CN107948189A - Asymmetric cryptography authentication identifying method, device, computer equipment and storage medium - Google Patents
Asymmetric cryptography authentication identifying method, device, computer equipment and storage medium Download PDFInfo
- Publication number
- CN107948189A CN107948189A CN201711375611.4A CN201711375611A CN107948189A CN 107948189 A CN107948189 A CN 107948189A CN 201711375611 A CN201711375611 A CN 201711375611A CN 107948189 A CN107948189 A CN 107948189A
- Authority
- CN
- China
- Prior art keywords
- client
- server
- identity
- result
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0442—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
- Storage Device Security (AREA)
Abstract
The present invention relates to a kind of authentication identifying method of asymmetric cryptography, device, medium and computer equipment, the method for one embodiment includes:Identity is initiated to server-side and differentiates request, and identity differentiates that request includes number clients word certificate;Receive the identity that server-side returns and differentiate response, identity differentiates that response includes at least the encrypted result that the first random number is encrypted in client public key of the server-side based on client digital certificate;Response, which is handled, to be differentiated to identity according to client private key component, obtains handling result;Authentication request is sent to server-side based on handling result, the authentication request is used to indicate that the server-side carries out authentication process.The first random number that client public key and server-side are carried using client digital certificate carries out identity discriminating processing, when client and server-side hold private key component respectively, it can equally be realized by client public key with the private key component that client and server-side are held respectively and cooperate with decryption to differentiate to realize to client identity between client and server-side.
Description
Technical field
The present invention relates to technical field of cryptology, more particularly to a kind of authentication identifying method of asymmetric cryptography, device,
Computer equipment and computer-readable storage medium.
Background technology
Zero-knowledge proof (Zero-knowledge Proof) is by S.Goldwasser, S.Micali and C.Rackoff
Itd is proposed in early 1980s, referring to the person of claiming can make to test in the case where not providing any useful information to verifier
Card person believes that some judgement is correct, it is substantially a kind of agreement for being related to two sides or more side, i.e. two sides or more side
The series of steps taken needed for accomplishing a task.In the agreement, the person of claiming proves to verifier and it is believed oneself
Know or possess a certain message, but proof procedure cannot leak any information on being proved to message to verifier.
National standard《The 5th part of GB/T 15843.5-2005 information technology safe practices solid identification:Use Zero Knowledge
The mechanism of technology》Define the solid identification mechanism using asymmetric encipherment system based on certificate, the solid identification machine
System is related to information exchange between the person of claiming and verifier of above-mentioned zero-knowledge proof, it verifier to verify to claim
The identity of person.In this traditional authentication scheme, verifier can utilize one random message of public key encryption for the person of claiming,
And the person of claiming is required to return to the message decrypted.This authentication scheme requires the person of claiming to hold complete private key for user, when user is private
Key is divided into multiple components, cannot be provided when being held by multiple participants, in conventional art and employ collaboration signature plus solution
Implement the identity authentication protocol based on asymmetric cryptography under conditions of close mechanism.
The content of the invention
Based on this, it is necessary to can not be carried out for conventional art under conditions of collaboration signature, encryption and decryption mechanism is employed
The problem of identity differentiates, there is provided a kind of authentication identifying method of asymmetric cryptography, device, computer equipment and computer storage are situated between
Matter.
A kind of authentication identifying method of asymmetric cryptography, including:
Identity is initiated to server-side and differentiates request, and the identity differentiates that request includes number clients word certificate;
Receive the identity that the server-side returns and differentiate response, the identity differentiates that response is based on institute including at least server-side
State the encrypted result that the first random number is encrypted in the client public key of client digital certificate;
Response, which is handled, to be differentiated to the identity according to client private key component, obtains handling result;
Authentication request is sent to the server-side based on the handling result, the authentication request is used to indicate
The server-side carries out authentication process.
A kind of authentication identifying method of asymmetric cryptography, including:
Receive the identity that client is sent and differentiate request, the identity differentiates that request includes number clients word certificate;
After verifying that the client digital certificate is effective, the client public key based on the client digital certificate to first with
Acquisition encrypted result is encrypted in machine number, and returns to identity to the client and differentiate response, and the identity differentiates response at least
Including the encrypted result;
The client is received based on differentiating that response carries out processing acquisition to the identity according to client private key component
The authentication request that handling result returns;
Authentication process is carried out according to the authentication request, obtains authentication result.
A kind of identification device of asymmetric cryptography, including:
Differentiate request sending module, differentiate request for initiating identity to server-side, the identity differentiates that request includes visitor
Family end digital certificate;
Receiving module is responded, differentiates response for receiving the identity that the server-side returns, the identity differentiates response extremely
Include the encryption knot that the first random number is encrypted in client public key of the server-side based on the client digital certificate less
Fruit;
Response processing module, for differentiating that response is handled to the identity according to client private key component, at acquisition
Manage result;
Checking request sending module, for sending authentication request, institute to the server-side based on the handling result
Authentication request is stated to be used to indicate that the server-side carries out authentication process.
A kind of identification device of asymmetric cryptography, including:
Differentiate request receiving module, the identity for receiving client transmission differentiates request, and the identity differentiates request bag
Include client digital certificate;
Differentiate ask respond module, after verifying that the client digital certificate is effective, based on client numeral
The first random number is encrypted acquisition encrypted result in the client public key of certificate, and returns to identity to the client and differentiate sound
Should, the identity differentiates that response includes at least the encrypted result;
Checking request receiving module, is based on reflecting to the identity according to client private key component for receiving the client
The authentication request that the handling result of processing acquisition returns should be carried out by holding your noise;
Verification processing module, for carrying out authentication process according to the authentication request, obtains authentication knot
Fruit.
A kind of computer equipment, including memory, processor and storage can be run on a memory and on a processor
The step of computer program, the processor realizes the above method when performing described program.
A kind of computer-readable recording medium, is stored thereon with computer program, which realizes when being executed by processor
The step of above method.
Authentication identifying method, device, computer equipment and the medium of above-mentioned asymmetric cryptography, utilize client digital certificate
The first random number for carrying client public key and server-side carries out identity discriminating processing, when client and server-side hold private key respectively
During component, equally client and service can be completed by the private key component that client public key and client and server-side are held respectively
Collaboration decryption between end, differentiates so as to fulfill to the identity of client.
Brief description of the drawings
Fig. 1 is the schematic diagram of the application environment of a this embodiment scheme;
Fig. 2 is the flow diagram of the authentication identifying method of the asymmetric cryptography in one embodiment;
Fig. 3 is the flow diagram of the authentication identifying method of the asymmetric cryptography in another embodiment;
Fig. 4 is the flow diagram of the authentication identifying method of the asymmetric cryptography in another embodiment;
Fig. 5 is the flow diagram of the authentication identifying method of the asymmetric cryptography in another embodiment;
Fig. 6 is the structure diagram of the identification device of the asymmetric cryptography in one embodiment;
Fig. 7 is the structure diagram of the identification device of the asymmetric cryptography in another embodiment;
Fig. 8 is the interaction flow schematic diagram of the identity discrimination process of a specific example;
Fig. 9 is the interaction flow schematic diagram of the identity discrimination process of another specific example;
Figure 10 is the interaction flow schematic diagram of the identity discrimination process of another specific example;
Figure 11 is the interaction flow schematic diagram of the identity discrimination process of another specific example;
Figure 12 is the interaction flow schematic diagram of the identity discrimination process of another specific example;
Figure 13 is the interaction flow schematic diagram of the identity discrimination process of another specific example.
Embodiment
It is with reference to the accompanying drawings and embodiments, right in order to which the object, technical solution and advantage of the application are more clearly understood
The application is further elaborated.It should be appreciated that specific embodiment described herein is only to explain the application, and
It is not used in restriction the application.
Fig. 1 is the applied environment figure of the authentication identifying method of asymmetric cryptography in one embodiment.With reference to Fig. 1, this is non-right
The authentication identifying method of password is claimed to be applied to the identity identification system of asymmetric cryptography.The identification system of the asymmetric cryptography includes
Terminal 110 and server-side 120.Terminal 110 and server-side 120 pass through network connection.Terminal 110 can be specifically terminal console,
Mobile terminal and other terminal devices that can or need to carry out asymmetric encryption, mobile terminal can be specifically hand
At least one of machine, tablet computer, laptop etc., server-side 120 can use independent server either multiple clothes
The server cluster of business device composition is realized.Terminal 110 holds client digital certificate and client private key D1, server-side 120
Hold server-side digital certificate and server-side private key D2, client private key D1With server-side private key D2Collectively form private key for user
dA, i.e. dA=f (D1,D2).The private key partitioning scheme used in the application one embodiment is dA=D1·D2, it will be understood that
Other private key partitioning schemes can also be used in other embodiment, using other private key partitioning schemes when needs correspondence tune
Synchronizing is rapid.For example, private key partitioning scheme can be dA=D1 -1·D2 -1-1.Server-side 120 to 110 identity of terminal differentiate certification into
Work(can specifically show as terminal 110 can access server-side 120, terminal 110 can be with the system at login service end 120 etc..
Fig. 2 shows the flow diagram of the authentication identifying method of the asymmetric cryptography in one embodiment, the embodiment
In method be applied to the terminal 110 in above-mentioned Fig. 1 or the client that is arranged in terminal 110.With reference to Fig. 2, the embodiment
In the authentication identifying method of asymmetric cryptography specifically comprise the following steps S120 to step S160.
