CN107733657A - A cloud two-factor authentication method based on PTPM and certificateless public-key signatures - Google Patents
- Publication number: CN107733657A (CN201710996495.1A)
- Authority: CN (China)
- Legal status: Pending
Classifications
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0877—Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Abstract
The present invention addresses the security problems and shortcomings of current identity authentication between users and the cloud in cloud computing. It applies a PTPM (portable TPM) and a certificateless public-key cryptosystem to the cloud environment and proposes a scheme for mutual identity authentication between the user and the cloud. Compared with existing schemes, the new scheme has the following advantages. First, on the basis of achieving identity uniqueness for users and the cloud by establishing an identity management mechanism, the PTPM not only ensures that the terminal platform is secure and trusted and that the authentication result between the cloud and the user is genuine and correct, but also lets the user complete the authentication process with the cloud from any terminal device. Second, the new scheme implements a two-factor "password + key" authentication process based on a certificateless public-key signature algorithm. Finally, the proposed scheme can significantly improve the computational efficiency of authentication between the user and the cloud while ensuring EUF-CMA security.
Description
Technical field
The invention belongs to the field of cloud computing application technology, and in particular relates to a cloud two-factor authentication method based on PTPM and certificateless public-key signatures.
Background
Cloud computing is an emerging service model that provides resources such as storage and computation over the Internet. With cloud services, enterprises, organizations and individual users can conveniently and efficiently carry out operations such as large-scale computation and data storage and sharing. However, the cloud service provider (CSP) first needs to authenticate the identity of the enterprise, organization and individual users of the cloud service and determine its correctness and legitimacy. Otherwise, users who have not registered for or purchased the cloud service could use it, which on the one hand brings a huge service-response burden and serious economic loss to the CSP, while legitimate users may lose computation results and stored information because they do not receive a timely service response. At the same time, users applying to use the cloud service also need to authenticate the identity of the CSP; otherwise hackers or malicious organizations can impersonate the CSP to obtain important information such as user accounts and private data, exposing users to serious economic loss and information leakage. The identities of the CSP and of the users of the cloud service therefore have to be securely authenticated to ensure that both are legitimate and correct.
In addition, cloud computing offers many different types of service to a large number of users through a variety of deployment and service models, and these services may come from different management domains; a service-based identity authentication mechanism would inevitably make the authentication process cumbersome. Users may also switch identities at any time between different working domains (for example an enterprise's internal working domain and an external cloud working domain); if each working domain establishes its own cloud user identity management mechanism, a user ends up with multiple identities, which makes user authentication and access complex. Compared with traditional computing models, identity authentication in the cloud therefore also has to consider cloud user identity management: establishing an identity management mechanism makes the identity information of users in different domains unique, which improves the user experience and solves the problem of synchronizing user identities across domains.
In a cloud environment, enterprise, organization and individual users can access cloud services from terminal devices including PCs (personal computers), PDAs (personal digital assistants), laptops and mobile phones, so identity authentication involves not only the secure connection between the cloud and the terminal device but also the secure connection between the user and the cloud. This is because the user is the CSP's final service object, while the terminal device is only the tool and service platform the user works with. As shown in Fig. 1, the cloud node server used to authenticate user identities and the TPM (trusted platform module) security chip embedded in the user's terminal device complete a remote attestation process. Although a TPM chip can establish a trusted connection between the server and the terminal device, security problems arise if it is used to implement user authentication. If the terminal device the user works on contains malware, an attacker can tamper with the authentication result and deceive the user; that is, the trusted path cannot be extended securely from the terminal device to the user. Moreover, a user in the cloud can access and use cloud services from any terminal device. If the user stores keys or other data encrypted with the TPM of one terminal device and then tries to use them on another, a data migration operation is needed, which imposes a complicated procedure on the user and may even leak the user's private data. Authentication between the cloud and the user therefore has to ensure that the authentication result is genuine on the one hand, and on the other hand has to let the user complete the authentication process from any terminal device.
Summary of the invention
To address the problems and shortcomings of existing work on authentication between the user and the cloud, the present invention proposes a scheme supporting mutual identity authentication between the cloud and the user, based on a PTPM (portable TPM) and a certificateless public-key signature algorithm. Compared with existing schemes, this scheme has the following advantages. First, on the basis of achieving identity uniqueness for users and the cloud by establishing an identity management mechanism, the PTPM not only ensures that the terminal platform is secure and trusted and that the authentication result between the cloud and the user is genuine and correct, but also lets the user complete the authentication process with the cloud from any terminal device. Second, the new scheme implements a two-factor "password + key" authentication process based on a certificateless public-key signature algorithm. Finally, the proposed scheme can significantly improve the computational efficiency of authentication between the user and the cloud while ensuring EUF-CMA security. The technical solution adopted by the invention is:
(1) System setup
Given a security parameter K, choose a large prime $p$ of K bits. Let $G_1$ and $G_2$ be multiplicative cyclic groups of order $p$, and let $g$ be a generator of $G_1$. Define a bilinear map $e: G_1 \times G_1 \to G_2$ and select collision-resistant hash functions $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \to G_1$. The system publishes the global parameters $params = (G_1, G_2, e, p, g, H_1, H_2)$;
(2) Identity ID generation
The invention uses a hierarchical ID tree to define the identity (ID) values of roles in the cloud environment such as users and cloud servers. The hierarchy has 2 levels. The root node is the KGC, the third-party key generation center that generates users' partial private keys; the leaf nodes represent the end users and the cloud authentication node servers registered in the cloud. Every node in the hierarchical ID tree has a unique name, which achieves identity uniqueness for users and cloud servers. Suppose user $u_i$ has identity $ID_i = DN_0 \| DN_i$ and the cloud authentication node $server_{auth}$ has identity $ID_{auth} = DN_0 \| DN_{server}$, where $DN_0$, $DN_i$ and $DN_{server}$ are the names of the KGC, $u_i$ and $server_{auth}$ defined in the hierarchical ID tree, and "$\|$" denotes string concatenation.
(3) Key generation
Following the idea of certificateless public-key cryptography, the key generation process for a leaf node $node_i$ in the scheme is as follows:
A、nodeiChooseAs secret value, calculating and open public key
B, KGC choosesS0For KGC master key, calculating and open public keyGiven layering
Each leafy node node in ID structuresi, KGC obtains node firstiCorresponding identity IDiAnd pkiValue, then calculates Qi=
H1(IDi), rear KGC utilizes QiCalculate and sendTo nodei;
C, nodei passes through calculating firstObtain the part private key of KGC generationsThen inquiry point is passed through
Layer ID tree constructions obtain identity IDi, calculate Qi=H1(IDi) and verifyThe correctness of value:
Private key is generated if equal
During narration below, user uiPublic private key pair be expressed as
And high in the clouds certification node serverauthPublic private key pair be expressed as
(4) user's registration
A, user uiInput IDiWith password value pwi, H is calculated first using PTPM2(IDi||pwi);Then chooseCalculateWithLast uiSend registration request
Give high in the clouds certification node serverauth;
B、serverauthReceive RegreqAfterwards, first according to registered users information table TregisterTo inquire about IDiWhether deposit
If it is not, calculating Qi'=H1(IDi), then verifyThe correctness of value:
If equal serverauthChooseAnd calculate g using TPMSj, by IDi, Sj, gSiAnd H2(IDi||pwi) store and arrive Tregister, then utilize TPM
Calculate
And send registration response messageTo ui;
Otherwise registration failure mark is returned to ui.If TregisterThe ID is storediValue, then return it is registered indicate to
ui。
C、uiReceive registration response message RegresAfterwards, Q ' is calculated first with PTPMj=H1(IDauth) and H2(IDauth||
pkj), then calculateAnd by judging equation
Whether verified into Rob RoyThe correctness of value, if equal expression uiIn serverauthLocate successful registration, PTPM outputs
The mark that succeeds in registration arrives display window, while uiStore IDauth, SiAnd gSj;Otherwise registration failure mark is exported.
(5) Login authentication
A. User $u_i$ first enters $ID_i$ and $pw_i$ and uses the PTPM to compute $H_2(ID_i\|pw_i)$, at the same time choosing $r_i$ and computing $g^{r_i}$. The PTPM then sends the login authentication request $Auth_{req} = (ID_i, H_2(ID_i\|pw_i), g^{r_i})$ to $server_{auth}$.
B. After receiving $Auth_{req}$, $server_{auth}$ first looks up by $ID_i$ the $H_2(ID_i\|pw_i)$ value stored in $T_{register}$ and checks whether it equals the received value. If not, $server_{auth}$ returns a password-error message to $u_i$. Otherwise $server_{auth}$ first retrieves the $S_j$ and $g^{S_i}$ values corresponding to $ID_i$ and uses the TPM to compute $k = (g^{S_i})^{S_j}$; it then chooses $r_j$, uses the TPM to compute $g^{r_j}$ and $D_1 = HMAC_k(g^{r_i})$, and sends $Auth_{res} = (ID_{auth}, D_1, g^{r_j})$ to $u_i$.
C. After receiving the $Auth_{res}$ returned by $server_{auth}$, $u_i$ first looks up the $S_i$ and $g^{S_j}$ corresponding to the received $ID_{auth}$ value, then uses the PTPM to compute $k' = (g^{S_j})^{S_i}$ and $D_1' = HMAC_{k'}(g^{r_i})$ and checks whether $D_1$ equals $D_1'$. If they are equal, $u_i$ has authenticated the identity of $server_{auth}$; it then uses the PTPM to compute $D_2 = HMAC_{k'}(g^{r_j})$ and sends it to $server_{auth}$. Otherwise verification of $server_{auth}$'s identity fails and $u_i$ terminates the authentication process.
D. $server_{auth}$ uses the TPM to compute $D_2' = HMAC_k(g^{r_j})$ and compares it with $D_2$. If they are equal, $server_{auth}$ has authenticated the identity of $u_i$; it then uses the TPM to compute $D_3 = HMAC_k((g^{r_i})^{r_j}\|ID_{auth})$ and sends it to $u_i$. Otherwise verification of $u_i$'s identity fails and $server_{auth}$ terminates the authentication process.
E. $u_i$ uses the PTPM to compute $D_3' = HMAC_{k'}((g^{r_j})^{r_i}\|ID_{auth})$ and compares it with the received $D_3$. If they are equal, the PTPM outputs a verification-success indication to the display window; otherwise it outputs a verification-failure indication. After the authentication process above is complete, $u_i$ and $server_{auth}$ can use the session key to carry out subsequent interaction.
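The login exchange in steps A to E, as an added Python example that is not part of the patent. It assumes a stand-in group (integers modulo 2^255 - 19 with g = 2) in place of the pairing group G1, SHA-256 in place of H2, and reduces registration to the state it leaves on each side; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumed stand-in group: integers mod the prime 2**255 - 19, generator g = 2.
# The patent uses a pairing group G1; steps A-E only need (g^a)^b == (g^b)^a.
P, G = 2**255 - 19, 2

def enc(x: int) -> bytes:
    """Fixed-length encoding of a group element for hashing and HMAC."""
    return x.to_bytes(32, "big")

def valid(x) -> bool:
    """Added hardening (not in the patent): reject 0, 1, P-1, out-of-range values."""
    return isinstance(x, int) and 1 < x < P - 1

def h2(identity: str, pw: str) -> bytes:
    """H2(ID || pw), with SHA-256 standing in for the patent's hash into G1."""
    return hashlib.sha256(identity.encode() + b"\x00" + pw.encode()).digest()

def mac(k: int, data: bytes) -> bytes:
    return hmac.new(enc(k), data, hashlib.sha256).digest()

def rand_exp() -> int:
    return secrets.randbelow(P - 3) + 2  # uniform in [2, P-2]

class Server:
    def __init__(self, id_auth: str):
        self.id_auth = id_auth
        self.t_register = {}  # ID_i -> (S_j, g^S_i, H2(ID_i||pw_i))
        self.pending = {}     # ID_i -> (k, r_j, g^r_i) between steps B and D

    def register(self, id_i, pw_hash, g_si):
        """State left by registration; the certificateless signature checks are omitted."""
        s_j = rand_exp()
        self.t_register[id_i] = (s_j, g_si, pw_hash)
        return pow(G, s_j, P)  # g^S_j, stored by the PTPM

    def step_b(self, id_i, pw_hash, g_ri):
        rec = self.t_register.get(id_i)
        if rec is None or not valid(g_ri) or not hmac.compare_digest(rec[2], pw_hash):
            return None  # password error
        s_j, g_si, _ = rec
        k, r_j = pow(g_si, s_j, P), rand_exp()  # k = (g^S_i)^S_j
        self.pending[id_i] = (k, r_j, g_ri)
        return self.id_auth, mac(k, enc(g_ri)), pow(G, r_j, P)  # Auth_res

    def step_d(self, id_i, d2):
        state = self.pending.pop(id_i, None)
        if state is None:
            return None
        k, r_j, g_ri = state
        if not hmac.compare_digest(mac(k, enc(pow(G, r_j, P))), d2):
            return None  # user identity not proven
        return mac(k, enc(pow(g_ri, r_j, P)) + self.id_auth.encode())  # D3

class PTPM:
    def __init__(self, id_i: str):
        self.id_i, self.s_i = id_i, rand_exp()  # S_i never leaves the token
        self.peers = {}                         # ID_auth -> g^S_j

    def step_a(self, pw):
        self.r_i = rand_exp()
        self.g_ri = pow(G, self.r_i, P)
        return self.id_i, h2(self.id_i, pw), self.g_ri  # Auth_req

    def step_c(self, id_auth, d1, g_rj):
        g_sj = self.peers.get(id_auth)
        if g_sj is None or not valid(g_rj):
            return None
        self.k = pow(g_sj, self.s_i, P)  # k' = (g^S_j)^S_i
        if not hmac.compare_digest(mac(self.k, enc(self.g_ri)), d1):
            return None  # server identity not proven
        self.g_rj = g_rj
        return mac(self.k, enc(g_rj))  # D2

    def step_e(self, id_auth, d3):
        want = mac(self.k, enc(pow(self.g_rj, self.r_i, P)) + id_auth.encode())
        return hmac.compare_digest(want, d3)

def enroll(ptpm, server, pw):
    ptpm.peers[server.id_auth] = server.register(
        ptpm.id_i, h2(ptpm.id_i, pw), pow(G, ptpm.s_i, P))

def login(ptpm, server, pw) -> str:
    """Run steps A-E and report where the exchange stopped."""
    res = server.step_b(*ptpm.step_a(pw))
    if res is None:
        return "rejected at B"
    d2 = ptpm.step_c(*res)
    if d2 is None:
        return "rejected at C"
    d3 = server.step_d(ptpm.id_i, d2)
    if d3 is None:
        return "rejected at D"
    return "authenticated" if ptpm.step_e(server.id_auth, d3) else "rejected at E"
```

A token that knows the password but holds a different $S_i$ stops at step C because it cannot derive $k$, which is the "key" half of the two factors; all comparisons use `hmac.compare_digest` to avoid timing differences.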
(6) password updates
Assuming that uiNeed original password pwiIt is updated to pwi', then uiH is calculated respectively first with PTPM2(IDi||
pw′i)、
WithThen password renewal request is sent
To serverauth, wherein, × represent group G1On multiplying.Treat serverauthReceive updatepwAfterwards, first according to IDi
Inquire about the g of storageSiIt is worth and utilizes TPM to calculate (gSi)rj, judgeWithIt is whether equal;If do not wait and terminate password
Renewal process;Otherwise calculated using TPMObtain H2(IDi||pwi'), by inquiring about IDi by H2(IDi||pwi) replace
For H2(IDi||pw′i)。
Beneficial effects
(1) Combines a PTPM with a certificateless public-key signature algorithm to solve the problem of identity authentication between the user and the cloud in a cloud environment;
(2) Establishes an identity management mechanism covering users and the cloud based on a hierarchical ID tree, achieving identity uniqueness for every communicating entity;
(3) Uses the PTPM to ensure that the terminal platform is secure and trusted and that the authentication result between the cloud and the user is genuine and correct;
(4) Implements a two-factor "password + key" authentication process between the cloud and the user;
(5) Lets the user complete mutual identity authentication with the cloud from any terminal device.
Brief description of the drawings
The present invention is further illustrated below with reference to the accompanying drawings.
Fig. 1 shows the TPM-based identity authentication flow in a cloud environment;
Fig. 2 shows the mutual identity authentication flow between the user and the cloud:
(a) the user registration phase; (b) the login authentication phase;
Fig. 3 shows the identity authentication flow of the embodiment, in which multiple users use arbitrary terminals:
(a) a single user completes authentication using multiple terminal devices;
(b) multiple users complete authentication using one terminal device.
Embodiment
Embodiment 1
As shown in Fig. 2, the user holds a PTPM hardware module, and the cloud authentication node server has an embedded TPM security chip. Mutual identity authentication between the user and the cloud comprises two phases: user registration, shown in Fig. 2(a), and login authentication, shown in Fig. 2(b).
In the registration phase, user $u_i$ first enters information such as the password $pw_i$ and identity $ID_i$, and the PTPM then computes the registration information $Reg_{req}$. After receiving the user's $Reg_{req}$, the authentication node server first looks up by $ID_i$ whether $u_i$ is already registered, then takes the public keys of the KGC and $u_i$ as input and uses the TPM to verify that the signature value generated from $pw_i$, $ID_i$ and related information is correct. Once the signature is verified, the authentication node server stores $u_i$'s registration information and sends the corresponding registration response $Reg_{res}$ to $u_i$. After receiving $Reg_{res}$, $u_i$ first takes the public keys of the KGC and the authentication node server as input and uses the PTPM to verify that the authentication node server's signature value is correct; if it is, the PTPM outputs a registration-success indication and stores the authentication node server's identity $ID_{auth}$, the secret value and related information.
In the authentication phase, user $u_i$ first sends the authentication request $Auth_{req}$, which includes $ID_i$, $H_2(ID_i\|pw_i)$ and $g^{r_i}$, to the authentication node server. After verifying that the received $H_2(ID_i\|pw_i)$ value is correct, the authentication node server first computes $HMAC_k(g^{r_i})$, where the key $k$ used in the HMAC computation depends on the secret values that the user and the authentication node server generated in the registration phase; it then sends the authentication response $Auth_{res}$, which includes $ID_{auth}$, $HMAC_k(g^{r_i})$ and $g^{r_j}$, to $u_i$. Once $u_i$ has computed and verified the received $HMAC_k(g^{r_i})$ value, it has authenticated the authentication node server's identity, and it must also compute $HMAC_k(g^{r_j})$ as its response. The authentication node server authenticates $u_i$'s identity by verifying that the $HMAC_k(g^{r_j})$ value sent by $u_i$ is correct; so that $u_i$ can confirm that it has passed authentication, the server also sends the value $HMAC_k((g^{r_i})^{r_j}\|ID_{auth})$ to $u_i$, an HMAC value computed from the random numbers previously generated by both sides and $ID_{auth}$. Finally, after $u_i$ uses the PTPM to verify that $HMAC_k((g^{r_i})^{r_j}\|ID_{auth})$ is correct, a verification-success indication is output to the PTPM display window.
Because users in a cloud environment can access cloud services from any terminal device, authentication between the user and the cloud can take the form shown in Fig. 3(a), where a single user uses multiple terminal devices, or the form shown in Fig. 3(b), where multiple users use one terminal device.
Embodiment 2
(1) System setup
Given a security parameter K, choose a large prime $p$ of K bits. Let $G_1$ and $G_2$ be multiplicative cyclic groups of order $p$, and let $g$ be a generator of $G_1$. Define a bilinear map $e: G_1 \times G_1 \to G_2$ and select collision-resistant hash functions $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \to G_1$. The system publishes the global parameters $params = (G_1, G_2, e, p, g, H_1, H_2)$;
(2) Identity ID generation
The invention uses a hierarchical ID tree to define the identity (ID) values of roles in the cloud environment such as users and cloud servers. The hierarchy has 2 levels. The root node is the KGC, the third-party key generation center that generates users' partial private keys; the leaf nodes represent the end users and the cloud authentication node servers registered in the cloud. Every node in the hierarchical ID tree has a unique name, which achieves identity uniqueness for users and cloud servers. Suppose user $u_i$ has identity $ID_i = DN_0 \| DN_i$ and the cloud authentication node $server_{auth}$ has identity $ID_{auth} = DN_0 \| DN_{server}$, where $DN_0$, $DN_i$ and $DN_{server}$ are the names of the KGC, $u_i$ and $server_{auth}$ defined in the hierarchical ID tree, and "$\|$" denotes string concatenation.
(3) Key generation
Following the idea of certificateless public-key cryptography, the key generation process for a leaf node $node_i$ in the scheme is as follows:
A、nodeiChooseAs secret value, calculating and open public key
B, KGC choosesS0For KGC master key, calculating and open public keyGiven layering
Each leafy node node in ID structuresi, KGC obtains node firstiCorresponding identity IDiAnd pkiValue, then calculates Qi=
H1(IDi), rear KGC utilizes QiCalculate and sendTo nodei;
C, nodei passes through calculating firstObtain the part private key of KGC generationsThen inquiry point is passed through
Layer ID tree constructions obtain identity IDi, calculate Qi=H1(IDi) and verifyThe correctness of value:
Private key is generated if equal
During narration below, user uiPublic private key pair be expressed aspki=gxi;
And high in the clouds certification node serverauthPublic private key pair be expressed as
(4) user's registration
A, user uiInput IDiWith password value pwi, H is calculated first using PTPM2(IDi||pwi);Then chooseCalculateWithLast uiSend registration request
Give high in the clouds certification node serverauth;
B、serverauthReceive RegreqAfterwards, first according to registered users information table TregisterTo inquire about IDiWhether deposit
If it is not, calculating Qi'=H1(IDi), then verifyThe correctness of value:If equal serverauthChooseAnd
G is calculated using TPMSj, by IDi, Sj, gSiAnd H2(IDi||pwi) store and arrive Tregister, then calculated using TPM
And send registration response messageTo ui;
Otherwise registration failure mark is returned to ui.If TregisterThe ID is storediValue, then return it is registered indicate to
ui。
C、uiReceive registration response message RegresAfterwards, Q ' is calculated first with PTPMj=H1(IDauth) and H2(IDauth||
pkj), then calculateAnd by judging equationWhether verified into Rob RoyThe correctness of value, such as
The equal expression u of fruitiIn serverauthLocate successful registration, PTPM exports the mark that succeeds in registration and arrives display window, while uiStorage
IDauth, SiAnd gSj;Otherwise registration failure mark is exported.
(5) Login authentication
A. User $u_i$ first enters $ID_i$ and $pw_i$ and uses the PTPM to compute $H_2(ID_i\|pw_i)$, at the same time choosing $r_i$ and computing $g^{r_i}$. The PTPM then sends the login authentication request $Auth_{req} = (ID_i, H_2(ID_i\|pw_i), g^{r_i})$ to $server_{auth}$.
B. After receiving $Auth_{req}$, $server_{auth}$ first looks up by $ID_i$ the $H_2(ID_i\|pw_i)$ value stored in $T_{register}$ and checks whether it equals the received value. If not, $server_{auth}$ returns a password-error message to $u_i$. Otherwise $server_{auth}$ first retrieves the $S_j$ and $g^{S_i}$ values corresponding to $ID_i$ and uses the TPM to compute $k = (g^{S_i})^{S_j}$; it then chooses $r_j$, uses the TPM to compute $g^{r_j}$ and $D_1 = HMAC_k(g^{r_i})$, and sends $Auth_{res} = (ID_{auth}, D_1, g^{r_j})$ to $u_i$.
C. After receiving the $Auth_{res}$ returned by $server_{auth}$, $u_i$ first looks up the $S_i$ and $g^{S_j}$ corresponding to the received $ID_{auth}$ value, then uses the PTPM to compute $k' = (g^{S_j})^{S_i}$ and $D_1' = HMAC_{k'}(g^{r_i})$ and checks whether $D_1$ equals $D_1'$. If they are equal, $u_i$ has authenticated the identity of $server_{auth}$; it then uses the PTPM to compute $D_2 = HMAC_{k'}(g^{r_j})$ and sends it to $server_{auth}$. Otherwise verification of $server_{auth}$'s identity fails and $u_i$ terminates the authentication process.
D. $server_{auth}$ uses the TPM to compute $D_2' = HMAC_k(g^{r_j})$ and compares it with $D_2$. If they are equal, $server_{auth}$ has authenticated the identity of $u_i$; it then uses the TPM to compute $D_3 = HMAC_k((g^{r_i})^{r_j}\|ID_{auth})$ and sends it to $u_i$. Otherwise verification of $u_i$'s identity fails and $server_{auth}$ terminates the authentication process.
E. $u_i$ uses the PTPM to compute $D_3' = HMAC_{k'}((g^{r_j})^{r_i}\|ID_{auth})$ and compares it with the received $D_3$. If they are equal, the PTPM outputs a verification-success indication to the display window; otherwise it outputs a verification-failure indication. After the authentication process above is complete, $u_i$ and $server_{auth}$ can use the session key to carry out subsequent interaction.
(6) password updates
Assuming that uiNeed original password pwiIt is updated to pwi', then uiH is calculated respectively first with PTPM2(IDi||
pw′i)、
WithThen password renewal request is sentTo serverauth, wherein, × represent group G1On multiplying.Treat serverauth
Receive updatepwAfterwards, first according to IDiInquire about the g of storageSiIt is worth and utilizes TPM to calculateJudgeWithIt is whether equal;If do not wait and terminate password renewal process;Otherwise calculated using TPMObtain H2(IDi||
pwi'), by inquiring about IDiBy H2(IDi||pwi) replace with H2(IDi||pw′i)。
Claims (3)
1. A cloud two-factor authentication method based on PTPM and certificateless public-key signatures, characterized in that it comprises the following steps:
(1) system setup; (2) identity ID generation; (3) key generation; (4) user registration; (5) login authentication; (6) password update.
2. The cloud two-factor authentication method based on PTPM and certificateless public-key signatures according to claim 1, characterized in that the detailed process of the above steps is:
(1) System setup: given a security parameter K, choose a large prime $p$ of K bits; let $G_1$ and $G_2$ be multiplicative cyclic groups of order $p$ and let $g$ be a generator of $G_1$; define a bilinear map $e: G_1 \times G_1 \to G_2$ and select collision-resistant hash functions $H_1: \{0,1\}^* \to G_1$ and $H_2: \{0,1\}^* \to G_1$; the system publishes the global parameters $params = (G_1, G_2, e, p, g, H_1, H_2)$;
(2) Identity ID generation: a hierarchical ID tree defines the identity (ID) values of roles in the cloud environment such as users and cloud servers. The hierarchy has 2 levels; the root node is the KGC, the third-party key generation center that generates users' partial private keys; the leaf nodes represent the end users and the cloud authentication node servers registered in the cloud. That is, every node in the hierarchical ID tree has a unique name, which achieves identity uniqueness for users and cloud servers. Suppose user $u_i$ has identity $ID_i = DN_0 \| DN_i$ and the cloud authentication node $server_{auth}$ has identity $ID_{auth} = DN_0 \| DN_{server}$, where $DN_0$, $DN_i$ and $DN_{server}$ are the names of the KGC, $u_i$ and $server_{auth}$ defined in the hierarchical ID tree, and "$\|$" denotes string concatenation;
(3) Key generation
Following the idea of certificateless public-key cryptography, the key generation process for a leaf node $node_i$ in the scheme is as follows:
A、nodeiChooseAs secret value, calculating and open public key
B, KGC choosesS0For KGC master key, calculating and open public keyGiven layering ID knots
Each leafy node node in structurei, KGC obtains node firstiCorresponding identity IDiAnd pkiValue, then calculates Qi=H1
(IDi), rear KGC utilizes QiCalculate and sendTo nodei;
C, nodei passes through calculating firstObtain the part private key of KGC generationsThen it is layered ID by inquiring about
Tree construction obtains identity IDi, calculate Qi=H1(IDi) and verifyThe correctness of value:If
It is equal, generate private key
During narration below, user uiPublic private key pair be expressed as ski=(Qi s0, xi), pki=gxi;And high in the clouds
Certification node serverauthPublic private key pair be expressed as
(4) User registration:
A. User $u_i$ inputs $ID_i$ and the password value $pw_i$, and first uses the PTPM to compute $H_2(ID_i||pw_i)$; it then chooses, computes and; finally $u_i$ sends the registration request to the cloud authentication node server $server_{auth}$.
B. After receiving $Reg_{req}$, $server_{auth}$ first queries the registered-user information table $T_{register}$ to check whether $ID_i$ exists. If it does not, $server_{auth}$ computes $Q_i' = H_1(ID_i)$, then verifies the correctness of the value: if equal, $server_{auth}$ chooses and uses the TPM to compute $g^{S_j}$, stores $ID_i$, $S_j$, $g^{S_i}$ and $H_2(ID_i||pw_i)$ in $T_{register}$, then uses the TPM to compute and sends the registration response message to $u_i$; otherwise it returns a registration failure flag to $u_i$. If $T_{register}$ already stores this $ID_i$ value, it returns an already-registered flag to $u_i$;
C. After receiving the registration response message $Reg_{res}$, $u_i$ first uses the PTPM to compute $Q_j' = H_1(ID_{auth})$ and $H_2(ID_{auth}||pk_j)$, then computes and verifies the correctness of the value by checking whether the equation holds. If equal, $u_i$ has registered successfully at $server_{auth}$: the PTPM outputs a registration success flag to the display window, and $u_i$ stores $ID_{auth}$, $S_i$ and $g^{S_j}$; otherwise a registration failure flag is output;
(5) Login authentication:
A. User $u_i$ first inputs $ID_i$ and $pw_i$ and uses the PTPM to compute $H_2(ID_i||pw_i)$, at the same time choosing and computing $g^{r_i}$; the PTPM then sends the login authentication request $Auth_{req} = (ID_i, H_2(ID_i||pw_i), g^{r_i})$ to $server_{auth}$;
B. After receiving the message $Auth_{req}$, $server_{auth}$ first uses $ID_i$ to look up the $H_2(ID_i||pw_i)$ value stored in $T_{register}$ and checks whether it equals the received value. If it does not, $server_{auth}$ returns a password error message to $u_i$; otherwise $server_{auth}$ first obtains the $S_j$ and $g^{S_i}$ values corresponding to $ID_i$ and uses the TPM to compute $(g^{S_i})^{S_j}$; it then chooses and uses the TPM to compute and, where, and afterwards sends to $u_i$;
C. After receiving the message $Auth_{res}$ returned by $server_{auth}$, $u_i$ first uses the received $ID_{auth}$ value to look up the corresponding $S_i$ and $g^{S_j}$, then uses the PTPM to compute $k' = (g^{S_j})^{S_i}$ and $D_1' = HMAC_{k'}(g^{r_i})$ and checks whether $D_1$ and $D_1'$ are equal. If they are equal, $u_i$ has authenticated the identity of $server_{auth}$; it then uses the PTPM to compute $D_2 = HMAC_{k'}(g^{r_j})$ and sends it to $server_{auth}$. Otherwise verification of the $server_{auth}$ identity fails and $u_i$ terminates the authentication process;
D. $server_{auth}$ uses the TPM to compute $D_2' = HMAC_k(g^{r_j})$ and compares it with $D_2$. If they are equal, $server_{auth}$ has authenticated the identity of $u_i$; $server_{auth}$ then uses the TPM to compute $D_3 = HMAC_k((g^{r_i})^{r_j}||ID_{auth})$ and sends it to $u_i$. Otherwise verification of the $u_i$ identity fails and $server_{auth}$ terminates the authentication process;
E. $u_i$ uses the PTPM to compute $D_3' = HMAC_{k'}((g^{r_j})^{r_i}||ID_{auth})$ and compares it with the received $D_3$. If they are equal, the PTPM outputs a verification success flag to the display window; otherwise it outputs a verification failure flag. After the above identity authentication process is complete, $u_i$ and $server_{auth}$ can use the session key to carry out subsequent interaction;
(6) Password update
Assume $u_i$ needs to update the original password $pw_i$ to $pw_i'$. $u_i$ first uses the PTPM to compute $H_2(ID_i||pw_i')$, and respectively, then sends the password update request to $server_{auth}$, where × denotes multiplication on the group $G_1$. After receiving $update_{pw}$, $server_{auth}$ first uses $ID_i$ to look up the stored $g^{S_i}$ value and uses the TPM to compute $(g^{S_i})^{r_j}$, then checks whether and are equal. If they are not equal, the password update process is terminated; otherwise it uses the TPM to compute to obtain $H_2(ID_i||pw_i')$ and, looking up by $ID_i$, replaces $H_2(ID_i||pw_i)$ with $H_2(ID_i||pw_i')$.
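The login exchange of step (5), as an added example that is not part of the patent text: a Python simulation of messages A to E with both parties in one process. The toy group (prime 2**255 - 19, base 2), SHA-256 for $H_2$, HMAC-SHA256 and the `registered_state` helper are assumptions, and the server's step-B values whose formulas are missing above ($r_j$, $g^{r_j}$, $D_1 = HMAC_k(g^{r_i})$) are inferred from the checks in steps C and D.

```python
import hashlib
import hmac
import secrets

# Toy group standing in for the scheme's group (assumption, demo parameters only).
P, G = 2**255 - 19, 2

def enc(x: int) -> bytes:
    return x.to_bytes(32, "big")

def h2(identity: str, pw: str) -> bytes:  # H2(ID_i || pw_i); SHA-256 is assumed
    return hashlib.sha256(identity.encode() + pw.encode()).digest()

def mac(k: int, msg: bytes) -> bytes:  # HMAC_k(msg); HMAC-SHA256 is assumed
    return hmac.new(enc(k), msg, hashlib.sha256).digest()

def rand_exp() -> int:
    return secrets.randbelow(P - 2) + 1

def registered_state(id_i, pw, id_auth):
    """Constructed post-registration state: what each side stores in step (4)."""
    s_i, s_j = rand_exp(), rand_exp()
    t_register = {id_i: {"s_j": s_j, "g_si": pow(G, s_i, P), "h2": h2(id_i, pw)}}
    user_store = {id_auth: (s_i, pow(G, s_j, P))}
    return t_register, user_store

def login(t_register, user_store, id_i, pw, id_auth):
    # A: Auth_req = (ID_i, H2(ID_i||pw_i), g^ri)
    r_i = rand_exp()
    g_ri, req_h = pow(G, r_i, P), h2(id_i, pw)
    # B: server compares the stored hash, then derives k = (g^Si)^Sj
    rec = t_register.get(id_i)  # unknown ID handled like a bad password (assumption)
    if rec is None or not hmac.compare_digest(rec["h2"], req_h):
        return "password error"
    k, r_j = pow(rec["g_si"], rec["s_j"], P), rand_exp()
    g_rj = pow(G, r_j, P)
    d1 = mac(k, enc(g_ri))
    # C: user derives k' = (g^Sj)^Si, checks D1, replies with D2
    s_i, g_sj = user_store[id_auth]
    k2 = pow(g_sj, s_i, P)
    if not hmac.compare_digest(mac(k2, enc(g_ri)), d1):
        return "server identity not verified"
    d2 = mac(k2, enc(g_rj))
    # D: server checks D2, replies with D3 = HMAC_k((g^ri)^rj || ID_auth)
    if not hmac.compare_digest(mac(k, enc(g_rj)), d2):
        return "user identity not verified"
    d3 = mac(k, enc(pow(g_ri, r_j, P)) + id_auth.encode())
    # E: user recomputes D3' = HMAC_k'((g^rj)^ri || ID_auth)
    ok = hmac.compare_digest(mac(k2, enc(pow(g_rj, r_i, P)) + id_auth.encode()), d3)
    return "verified" if ok else "verification failed"
```

A user-side store holding the wrong $g^{S_j}$ yields a different $k'$, so the run stops at step C before any $D_2$ is released.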
3. The cloud two-factor authentication method based on PTPM and certificateless public key signatures according to claim 1 or 2, characterised in that the model definition of the method is: the security of the method is based on the hardness of the CDH (computational Diffie-Hellman) problem, with the relevant definitions as follows:
Definition 1 (CDH problem): it is known that, $g$ is a generator; given $(g, g^a, g^b)$, compute $g^{ab}$. Here, denotes selecting the elements $a$ and $b$ from the uniformly distributed;
Definition 2 (CDH assumption): the probability that an algorithm $B$ solves the CDH problem within probabilistic polynomial time is $Adv^{CDH}(B) = \Pr[g^{ab} \leftarrow B(g, g^a, g^b)]$; if $Adv^{CDH}(B)$ is negligible, the CDH problem is said to be hard.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710996495.1A CN107733657A (en) | 2017-10-24 | 2017-10-24 | A kind of high in the clouds is based on PTPM and without CertPubKey signature double factor authentication method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107733657A true CN107733657A (en) | 2018-02-23 |
Family
ID=61213336
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710996495.1A Pending CN107733657A (en) | 2017-10-24 | 2017-10-24 | A kind of high in the clouds is based on PTPM and without CertPubKey signature double factor authentication method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107733657A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20180223 |