciphertext S-ID with K'', obtaining the extracted identity ID_S' of resource S, and checks ID_S' against the identity ID_S of resource S. If the two are inconsistent, go to step E. Otherwise, resource S encrypts its identity ID_S with the resource-side session key K'' to obtain the resource-side identity ciphertext M_A3(S->U), and sends it to user U in the PKI domain.
C5. User U in the PKI domain decrypts the received resource-side identity ciphertext M_A3(S->U) with session key K, obtaining the user-side identity ID_S'' of resource S, and verifies the validity of ID_S''. If verification fails, go to step E. Otherwise, the authenticated key agreement between user U in the PKI domain and resource S in the IBC domain is complete, and user U securely accesses resource S using session key K.
D. Re-authentication
When the authentication-server part k1 of session key K exceeds its lifetime, the IBC-domain authentication server TA destroys the user index Na generated in step B that corresponds to k1, and resource S in the IBC domain destroys the user index Na obtained in step C2 that corresponds to k1. If user U in the PKI domain no longer accesses resource S, go to step E; if user U still needs to access resource S, go to step A.
When the user part k2 of session key K exceeds its lifetime but the authentication-server part k1 is still within its lifetime: if user U in the PKI domain no longer accesses resource S, go to step E; if user U still needs to access resource S, go to step A or perform quick re-authentication.
E. Terminate the session.
Compared with the prior art, the beneficial effects of the invention are:
1. The invention provides a cross-heterogeneous-domain authenticated key agreement method for a user in a PKI domain accessing a resource in an IBC domain, so that the user in the PKI domain can securely access the resource in the IBC domain.
2. The session key is obtained by XORing the authentication-server part of the session key with the user part. Compared with a session key generated by the authentication server alone, its security is greatly improved, while the added resource consumption is small.
3. The resource in the IBC domain authenticates the legitimate identity of the user in the PKI domain by means of the user index. Because the user index is randomly generated and transmitted as ciphertext, the security of access is guaranteed. Compared with traditional authentication methods based on access authorization tickets, the user index carries little information, which also effectively reduces traffic.
4. When the authentication-server part of the session key exceeds its lifetime, the corresponding user index is destroyed immediately, which reduces the consumption of storage resources. At the same time, new user indexes are generated faster, and retrieval by user index is quicker and more efficient.
Further, the authentication-server part k1 of session key K in step B of the invention has a length of 128 bits; in step C1, the user part k2 of session key K generated by user U in the PKI domain has a length of 80 bits.
In this way, the session key is obtained by XORing the 80-bit user part, padded to 128 bits, with the 128-bit authentication-server part. Compared with a session key obtained only from the 128-bit authentication-server part, the lifetime of the key is shorter and the security of the session key is guaranteed, while the added traffic is small.
Further, the quick re-authentication in step D of the invention is carried out as follows:
User U in the PKI domain generates the user part K_R2 of the re-authentication session key K_R, pads K_R2 at its leading end so that it has the same number of bits as the authentication-server part k1 of K_R, and then XORs k1 with the padded K_R2 to obtain the complete re-authentication session key K_R; then go to step C3.
In this way, when the user part of the session key has exceeded its lifetime but the authentication-server part is still within its lifetime, a user in the PKI domain who still needs to access the resource in the IBC domain can perform quick re-authentication without repeating the access request or the generation and distribution of access authorization tickets. While access security is ensured, this greatly reduces the number of interactions, the traffic and the computation of the method.
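The key-combination and index-lookup logic of steps B, C1, C4, D and quick re-authentication, as an added Python example that is not code from the patent. It omits the public-key encryption and signature steps, and it assumes zero-valued leading padding, a 16-byte Na and a numeric clock, none of which the text specifies.

```python
import secrets

K1_BYTES, K2_BYTES = 16, 10   # 128-bit k1 and 80-bit k2, the sizes given in the text
NA_BYTES = 16                 # assumption: the text does not give the length of Na

def combine(k1: bytes, k2: bytes) -> bytes:
    """Steps C1/C4: pad k2 at its leading end to len(k1), then XOR with k1.
    Assumption: the fill value is zero; the text does not name it. With zero
    fill, the leading len(k1) - len(k2) bytes of K equal those of k1."""
    if len(k2) > len(k1):
        raise ValueError("user part must not be longer than the server part")
    padded = b"\x00" * (len(k1) - len(k2)) + k2
    return bytes(a ^ b for a, b in zip(k1, padded))

class IndexTable:
    """Na -> (k1, expiry), as kept by TA after step B and by S after step C2."""
    def __init__(self):
        self.entries = {}

    def issue(self, now: float, lifetime: float):
        """Step B: fresh k1 plus a random Na that differs from all existing ones."""
        na = secrets.token_bytes(NA_BYTES)
        while na in self.entries:
            na = secrets.token_bytes(NA_BYTES)
        k1 = secrets.token_bytes(K1_BYTES)
        self.entries[na] = (k1, now + lifetime)
        return na, k1

    def lookup(self, na: bytes, now: float):
        """Step C4 search; per step D the index is destroyed once k1 expires."""
        entry = self.entries.get(na)
        if entry is not None and now >= entry[1]:
            del self.entries[na]
            entry = None
        return entry[0] if entry else None

def resource_key(table: IndexTable, na: bytes, k2: bytes, now: float):
    """Resource side of C4: returns K'' or None (None means go to step E)."""
    k1 = table.lookup(na, now)
    return None if k1 is None else combine(k1, k2)

def run_demo():
    table = IndexTable()                    # stands in for both TA's and S's table
    na, k1 = table.issue(now=0.0, lifetime=3600.0)
    k2 = secrets.token_bytes(K2_BYTES)      # user part generated in step C1
    k_user = combine(k1, k2)                # K on the user side
    k_res = resource_key(table, na, k2, now=10.0)
    kr2 = secrets.token_bytes(K2_BYTES)     # quick re-authentication: new user part, same k1
    k_re = resource_key(table, na, kr2, now=20.0)
    expired = resource_key(table, na, kr2, now=7200.0)   # k1 past its lifetime
    return k1, k_user, k_res, k_re, expired, na in table.entries
```
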
The invention is described in further detail below with reference to a specific embodiment.
Embodiment
An authenticated key agreement method for a user in a PKI domain to access a resource in an IBC domain, with the following operating steps:
A. Access request
The user U in the PKI domain sends a request to access the resource S in the IBC domain to the authentication server CA of the PKI domain. The PKI-domain authentication server CA authenticates the legitimacy of the identity of user U. If authentication fails, go to step E; otherwise, CA forwards the access request of user U to the IBC-domain authentication server TA.
B. Generating and sending the user index
The IBC-domain authentication server TA authenticates the identity of the PKI-domain authentication server CA. If authentication fails, go to step E. Otherwise, TA generates the authentication-server part k1 of the session key K with which user U in the PKI domain accesses resource S in the IBC domain, and generates the user index Na corresponding to k1. The user index Na is randomly generated and differs from every existing user index.
TA uses its own private key SK_TA to sign the identity ID_TA of TA, the user index Na and the authentication-server part k1 of session key K, producing the signed message M_sign. It then encrypts M_sign with the public key PK_U of user U in the PKI domain to obtain the user-received message M_A2(TA->U), and sends M_A2(TA->U) to user U.
At the same time, TA encrypts the signed message M_sign with the public key Q_S of resource S in the IBC domain to obtain the resource-received message M_A2(TA->S), and sends M_A2(TA->S) to resource S.
C. Mutual identity authentication and session key negotiation
C1. User U in the PKI domain uses its own private key SK_U to decrypt the user-received message M_A2(TA->U) sent by TA, obtaining the identity ID_TA of TA, the user index Na and the authentication-server part k1 of session key K. Using ID_TA, user U computes the public key Q_TA of TA and uses Q_TA to verify the validity of the signature. If verification fails, go to step E. Otherwise, user U generates the user part k2 of session key K, pads k2 at its leading end so that it has the same number of bits as k1, and then XORs k1 with the padded k2 to obtain the complete session key K.
C2. Resource S in the IBC domain uses its own private key S_S to decrypt the resource-received message M_A2(TA->S) sent by TA in step B, obtaining the authentication-server part K1' of the decrypted session key K' and the corresponding resource-side user index Na'.
C3. User U in the PKI domain then uses the identity ID_S of resource S to compute the public key Q_S of resource S, and encrypts the user part k2 of session key K together with the user index Na to obtain the user ciphertext S-k2. At the same time, user U encrypts the identity ID_S of resource S with session key K to obtain the identity ciphertext S-ID. User U then sends S-k2 and S-ID together to resource S.
C4. Resource S in the IBC domain decrypts the received user ciphertext S-k2, obtaining the user part K2'' of the resource-side session key K'' and the user-side user index Na''. It then searches for the authentication-server part K1''' of the detected decrypted session key K''' that corresponds to Na''. It pads K2'' at its leading end so that it has the same number of bits as K1''', and then XORs K1''' with the padded K2'' to obtain the complete resource-side session key K''. It decrypts the received identity ciphertext S-ID with K'', obtaining the extracted identity ID_S' of resource S, and checks ID_S' against the identity ID_S of resource S. If the two are inconsistent, go to step E. Otherwise, resource S encrypts its identity ID_S with the resource-side session key K'' to obtain the resource-side identity ciphertext M_A3(S->U), and sends it to user U in the PKI domain.
C5. User U in the PKI domain decrypts the received resource-side identity ciphertext M_A3(S->U) with session key K, obtaining the user-side identity ID_S'' of resource S, and verifies the validity of ID_S''. If verification fails, go to step E. Otherwise, the authenticated key agreement between user U in the PKI domain and resource S in the IBC domain is complete, and user U securely accesses resource S using session key K.
D. Re-authentication
When the authentication-server part k1 of session key K exceeds its lifetime, the IBC-domain authentication server TA destroys the user index Na generated in step B that corresponds to k1, and resource S in the IBC domain destroys the user index Na obtained in step C2 that corresponds to k1. If user U in the PKI domain no longer accesses resource S, go to step E; if user U still needs to access resource S, go to step A.
When the user part k2 of session key K exceeds its lifetime but the authentication-server part k1 is still within its lifetime: if user U in the PKI domain no longer accesses resource S, go to step E; if user U still needs to access resource S, go to step A or perform quick re-authentication.
E. Terminate the session.
In this example, the authentication-server part k1 of session key K in step B has a length of 128 bits; in step C1, the user part k2 of session key K generated by user U in the PKI domain has a length of 80 bits.
The quick re-authentication in step D of this example is carried out as follows:
User U in the PKI domain generates the user part K_R2 of the re-authentication session key K_R, pads K_R2 at its leading end so that it has the same number of bits as the authentication-server part k1 of K_R, and then XORs k1 with the padded K_R2 to obtain the complete re-authentication session key K_R; then go to step C3.