Step S120, initiates identity to server-side 120 and differentiates request, identity differentiates that request includes number clients word certificate.
Terminal 110 is initiated when needing to access server-side 120 or need 120 system of login service end to server-side 120
Identity differentiates request.Identity differentiates that request includes number clients word certificate, and client digital certificate refers to that terminal 110 obtains mutual
The string number of mark communication each side identity information in combined network communication.Identity differentiates that request can be received and rung by server-side 120
Should.
Step S140, receives the identity that server-side 120 returns and differentiates response, identity differentiates that response includes at least server-side
The encrypted result that the first random number is encrypted in 120 client public key based on client digital certificate.
Client public key is part disclosed in cipher key pair with private key for user composition key pair, wherein client public key, and user is private
Key is the private part of cipher key pair.The generating mode of client public key is not unique, can be based in one embodiment following
Formula calculates client public key:
PA=[dA]G
Wherein, PAFor client public key, dAFor private key for user, G is elliptic curve group generation member.
Elliptic curve systems parameter (containing above-mentioned elliptic curve group generation member G), can combine actual techniques needs to be selected
Take, be referred in one embodiment《The 5th part of GMT0003.5-2012SM2 ellipse curve public key ciphers algorithm:Parameter is determined
Justice》Specification makes choice.Relevant parameter includes:Finite field FqScale q, define elliptic curve equation E (Fq) two element a,
b∈Fq, E (Fq) on basic point G=(xG,yG) (G ≠ O), wherein xGAnd yGIt is FqIn two elements;The rank n of G and other are optional
Item (the cofactor h) of such as n.
Server-side 120 differentiates that request is responded after receiving identity and differentiating request, to identity and obtains identity discriminating sound
Should.Different according to the processing mode of response, the identity of acquisition differentiates that response is also different.For example, identity differentiates response at least
The encrypted result that the first random number is encrypted in the client public key based on client digital certificate including server-side 120.
Encrypted result refers to the data handled using Encryption Algorithm the first random number, and the encryption used when being encrypted is calculated
Method is not unique, can be encrypted in one embodiment using SM2 algorithms, elliptic curve systems parameter is referred in algorithm
《The 5th part of GM/T 0003.1-2012SM2 ellipse curve public key ciphers algorithm:Parameter definition》Specification is chosen.Can be with base
Encrypted result is obtained in the following formula:
Wherein, Challenge is encrypted result, and r is the first random number, functionRepresent and use
Public key PSSM2 cryptographic operations are performed to incoming message, SM2 cryptographic operations are performed to the first random number r in above formula.
Step S160, differentiates that response is handled to identity according to client private key component, obtains handling result.
Terminal 110 differentiates that response is handled according to client private key component to identity, and wherein client private key component is
Refer to the client private key component D that terminal 110 is held1, its server-side private key component D held with server-side 1202Collectively form use
Family private key dA, i.e. dA=f (D1,D2).It is appreciated that since server-side may need to carry out body for multiple and different clients
Part verification, therefore, identical or different private key partitioning scheme can be used to different clients, different to be used to client
Private key partitioning scheme exemplified by, above-mentioned client private key component D at this time1With server-side private key component D2Can be held with terminal 110
Some client digital certificates are corresponding.
The private key partitioning scheme used in the application one embodiment can be dA=D1·D2, it will be understood that in other realities
Other private key partitioning schemes can also be used by applying in mode, and using other private key partitioning schemes when needs correspondence adjustment step
Suddenly.For example, private key partitioning scheme can be dA=D1 -1·D2 -1-1.It is appreciated that differentiating the difference of response according to identity, obtain
Handling result also correspond to it is different.
Step S180, sends authentication request, the authentication request is used for based on handling result to server-side 120
Indicate that server-side carries out authentication process.
Terminal 110 is based on handling result and sends authentication request to server-side 120, it will be understood that based on handling result
Difference, the information included in authentication request can be different.In certain embodiments, authentication request can be straight
Connect and include the handling result, can be that the handling result is further processed (to pluck as calculated message in further embodiments
Will) after, the result (such as eap-message digest) after the further processing is included in authentication request, is carried out in following each examples
Illustrate.It is appreciated that accordingly, the difference of the information included in identity-based checking request, corresponding server-side
Authentication process also corresponds to different.
The authentication identifying method of above-mentioned asymmetric cryptography, client public key and server-side are carried using client digital certificate
First random number carries out identity discriminating processing, when client and server-side hold private key component respectively, can equally pass through user
Public key is realized with the private key component that client and server-side are held respectively cooperates with decryption to realize between client and server-side
Client identity is differentiated.
In one embodiment, collaboration decrypting process can be initiated by terminal.At this time, according to client in step S160
Private key component differentiates that the mode that response is handled includes to the identity:According to client private key component and encrypted result,
Generate client deciphering parameter.At this time, the handling result includes client deciphering parameter, can be with above-mentioned authentication request
Including the handling result.What client deciphering parameter referred to that in identity discrimination process terminal 110 generates is used for cooperateing with decryption
Parameter, in this embodiment it is that the parameter for being used for cooperateing with decryption that terminal 110 generates when terminal 110 initiates collaboration decryption.Specifically
It is not unique to obtain the mode of client deciphering parameter, client decryption ginseng can be obtained in one embodiment based on the following formula
Number:
Wherein, u1For client deciphering parameter, D1The client private key component held for terminal,It is terminal 110 from adding
Bit String C is extracted in close result1Afterwards, method Bit String provided by GM/T 0003.1-2012 standards 4.2.4 and 4.2.10
The elliptic curve group element being converted to data type.
In the present embodiment, collaboration decrypting process is initiated by terminal 110, decrypted result is finally obtained simultaneously by server-side 120
Verified, initiate collaboration decrypting process different from server-side 120, be also provided that one kind by client public key and private key for user
Realize and cooperate with decryption between terminal 110 and server-side 120 to realize the method for distinguishing that reflects to 110 identity of terminal.
In one embodiment, collaboration decrypting process can be initiated by server-side.In this embodiment, identity differentiates response
Further include:The server-side deciphering parameter that server-side 120 is determined based on server-side private key component and encrypted result.Server-side decryption ginseng
Number refers to the parameter for being used for cooperateing with decryption generated in server-side 120.In the present embodiment, collaboration solution is initiated by server-side 120
Close process, it will be understood that when the initiation collaboration decryption of terminal 110 initiates to cooperate with decryption with server-side 120, obtained server-side is decrypted
Parameter would also vary from, and the mode for specifically obtaining server-side deciphering parameter is not unique.Sent out with server-side 120 in the embodiment
Exemplified by playing collaboration decryption, server-side deciphering parameter can be obtained based on the following formula:
Wherein, u2For server-side deciphering parameter, D2The server-side private key component held for server-side,For server-side 120
Bit String C is extracted from encrypted result1Afterwards, the method logarithm provided by GM/T 0003.1-2012 standards 4.2.4 and 4.2.10
The elliptic curve group element being converted to according to type.
Accordingly, in the embodiment, the identity is differentiated at response according to client private key component in step S160
The mode of reason comprises the following steps:
According to client private key component and server-side deciphering parameter generation client deciphering parameter;
Encrypted result is decrypted according to client deciphering parameter, obtains decrypted result, handling result includes decryption and ties
Fruit.
Terminal 110 generates client deciphering parameter according to client private key component and server-side deciphering parameter, specific to obtain
Mode to client deciphering parameter is not unique, in one embodiment, when server-side 120 initiates collaboration decryption, and terminal 110
Client client deciphering parameter can be obtained based on the following formula:
u1=[D1]u2
Wherein, u1For client deciphering parameter, u2The server-side for initiating to obtain during collaboration decryption for server-side 120 decrypts ginseng
Number, D1The client private key component held for the client of terminal 110.
Terminal 110 is decrypted encrypted result according to client deciphering parameter, obtains decrypted result, at this time above-mentioned processing
As a result include decrypted result, can include the decrypted result in above-mentioned authentication request.Decrypted result refers to calculate using decryption
The data that encrypted result is decrypted in method, the decipherment algorithm of use is not unique, corresponding to above-mentioned steps S140
Embodiment in the Encryption Algorithm that uses, corresponding decipherment algorithm obtains encrypted result based on the following formula:
Wherein, r ' is decrypted result, and Challenge is encrypted result,Representative uses user
Private key dATo perform SM2 decryption oprerations to incoming message.It is appreciated that the server-side deciphering parameter sended over due to server-side
It is to be based on server-side key components D2Obtain, and the client deciphering parameter of client generation is to be based on client key component D1
Obtain, and client key component D1With server-side key components D2It is by private key for user dADecompose and obtain, therefore, client can
With based on private key for user dADecrypting process is completed, specific manner of decryption the present embodiment does not limit.
In the present embodiment, by server-side 120 initiate collaboration decrypting process, terminal 110 generate decrypted result send to by
Server-side 120, is verified by server-side 120, and collaboration decrypting process is initiated different from terminal 110, is also provided that a kind of logical
Cross client public key and private key for user and realize and cooperateing with decryption to reflect to realize to 110 identity of terminal between terminal 110 and server-side 120
Method for distinguishing.
In one embodiment, shared key can also be negotiated between terminal and server-side, with terminal and service
Escape way is established between end, realizes the secrecy transmission of communication data.Accordingly, in this embodiment, as shown in figure 3, in step
Before S120, step S110 can also be included.
Step S110, generate the second random number, and the client public key based on client digital certificate to the second random number into
Row encryption obtains the first shared key parameter.
At this time, identity differentiates that request further includes the first shared key parameter, and identity differentiates that response further includes server-side 120
The second shared key parameter that the 3rd random number is encrypted in client public key based on client digital certificate.
In this embodiment, terminal 110 generates the second random number, and the second random number is encrypted based on client public key
Obtain the first shared key parameter.First shared key parameter refers to that terminal 110 passes through encryption for generation client shared key
Handle obtained intermediate parameters.The Encryption Algorithm of use is not unique, and in one embodiment, the Encryption Algorithm of use can be based on
The following formula obtains the first shared key parameter:
T1=[a] PA
Wherein, T1For the first shared key parameter, a is the second random number, PAFor client public key.
At this time, before step S180 sends authentication request based on the handling result to the server-side, may be used also
With including step S166.
Step S166, client shared key is calculated according to the second random number and the second shared key parameter.
Client shared key refers to that terminal 110 is used for establishing the information transmission security passage between server-side 120
Key.The mode of client shared key is calculated not according to the second random number and the second shared key parameter in terminal 110
Uniquely, client shared key can be obtained based on the following formula in one embodiment:
(x1,y1)=[a] T2
K0=KDF (x1||y1,klen)
Wherein, (x1,y1) it is elliptic curve group element, a is the second random number, T2For the second shared key parameter, K0For visitor
Family end shared key, wherein | | represent splicing, KDF (*) is pre-defined cipher key derivation function, and klen states the bit of output
String length.
In the present embodiment, terminal 110 and server-side 120 perform one based on ellipse while identity discriminating is completed
The ECDH agreements of circular curve cipher system, shared key through consultation so that communicating pair establishes escape way, realizes
To the secrecy transmission of communication data, the reliability that identity differentiates is improved.
In one embodiment, server-side identity can be also authenticated, to realize two-way discriminating.In this embodiment,
Above-mentioned identity differentiates that response can also include:Server-side digital certificate and digital signature result.Server-side digital certificate refers to
The string number of mark communication each side identity information, digital signature result refer to take in the internet communication that server-side 120 obtains
The data for being used to prove 120 own identification of server-side that business end 120 generates.
In the embodiment, after above-mentioned steps S140, before step S160, it can also include:Service for checking credentials end numeral
Certificate and server-side digital signature result.
The method of 110 service for checking credentials end digital certificate of terminal and server-side digital signature result is not unique, a reality
Apply in example, terminal 110 first verifies the validity of server-side digital certificate and its certificate chain, then is corresponded to by server-side digital certificate
Public key verifications digital signature result validity, when verification result is effective, then carry out step S160.
In the present embodiment, by being verified to the server-side digital certificate of server-side 120 so that terminal 110 can lead to
The identity at the server-side digital certificate trust service end 120 at service for checking credentials end 120 is crossed, man-in-the-middle attack is avoided, improves body
The reliability that part differentiates.
In one embodiment, secret protection can also be completed by calculating eap-message digest.Fig. 4 shows the embodiment
In identity discrimination process flow diagram.As shown in figure 4, in this embodiment, after step S160, step S180 it
Before, further include step S170.
Step S170, calculates the eap-message digest of handling result, obtains client message summary.
At this time, it is to include the client message summary, i.e., eventually in the authentication request that above-mentioned steps S180 is sent
Handling result is not directly sent to server-side 120 by end by authentication request, but will be calculated for handling result
To client message summary be sent to server-side 120, with achieve the purpose that protect privacy of user.Terminal 110 calculates processing knot
The method of the eap-message digest of fruit is not unique, can such as be plucked by obtaining the client message to handling result progress hash computing
Will.In one specific example, when handling result is decrypted result, client message summary can be obtained based on the following formula:
R=SM3_Hash (r ')
Wherein, R makes a summary for client message, and SM3_Hash (*) is pre-defined hash function, and r ' is decrypted result.
In the present embodiment, the handling results such as decrypted result are not directly transmitted directly to server-side 120 by terminal 110,
But the eap-message digest for calculating handling result is sent to server-side 120, server-side 120 judges end by verifying SM3 summaries
Hold 110 decrypted results whether correct, effectively prevent dishonest server-side using the collaboration decryption step in identity authentication protocol
The rapid sensitive data that storage is encrypted to cheat client decrypted user in server-side, improves the security of agreement.
In one embodiment, privacy can also be completed after shared key is negotiated, then by calculating eap-message digest
Protection.Accordingly, in this embodiment, with reference to shown in Fig. 3, Fig. 4, before step S120, step S110 can also be included.
Step S110, generate the second random number, and the client public key based on client digital certificate to the second random number into
Row encryption obtains the first shared key parameter.
At this time, identity differentiates that request further includes the first shared key parameter, and the first shared key parameter refers to terminal 110
The intermediate parameters obtained for generation client shared key by encryption, generate the mode of the first shared key parameter not
Uniquely, the first shared key parameter can be obtained in one embodiment based on the following formula:
T1=[a] PA
Wherein, T1For the first shared key parameter, a is the second random number, PAFor client public key.
In the case, identity differentiates that response further includes client public key pair of the server-side 120 based on client digital certificate
The second shared key parameter that 3rd random number is encrypted.
At this time, before step S180 sends authentication request based on the handling result to the server-side, may be used also
With including step S166 and step S170.
Step S166, client shared key is calculated according to the second random number and the second shared key parameter;
Client shared key refers to that terminal 110 is used for establishing the information transmission security passage between server-side 120
Key.The mode of client shared key is calculated not according to the second random number and the second shared key parameter in terminal 110
Uniquely, client shared key can be obtained based on the following formula in one embodiment:
(x1,y1)=[a] T2
K0=KDF (x1||y1,klen)
Wherein, (x1,y1) it is elliptic curve group element, a is the second random number, T2For the second shared key parameter, K0For visitor
Family end shared key, wherein | | represent splicing, KDF (*) is pre-defined cipher key derivation function, and klen states the bit of output
String length.
Step S170, eap-message digest is calculated based on client shared key and handling result, obtains client message summary.
The method that terminal 110 calculates eap-message digest is not unique, and the client message can be such as obtained by hash computing
Summary.In one specific example, when handling result is decrypted result, client message can be obtained based on the following formula and plucked
Will:
R=SM3_Hash (r ' | | K0)
Wherein, R makes a summary for client message, and SM3_Hash (*) is pre-defined hash function, and r ' is decrypted result,
K0For client shared key.
In the present embodiment, terminal 110 and server-side 120 are not only shared through consultation while identity discriminating is completed
Key causes communicating pair to establish escape way, realizes the secrecy transmission to communication data, improve identity discriminating can
By property, and the handling results such as decrypted result are not directly transmitted directly to server-side 120, but calculate handling result
Eap-message digest be sent to server-side 120, effectively prevent dishonest server-side using the collaboration solution in identity authentication protocol
Close step encrypts the sensitive data of storage to cheat client decrypted user in server-side, improves the security of agreement.
Fig. 5 shows the flow diagram of the authentication identifying method of the asymmetric cryptography in another embodiment, the implementation
Method in example is applied to the server-side 120 in above-mentioned Fig. 1.With reference to Fig. 5, the identity of the asymmetric cryptography in the embodiment differentiates
Method specifically comprises the following steps S220 to step S280.
Step S220, receives the identity that client is sent and differentiates request, identity differentiates that request includes number clients word certificate.
Step S240, after verification client digital certificate is effective, the client public key based on client digital certificate is to first
Acquisition encrypted result is encrypted in random number, and returns to identity discriminating response to client, and identity differentiates that response includes at least and adds
Close result.
Server-side 120 first verifies whether number clients word certificate is effective, works as client after receiving identity and differentiating request
When certificate is effective, then request, which is responded, to be differentiated to identity and obtains identity discriminating response.Different, the body according to the processing mode of response
It is different that part differentiates that response also corresponds to.For example, identity differentiates that response is based on client digital certificate including at least server-side 120
Client public key encrypted result that the first random number is encrypted.Encrypted result refer to using Encryption Algorithm to first with
The data that machine number is handled, the Encryption Algorithm of use is not unique, and the Encryption Algorithm used in one embodiment can base
Encrypted result is obtained in the following formula:
Wherein, Challenge is encrypted result, and r is the first random number, functionRepresent and use
Public key PATo perform SM2 cryptographic operations to incoming message, SM2 cryptographic operations are performed to the first random number r in above formula.
Step S260, receives client and is based on differentiating the identity according to client private key component response carries out processing and obtains
The authentication request that the handling result obtained returns.
Server-side 120 receives the authentication request that client returns, and differentiates the processing of response to identity according to client
Difference, above-mentioned handling result also corresponds to different.Difference based on handling result, the information included in authentication request
Can be different, accordingly, authentication process would also vary from.In certain embodiments, authentication request can
Can be that the handling result is further processed (as calculated to disappear in further embodiments directly to include the handling result
Breath summary) after, the result (such as eap-message digest) after the further processing is included in authentication request, in following each examples
It is illustrated.
Step S280, carries out authentication process according to authentication request, obtains authentication result.
Server-side 120 carries out authentication process according to authentication request, according to the letter included in authentication request
The difference of breath, corresponding authentication process mode are also different.
The authentication identifying method of above-mentioned asymmetric cryptography, client public key and server-side are carried using client digital certificate
First random number carries out identity discriminating processing, when client and server-side hold private key component respectively, can equally pass through user
Public key is realized with the private key component that client and server-side are held respectively cooperates with decryption to realize between client and server-side
Client identity is differentiated.
In one embodiment, collaboration decrypting process can be initiated by client terminals.At this time, the handling result can
With the client deciphering parameter generated including client according to client private key component and encrypted result, in above-mentioned authentication
It can include the handling result in request.In this embodiment, above-mentioned steps S280 is tested according to authentication request progress identity
The mode that card processing obtains authentication result may comprise steps of:
According to client deciphering parameter, server-side private key component generation server-side deciphering parameter;
Encrypted result is decrypted according to server-side deciphering parameter, obtains decrypted result;
Compare the uniformity of decrypted result and the first random number, obtain authentication result.
Server-side deciphering parameter refers to the parameter for being used for cooperateing with decryption generated in server-side 110.Terminal 110 initiates collaboration
Decrypt the server-side deciphering parameter for initiating to cooperate with decryption to obtain with server-side 120 will be different, specifically obtain server-side decryption
The mode of parameter is not also unique, and in the embodiment that the terminal 110 initiates collaboration decryption, server-side can be based on the following formula
Obtain server-side deciphering parameter:
u2=[D2]u1
Wherein, u2For server-side deciphering parameter, u1The client deciphering parameter in authentication request is sent for client,
D2The server-side private key component held for server-side.
Decrypted result refers to the data that encrypted result is decrypted using decipherment algorithm, and the decryption of use is calculated
Method is not unique, corresponding to the Encryption Algorithm used in the embodiment in above-mentioned steps S240, corresponding decipherment algorithm be based on
Lower formula obtains decrypted result:
Wherein, r ' is decrypted result, and Challenge is encrypted result,Representative uses user
Private key dATo perform SM2 decryption oprerations to incoming message.It is appreciated that since server-side is sent to the server-side decryption of client
Parameter is to be based on server-side key components D2Obtain, and the client deciphering parameter of client generation is based on client key point
Measure D1Obtain, and client key component D1With server-side key components D2It is by private key for user dADecompose and obtain, therefore, client
End can be based on private key for user dADecrypting process is completed, specific manner of decryption the present embodiment does not limit.
Server-side 120 compares the uniformity of decrypted result and the first random number, when decrypted result is consistent with the first random number
When, authentication result is to be differentiated by identity;When decrypted result and inconsistent the first random number, authentication result is not
Have and differentiated by identity.
In the present embodiment, collaboration decrypting process is initiated by terminal 110, decrypted result is finally obtained simultaneously by server-side 120
Verified, initiate collaboration decrypting process different from server-side 120, be also provided that one kind by client public key and private key for user
Realize and cooperate with decryption between terminal 110 and server-side 120 to realize the method for distinguishing that reflects to 110 identity of terminal.
In one embodiment, collaboration decrypting process can be initiated by server-side.In this embodiment, in step S240
After obtaining encrypted result, before returning to identity discriminating response, further include:Determine to take based on server-side private key component and encrypted result
Business end deciphering parameter.
Server-side deciphering parameter refers to the parameter for being used for cooperateing with decryption generated in server-side 120.It is appreciated that terminal
When initiating to cooperate with decryption with server-side 120 during 110 initiation collaboration decryption, obtained server-side deciphering parameter can be different,
The mode for specifically obtaining server-side deciphering parameter is not unique.Using in the embodiment server-side 120 initiate collaboration decrypting process as
Example, can obtain server-side deciphering parameter based on the following formula:
Wherein, u2For server-side deciphering parameter, D2The server-side private key component held for server-side,For server-side 120 from
Bit String C is extracted in encrypted result1Afterwards, the method provided by GM/T 0003.1-2012 standards 4.2.4 and 4.2.10 is to data
The elliptic curve group element that type is converted to.
At this time, in this embodiment, identity differentiates that response further includes server-side deciphering parameter;Above-mentioned handling result includes visitor
Family end client deciphering parameter is obtained according to client private key component and server-side deciphering parameter after, according to client deciphering parameter
Encrypted result is decrypted the decrypted result of acquisition, above-mentioned authentication request includes the handling result.Above-mentioned steps
S280 can specifically include:Compare the uniformity of decrypted result and the first random number, obtain authentication result.
In the present embodiment, by server-side 120 initiate collaboration decrypting process, terminal 110 generate decrypted result send to by
Server-side 120, is verified by server-side 120, and collaboration decrypting process is initiated different from terminal 110, is also provided that a kind of logical
Cross client public key and private key for user and realize and cooperateing with decryption to reflect to realize to 110 identity of terminal between terminal 110 and server-side 120
Method for distinguishing.
In one embodiment, shared key can also be negotiated between terminal and server-side, with terminal and service
Escape way is established between end, realizes the secrecy transmission of communication data.Accordingly, in this embodiment, identity differentiates that request is also wrapped
Include the first shared key ginseng that the second random number is encrypted in client public key of the client based on client digital certificate
Number.
In this embodiment, in step S240 after encrypted result is obtained, before returning to identity discriminating response, further include:
The 3rd random number is encrypted based on client public key and obtains the second shared key parameter.
At this time, above-mentioned identity differentiates that response further includes the second shared key parameter, and above-mentioned handling result includes client root
The client shared key obtained according to the first shared key parameter and the second shared key parameter.Second shared key parameter refers to
The intermediate parameters that server-side 120 obtains for generation client shared key by encryption.The Encryption Algorithm of use is not only
One, in one embodiment, the Encryption Algorithm of use can obtain the second shared key parameter based on the following formula:
T2=[b] PA
Wherein, T2For server-side key parameter, b is the 3rd random number, PAFor client public key.
In this embodiment, above-mentioned handling result can be included in authentication request, i.e. authentication request includes institute
State client shared key.At this time, above-mentioned steps S280 specifically may comprise steps of:
Server-side shared key is calculated according to the 3rd random number and the first shared key parameter;
Authentication is carried out according to client shared key and server-side shared key, obtains authentication result.Service
End shared key refers to that server-side 120 is used for establishing the key of the information transmission security passage between terminal 110.Server-side
120 be calculated according to the 3rd random number and the first shared key parameter server-side shared key mode it is not unique, one
Server-side shared key can be obtained based on the following formula in embodiment:
(x2,y2)=[b] T1
K=KDF (x2||y2,klen)
Wherein, (x2,y2) it is elliptic curve group element, b is the second random number, T1For the first close shared key parameter, K is clothes
Business end shared key, wherein | | represent splicing, KDF (*) is pre-defined cipher key derivation function, and klen states the bit of output
String length.
It is appreciated that under normal circumstances, the client shared key and server-side shared key calculated should be identical,
What i.e. client and server-side were held is actually the client shared key that the application refers to, service with a shared key
End shared key is only that the difference based on processing side is nominally distinguishing.
In the present embodiment, terminal 110 and server-side 120 perform one based on ellipse while identity discriminating is completed
The ECDH agreements of circular curve cipher system, shared key through consultation so that communicating pair establishes escape way, realizes
To the secrecy transmission of communication data, the reliability that identity differentiates is improved.
In one embodiment, server-side identity can be also authenticated, to realize two-way discriminating.In this embodiment,
In step S240 after encrypted result is obtained, before returning to identity discriminating response, further include:According to server-side digital certificate pair
The private key answered performs digital signature, obtains digital signature result.
At this time, identity differentiates that response further includes:Server-side digital certificate and digital signature result.120 basis of server-side
The corresponding private key of server-side digital certificate performs digital signature, and it is not unique to perform the mode of digital signature, in one embodiment,
Digital signature result can be obtained based on the following formula:
Wherein, S1For digital signature result, Challenge is encrypted result, u2For server-side deciphering parameter, | | represent to spell
Connect,Representative uses 120 corresponding private key S of server-sideSCTo perform SM2 signature operations to incoming message.
In the present embodiment, signed by the server-side digital certificate of server-side 120 so that terminal 110 can pass through
The identity at the server-side digital certificate trust service end 120 at service for checking credentials end 120, avoids man-in-the-middle attack, improves identity
The reliability of discriminating.
In one embodiment, secret protection can also be completed by calculating eap-message digest.At this time, above-mentioned client's end group
In handling result return authentication request in, including be not handling result in itself, but for handling result calculate
Obtained client message summary, to achieve the purpose that to protect privacy of user.At this time, the step S280 in the embodiment include with
Lower step:
Calculate and determine server-side eap-message digest;
Compare the uniformity of client message summary and server-side eap-message digest, obtain authentication result.
Server-side eap-message digest refers to that server-side 120 carries out data the summary that computing obtains.Clothes are calculated in server-side
The method for end eap-message digest of being engaged in is not unique, such as can obtain the server-side eap-message digest by carrying out hash computing.One tool
In body example, server-side eap-message digest can be obtained based on the following formula:
R '=SM3_Hash (r)
Wherein, R ' is server-side eap-message digest, and SM3_Hash (*) is pre-defined hash function, and r is random for first
Number.
In another embodiment, following formula are also based on and calculate server-side eap-message digest:
R '=SM3_Hash (r | | K)
Wherein, R ' is server-side eap-message digest, and SM3_Hash (*) is pre-defined hash function, and r is random for first
Number, K is server-side shared key.
So as to not only negotiate shared key between terminal and server-side, be pacified with being established between terminal and server-side
Full tunnel, while complete secret protection by calculating eap-message digest.
Server-side 120 compares the uniformity of client message summary and server-side eap-message digest, when client message is made a summary
When consistent with server-side eap-message digest, authentication result is to be differentiated by identity;When client message summary and server-side disappear
When breath summary is inconsistent, authentication result is to differentiate not over identity.
In the present embodiment, the handling results such as decrypted result are not directly transmitted directly to server-side 120 by terminal 110,
But the eap-message digest (SM3 summaries) for calculating handling result is sent to server-side 120, server-side 120 is by verifying that SM3 makes a summary
To judge whether 110 decrypted result of terminal is correct, dishonest server-side is effectively prevent using the association in identity authentication protocol
Sensitive data of the client decrypted user in server-side encryption storage is cheated with decryption step, improves the security of agreement.
As shown in fig. 6, in one embodiment, there is provided a kind of identification device of asymmetric cryptography.The present embodiment
Mainly illustrated with the device applied to the terminal 110 in above-mentioned Fig. 1.With reference to Fig. 6, the identity of the asymmetric cryptography differentiates
Device specifically includes as follows:
Differentiate request sending module 112, differentiate request for initiating identity to server-side, identity differentiates that request includes client
Hold digital certificate;
Receiving module 114 is responded, the identity for receiving server-side return differentiates response, and identity differentiates that response includes at least
The encrypted result that the first random number is encrypted in client public key of the server-side based on client digital certificate;
Response processing module 116, for differentiating that response is handled to identity according to client private key component, is handled
As a result;
Checking request sending module 118, for sending authentication request, the identity to server-side based on handling result
Checking request is used to indicate that server-side carries out authentication process.
The device is further included to be write in method with the above-mentioned corresponding module of step in method by taking terminal as an example, effect
Go out, which is not described herein again.
As shown in fig. 7, in one embodiment, there is provided a kind of identification device of asymmetric cryptography.The present embodiment
Mainly illustrated with the device applied to the server-side 120 in above-mentioned Fig. 1.With reference to Fig. 7, the identity of the asymmetric cryptography is reflected
Other device specifically includes as follows:
Differentiate request receiving module 122, the identity for receiving client transmission differentiates request, and identity differentiates that request includes
Client digital certificate;
Differentiate ask respond module 124, after verifying that client digital certificate is effective, based on client digital certificate
The first random number is encrypted acquisition encrypted result in client public key, and returns to identity to client and differentiate response, and identity differentiates
Response includes at least encrypted result;
Checking request receiving module 126, is based on reflecting to the identity according to client private key component for receiving client
The authentication request that the handling result of processing acquisition returns should be carried out by holding your noise;
Block 128 is asked in verification processing, for carrying out authentication process according to authentication request, obtains authentication knot
Fruit.
The device is further included to be write in method with the above-mentioned corresponding module of step in method by taking server-side as an example, effect
Go out, which is not described herein again.
The identification device of above-mentioned asymmetric cryptography, client public key and server-side are carried using client digital certificate
First random number carries out identity discriminating processing, when client and server-side hold private key component respectively, can equally pass through user
Public key is realized with the private key component that client and server-side are held respectively cooperates with decryption to realize between client and server-side
Client identity is differentiated.
It is illustrated below in conjunction with the interaction flow of the identity discrimination process in wherein several specific examples, due to body
Collaboration decrypting process in part discrimination process, can be initiated by client, can also be initiated by server-side, and by different initiations
When side is to initiate collaboration decrypting process, obtained deciphering parameter may and differ, therefore, in saying for following each specific examples
In bright, following setting is done:
When server-side initiates collaboration decrypting process, server-side deciphering parameter that server-side obtains is known as server-side first and decrypts
The client deciphering parameter that parameter, client obtain is known as the first deciphering parameter of client;
When client initiates collaboration decrypting process, server-side deciphering parameter that server-side obtains is known as server-side second and decrypts
The client deciphering parameter that parameter, client obtain is known as the second deciphering parameter of client.
Fig. 8 shows the interaction flow schematic diagram of the identity discrimination process in a specific example, in the specific example with
Server-side is initiated to illustrate exemplified by collaboration decrypting process.As shown in figure 8, the interaction of the identity discrimination process in the specific example
Flow is as described below.
Terminal 110 sends identity and differentiates request to server-side 120, and identity differentiates that request includes number clients word certificate, visitor
Client public key is carried in the digital certificate of family end.
Server-side 120 verifies client digital certificate, when being verified, extracts client public key;The selection of server-side 120 the
One random number, with client public key to the first random number encryption, obtains encrypted result;Based on encrypted result, privacy key component
Calculate, obtain the first deciphering parameter of server-side, return to identity and differentiate response to terminal 110, identity differentiates that response includes encryption knot
The first deciphering parameter of fruit and server-side.
Terminal 110 generates the first deciphering parameter of client according to client private key component and the first deciphering parameter of server-side;
Encrypted result is decrypted according to the first deciphering parameter of client, obtains decrypted result;And initiate identity to server-side 120 and test
Card request, authentication request include decrypted result.
Server-side 120 compares the first random number and the uniformity of decrypted result, obtains identity identification result;Work as decrypted result
When consistent with the first random number, authentication result is to be differentiated by identity;When decrypted result and inconsistent the first random number,
Authentication result is to differentiate not over identity.
Fig. 9 shows the interaction flow schematic diagram of the identity discrimination process in another specific example, in the specific example
Illustrated so that client initiates collaboration decrypting process as an example.As shown in figure 9, the friendship of the identity discrimination process in the specific example
Mutual flow is as described below.
Terminal 110 sends identity and differentiates request to server-side 120, and identity differentiates that request includes number clients word certificate, demonstrate,proves
Client public key is carried in book.
Server-side 120 verifies client digital certificate, when being verified, extracts client public key;The selection of server-side 120 the
One random number, with client public key to the first random number encryption, obtains encrypted result;Returning to identity differentiates response to terminal 110, body
Part differentiates that response includes encrypted result.
Terminal 110 is based on encrypted result, client private key component calculates, and obtains the second deciphering parameter of client;Terminal 110
Authentication request is initiated to server-side 120, authentication request includes the second deciphering parameter of client.
Server-side 120 is based on the second deciphering parameter of client, privacy key component calculates, and obtains server-side second and decrypts
Parameter;Encrypted result is decrypted according to the second deciphering parameter of server-side, obtains decrypted result;And compare the first random number with
The uniformity of decrypted result, obtains identity identification result;When decrypted result is consistent with the first random number, authentication result is
Differentiated by identity;When decrypted result and inconsistent the first random number, authentication result is to differentiate not over identity.
Figure 10 shows the interaction flow schematic diagram of the identity discrimination process in another specific example, in the specific example
Illustrated so that server-side initiates collaboration decrypting process and calculates eap-message digest as an example.As shown in Figure 10, in the specific example
The interaction flow of identity discrimination process is as described below.
Terminal 110 sends identity and differentiates request to server-side 120, and identity differentiates that request includes number clients word certificate, demonstrate,proves
Client public key is carried in book.
Server-side 120 verifies client digital certificate, when being verified, extracts client public key;The selection of server-side 120 the
One random number, with client public key to the first random number encryption, obtains encrypted result;Based on encrypted result, privacy key component
Calculate, obtain the first deciphering parameter of server-side, return to identity and differentiate response to terminal 110, identity differentiates that response includes encryption knot
The first deciphering parameter of fruit and server-side.
Terminal 110 generates the first deciphering parameter of client according to client private key component and the first deciphering parameter of server-side;
Encrypted result is decrypted according to the first deciphering parameter of client, obtains decrypted result;Client is calculated according to decrypted result
Eap-message digest;Terminal 110 initiates authentication request to server-side 120, and authentication request is made a summary including client message.
Server-side 120 calculates the server-side eap-message digest of the first random number;Compare server-side eap-message digest with client to disappear
The uniformity of summary is ceased, obtains identity identification result;When server-side eap-message digest and consistent client message summary, identity is tested
Card result is to be differentiated by identity;When server-side eap-message digest and inconsistent client message summary, authentication result is
Do not differentiated by identity.
Figure 11 shows the interaction flow schematic diagram of the identity discrimination process in another specific example, in the specific example
Illustrated so that server-side initiates collaboration decrypting process and negotiates shared key as an example.As shown in figure 11, in the specific example
Identity discrimination process interaction flow it is as described below.
Terminal 110 generates the second random number, and is encrypted with client public key to obtain the first shared key parameter;Terminal 110 is sent out
Identity is sent to differentiate request to server-side 120, identity differentiates that request includes the first shared key parameter and client digital certificate, demonstrate,proves
Client public key is carried in book.
Server-side 120 verifies client digital certificate, when being verified, extracts client public key;The selection of server-side 120 the
One random number, with client public key to the first random number encryption, obtains encrypted result;Based on encrypted result, privacy key component
Calculate, obtain the first deciphering parameter of server-side;Generate the 3rd random number, and encrypt to obtain the second shared key with client public key and join
Number;Return to identity and differentiate response to terminal 110, identity differentiate response include encrypted result, the first deciphering parameter of server-side and
Second shared key parameter.
Terminal 110 generates the first deciphering parameter of client according to client private key component and the first deciphering parameter of server-side;
Encrypted result is decrypted according to the first deciphering parameter of client, obtains decrypted result;Shared according to the second random number, second
Client shared key is calculated in key parameter;Client message summary is calculated according to client shared key, decrypted result;
Terminal 110 initiates authentication request to server-side 120, and authentication request is made a summary including client message.
Server-side shared key is calculated according to the 3rd random number, the first shared key parameter in server-side 120;According to clothes
End shared key, the first random number of being engaged in calculate server-side eap-message digest;Compare server-side eap-message digest to make a summary with client message
Uniformity, obtain identity identification result;When server-side eap-message digest and consistent client message summary, authentication result
To be differentiated by identity;When server-side eap-message digest and inconsistent client message summary, authentication result is without logical
Cross identity discriminating.
Figure 12 shows the interaction flow schematic diagram of the identity discrimination process in another specific example, in the specific example
Collaboration decrypting process is initiated by server-side and server-side is digitally signed and is illustrated exemplified by being verified to server-side.
As shown in figure 12, the interaction flow of the identity discrimination process in the specific example is as described below.
Terminal 110 sends identity and differentiates request to server-side 120, and identity differentiates that request includes number clients word certificate, demonstrate,proves
Client public key is carried in book.
Server-side 120 verifies client digital certificate, when being verified, extracts client public key;The selection of server-side 120 the
One random number, with client public key to the first random number encryption, obtains encrypted result;Based on encrypted result, privacy key component
Calculate, obtain the first deciphering parameter of server-side;Solved with the corresponding private key pair encryption result of server-side digital certificate, server-side first
Close parameter performs signature operation, obtains signature result;Identity discriminating response is returned to terminal 110, identity differentiates that response includes adding
Close result, the first deciphering parameter of server-side, server-side digital certificate and signature result.
110 service for checking credentials end digital certificate of terminal and signature result;When being verified, according to client private key component and
The first deciphering parameter of server-side generates the first deciphering parameter of client;Encrypted result is carried out according to the first deciphering parameter of client
Decryption, obtains decrypted result;Terminal 110 initiates authentication request to server-side 120, and authentication request includes decryption and ties
Fruit.
Server-side 120 compares the first random number and the uniformity of decrypted result, obtains identity identification result;Work as decrypted result
When consistent with the first random number, authentication result is to be differentiated by identity;When decrypted result and inconsistent the first random number,
Authentication result is to differentiate not over identity.
Figure 13 shows the interaction flow schematic diagram of the identity discrimination process in another specific example, in the specific example
With server-side initiate collaboration decrypting process and negotiating about cipher key shared, calculate eap-message digest and server-side be digitally signed with
Illustrated exemplified by being verified to server-side.As shown in figure 13, the interaction flow of the identity discrimination process in the specific example
As described below.
Terminal 110 generates the second random number, and is encrypted with client public key to obtain the first shared key parameter;Terminal 110 is sent out
Identity is sent to differentiate request to server-side 120, identity differentiates that request includes the first shared key parameter and client digital certificate, demonstrate,proves
Client public key is carried in book.
Server-side 120 verifies client digital certificate, when being verified, extracts client public key;The selection of server-side 120 the
One random number, with client public key to the first random number encryption, obtains encrypted result;Based on encrypted result, privacy key component
Calculate, obtain the first deciphering parameter of server-side;Solved with the corresponding private key pair encryption result of server-side digital certificate, server-side first
Close parameter performs signature operation, obtains signature result;Generate the 3rd random number, and with client public key encrypt to obtain second shared close
Key parameter;Return to identity and differentiate response to terminal 110, identity differentiate response include encrypted result, the first deciphering parameter of server-side,
Second shared key parameter, server-side digital certificate and signature result.
110 service for checking credentials end digital certificate of terminal and signature result;When being verified, according to client private key component and
The first deciphering parameter of server-side generates the first deciphering parameter of client;Encrypted result is carried out according to the first deciphering parameter of client
Decryption, obtains decrypted result;Client shared key is calculated according to the second random number, the second shared key parameter;According to
Client shared key, decrypted result calculate client message summary;Terminal 110 initiates authentication request to server-side 120,
Authentication request is made a summary including client message.
Server-side shared key is calculated according to the 3rd random number, the first shared key parameter in server-side 120;According to clothes
End shared key, the first random number of being engaged in calculate server-side eap-message digest;Compare server-side eap-message digest to make a summary with client message
Uniformity, obtain identity identification result;When server-side eap-message digest and consistent client message summary, authentication result
To be differentiated by identity;When server-side eap-message digest and inconsistent client message summary, authentication result is without logical
Cross identity discriminating.
With reference to above-described each embodiment, it is assumed that user terminal Bob, server-side Alice, one of them is specific double
The process of Fang Xietong decryption can be discussed further below.
Alice obtains SM2 ciphertexts (i.e. encrypted result) C=C1||C3||C2, Bit String C is extracted from ciphertext C1, and press
The method that GM/T 0003.1-2012 standards 4.2.4 and 4.2.10 are provided changes data type, obtains elliptic curve group
ElementThen verifyWhether it is elliptic curve E (Fq) infinite point, if then prompting mistake and exiting decryption flow.
If it is not, the private key component D that Alice is held using it1The deciphering parameter of Alice is calculated (if Alice is in service
End, then be above-mentioned server-side deciphering parameter)And by T1It is sent to Bob.
After Bob receives T1, the private key component D that is held based on itself2Calculate the deciphering parameter T of Bob2=[D2]T1, then
Calculate(x2,y2) it is elliptic curve group element.
Bob calculates shared key t=KDF (x2||y2, klen), wherein | | represent splicing, KDF (*) is close for what is pre-defined
Key generating function, the bit-string length of klen statement outputs.If t is full 0 Bit String, reports an error and exit.
If t is not full 0 Bit String, Bob extracts Bit String C from ciphertext C2, and calculateWhereinRepresent
Step-by-step XOR operation.
Bob calculates eap-message digest u=Hash (x2||M′||y2), Bit String C is then extracted from ciphertext C3If u ≠ C3Then
Report an error and exit.
If u=C3Then Bob export plaintext M '.
Based on example as described above, a kind of computer equipment is also provided in one embodiment, the computer equipment bag
The computer program that includes memory, processor and storage on a memory and can run on a processor, wherein, processor performs
Realized during described program such as the method for any one embodiment in the various embodiments described above.
One of ordinary skill in the art will appreciate that realize all or part of flow in above-described embodiment method, being can be with
Relevant hardware is instructed to complete by computer program, it is non-volatile computer-readable that the program can be stored in one
Take in storage medium, in the embodiment of the present invention, which can be stored in the storage medium of computer system, and be calculated by this
At least one processor in machine system performs, to realize the flow for including the embodiment such as above-mentioned each method.Wherein, it is described
Storage medium can be magnetic disc, CD, read-only memory (Read-Only Memory, ROM) or random access memory
(Random Access Memory, RAM) etc..
Accordingly, a kind of storage medium is also provided in one embodiment, is stored thereon with computer program, wherein, the journey
Realized when sequence is executed by processor such as the method for any one embodiment in the various embodiments described above.
Each technical characteristic of embodiment described above can be combined arbitrarily, to make description succinct, not to above-mentioned reality
Apply all possible combination of each technical characteristic in example to be all described, as long as however, the combination of these technical characteristics is not deposited
In contradiction, the scope that this specification is recorded all is considered to be.
Embodiment described above only expresses the several embodiments of the present invention, its description is more specific and detailed, but simultaneously
Cannot therefore it be construed as limiting the scope of the patent.It should be pointed out that come for those of ordinary skill in the art
Say, without departing from the inventive concept of the premise, various modifications and improvements can be made, these belong to the protection of the present invention
Scope.Therefore, the protection domain of patent of the present invention should be determined by the appended claims.
Claims (16)
- A kind of 1. authentication identifying method of asymmetric cryptography, it is characterised in that the described method includes:Identity is initiated to server-side and differentiates request, and the identity differentiates that request includes number clients word certificate;Receive the identity that the server-side returns and differentiate response, the identity differentiates that response is based on the visitor including at least server-side The encrypted result that the first random number is encrypted in the client public key of family end digital certificate;Response, which is handled, to be differentiated to the identity according to client private key component, obtains handling result;Authentication request is sent to the server-side based on the handling result, the authentication request is used to indicate described Server-side carries out authentication process.
- 2. the authentication identifying method of asymmetric cryptography according to claim 1, it is characterised in that:The mode that response is handled, which includes, to be differentiated to the identity according to client private key component:According to the client private key Component and the encrypted result, generate client deciphering parameter;The handling result includes the client deciphering parameter.
- 3. the authentication identifying method of asymmetric cryptography according to claim 1, it is characterised in that the identity differentiates response Further include:The server-side deciphering parameter that server-side is determined based on server-side private key component and the encrypted result;The mode that response is handled, which includes, to be differentiated to the identity according to client private key component:According to the client private key component and server-side deciphering parameter generation client deciphering parameter;The encrypted result is decrypted according to client deciphering parameter, obtains decrypted result, the handling result includes institute State decrypted result.
- 4. the authentication identifying method of the asymmetric cryptography according to claims 1 to 3 any one, it is characterised in that:Before identity is initiated to server-side and differentiates request, step is further included:The second random number is generated, and is based on the client The client public key of digital certificate is encrypted second random number to obtain the first shared key parameter;The identity differentiates that request further includes the first shared key parameter, and the identity differentiates that response further includes service end group In the second shared key parameter that the 3rd random number is encrypted in the client public key of the client digital certificate;Before sending authentication request to the server-side based on the handling result, step is further included:According to described second Client shared key is calculated in random number, the second shared key parameter.
- 5. the authentication identifying method of asymmetric cryptography according to claim 1, it is characterised in that the identity differentiates response Further include:Server-side digital certificate and digital signature result;After the identity discriminating response that the server-side returns is received, the identity is differentiated according to client private key component and is rung Before should being handled, step is further included:Verify the server-side digital certificate and server-side digital signature result.
- 6. the authentication identifying method of the asymmetric cryptography according to claim 1 to 5 any one, it is characterised in that:After the handling result is obtained, before sending authentication request to the server-side based on the handling result, Further include step:The eap-message digest of the handling result is calculated, obtains client message summary;The step of sending authentication request to the server-side based on the handling result includes:Body is sent to the server-side Part checking request, the authentication request include the client message and make a summary.
- A kind of 7. authentication identifying method of asymmetric cryptography, it is characterised in that the described method includes:Receive the identity that client is sent and differentiate request, the identity differentiates that request includes number clients word certificate;After verifying that the client digital certificate is effective, the client public key based on the client digital certificate is to the first random number Acquisition encrypted result is encrypted, and returns to identity to the client and differentiates response, the identity differentiates that response includes at least The encrypted result;The client is received based on the processing for carrying out processing acquisition to identity discriminating response according to client private key component As a result the authentication request returned;Authentication process is carried out according to the authentication request, obtains authentication result.
- 8. the authentication identifying method of asymmetric cryptography according to claim 7, it is characterised in that the handling result includes The client deciphering parameter that the client is generated according to the client private key component and the encrypted result, the identity Checking request includes the client deciphering parameter;Authentication process is carried out according to the authentication request, obtaining the mode of authentication result includes:According to the client deciphering parameter, server-side private key component generation server-side deciphering parameter;The encrypted result is decrypted according to the server-side deciphering parameter, obtains decrypted result;Compare the uniformity of the decrypted result and first random number, obtain authentication result.
- 9. the authentication identifying method of asymmetric cryptography according to claim 7, it is characterised in that:After encrypted result is obtained, before returning to identity discriminating response, step is further included:Based on server-side private key component and described Encrypted result determines server-side deciphering parameter;The identity differentiates that response further includes the server-side deciphering parameter;The handling result includes the client according to visitor Family end private key component and the server-side deciphering parameter obtain client deciphering parameter after, according to client deciphering parameter to described The decrypted result of acquisition is decrypted in encrypted result;The authentication request includes the decrypted result;Authentication process is carried out according to the authentication request, obtaining the mode of authentication result includes:Compare described Decrypted result and the uniformity of first random number, obtain authentication result.
- 10. the authentication identifying method of asymmetric cryptography according to claim 7, it is characterised in that the identity differentiates please Ask and further include what the second random number was encrypted in client public key of the client based on the client digital certificate First shared key parameter;After encrypted result is obtained, before returning to identity discriminating response, step is further included:Based on the client digital certificate Client public key is encrypted the 3rd random number and obtains the second shared key parameter;The identity differentiates that response further includes the second shared key parameter;Authentication process is carried out according to the authentication request, obtaining the mode of authentication result includes:According to described Server-side shared key is calculated in 3rd random number, the first shared key parameter.
- 11. the authentication identifying method of asymmetric cryptography according to claim 7, it is characterised in that:After encrypted result is obtained, before returning to identity discriminating response, step is further included:It is corresponding according to server-side digital certificate Private key performs digital signature, obtains digital signature result;The identity differentiates that response further includes:The server-side digital certificate and digital signature result.
- 12. the authentication identifying method of the asymmetric cryptography according to claim 7 to 11 any one, it is characterised in that institute Stating authentication request includes the client message summary that the client calculates acquisition for the handling result;Authentication process is carried out according to the authentication request, obtaining the mode of authentication result includes:Calculate and determine server-side eap-message digest;Compare the uniformity of the client message summary and server-side eap-message digest, obtain authentication result.
- 13. a kind of identification device of asymmetric cryptography, it is characterised in that described device includes:Differentiate request sending module, differentiate request for initiating identity to server-side, the identity differentiates that request includes client Digital certificate;Receiving module is responded, differentiates response for receiving the identity that the server-side returns, the identity differentiates that response is at least wrapped Include the encrypted result that the first random number is encrypted in client public key of the server-side based on the client digital certificate;Response processing module, for differentiating that response is handled to the identity according to client private key component, obtains processing knot Fruit;Checking request sending module, for sending authentication request, the body to the server-side based on the handling result Part checking request is used to indicate that the server-side carries out authentication process.
- 14. a kind of identification device of asymmetric cryptography, it is characterised in that described device includes:Differentiate request receiving module, the identity for receiving client transmission differentiates request, and the identity differentiates that request includes visitor Family end digital certificate;Differentiate ask respond module, after verifying that the client digital certificate is effective, based on the client digital certificate Client public key the first random number is encrypted acquisition encrypted result, and return to identity to the client and differentiate response, institute State identity and differentiate that response includes at least the encrypted result;Checking request receiving module, rings for receiving the client and being based on differentiating the identity according to client private key component It should carry out the authentication request that the handling result of processing acquisition returns;Verification processing module, for carrying out authentication process according to the authentication request, obtains authentication result.
- 15. a kind of computer equipment, including memory, processor and storage are on a memory and the meter that can run on a processor Calculation machine program, it is characterised in that the processor realizes any one of claim 1 to 12 the method when performing described program Step.
- 16. a kind of computer-readable recording medium, is stored thereon with computer program, it is characterised in that the program is by processor The step of any one of claim 1 to 12 the method is realized during execution.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711375611.4A CN107948189B (en) | 2017-12-19 | 2017-12-19 | Asymmetric password identity authentication method and device, computer equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711375611.4A CN107948189B (en) | 2017-12-19 | 2017-12-19 | Asymmetric password identity authentication method and device, computer equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107948189A true CN107948189A (en) | 2018-04-20 |
CN107948189B CN107948189B (en) | 2020-10-30 |
Family
ID=61940832
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711375611.4A Active CN107948189B (en) | 2017-12-19 | 2017-12-19 | Asymmetric password identity authentication method and device, computer equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107948189B (en) |
Cited By (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108848094A (en) * | 2018-06-22 | 2018-11-20 | 平安科技(深圳)有限公司 | Data security validation method, device, system, computer equipment and storage medium |
CN109068322A (en) * | 2018-08-22 | 2018-12-21 | 航天信息股份有限公司 | Decryption method, system, mobile terminal, server and storage medium |
CN109246129A (en) * | 2018-10-12 | 2019-01-18 | 天津赢达信科技有限公司 | A kind of SM2 collaboration endorsement method and system can verify that client identity |
CN109861816A (en) * | 2019-02-22 | 2019-06-07 | 矩阵元技术(深圳)有限公司 | Data processing method and device |
CN109872155A (en) * | 2019-02-22 | 2019-06-11 | 矩阵元技术(深圳)有限公司 | Data processing method and device |
CN110046515A (en) * | 2019-04-18 | 2019-07-23 | 杭州尚尚签网络科技有限公司 | A kind of electric endorsement method of the safety based on short-acting digital certificate |
WO2019231392A1 (en) * | 2018-05-30 | 2019-12-05 | 华为国际有限公司 | Key exchange system, method, and apparatus |
CN110601841A (en) * | 2019-11-01 | 2019-12-20 | 成都卫士通信息产业股份有限公司 | SM2 collaborative signature and decryption method and device |
CN110932850A (en) * | 2019-11-29 | 2020-03-27 | 杭州安恒信息技术股份有限公司 | Communication encryption method and system |
CN110958114A (en) * | 2019-10-25 | 2020-04-03 | 武汉大学 | Two-party cooperative SM2 key generation and ciphertext decryption method and medium |
CN110971610A (en) * | 2019-12-12 | 2020-04-07 | 广东电网有限责任公司电力调度控制中心 | Control system identity verification method and device, computer equipment and storage medium |
CN111046443A (en) * | 2019-12-24 | 2020-04-21 | 合肥大唐存储科技有限公司 | Hard disk anti-counterfeiting realization method, hard disk and CA server |
WO2020168544A1 (en) * | 2019-02-22 | 2020-08-27 | 云图有限公司 | Data processing method and device |
CN111600717A (en) * | 2020-05-12 | 2020-08-28 | 北京海益同展信息科技有限公司 | SM 2-based decryption method and system, electronic device and storage medium |
CN111614637A (en) * | 2020-05-08 | 2020-09-01 | 郑州信大捷安信息技术股份有限公司 | Secure communication method and system based on software cryptographic module |
CN112202551A (en) * | 2020-09-23 | 2021-01-08 | 中国建设银行股份有限公司 | Password verification method and device based on zero-knowledge proof and electronic equipment |
CN112257093A (en) * | 2020-11-09 | 2021-01-22 | 天冕信息技术(深圳)有限公司 | Authentication method of data object, terminal and storage medium |
CN113268722A (en) * | 2021-05-17 | 2021-08-17 | 时昕昱 | Personal digital identity management system and method |
CN113486320A (en) * | 2021-07-22 | 2021-10-08 | 广州炒米信息科技有限公司 | Enterprise electronic signature control method and device, storage medium and terminal equipment |
CN113742670A (en) * | 2021-08-30 | 2021-12-03 | 建信金融科技有限责任公司 | Multi-party cooperative decryption method and device |
CN113852957A (en) * | 2020-06-09 | 2021-12-28 | 中国移动通信有限公司研究院 | Security server, SP server, terminal, security authorization method and system |
WO2022135394A1 (en) * | 2020-12-26 | 2022-06-30 | 西安西电捷通无线网络通信股份有限公司 | Identity authentication method and apparatus, storage medium, program, and program product |
WO2022135392A1 (en) * | 2020-12-26 | 2022-06-30 | 西安西电捷通无线网络通信股份有限公司 | Identity authentication method and apparatus, device, chip, storage medium, and program |
CN116032655A (en) * | 2023-02-13 | 2023-04-28 | 杭州天谷信息科技有限公司 | Identity authentication method and system capable of resisting timing attack |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103491094B (en) * | 2013-09-26 | 2016-10-05 | 成都三零瑞通移动通信有限公司 | A kind of rapid identity authentication method based on C/S model |
CN106789080B (en) * | 2016-04-08 | 2020-05-15 | 数安时代科技股份有限公司 | Digital signature generation method and device |
CN107196763B (en) * | 2017-07-06 | 2020-02-18 | 数安时代科技股份有限公司 | SM2 algorithm collaborative signature and decryption method, device and system |
CN107483212B (en) * | 2017-08-15 | 2021-04-30 | 武汉信安珞珈科技有限公司 | Method for generating digital signature by cooperation of two parties |
-
2017
- 2017-12-19 CN CN201711375611.4A patent/CN107948189B/en active Active
Cited By (35)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11483142B2 (en) | 2018-05-30 | 2022-10-25 | Huawei International Pte. Ltd. | Key agreement system, method, and apparatus |
WO2019231392A1 (en) * | 2018-05-30 | 2019-12-05 | 华为国际有限公司 | Key exchange system, method, and apparatus |
CN108848094A (en) * | 2018-06-22 | 2018-11-20 | 平安科技(深圳)有限公司 | Data security validation method, device, system, computer equipment and storage medium |
CN109068322A (en) * | 2018-08-22 | 2018-12-21 | 航天信息股份有限公司 | Decryption method, system, mobile terminal, server and storage medium |
CN109068322B (en) * | 2018-08-22 | 2022-03-04 | 航天信息股份有限公司 | Decryption method, system, mobile terminal, server and storage medium |
CN109246129A (en) * | 2018-10-12 | 2019-01-18 | 天津赢达信科技有限公司 | A kind of SM2 collaboration endorsement method and system can verify that client identity |
CN109246129B (en) * | 2018-10-12 | 2020-12-25 | 天津赢达信科技有限公司 | SM2 collaborative signature method and system capable of verifying client identity |
CN109861816A (en) * | 2019-02-22 | 2019-06-07 | 矩阵元技术(深圳)有限公司 | Data processing method and device |
WO2020168544A1 (en) * | 2019-02-22 | 2020-08-27 | 云图有限公司 | Data processing method and device |
CN109872155A (en) * | 2019-02-22 | 2019-06-11 | 矩阵元技术(深圳)有限公司 | Data processing method and device |
CN110046515A (en) * | 2019-04-18 | 2019-07-23 | 杭州尚尚签网络科技有限公司 | A kind of electric endorsement method of the safety based on short-acting digital certificate |
CN110046515B (en) * | 2019-04-18 | 2021-03-23 | 杭州尚尚签网络科技有限公司 | Safe electronic signature method based on short-lived digital certificate |
CN110958114A (en) * | 2019-10-25 | 2020-04-03 | 武汉大学 | Two-party cooperative SM2 key generation and ciphertext decryption method and medium |
CN110601841A (en) * | 2019-11-01 | 2019-12-20 | 成都卫士通信息产业股份有限公司 | SM2 collaborative signature and decryption method and device |
CN110601841B (en) * | 2019-11-01 | 2022-06-14 | 成都卫士通信息产业股份有限公司 | SM2 collaborative signature and decryption method and device |
CN110932850A (en) * | 2019-11-29 | 2020-03-27 | 杭州安恒信息技术股份有限公司 | Communication encryption method and system |
CN110932850B (en) * | 2019-11-29 | 2023-01-20 | 杭州安恒信息技术股份有限公司 | Communication encryption method and system |
CN110971610A (en) * | 2019-12-12 | 2020-04-07 | 广东电网有限责任公司电力调度控制中心 | Control system identity verification method and device, computer equipment and storage medium |
CN111046443A (en) * | 2019-12-24 | 2020-04-21 | 合肥大唐存储科技有限公司 | Hard disk anti-counterfeiting realization method, hard disk and CA server |
CN111046443B (en) * | 2019-12-24 | 2022-10-14 | 合肥大唐存储科技有限公司 | Hard disk anti-counterfeiting realization method, hard disk and CA server |
CN111614637A (en) * | 2020-05-08 | 2020-09-01 | 郑州信大捷安信息技术股份有限公司 | Secure communication method and system based on software cryptographic module |
CN111600717A (en) * | 2020-05-12 | 2020-08-28 | 北京海益同展信息科技有限公司 | SM 2-based decryption method and system, electronic device and storage medium |
CN111600717B (en) * | 2020-05-12 | 2024-01-12 | 京东科技信息技术有限公司 | SM 2-based decryption method, system, electronic equipment and storage medium |
CN113852957A (en) * | 2020-06-09 | 2021-12-28 | 中国移动通信有限公司研究院 | Security server, SP server, terminal, security authorization method and system |
CN112202551A (en) * | 2020-09-23 | 2021-01-08 | 中国建设银行股份有限公司 | Password verification method and device based on zero-knowledge proof and electronic equipment |
CN112257093B (en) * | 2020-11-09 | 2024-03-26 | 天冕信息技术(深圳)有限公司 | Authentication method, terminal and storage medium for data object |
CN112257093A (en) * | 2020-11-09 | 2021-01-22 | 天冕信息技术(深圳)有限公司 | Authentication method of data object, terminal and storage medium |
WO2022135394A1 (en) * | 2020-12-26 | 2022-06-30 | 西安西电捷通无线网络通信股份有限公司 | Identity authentication method and apparatus, storage medium, program, and program product |
WO2022135392A1 (en) * | 2020-12-26 | 2022-06-30 | 西安西电捷通无线网络通信股份有限公司 | Identity authentication method and apparatus, device, chip, storage medium, and program |
CN113268722A (en) * | 2021-05-17 | 2021-08-17 | 时昕昱 | Personal digital identity management system and method |
CN113486320A (en) * | 2021-07-22 | 2021-10-08 | 广州炒米信息科技有限公司 | Enterprise electronic signature control method and device, storage medium and terminal equipment |
CN113486320B (en) * | 2021-07-22 | 2024-03-29 | 广州炒米信息科技有限公司 | Enterprise electronic signature management and control method and device, storage medium and terminal equipment |
CN113742670B (en) * | 2021-08-30 | 2023-06-06 | 建信金融科技有限责任公司 | Multiparty collaborative decryption method and device |
CN113742670A (en) * | 2021-08-30 | 2021-12-03 | 建信金融科技有限责任公司 | Multi-party cooperative decryption method and device |
CN116032655A (en) * | 2023-02-13 | 2023-04-28 | 杭州天谷信息科技有限公司 | Identity authentication method and system capable of resisting timing attack |
Also Published As
Publication number | Publication date |
---|---|
CN107948189B (en) | 2020-10-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107948189A (en) | Asymmetric cryptography authentication identifying method, device, computer equipment and storage medium | |
CN106411521B (en) | Identity authentication method, device and system for quantum key distribution process | |
CN108352015B (en) | Secure multi-party loss-resistant storage and encryption key transfer for blockchain based systems in conjunction with wallet management systems | |
CN103763631B (en) | Authentication method, server and television set | |
EP2304636B1 (en) | Mobile device assisted secure computer network communications | |
Acar et al. | Single password authentication | |
CN108111301A (en) | The method and its system for realizing SSH agreements are exchanged based on rear quantum key | |
US9065642B2 (en) | Intercepting key sessions | |
US20230155816A1 (en) | Internet of things security with multi-party computation (mpc) | |
CN105307165B (en) | Communication means, server-side and client based on mobile application | |
CN110268676A (en) | The private cipher key computing system and method for the Self-certified signature scheme of identity-based | |
CN105991285A (en) | Identity authentication methods, devices and system applied to quantum key distribution process | |
Gorantla et al. | Modeling key compromise impersonation attacks on group key exchange protocols | |
CN108243166A (en) | A kind of identity identifying method and system based on USBKey | |
WO2007011897A2 (en) | Cryptographic authentication, and/or establishment of shared cryptographic keys, using a signing key encrypted with a non-one-time-pad encryption, including (but not limited to) techniques with improved security against malleability attacks | |
WO2002051049A9 (en) | One time password entry to access multiple network sites | |
CN110247881A (en) | Identity identifying method and system based on wearable device | |
CN104468126B (en) | A kind of safe communication system and method | |
CN108809633A (en) | A kind of identity authentication method, apparatus and system | |
CN110493162A (en) | Identity identifying method and system based on wearable device | |
CN105025036B (en) | A kind of Cognitive Aptitude Test value Internet-based encryption and transmission method | |
CN114553441B (en) | Electronic contract signing method and system | |
CN114915396B (en) | Hopping key digital communication encryption system and method based on national encryption algorithm | |
Tan et al. | MPCAuth: multi-factor authentication for distributed-trust systems | |
CN113545004A (en) | Authentication system with reduced attack surface |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |