CN107948189A - Asymmetric cryptography authentication identifying method, device, computer equipment and storage medium - Google Patents

Asymmetric cryptography authentication identifying method, device, computer equipment and storage medium Download PDF

Info

Publication number
CN107948189A
CN107948189A CN201711375611.4A CN201711375611A CN107948189A CN 107948189 A CN107948189 A CN 107948189A CN 201711375611 A CN201711375611 A CN 201711375611A CN 107948189 A CN107948189 A CN 107948189A
Authority
CN
China
Prior art keywords
client
server
identity
result
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201711375611.4A
Other languages
Chinese (zh)
Other versions
CN107948189B (en
Inventor
张永强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Authentication Technology Co Ltd
Age Of Security Polytron Technologies Inc
Original Assignee
Guangdong Authentication Technology Co Ltd
Age Of Security Polytron Technologies Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong Authentication Technology Co Ltd, Age Of Security Polytron Technologies Inc filed Critical Guangdong Authentication Technology Co Ltd
Priority to CN201711375611.4A priority Critical patent/CN107948189B/en
Publication of CN107948189A publication Critical patent/CN107948189A/en
Application granted granted Critical
Publication of CN107948189B publication Critical patent/CN107948189B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a kind of authentication identifying method of asymmetric cryptography, device, medium and computer equipment, the method for one embodiment includes:Identity is initiated to server-side and differentiates request, and identity differentiates that request includes number clients word certificate;Receive the identity that server-side returns and differentiate response, identity differentiates that response includes at least the encrypted result that the first random number is encrypted in client public key of the server-side based on client digital certificate;Response, which is handled, to be differentiated to identity according to client private key component, obtains handling result;Authentication request is sent to server-side based on handling result, the authentication request is used to indicate that the server-side carries out authentication process.The first random number that client public key and server-side are carried using client digital certificate carries out identity discriminating processing, when client and server-side hold private key component respectively, it can equally be realized by client public key with the private key component that client and server-side are held respectively and cooperate with decryption to differentiate to realize to client identity between client and server-side.

Description

Asymmetric cryptography authentication identifying method, device, computer equipment and storage medium
Technical field
The present invention relates to technical field of cryptology, more particularly to a kind of authentication identifying method of asymmetric cryptography, device, Computer equipment and computer-readable storage medium.
Background technology
Zero-knowledge proof (Zero-knowledge Proof) is by S.Goldwasser, S.Micali and C.Rackoff Itd is proposed in early 1980s, referring to the person of claiming can make to test in the case where not providing any useful information to verifier Card person believes that some judgement is correct, it is substantially a kind of agreement for being related to two sides or more side, i.e. two sides or more side The series of steps taken needed for accomplishing a task.In the agreement, the person of claiming proves to verifier and it is believed oneself Know or possess a certain message, but proof procedure cannot leak any information on being proved to message to verifier.
National standard《The 5th part of GB/T 15843.5-2005 information technology safe practices solid identification:Use Zero Knowledge The mechanism of technology》Define the solid identification mechanism using asymmetric encipherment system based on certificate, the solid identification machine System is related to information exchange between the person of claiming and verifier of above-mentioned zero-knowledge proof, it verifier to verify to claim The identity of person.In this traditional authentication scheme, verifier can utilize one random message of public key encryption for the person of claiming, And the person of claiming is required to return to the message decrypted.This authentication scheme requires the person of claiming to hold complete private key for user, when user is private Key is divided into multiple components, cannot be provided when being held by multiple participants, in conventional art and employ collaboration signature plus solution Implement the identity authentication protocol based on asymmetric cryptography under conditions of close mechanism.
The content of the invention
Based on this, it is necessary to can not be carried out for conventional art under conditions of collaboration signature, encryption and decryption mechanism is employed The problem of identity differentiates, there is provided a kind of authentication identifying method of asymmetric cryptography, device, computer equipment and computer storage are situated between Matter.
A kind of authentication identifying method of asymmetric cryptography, including:
Identity is initiated to server-side and differentiates request, and the identity differentiates that request includes number clients word certificate;
Receive the identity that the server-side returns and differentiate response, the identity differentiates that response is based on institute including at least server-side State the encrypted result that the first random number is encrypted in the client public key of client digital certificate;
Response, which is handled, to be differentiated to the identity according to client private key component, obtains handling result;
Authentication request is sent to the server-side based on the handling result, the authentication request is used to indicate The server-side carries out authentication process.
A kind of authentication identifying method of asymmetric cryptography, including:
Receive the identity that client is sent and differentiate request, the identity differentiates that request includes number clients word certificate;
After verifying that the client digital certificate is effective, the client public key based on the client digital certificate to first with Acquisition encrypted result is encrypted in machine number, and returns to identity to the client and differentiate response, and the identity differentiates response at least Including the encrypted result;
The client is received based on differentiating that response carries out processing acquisition to the identity according to client private key component The authentication request that handling result returns;
Authentication process is carried out according to the authentication request, obtains authentication result.
A kind of identification device of asymmetric cryptography, including:
Differentiate request sending module, differentiate request for initiating identity to server-side, the identity differentiates that request includes visitor Family end digital certificate;
Receiving module is responded, differentiates response for receiving the identity that the server-side returns, the identity differentiates response extremely Include the encryption knot that the first random number is encrypted in client public key of the server-side based on the client digital certificate less Fruit;
Response processing module, for differentiating that response is handled to the identity according to client private key component, at acquisition Manage result;
Checking request sending module, for sending authentication request, institute to the server-side based on the handling result Authentication request is stated to be used to indicate that the server-side carries out authentication process.
A kind of identification device of asymmetric cryptography, including:
Differentiate request receiving module, the identity for receiving client transmission differentiates request, and the identity differentiates request bag Include client digital certificate;
Differentiate ask respond module, after verifying that the client digital certificate is effective, based on client numeral The first random number is encrypted acquisition encrypted result in the client public key of certificate, and returns to identity to the client and differentiate sound Should, the identity differentiates that response includes at least the encrypted result;
Checking request receiving module, is based on reflecting to the identity according to client private key component for receiving the client The authentication request that the handling result of processing acquisition returns should be carried out by holding your noise;
Verification processing module, for carrying out authentication process according to the authentication request, obtains authentication knot Fruit.
A kind of computer equipment, including memory, processor and storage can be run on a memory and on a processor The step of computer program, the processor realizes the above method when performing described program.
A kind of computer-readable recording medium, is stored thereon with computer program, which realizes when being executed by processor The step of above method.
Authentication identifying method, device, computer equipment and the medium of above-mentioned asymmetric cryptography, utilize client digital certificate The first random number for carrying client public key and server-side carries out identity discriminating processing, when client and server-side hold private key respectively During component, equally client and service can be completed by the private key component that client public key and client and server-side are held respectively Collaboration decryption between end, differentiates so as to fulfill to the identity of client.
Brief description of the drawings
Fig. 1 is the schematic diagram of the application environment of a this embodiment scheme;
Fig. 2 is the flow diagram of the authentication identifying method of the asymmetric cryptography in one embodiment;
Fig. 3 is the flow diagram of the authentication identifying method of the asymmetric cryptography in another embodiment;
Fig. 4 is the flow diagram of the authentication identifying method of the asymmetric cryptography in another embodiment;
Fig. 5 is the flow diagram of the authentication identifying method of the asymmetric cryptography in another embodiment;
Fig. 6 is the structure diagram of the identification device of the asymmetric cryptography in one embodiment;
Fig. 7 is the structure diagram of the identification device of the asymmetric cryptography in another embodiment;
Fig. 8 is the interaction flow schematic diagram of the identity discrimination process of a specific example;
Fig. 9 is the interaction flow schematic diagram of the identity discrimination process of another specific example;
Figure 10 is the interaction flow schematic diagram of the identity discrimination process of another specific example;
Figure 11 is the interaction flow schematic diagram of the identity discrimination process of another specific example;
Figure 12 is the interaction flow schematic diagram of the identity discrimination process of another specific example;
Figure 13 is the interaction flow schematic diagram of the identity discrimination process of another specific example.
Embodiment
It is with reference to the accompanying drawings and embodiments, right in order to which the object, technical solution and advantage of the application are more clearly understood The application is further elaborated.It should be appreciated that specific embodiment described herein is only to explain the application, and It is not used in restriction the application.
Fig. 1 is the applied environment figure of the authentication identifying method of asymmetric cryptography in one embodiment.With reference to Fig. 1, this is non-right The authentication identifying method of password is claimed to be applied to the identity identification system of asymmetric cryptography.The identification system of the asymmetric cryptography includes Terminal 110 and server-side 120.Terminal 110 and server-side 120 pass through network connection.Terminal 110 can be specifically terminal console, Mobile terminal and other terminal devices that can or need to carry out asymmetric encryption, mobile terminal can be specifically hand At least one of machine, tablet computer, laptop etc., server-side 120 can use independent server either multiple clothes The server cluster of business device composition is realized.Terminal 110 holds client digital certificate and client private key D1, server-side 120 Hold server-side digital certificate and server-side private key D2, client private key D1With server-side private key D2Collectively form private key for user dA, i.e. dA=f (D1,D2).The private key partitioning scheme used in the application one embodiment is dA=D1·D2, it will be understood that Other private key partitioning schemes can also be used in other embodiment, using other private key partitioning schemes when needs correspondence tune Synchronizing is rapid.For example, private key partitioning scheme can be dA=D1 -1·D2 -1-1.Server-side 120 to 110 identity of terminal differentiate certification into Work(can specifically show as terminal 110 can access server-side 120, terminal 110 can be with the system at login service end 120 etc..
Fig. 2 shows the flow diagram of the authentication identifying method of the asymmetric cryptography in one embodiment, the embodiment In method be applied to the terminal 110 in above-mentioned Fig. 1 or the client that is arranged in terminal 110.With reference to Fig. 2, the embodiment In the authentication identifying method of asymmetric cryptography specifically comprise the following steps S120 to step S160.
Step S120, initiates identity to server-side 120 and differentiates request, identity differentiates that request includes number clients word certificate.
Terminal 110 is initiated when needing to access server-side 120 or need 120 system of login service end to server-side 120 Identity differentiates request.Identity differentiates that request includes number clients word certificate, and client digital certificate refers to that terminal 110 obtains mutual The string number of mark communication each side identity information in combined network communication.Identity differentiates that request can be received and rung by server-side 120 Should.
Step S140, receives the identity that server-side 120 returns and differentiates response, identity differentiates that response includes at least server-side The encrypted result that the first random number is encrypted in 120 client public key based on client digital certificate.
Client public key is part disclosed in cipher key pair with private key for user composition key pair, wherein client public key, and user is private Key is the private part of cipher key pair.The generating mode of client public key is not unique, can be based in one embodiment following Formula calculates client public key:
PA=[dA]G
Wherein, PAFor client public key, dAFor private key for user, G is elliptic curve group generation member.
Elliptic curve systems parameter (containing above-mentioned elliptic curve group generation member G), can combine actual techniques needs to be selected Take, be referred in one embodiment《The 5th part of GMT0003.5-2012SM2 ellipse curve public key ciphers algorithm:Parameter is determined Justice》Specification makes choice.Relevant parameter includes:Finite field FqScale q, define elliptic curve equation E (Fq) two element a, b∈Fq, E (Fq) on basic point G=(xG,yG) (G ≠ O), wherein xGAnd yGIt is FqIn two elements;The rank n of G and other are optional Item (the cofactor h) of such as n.
Server-side 120 differentiates that request is responded after receiving identity and differentiating request, to identity and obtains identity discriminating sound Should.Different according to the processing mode of response, the identity of acquisition differentiates that response is also different.For example, identity differentiates response at least The encrypted result that the first random number is encrypted in the client public key based on client digital certificate including server-side 120. Encrypted result refers to the data handled using Encryption Algorithm the first random number, and the encryption used when being encrypted is calculated Method is not unique, can be encrypted in one embodiment using SM2 algorithms, elliptic curve systems parameter is referred in algorithm 《The 5th part of GM/T 0003.1-2012SM2 ellipse curve public key ciphers algorithm:Parameter definition》Specification is chosen.Can be with base Encrypted result is obtained in the following formula:
Wherein, Challenge is encrypted result, and r is the first random number, functionRepresent and use Public key PSSM2 cryptographic operations are performed to incoming message, SM2 cryptographic operations are performed to the first random number r in above formula.
Step S160, differentiates that response is handled to identity according to client private key component, obtains handling result.
Terminal 110 differentiates that response is handled according to client private key component to identity, and wherein client private key component is Refer to the client private key component D that terminal 110 is held1, its server-side private key component D held with server-side 1202Collectively form use Family private key dA, i.e. dA=f (D1,D2).It is appreciated that since server-side may need to carry out body for multiple and different clients Part verification, therefore, identical or different private key partitioning scheme can be used to different clients, different to be used to client Private key partitioning scheme exemplified by, above-mentioned client private key component D at this time1With server-side private key component D2Can be held with terminal 110 Some client digital certificates are corresponding.
The private key partitioning scheme used in the application one embodiment can be dA=D1·D2, it will be understood that in other realities Other private key partitioning schemes can also be used by applying in mode, and using other private key partitioning schemes when needs correspondence adjustment step Suddenly.For example, private key partitioning scheme can be dA=D1 -1·D2 -1-1.It is appreciated that differentiating the difference of response according to identity, obtain Handling result also correspond to it is different.
Step S180, sends authentication request, the authentication request is used for based on handling result to server-side 120 Indicate that server-side carries out authentication process.
Terminal 110 is based on handling result and sends authentication request to server-side 120, it will be understood that based on handling result Difference, the information included in authentication request can be different.In certain embodiments, authentication request can be straight Connect and include the handling result, can be that the handling result is further processed (to pluck as calculated message in further embodiments Will) after, the result (such as eap-message digest) after the further processing is included in authentication request, is carried out in following each examples Illustrate.It is appreciated that accordingly, the difference of the information included in identity-based checking request, corresponding server-side Authentication process also corresponds to different.
The authentication identifying method of above-mentioned asymmetric cryptography, client public key and server-side are carried using client digital certificate First random number carries out identity discriminating processing, when client and server-side hold private key component respectively, can equally pass through user Public key is realized with the private key component that client and server-side are held respectively cooperates with decryption to realize between client and server-side Client identity is differentiated.
In one embodiment, collaboration decrypting process can be initiated by terminal.At this time, according to client in step S160 Private key component differentiates that the mode that response is handled includes to the identity:According to client private key component and encrypted result, Generate client deciphering parameter.At this time, the handling result includes client deciphering parameter, can be with above-mentioned authentication request Including the handling result.What client deciphering parameter referred to that in identity discrimination process terminal 110 generates is used for cooperateing with decryption Parameter, in this embodiment it is that the parameter for being used for cooperateing with decryption that terminal 110 generates when terminal 110 initiates collaboration decryption.Specifically It is not unique to obtain the mode of client deciphering parameter, client decryption ginseng can be obtained in one embodiment based on the following formula Number:
Wherein, u1For client deciphering parameter, D1The client private key component held for terminal,It is terminal 110 from adding Bit String C is extracted in close result1Afterwards, method Bit String provided by GM/T 0003.1-2012 standards 4.2.4 and 4.2.10 The elliptic curve group element being converted to data type.
In the present embodiment, collaboration decrypting process is initiated by terminal 110, decrypted result is finally obtained simultaneously by server-side 120 Verified, initiate collaboration decrypting process different from server-side 120, be also provided that one kind by client public key and private key for user Realize and cooperate with decryption between terminal 110 and server-side 120 to realize the method for distinguishing that reflects to 110 identity of terminal.
In one embodiment, collaboration decrypting process can be initiated by server-side.In this embodiment, identity differentiates response Further include:The server-side deciphering parameter that server-side 120 is determined based on server-side private key component and encrypted result.Server-side decryption ginseng Number refers to the parameter for being used for cooperateing with decryption generated in server-side 120.In the present embodiment, collaboration solution is initiated by server-side 120 Close process, it will be understood that when the initiation collaboration decryption of terminal 110 initiates to cooperate with decryption with server-side 120, obtained server-side is decrypted Parameter would also vary from, and the mode for specifically obtaining server-side deciphering parameter is not unique.Sent out with server-side 120 in the embodiment Exemplified by playing collaboration decryption, server-side deciphering parameter can be obtained based on the following formula:
Wherein, u2For server-side deciphering parameter, D2The server-side private key component held for server-side,For server-side 120 Bit String C is extracted from encrypted result1Afterwards, the method logarithm provided by GM/T 0003.1-2012 standards 4.2.4 and 4.2.10 The elliptic curve group element being converted to according to type.
Accordingly, in the embodiment, the identity is differentiated at response according to client private key component in step S160 The mode of reason comprises the following steps:
According to client private key component and server-side deciphering parameter generation client deciphering parameter;
Encrypted result is decrypted according to client deciphering parameter, obtains decrypted result, handling result includes decryption and ties Fruit.
Terminal 110 generates client deciphering parameter according to client private key component and server-side deciphering parameter, specific to obtain Mode to client deciphering parameter is not unique, in one embodiment, when server-side 120 initiates collaboration decryption, and terminal 110 Client client deciphering parameter can be obtained based on the following formula:
u1=[D1]u2
Wherein, u1For client deciphering parameter, u2The server-side for initiating to obtain during collaboration decryption for server-side 120 decrypts ginseng Number, D1The client private key component held for the client of terminal 110.
Terminal 110 is decrypted encrypted result according to client deciphering parameter, obtains decrypted result, at this time above-mentioned processing As a result include decrypted result, can include the decrypted result in above-mentioned authentication request.Decrypted result refers to calculate using decryption The data that encrypted result is decrypted in method, the decipherment algorithm of use is not unique, corresponding to above-mentioned steps S140 Embodiment in the Encryption Algorithm that uses, corresponding decipherment algorithm obtains encrypted result based on the following formula:
Wherein, r ' is decrypted result, and Challenge is encrypted result,Representative uses user Private key dATo perform SM2 decryption oprerations to incoming message.It is appreciated that the server-side deciphering parameter sended over due to server-side It is to be based on server-side key components D2Obtain, and the client deciphering parameter of client generation is to be based on client key component D1 Obtain, and client key component D1With server-side key components D2It is by private key for user dADecompose and obtain, therefore, client can With based on private key for user dADecrypting process is completed, specific manner of decryption the present embodiment does not limit.
In the present embodiment, by server-side 120 initiate collaboration decrypting process, terminal 110 generate decrypted result send to by Server-side 120, is verified by server-side 120, and collaboration decrypting process is initiated different from terminal 110, is also provided that a kind of logical Cross client public key and private key for user and realize and cooperateing with decryption to reflect to realize to 110 identity of terminal between terminal 110 and server-side 120 Method for distinguishing.
In one embodiment, shared key can also be negotiated between terminal and server-side, with terminal and service Escape way is established between end, realizes the secrecy transmission of communication data.Accordingly, in this embodiment, as shown in figure 3, in step Before S120, step S110 can also be included.
Step S110, generate the second random number, and the client public key based on client digital certificate to the second random number into Row encryption obtains the first shared key parameter.
At this time, identity differentiates that request further includes the first shared key parameter, and identity differentiates that response further includes server-side 120 The second shared key parameter that the 3rd random number is encrypted in client public key based on client digital certificate.
In this embodiment, terminal 110 generates the second random number, and the second random number is encrypted based on client public key Obtain the first shared key parameter.First shared key parameter refers to that terminal 110 passes through encryption for generation client shared key Handle obtained intermediate parameters.The Encryption Algorithm of use is not unique, and in one embodiment, the Encryption Algorithm of use can be based on The following formula obtains the first shared key parameter:
T1=[a] PA
Wherein, T1For the first shared key parameter, a is the second random number, PAFor client public key.
At this time, before step S180 sends authentication request based on the handling result to the server-side, may be used also With including step S166.
Step S166, client shared key is calculated according to the second random number and the second shared key parameter.
Client shared key refers to that terminal 110 is used for establishing the information transmission security passage between server-side 120 Key.The mode of client shared key is calculated not according to the second random number and the second shared key parameter in terminal 110 Uniquely, client shared key can be obtained based on the following formula in one embodiment:
(x1,y1)=[a] T2
K0=KDF (x1||y1,klen)
Wherein, (x1,y1) it is elliptic curve group element, a is the second random number, T2For the second shared key parameter, K0For visitor Family end shared key, wherein | | represent splicing, KDF (*) is pre-defined cipher key derivation function, and klen states the bit of output String length.
In the present embodiment, terminal 110 and server-side 120 perform one based on ellipse while identity discriminating is completed The ECDH agreements of circular curve cipher system, shared key through consultation so that communicating pair establishes escape way, realizes To the secrecy transmission of communication data, the reliability that identity differentiates is improved.
In one embodiment, server-side identity can be also authenticated, to realize two-way discriminating.In this embodiment, Above-mentioned identity differentiates that response can also include:Server-side digital certificate and digital signature result.Server-side digital certificate refers to The string number of mark communication each side identity information, digital signature result refer to take in the internet communication that server-side 120 obtains The data for being used to prove 120 own identification of server-side that business end 120 generates.
In the embodiment, after above-mentioned steps S140, before step S160, it can also include:Service for checking credentials end numeral Certificate and server-side digital signature result.
The method of 110 service for checking credentials end digital certificate of terminal and server-side digital signature result is not unique, a reality Apply in example, terminal 110 first verifies the validity of server-side digital certificate and its certificate chain, then is corresponded to by server-side digital certificate Public key verifications digital signature result validity, when verification result is effective, then carry out step S160.
In the present embodiment, by being verified to the server-side digital certificate of server-side 120 so that terminal 110 can lead to The identity at the server-side digital certificate trust service end 120 at service for checking credentials end 120 is crossed, man-in-the-middle attack is avoided, improves body The reliability that part differentiates.
In one embodiment, secret protection can also be completed by calculating eap-message digest.Fig. 4 shows the embodiment In identity discrimination process flow diagram.As shown in figure 4, in this embodiment, after step S160, step S180 it Before, further include step S170.
Step S170, calculates the eap-message digest of handling result, obtains client message summary.
At this time, it is to include the client message summary, i.e., eventually in the authentication request that above-mentioned steps S180 is sent Handling result is not directly sent to server-side 120 by end by authentication request, but will be calculated for handling result To client message summary be sent to server-side 120, with achieve the purpose that protect privacy of user.Terminal 110 calculates processing knot The method of the eap-message digest of fruit is not unique, can such as be plucked by obtaining the client message to handling result progress hash computing Will.In one specific example, when handling result is decrypted result, client message summary can be obtained based on the following formula:
R=SM3_Hash (r ')
Wherein, R makes a summary for client message, and SM3_Hash (*) is pre-defined hash function, and r ' is decrypted result.
In the present embodiment, the handling results such as decrypted result are not directly transmitted directly to server-side 120 by terminal 110, But the eap-message digest for calculating handling result is sent to server-side 120, server-side 120 judges end by verifying SM3 summaries Hold 110 decrypted results whether correct, effectively prevent dishonest server-side using the collaboration decryption step in identity authentication protocol The rapid sensitive data that storage is encrypted to cheat client decrypted user in server-side, improves the security of agreement.
In one embodiment, privacy can also be completed after shared key is negotiated, then by calculating eap-message digest Protection.Accordingly, in this embodiment, with reference to shown in Fig. 3, Fig. 4, before step S120, step S110 can also be included.
Step S110, generate the second random number, and the client public key based on client digital certificate to the second random number into Row encryption obtains the first shared key parameter.
At this time, identity differentiates that request further includes the first shared key parameter, and the first shared key parameter refers to terminal 110 The intermediate parameters obtained for generation client shared key by encryption, generate the mode of the first shared key parameter not Uniquely, the first shared key parameter can be obtained in one embodiment based on the following formula:
T1=[a] PA
Wherein, T1For the first shared key parameter, a is the second random number, PAFor client public key.
In the case, identity differentiates that response further includes client public key pair of the server-side 120 based on client digital certificate The second shared key parameter that 3rd random number is encrypted.
At this time, before step S180 sends authentication request based on the handling result to the server-side, may be used also With including step S166 and step S170.
Step S166, client shared key is calculated according to the second random number and the second shared key parameter;
Client shared key refers to that terminal 110 is used for establishing the information transmission security passage between server-side 120 Key.The mode of client shared key is calculated not according to the second random number and the second shared key parameter in terminal 110 Uniquely, client shared key can be obtained based on the following formula in one embodiment:
(x1,y1)=[a] T2
K0=KDF (x1||y1,klen)
Wherein, (x1,y1) it is elliptic curve group element, a is the second random number, T2For the second shared key parameter, K0For visitor Family end shared key, wherein | | represent splicing, KDF (*) is pre-defined cipher key derivation function, and klen states the bit of output String length.
Step S170, eap-message digest is calculated based on client shared key and handling result, obtains client message summary.
The method that terminal 110 calculates eap-message digest is not unique, and the client message can be such as obtained by hash computing Summary.In one specific example, when handling result is decrypted result, client message can be obtained based on the following formula and plucked Will:
R=SM3_Hash (r ' | | K0)
Wherein, R makes a summary for client message, and SM3_Hash (*) is pre-defined hash function, and r ' is decrypted result, K0For client shared key.
In the present embodiment, terminal 110 and server-side 120 are not only shared through consultation while identity discriminating is completed Key causes communicating pair to establish escape way, realizes the secrecy transmission to communication data, improve identity discriminating can By property, and the handling results such as decrypted result are not directly transmitted directly to server-side 120, but calculate handling result Eap-message digest be sent to server-side 120, effectively prevent dishonest server-side using the collaboration solution in identity authentication protocol Close step encrypts the sensitive data of storage to cheat client decrypted user in server-side, improves the security of agreement.
Fig. 5 shows the flow diagram of the authentication identifying method of the asymmetric cryptography in another embodiment, the implementation Method in example is applied to the server-side 120 in above-mentioned Fig. 1.With reference to Fig. 5, the identity of the asymmetric cryptography in the embodiment differentiates Method specifically comprises the following steps S220 to step S280.
Step S220, receives the identity that client is sent and differentiates request, identity differentiates that request includes number clients word certificate.
Step S240, after verification client digital certificate is effective, the client public key based on client digital certificate is to first Acquisition encrypted result is encrypted in random number, and returns to identity discriminating response to client, and identity differentiates that response includes at least and adds Close result.
Server-side 120 first verifies whether number clients word certificate is effective, works as client after receiving identity and differentiating request When certificate is effective, then request, which is responded, to be differentiated to identity and obtains identity discriminating response.Different, the body according to the processing mode of response It is different that part differentiates that response also corresponds to.For example, identity differentiates that response is based on client digital certificate including at least server-side 120 Client public key encrypted result that the first random number is encrypted.Encrypted result refer to using Encryption Algorithm to first with The data that machine number is handled, the Encryption Algorithm of use is not unique, and the Encryption Algorithm used in one embodiment can base Encrypted result is obtained in the following formula:
Wherein, Challenge is encrypted result, and r is the first random number, functionRepresent and use Public key PATo perform SM2 cryptographic operations to incoming message, SM2 cryptographic operations are performed to the first random number r in above formula.
Step S260, receives client and is based on differentiating the identity according to client private key component response carries out processing and obtains The authentication request that the handling result obtained returns.
Server-side 120 receives the authentication request that client returns, and differentiates the processing of response to identity according to client Difference, above-mentioned handling result also corresponds to different.Difference based on handling result, the information included in authentication request Can be different, accordingly, authentication process would also vary from.In certain embodiments, authentication request can Can be that the handling result is further processed (as calculated to disappear in further embodiments directly to include the handling result Breath summary) after, the result (such as eap-message digest) after the further processing is included in authentication request, in following each examples It is illustrated.
Step S280, carries out authentication process according to authentication request, obtains authentication result.
Server-side 120 carries out authentication process according to authentication request, according to the letter included in authentication request The difference of breath, corresponding authentication process mode are also different.
The authentication identifying method of above-mentioned asymmetric cryptography, client public key and server-side are carried using client digital certificate First random number carries out identity discriminating processing, when client and server-side hold private key component respectively, can equally pass through user Public key is realized with the private key component that client and server-side are held respectively cooperates with decryption to realize between client and server-side Client identity is differentiated.
In one embodiment, collaboration decrypting process can be initiated by client terminals.At this time, the handling result can With the client deciphering parameter generated including client according to client private key component and encrypted result, in above-mentioned authentication It can include the handling result in request.In this embodiment, above-mentioned steps S280 is tested according to authentication request progress identity The mode that card processing obtains authentication result may comprise steps of:
According to client deciphering parameter, server-side private key component generation server-side deciphering parameter;
Encrypted result is decrypted according to server-side deciphering parameter, obtains decrypted result;
Compare the uniformity of decrypted result and the first random number, obtain authentication result.
Server-side deciphering parameter refers to the parameter for being used for cooperateing with decryption generated in server-side 110.Terminal 110 initiates collaboration Decrypt the server-side deciphering parameter for initiating to cooperate with decryption to obtain with server-side 120 will be different, specifically obtain server-side decryption The mode of parameter is not also unique, and in the embodiment that the terminal 110 initiates collaboration decryption, server-side can be based on the following formula Obtain server-side deciphering parameter:
u2=[D2]u1
Wherein, u2For server-side deciphering parameter, u1The client deciphering parameter in authentication request is sent for client, D2The server-side private key component held for server-side.
Decrypted result refers to the data that encrypted result is decrypted using decipherment algorithm, and the decryption of use is calculated Method is not unique, corresponding to the Encryption Algorithm used in the embodiment in above-mentioned steps S240, corresponding decipherment algorithm be based on Lower formula obtains decrypted result:
Wherein, r ' is decrypted result, and Challenge is encrypted result,Representative uses user Private key dATo perform SM2 decryption oprerations to incoming message.It is appreciated that since server-side is sent to the server-side decryption of client Parameter is to be based on server-side key components D2Obtain, and the client deciphering parameter of client generation is based on client key point Measure D1Obtain, and client key component D1With server-side key components D2It is by private key for user dADecompose and obtain, therefore, client End can be based on private key for user dADecrypting process is completed, specific manner of decryption the present embodiment does not limit.
Server-side 120 compares the uniformity of decrypted result and the first random number, when decrypted result is consistent with the first random number When, authentication result is to be differentiated by identity;When decrypted result and inconsistent the first random number, authentication result is not Have and differentiated by identity.
In the present embodiment, collaboration decrypting process is initiated by terminal 110, decrypted result is finally obtained simultaneously by server-side 120 Verified, initiate collaboration decrypting process different from server-side 120, be also provided that one kind by client public key and private key for user Realize and cooperate with decryption between terminal 110 and server-side 120 to realize the method for distinguishing that reflects to 110 identity of terminal.
In one embodiment, collaboration decrypting process can be initiated by server-side.In this embodiment, in step S240 After obtaining encrypted result, before returning to identity discriminating response, further include:Determine to take based on server-side private key component and encrypted result Business end deciphering parameter.
Server-side deciphering parameter refers to the parameter for being used for cooperateing with decryption generated in server-side 120.It is appreciated that terminal When initiating to cooperate with decryption with server-side 120 during 110 initiation collaboration decryption, obtained server-side deciphering parameter can be different, The mode for specifically obtaining server-side deciphering parameter is not unique.Using in the embodiment server-side 120 initiate collaboration decrypting process as Example, can obtain server-side deciphering parameter based on the following formula:
Wherein, u2For server-side deciphering parameter, D2The server-side private key component held for server-side,For server-side 120 from Bit String C is extracted in encrypted result1Afterwards, the method provided by GM/T 0003.1-2012 standards 4.2.4 and 4.2.10 is to data The elliptic curve group element that type is converted to.
At this time, in this embodiment, identity differentiates that response further includes server-side deciphering parameter;Above-mentioned handling result includes visitor Family end client deciphering parameter is obtained according to client private key component and server-side deciphering parameter after, according to client deciphering parameter Encrypted result is decrypted the decrypted result of acquisition, above-mentioned authentication request includes the handling result.Above-mentioned steps S280 can specifically include:Compare the uniformity of decrypted result and the first random number, obtain authentication result.
In the present embodiment, by server-side 120 initiate collaboration decrypting process, terminal 110 generate decrypted result send to by Server-side 120, is verified by server-side 120, and collaboration decrypting process is initiated different from terminal 110, is also provided that a kind of logical Cross client public key and private key for user and realize and cooperateing with decryption to reflect to realize to 110 identity of terminal between terminal 110 and server-side 120 Method for distinguishing.
In one embodiment, shared key can also be negotiated between terminal and server-side, with terminal and service Escape way is established between end, realizes the secrecy transmission of communication data.Accordingly, in this embodiment, identity differentiates that request is also wrapped Include the first shared key ginseng that the second random number is encrypted in client public key of the client based on client digital certificate Number.
In this embodiment, in step S240 after encrypted result is obtained, before returning to identity discriminating response, further include: The 3rd random number is encrypted based on client public key and obtains the second shared key parameter.
At this time, above-mentioned identity differentiates that response further includes the second shared key parameter, and above-mentioned handling result includes client root The client shared key obtained according to the first shared key parameter and the second shared key parameter.Second shared key parameter refers to The intermediate parameters that server-side 120 obtains for generation client shared key by encryption.The Encryption Algorithm of use is not only One, in one embodiment, the Encryption Algorithm of use can obtain the second shared key parameter based on the following formula:
T2=[b] PA
Wherein, T2For server-side key parameter, b is the 3rd random number, PAFor client public key.
In this embodiment, above-mentioned handling result can be included in authentication request, i.e. authentication request includes institute State client shared key.At this time, above-mentioned steps S280 specifically may comprise steps of:
Server-side shared key is calculated according to the 3rd random number and the first shared key parameter;
Authentication is carried out according to client shared key and server-side shared key, obtains authentication result.Service End shared key refers to that server-side 120 is used for establishing the key of the information transmission security passage between terminal 110.Server-side 120 be calculated according to the 3rd random number and the first shared key parameter server-side shared key mode it is not unique, one Server-side shared key can be obtained based on the following formula in embodiment:
(x2,y2)=[b] T1
K=KDF (x2||y2,klen)
Wherein, (x2,y2) it is elliptic curve group element, b is the second random number, T1For the first close shared key parameter, K is clothes Business end shared key, wherein | | represent splicing, KDF (*) is pre-defined cipher key derivation function, and klen states the bit of output String length.
It is appreciated that under normal circumstances, the client shared key and server-side shared key calculated should be identical, What i.e. client and server-side were held is actually the client shared key that the application refers to, service with a shared key End shared key is only that the difference based on processing side is nominally distinguishing.
In the present embodiment, terminal 110 and server-side 120 perform one based on ellipse while identity discriminating is completed The ECDH agreements of circular curve cipher system, shared key through consultation so that communicating pair establishes escape way, realizes To the secrecy transmission of communication data, the reliability that identity differentiates is improved.
In one embodiment, server-side identity can be also authenticated, to realize two-way discriminating.In this embodiment, In step S240 after encrypted result is obtained, before returning to identity discriminating response, further include:According to server-side digital certificate pair The private key answered performs digital signature, obtains digital signature result.
At this time, identity differentiates that response further includes:Server-side digital certificate and digital signature result.120 basis of server-side The corresponding private key of server-side digital certificate performs digital signature, and it is not unique to perform the mode of digital signature, in one embodiment, Digital signature result can be obtained based on the following formula:
Wherein, S1For digital signature result, Challenge is encrypted result, u2For server-side deciphering parameter, | | represent to spell Connect,Representative uses 120 corresponding private key S of server-sideSCTo perform SM2 signature operations to incoming message.
In the present embodiment, signed by the server-side digital certificate of server-side 120 so that terminal 110 can pass through The identity at the server-side digital certificate trust service end 120 at service for checking credentials end 120, avoids man-in-the-middle attack, improves identity The reliability of discriminating.
In one embodiment, secret protection can also be completed by calculating eap-message digest.At this time, above-mentioned client's end group In handling result return authentication request in, including be not handling result in itself, but for handling result calculate Obtained client message summary, to achieve the purpose that to protect privacy of user.At this time, the step S280 in the embodiment include with Lower step:
Calculate and determine server-side eap-message digest;
Compare the uniformity of client message summary and server-side eap-message digest, obtain authentication result.
Server-side eap-message digest refers to that server-side 120 carries out data the summary that computing obtains.Clothes are calculated in server-side The method for end eap-message digest of being engaged in is not unique, such as can obtain the server-side eap-message digest by carrying out hash computing.One tool In body example, server-side eap-message digest can be obtained based on the following formula:
R '=SM3_Hash (r)
Wherein, R ' is server-side eap-message digest, and SM3_Hash (*) is pre-defined hash function, and r is random for first Number.
In another embodiment, following formula are also based on and calculate server-side eap-message digest:
R '=SM3_Hash (r | | K)
Wherein, R ' is server-side eap-message digest, and SM3_Hash (*) is pre-defined hash function, and r is random for first Number, K is server-side shared key.
So as to not only negotiate shared key between terminal and server-side, be pacified with being established between terminal and server-side Full tunnel, while complete secret protection by calculating eap-message digest.
Server-side 120 compares the uniformity of client message summary and server-side eap-message digest, when client message is made a summary When consistent with server-side eap-message digest, authentication result is to be differentiated by identity;When client message summary and server-side disappear When breath summary is inconsistent, authentication result is to differentiate not over identity.
In the present embodiment, the handling results such as decrypted result are not directly transmitted directly to server-side 120 by terminal 110, But the eap-message digest (SM3 summaries) for calculating handling result is sent to server-side 120, server-side 120 is by verifying that SM3 makes a summary To judge whether 110 decrypted result of terminal is correct, dishonest server-side is effectively prevent using the association in identity authentication protocol Sensitive data of the client decrypted user in server-side encryption storage is cheated with decryption step, improves the security of agreement.
As shown in fig. 6, in one embodiment, there is provided a kind of identification device of asymmetric cryptography.The present embodiment Mainly illustrated with the device applied to the terminal 110 in above-mentioned Fig. 1.With reference to Fig. 6, the identity of the asymmetric cryptography differentiates Device specifically includes as follows:
Differentiate request sending module 112, differentiate request for initiating identity to server-side, identity differentiates that request includes client Hold digital certificate;
Receiving module 114 is responded, the identity for receiving server-side return differentiates response, and identity differentiates that response includes at least The encrypted result that the first random number is encrypted in client public key of the server-side based on client digital certificate;
Response processing module 116, for differentiating that response is handled to identity according to client private key component, is handled As a result;
Checking request sending module 118, for sending authentication request, the identity to server-side based on handling result Checking request is used to indicate that server-side carries out authentication process.
The device is further included to be write in method with the above-mentioned corresponding module of step in method by taking terminal as an example, effect Go out, which is not described herein again.
As shown in fig. 7, in one embodiment, there is provided a kind of identification device of asymmetric cryptography.The present embodiment Mainly illustrated with the device applied to the server-side 120 in above-mentioned Fig. 1.With reference to Fig. 7, the identity of the asymmetric cryptography is reflected Other device specifically includes as follows:
Differentiate request receiving module 122, the identity for receiving client transmission differentiates request, and identity differentiates that request includes Client digital certificate;
Differentiate ask respond module 124, after verifying that client digital certificate is effective, based on client digital certificate The first random number is encrypted acquisition encrypted result in client public key, and returns to identity to client and differentiate response, and identity differentiates Response includes at least encrypted result;
Checking request receiving module 126, is based on reflecting to the identity according to client private key component for receiving client The authentication request that the handling result of processing acquisition returns should be carried out by holding your noise;
Block 128 is asked in verification processing, for carrying out authentication process according to authentication request, obtains authentication knot Fruit.
The device is further included to be write in method with the above-mentioned corresponding module of step in method by taking server-side as an example, effect Go out, which is not described herein again.
The identification device of above-mentioned asymmetric cryptography, client public key and server-side are carried using client digital certificate First random number carries out identity discriminating processing, when client and server-side hold private key component respectively, can equally pass through user Public key is realized with the private key component that client and server-side are held respectively cooperates with decryption to realize between client and server-side Client identity is differentiated.
It is illustrated below in conjunction with the interaction flow of the identity discrimination process in wherein several specific examples, due to body Collaboration decrypting process in part discrimination process, can be initiated by client, can also be initiated by server-side, and by different initiations When side is to initiate collaboration decrypting process, obtained deciphering parameter may and differ, therefore, in saying for following each specific examples In bright, following setting is done:
When server-side initiates collaboration decrypting process, server-side deciphering parameter that server-side obtains is known as server-side first and decrypts The client deciphering parameter that parameter, client obtain is known as the first deciphering parameter of client;
When client initiates collaboration decrypting process, server-side deciphering parameter that server-side obtains is known as server-side second and decrypts The client deciphering parameter that parameter, client obtain is known as the second deciphering parameter of client.
Fig. 8 shows the interaction flow schematic diagram of the identity discrimination process in a specific example, in the specific example with Server-side is initiated to illustrate exemplified by collaboration decrypting process.As shown in figure 8, the interaction of the identity discrimination process in the specific example Flow is as described below.
Terminal 110 sends identity and differentiates request to server-side 120, and identity differentiates that request includes number clients word certificate, visitor Client public key is carried in the digital certificate of family end.
Server-side 120 verifies client digital certificate, when being verified, extracts client public key;The selection of server-side 120 the One random number, with client public key to the first random number encryption, obtains encrypted result;Based on encrypted result, privacy key component Calculate, obtain the first deciphering parameter of server-side, return to identity and differentiate response to terminal 110, identity differentiates that response includes encryption knot The first deciphering parameter of fruit and server-side.
Terminal 110 generates the first deciphering parameter of client according to client private key component and the first deciphering parameter of server-side; Encrypted result is decrypted according to the first deciphering parameter of client, obtains decrypted result;And initiate identity to server-side 120 and test Card request, authentication request include decrypted result.
Server-side 120 compares the first random number and the uniformity of decrypted result, obtains identity identification result;Work as decrypted result When consistent with the first random number, authentication result is to be differentiated by identity;When decrypted result and inconsistent the first random number, Authentication result is to differentiate not over identity.
Fig. 9 shows the interaction flow schematic diagram of the identity discrimination process in another specific example, in the specific example Illustrated so that client initiates collaboration decrypting process as an example.As shown in figure 9, the friendship of the identity discrimination process in the specific example Mutual flow is as described below.
Terminal 110 sends identity and differentiates request to server-side 120, and identity differentiates that request includes number clients word certificate, demonstrate,proves Client public key is carried in book.
Server-side 120 verifies client digital certificate, when being verified, extracts client public key;The selection of server-side 120 the One random number, with client public key to the first random number encryption, obtains encrypted result;Returning to identity differentiates response to terminal 110, body Part differentiates that response includes encrypted result.
Terminal 110 is based on encrypted result, client private key component calculates, and obtains the second deciphering parameter of client;Terminal 110 Authentication request is initiated to server-side 120, authentication request includes the second deciphering parameter of client.
Server-side 120 is based on the second deciphering parameter of client, privacy key component calculates, and obtains server-side second and decrypts Parameter;Encrypted result is decrypted according to the second deciphering parameter of server-side, obtains decrypted result;And compare the first random number with The uniformity of decrypted result, obtains identity identification result;When decrypted result is consistent with the first random number, authentication result is Differentiated by identity;When decrypted result and inconsistent the first random number, authentication result is to differentiate not over identity.
Figure 10 shows the interaction flow schematic diagram of the identity discrimination process in another specific example, in the specific example Illustrated so that server-side initiates collaboration decrypting process and calculates eap-message digest as an example.As shown in Figure 10, in the specific example The interaction flow of identity discrimination process is as described below.
Terminal 110 sends identity and differentiates request to server-side 120, and identity differentiates that request includes number clients word certificate, demonstrate,proves Client public key is carried in book.
Server-side 120 verifies client digital certificate, when being verified, extracts client public key;The selection of server-side 120 the One random number, with client public key to the first random number encryption, obtains encrypted result;Based on encrypted result, privacy key component Calculate, obtain the first deciphering parameter of server-side, return to identity and differentiate response to terminal 110, identity differentiates that response includes encryption knot The first deciphering parameter of fruit and server-side.
Terminal 110 generates the first deciphering parameter of client according to client private key component and the first deciphering parameter of server-side; Encrypted result is decrypted according to the first deciphering parameter of client, obtains decrypted result;Client is calculated according to decrypted result Eap-message digest;Terminal 110 initiates authentication request to server-side 120, and authentication request is made a summary including client message.
Server-side 120 calculates the server-side eap-message digest of the first random number;Compare server-side eap-message digest with client to disappear The uniformity of summary is ceased, obtains identity identification result;When server-side eap-message digest and consistent client message summary, identity is tested Card result is to be differentiated by identity;When server-side eap-message digest and inconsistent client message summary, authentication result is Do not differentiated by identity.
Figure 11 shows the interaction flow schematic diagram of the identity discrimination process in another specific example, in the specific example Illustrated so that server-side initiates collaboration decrypting process and negotiates shared key as an example.As shown in figure 11, in the specific example Identity discrimination process interaction flow it is as described below.
Terminal 110 generates the second random number, and is encrypted with client public key to obtain the first shared key parameter;Terminal 110 is sent out Identity is sent to differentiate request to server-side 120, identity differentiates that request includes the first shared key parameter and client digital certificate, demonstrate,proves Client public key is carried in book.
Server-side 120 verifies client digital certificate, when being verified, extracts client public key;The selection of server-side 120 the One random number, with client public key to the first random number encryption, obtains encrypted result;Based on encrypted result, privacy key component Calculate, obtain the first deciphering parameter of server-side;Generate the 3rd random number, and encrypt to obtain the second shared key with client public key and join Number;Return to identity and differentiate response to terminal 110, identity differentiate response include encrypted result, the first deciphering parameter of server-side and Second shared key parameter.
Terminal 110 generates the first deciphering parameter of client according to client private key component and the first deciphering parameter of server-side; Encrypted result is decrypted according to the first deciphering parameter of client, obtains decrypted result;Shared according to the second random number, second Client shared key is calculated in key parameter;Client message summary is calculated according to client shared key, decrypted result; Terminal 110 initiates authentication request to server-side 120, and authentication request is made a summary including client message.
Server-side shared key is calculated according to the 3rd random number, the first shared key parameter in server-side 120;According to clothes End shared key, the first random number of being engaged in calculate server-side eap-message digest;Compare server-side eap-message digest to make a summary with client message Uniformity, obtain identity identification result;When server-side eap-message digest and consistent client message summary, authentication result To be differentiated by identity;When server-side eap-message digest and inconsistent client message summary, authentication result is without logical Cross identity discriminating.
Figure 12 shows the interaction flow schematic diagram of the identity discrimination process in another specific example, in the specific example Collaboration decrypting process is initiated by server-side and server-side is digitally signed and is illustrated exemplified by being verified to server-side. As shown in figure 12, the interaction flow of the identity discrimination process in the specific example is as described below.
Terminal 110 sends identity and differentiates request to server-side 120, and identity differentiates that request includes number clients word certificate, demonstrate,proves Client public key is carried in book.
Server-side 120 verifies client digital certificate, when being verified, extracts client public key;The selection of server-side 120 the One random number, with client public key to the first random number encryption, obtains encrypted result;Based on encrypted result, privacy key component Calculate, obtain the first deciphering parameter of server-side;Solved with the corresponding private key pair encryption result of server-side digital certificate, server-side first Close parameter performs signature operation, obtains signature result;Identity discriminating response is returned to terminal 110, identity differentiates that response includes adding Close result, the first deciphering parameter of server-side, server-side digital certificate and signature result.
110 service for checking credentials end digital certificate of terminal and signature result;When being verified, according to client private key component and The first deciphering parameter of server-side generates the first deciphering parameter of client;Encrypted result is carried out according to the first deciphering parameter of client Decryption, obtains decrypted result;Terminal 110 initiates authentication request to server-side 120, and authentication request includes decryption and ties Fruit.
Server-side 120 compares the first random number and the uniformity of decrypted result, obtains identity identification result;Work as decrypted result When consistent with the first random number, authentication result is to be differentiated by identity;When decrypted result and inconsistent the first random number, Authentication result is to differentiate not over identity.
Figure 13 shows the interaction flow schematic diagram of the identity discrimination process in another specific example, in the specific example With server-side initiate collaboration decrypting process and negotiating about cipher key shared, calculate eap-message digest and server-side be digitally signed with Illustrated exemplified by being verified to server-side.As shown in figure 13, the interaction flow of the identity discrimination process in the specific example As described below.
Terminal 110 generates the second random number, and is encrypted with client public key to obtain the first shared key parameter;Terminal 110 is sent out Identity is sent to differentiate request to server-side 120, identity differentiates that request includes the first shared key parameter and client digital certificate, demonstrate,proves Client public key is carried in book.
Server-side 120 verifies client digital certificate, when being verified, extracts client public key;The selection of server-side 120 the One random number, with client public key to the first random number encryption, obtains encrypted result;Based on encrypted result, privacy key component Calculate, obtain the first deciphering parameter of server-side;Solved with the corresponding private key pair encryption result of server-side digital certificate, server-side first Close parameter performs signature operation, obtains signature result;Generate the 3rd random number, and with client public key encrypt to obtain second shared close Key parameter;Return to identity and differentiate response to terminal 110, identity differentiate response include encrypted result, the first deciphering parameter of server-side, Second shared key parameter, server-side digital certificate and signature result.
110 service for checking credentials end digital certificate of terminal and signature result;When being verified, according to client private key component and The first deciphering parameter of server-side generates the first deciphering parameter of client;Encrypted result is carried out according to the first deciphering parameter of client Decryption, obtains decrypted result;Client shared key is calculated according to the second random number, the second shared key parameter;According to Client shared key, decrypted result calculate client message summary;Terminal 110 initiates authentication request to server-side 120, Authentication request is made a summary including client message.
Server-side shared key is calculated according to the 3rd random number, the first shared key parameter in server-side 120;According to clothes End shared key, the first random number of being engaged in calculate server-side eap-message digest;Compare server-side eap-message digest to make a summary with client message Uniformity, obtain identity identification result;When server-side eap-message digest and consistent client message summary, authentication result To be differentiated by identity;When server-side eap-message digest and inconsistent client message summary, authentication result is without logical Cross identity discriminating.
With reference to above-described each embodiment, it is assumed that user terminal Bob, server-side Alice, one of them is specific double The process of Fang Xietong decryption can be discussed further below.
Alice obtains SM2 ciphertexts (i.e. encrypted result) C=C1||C3||C2, Bit String C is extracted from ciphertext C1, and press The method that GM/T 0003.1-2012 standards 4.2.4 and 4.2.10 are provided changes data type, obtains elliptic curve group ElementThen verifyWhether it is elliptic curve E (Fq) infinite point, if then prompting mistake and exiting decryption flow.
If it is not, the private key component D that Alice is held using it1The deciphering parameter of Alice is calculated (if Alice is in service End, then be above-mentioned server-side deciphering parameter)And by T1It is sent to Bob.
After Bob receives T1, the private key component D that is held based on itself2Calculate the deciphering parameter T of Bob2=[D2]T1, then Calculate(x2,y2) it is elliptic curve group element.
Bob calculates shared key t=KDF (x2||y2, klen), wherein | | represent splicing, KDF (*) is close for what is pre-defined Key generating function, the bit-string length of klen statement outputs.If t is full 0 Bit String, reports an error and exit.
If t is not full 0 Bit String, Bob extracts Bit String C from ciphertext C2, and calculateWhereinRepresent Step-by-step XOR operation.
Bob calculates eap-message digest u=Hash (x2||M′||y2), Bit String C is then extracted from ciphertext C3If u ≠ C3Then Report an error and exit.
If u=C3Then Bob export plaintext M '.
Based on example as described above, a kind of computer equipment is also provided in one embodiment, the computer equipment bag The computer program that includes memory, processor and storage on a memory and can run on a processor, wherein, processor performs Realized during described program such as the method for any one embodiment in the various embodiments described above.
One of ordinary skill in the art will appreciate that realize all or part of flow in above-described embodiment method, being can be with Relevant hardware is instructed to complete by computer program, it is non-volatile computer-readable that the program can be stored in one Take in storage medium, in the embodiment of the present invention, which can be stored in the storage medium of computer system, and be calculated by this At least one processor in machine system performs, to realize the flow for including the embodiment such as above-mentioned each method.Wherein, it is described Storage medium can be magnetic disc, CD, read-only memory (Read-Only Memory, ROM) or random access memory (Random Access Memory, RAM) etc..
Accordingly, a kind of storage medium is also provided in one embodiment, is stored thereon with computer program, wherein, the journey Realized when sequence is executed by processor such as the method for any one embodiment in the various embodiments described above.
Each technical characteristic of embodiment described above can be combined arbitrarily, to make description succinct, not to above-mentioned reality Apply all possible combination of each technical characteristic in example to be all described, as long as however, the combination of these technical characteristics is not deposited In contradiction, the scope that this specification is recorded all is considered to be.
Embodiment described above only expresses the several embodiments of the present invention, its description is more specific and detailed, but simultaneously Cannot therefore it be construed as limiting the scope of the patent.It should be pointed out that come for those of ordinary skill in the art Say, without departing from the inventive concept of the premise, various modifications and improvements can be made, these belong to the protection of the present invention Scope.Therefore, the protection domain of patent of the present invention should be determined by the appended claims.

Claims (16)

  1. A kind of 1. authentication identifying method of asymmetric cryptography, it is characterised in that the described method includes:
    Identity is initiated to server-side and differentiates request, and the identity differentiates that request includes number clients word certificate;
    Receive the identity that the server-side returns and differentiate response, the identity differentiates that response is based on the visitor including at least server-side The encrypted result that the first random number is encrypted in the client public key of family end digital certificate;
    Response, which is handled, to be differentiated to the identity according to client private key component, obtains handling result;
    Authentication request is sent to the server-side based on the handling result, the authentication request is used to indicate described Server-side carries out authentication process.
  2. 2. the authentication identifying method of asymmetric cryptography according to claim 1, it is characterised in that:
    The mode that response is handled, which includes, to be differentiated to the identity according to client private key component:According to the client private key Component and the encrypted result, generate client deciphering parameter;
    The handling result includes the client deciphering parameter.
  3. 3. the authentication identifying method of asymmetric cryptography according to claim 1, it is characterised in that the identity differentiates response Further include:The server-side deciphering parameter that server-side is determined based on server-side private key component and the encrypted result;
    The mode that response is handled, which includes, to be differentiated to the identity according to client private key component:
    According to the client private key component and server-side deciphering parameter generation client deciphering parameter;
    The encrypted result is decrypted according to client deciphering parameter, obtains decrypted result, the handling result includes institute State decrypted result.
  4. 4. the authentication identifying method of the asymmetric cryptography according to claims 1 to 3 any one, it is characterised in that:
    Before identity is initiated to server-side and differentiates request, step is further included:The second random number is generated, and is based on the client The client public key of digital certificate is encrypted second random number to obtain the first shared key parameter;
    The identity differentiates that request further includes the first shared key parameter, and the identity differentiates that response further includes service end group In the second shared key parameter that the 3rd random number is encrypted in the client public key of the client digital certificate;
    Before sending authentication request to the server-side based on the handling result, step is further included:According to described second Client shared key is calculated in random number, the second shared key parameter.
  5. 5. the authentication identifying method of asymmetric cryptography according to claim 1, it is characterised in that the identity differentiates response Further include:Server-side digital certificate and digital signature result;
    After the identity discriminating response that the server-side returns is received, the identity is differentiated according to client private key component and is rung Before should being handled, step is further included:Verify the server-side digital certificate and server-side digital signature result.
  6. 6. the authentication identifying method of the asymmetric cryptography according to claim 1 to 5 any one, it is characterised in that:
    After the handling result is obtained, before sending authentication request to the server-side based on the handling result, Further include step:The eap-message digest of the handling result is calculated, obtains client message summary;
    The step of sending authentication request to the server-side based on the handling result includes:Body is sent to the server-side Part checking request, the authentication request include the client message and make a summary.
  7. A kind of 7. authentication identifying method of asymmetric cryptography, it is characterised in that the described method includes:
    Receive the identity that client is sent and differentiate request, the identity differentiates that request includes number clients word certificate;
    After verifying that the client digital certificate is effective, the client public key based on the client digital certificate is to the first random number Acquisition encrypted result is encrypted, and returns to identity to the client and differentiates response, the identity differentiates that response includes at least The encrypted result;
    The client is received based on the processing for carrying out processing acquisition to identity discriminating response according to client private key component As a result the authentication request returned;
    Authentication process is carried out according to the authentication request, obtains authentication result.
  8. 8. the authentication identifying method of asymmetric cryptography according to claim 7, it is characterised in that the handling result includes The client deciphering parameter that the client is generated according to the client private key component and the encrypted result, the identity Checking request includes the client deciphering parameter;
    Authentication process is carried out according to the authentication request, obtaining the mode of authentication result includes:
    According to the client deciphering parameter, server-side private key component generation server-side deciphering parameter;
    The encrypted result is decrypted according to the server-side deciphering parameter, obtains decrypted result;
    Compare the uniformity of the decrypted result and first random number, obtain authentication result.
  9. 9. the authentication identifying method of asymmetric cryptography according to claim 7, it is characterised in that:
    After encrypted result is obtained, before returning to identity discriminating response, step is further included:Based on server-side private key component and described Encrypted result determines server-side deciphering parameter;
    The identity differentiates that response further includes the server-side deciphering parameter;The handling result includes the client according to visitor Family end private key component and the server-side deciphering parameter obtain client deciphering parameter after, according to client deciphering parameter to described The decrypted result of acquisition is decrypted in encrypted result;The authentication request includes the decrypted result;
    Authentication process is carried out according to the authentication request, obtaining the mode of authentication result includes:Compare described Decrypted result and the uniformity of first random number, obtain authentication result.
  10. 10. the authentication identifying method of asymmetric cryptography according to claim 7, it is characterised in that the identity differentiates please Ask and further include what the second random number was encrypted in client public key of the client based on the client digital certificate First shared key parameter;
    After encrypted result is obtained, before returning to identity discriminating response, step is further included:Based on the client digital certificate Client public key is encrypted the 3rd random number and obtains the second shared key parameter;
    The identity differentiates that response further includes the second shared key parameter;
    Authentication process is carried out according to the authentication request, obtaining the mode of authentication result includes:According to described Server-side shared key is calculated in 3rd random number, the first shared key parameter.
  11. 11. the authentication identifying method of asymmetric cryptography according to claim 7, it is characterised in that:
    After encrypted result is obtained, before returning to identity discriminating response, step is further included:It is corresponding according to server-side digital certificate Private key performs digital signature, obtains digital signature result;
    The identity differentiates that response further includes:The server-side digital certificate and digital signature result.
  12. 12. the authentication identifying method of the asymmetric cryptography according to claim 7 to 11 any one, it is characterised in that institute Stating authentication request includes the client message summary that the client calculates acquisition for the handling result;
    Authentication process is carried out according to the authentication request, obtaining the mode of authentication result includes:
    Calculate and determine server-side eap-message digest;
    Compare the uniformity of the client message summary and server-side eap-message digest, obtain authentication result.
  13. 13. a kind of identification device of asymmetric cryptography, it is characterised in that described device includes:
    Differentiate request sending module, differentiate request for initiating identity to server-side, the identity differentiates that request includes client Digital certificate;
    Receiving module is responded, differentiates response for receiving the identity that the server-side returns, the identity differentiates that response is at least wrapped Include the encrypted result that the first random number is encrypted in client public key of the server-side based on the client digital certificate;
    Response processing module, for differentiating that response is handled to the identity according to client private key component, obtains processing knot Fruit;
    Checking request sending module, for sending authentication request, the body to the server-side based on the handling result Part checking request is used to indicate that the server-side carries out authentication process.
  14. 14. a kind of identification device of asymmetric cryptography, it is characterised in that described device includes:
    Differentiate request receiving module, the identity for receiving client transmission differentiates request, and the identity differentiates that request includes visitor Family end digital certificate;
    Differentiate ask respond module, after verifying that the client digital certificate is effective, based on the client digital certificate Client public key the first random number is encrypted acquisition encrypted result, and return to identity to the client and differentiate response, institute State identity and differentiate that response includes at least the encrypted result;
    Checking request receiving module, rings for receiving the client and being based on differentiating the identity according to client private key component It should carry out the authentication request that the handling result of processing acquisition returns;
    Verification processing module, for carrying out authentication process according to the authentication request, obtains authentication result.
  15. 15. a kind of computer equipment, including memory, processor and storage are on a memory and the meter that can run on a processor Calculation machine program, it is characterised in that the processor realizes any one of claim 1 to 12 the method when performing described program Step.
  16. 16. a kind of computer-readable recording medium, is stored thereon with computer program, it is characterised in that the program is by processor The step of any one of claim 1 to 12 the method is realized during execution.
CN201711375611.4A 2017-12-19 2017-12-19 Asymmetric password identity authentication method and device, computer equipment and storage medium Active CN107948189B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711375611.4A CN107948189B (en) 2017-12-19 2017-12-19 Asymmetric password identity authentication method and device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711375611.4A CN107948189B (en) 2017-12-19 2017-12-19 Asymmetric password identity authentication method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN107948189A true CN107948189A (en) 2018-04-20
CN107948189B CN107948189B (en) 2020-10-30

Family

ID=61940832

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711375611.4A Active CN107948189B (en) 2017-12-19 2017-12-19 Asymmetric password identity authentication method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN107948189B (en)

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108848094A (en) * 2018-06-22 2018-11-20 平安科技(深圳)有限公司 Data security validation method, device, system, computer equipment and storage medium
CN109068322A (en) * 2018-08-22 2018-12-21 航天信息股份有限公司 Decryption method, system, mobile terminal, server and storage medium
CN109246129A (en) * 2018-10-12 2019-01-18 天津赢达信科技有限公司 A kind of SM2 collaboration endorsement method and system can verify that client identity
CN109861816A (en) * 2019-02-22 2019-06-07 矩阵元技术(深圳)有限公司 Data processing method and device
CN109872155A (en) * 2019-02-22 2019-06-11 矩阵元技术(深圳)有限公司 Data processing method and device
CN110046515A (en) * 2019-04-18 2019-07-23 杭州尚尚签网络科技有限公司 A kind of electric endorsement method of the safety based on short-acting digital certificate
WO2019231392A1 (en) * 2018-05-30 2019-12-05 华为国际有限公司 Key exchange system, method, and apparatus
CN110601841A (en) * 2019-11-01 2019-12-20 成都卫士通信息产业股份有限公司 SM2 collaborative signature and decryption method and device
CN110932850A (en) * 2019-11-29 2020-03-27 杭州安恒信息技术股份有限公司 Communication encryption method and system
CN110958114A (en) * 2019-10-25 2020-04-03 武汉大学 Two-party cooperative SM2 key generation and ciphertext decryption method and medium
CN110971610A (en) * 2019-12-12 2020-04-07 广东电网有限责任公司电力调度控制中心 Control system identity verification method and device, computer equipment and storage medium
CN111046443A (en) * 2019-12-24 2020-04-21 合肥大唐存储科技有限公司 Hard disk anti-counterfeiting realization method, hard disk and CA server
WO2020168544A1 (en) * 2019-02-22 2020-08-27 云图有限公司 Data processing method and device
CN111600717A (en) * 2020-05-12 2020-08-28 北京海益同展信息科技有限公司 SM 2-based decryption method and system, electronic device and storage medium
CN111614637A (en) * 2020-05-08 2020-09-01 郑州信大捷安信息技术股份有限公司 Secure communication method and system based on software cryptographic module
CN112202551A (en) * 2020-09-23 2021-01-08 中国建设银行股份有限公司 Password verification method and device based on zero-knowledge proof and electronic equipment
CN112257093A (en) * 2020-11-09 2021-01-22 天冕信息技术(深圳)有限公司 Authentication method of data object, terminal and storage medium
CN113268722A (en) * 2021-05-17 2021-08-17 时昕昱 Personal digital identity management system and method
CN113486320A (en) * 2021-07-22 2021-10-08 广州炒米信息科技有限公司 Enterprise electronic signature control method and device, storage medium and terminal equipment
CN113742670A (en) * 2021-08-30 2021-12-03 建信金融科技有限责任公司 Multi-party cooperative decryption method and device
CN113852957A (en) * 2020-06-09 2021-12-28 中国移动通信有限公司研究院 Security server, SP server, terminal, security authorization method and system
WO2022135394A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and apparatus, storage medium, program, and program product
WO2022135392A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and apparatus, device, chip, storage medium, and program
CN116032655A (en) * 2023-02-13 2023-04-28 杭州天谷信息科技有限公司 Identity authentication method and system capable of resisting timing attack

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103491094B (en) * 2013-09-26 2016-10-05 成都三零瑞通移动通信有限公司 A kind of rapid identity authentication method based on C/S model
CN106789080B (en) * 2016-04-08 2020-05-15 数安时代科技股份有限公司 Digital signature generation method and device
CN107196763B (en) * 2017-07-06 2020-02-18 数安时代科技股份有限公司 SM2 algorithm collaborative signature and decryption method, device and system
CN107483212B (en) * 2017-08-15 2021-04-30 武汉信安珞珈科技有限公司 Method for generating digital signature by cooperation of two parties

Cited By (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11483142B2 (en) 2018-05-30 2022-10-25 Huawei International Pte. Ltd. Key agreement system, method, and apparatus
WO2019231392A1 (en) * 2018-05-30 2019-12-05 华为国际有限公司 Key exchange system, method, and apparatus
CN108848094A (en) * 2018-06-22 2018-11-20 平安科技(深圳)有限公司 Data security validation method, device, system, computer equipment and storage medium
CN109068322A (en) * 2018-08-22 2018-12-21 航天信息股份有限公司 Decryption method, system, mobile terminal, server and storage medium
CN109068322B (en) * 2018-08-22 2022-03-04 航天信息股份有限公司 Decryption method, system, mobile terminal, server and storage medium
CN109246129A (en) * 2018-10-12 2019-01-18 天津赢达信科技有限公司 A kind of SM2 collaboration endorsement method and system can verify that client identity
CN109246129B (en) * 2018-10-12 2020-12-25 天津赢达信科技有限公司 SM2 collaborative signature method and system capable of verifying client identity
CN109861816A (en) * 2019-02-22 2019-06-07 矩阵元技术(深圳)有限公司 Data processing method and device
WO2020168544A1 (en) * 2019-02-22 2020-08-27 云图有限公司 Data processing method and device
CN109872155A (en) * 2019-02-22 2019-06-11 矩阵元技术(深圳)有限公司 Data processing method and device
CN110046515A (en) * 2019-04-18 2019-07-23 杭州尚尚签网络科技有限公司 A kind of electric endorsement method of the safety based on short-acting digital certificate
CN110046515B (en) * 2019-04-18 2021-03-23 杭州尚尚签网络科技有限公司 Safe electronic signature method based on short-lived digital certificate
CN110958114A (en) * 2019-10-25 2020-04-03 武汉大学 Two-party cooperative SM2 key generation and ciphertext decryption method and medium
CN110601841A (en) * 2019-11-01 2019-12-20 成都卫士通信息产业股份有限公司 SM2 collaborative signature and decryption method and device
CN110601841B (en) * 2019-11-01 2022-06-14 成都卫士通信息产业股份有限公司 SM2 collaborative signature and decryption method and device
CN110932850A (en) * 2019-11-29 2020-03-27 杭州安恒信息技术股份有限公司 Communication encryption method and system
CN110932850B (en) * 2019-11-29 2023-01-20 杭州安恒信息技术股份有限公司 Communication encryption method and system
CN110971610A (en) * 2019-12-12 2020-04-07 广东电网有限责任公司电力调度控制中心 Control system identity verification method and device, computer equipment and storage medium
CN111046443A (en) * 2019-12-24 2020-04-21 合肥大唐存储科技有限公司 Hard disk anti-counterfeiting realization method, hard disk and CA server
CN111046443B (en) * 2019-12-24 2022-10-14 合肥大唐存储科技有限公司 Hard disk anti-counterfeiting realization method, hard disk and CA server
CN111614637A (en) * 2020-05-08 2020-09-01 郑州信大捷安信息技术股份有限公司 Secure communication method and system based on software cryptographic module
CN111600717A (en) * 2020-05-12 2020-08-28 北京海益同展信息科技有限公司 SM 2-based decryption method and system, electronic device and storage medium
CN111600717B (en) * 2020-05-12 2024-01-12 京东科技信息技术有限公司 SM 2-based decryption method, system, electronic equipment and storage medium
CN113852957A (en) * 2020-06-09 2021-12-28 中国移动通信有限公司研究院 Security server, SP server, terminal, security authorization method and system
CN112202551A (en) * 2020-09-23 2021-01-08 中国建设银行股份有限公司 Password verification method and device based on zero-knowledge proof and electronic equipment
CN112257093B (en) * 2020-11-09 2024-03-26 天冕信息技术(深圳)有限公司 Authentication method, terminal and storage medium for data object
CN112257093A (en) * 2020-11-09 2021-01-22 天冕信息技术(深圳)有限公司 Authentication method of data object, terminal and storage medium
WO2022135394A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and apparatus, storage medium, program, and program product
WO2022135392A1 (en) * 2020-12-26 2022-06-30 西安西电捷通无线网络通信股份有限公司 Identity authentication method and apparatus, device, chip, storage medium, and program
CN113268722A (en) * 2021-05-17 2021-08-17 时昕昱 Personal digital identity management system and method
CN113486320A (en) * 2021-07-22 2021-10-08 广州炒米信息科技有限公司 Enterprise electronic signature control method and device, storage medium and terminal equipment
CN113486320B (en) * 2021-07-22 2024-03-29 广州炒米信息科技有限公司 Enterprise electronic signature management and control method and device, storage medium and terminal equipment
CN113742670B (en) * 2021-08-30 2023-06-06 建信金融科技有限责任公司 Multiparty collaborative decryption method and device
CN113742670A (en) * 2021-08-30 2021-12-03 建信金融科技有限责任公司 Multi-party cooperative decryption method and device
CN116032655A (en) * 2023-02-13 2023-04-28 杭州天谷信息科技有限公司 Identity authentication method and system capable of resisting timing attack

Also Published As

Publication number Publication date
CN107948189B (en) 2020-10-30

Similar Documents

Publication Publication Date Title
CN107948189A (en) Asymmetric cryptography authentication identifying method, device, computer equipment and storage medium
CN106411521B (en) Identity authentication method, device and system for quantum key distribution process
CN108352015B (en) Secure multi-party loss-resistant storage and encryption key transfer for blockchain based systems in conjunction with wallet management systems
CN103763631B (en) Authentication method, server and television set
EP2304636B1 (en) Mobile device assisted secure computer network communications
Acar et al. Single password authentication
CN108111301A (en) The method and its system for realizing SSH agreements are exchanged based on rear quantum key
US9065642B2 (en) Intercepting key sessions
US20230155816A1 (en) Internet of things security with multi-party computation (mpc)
CN105307165B (en) Communication means, server-side and client based on mobile application
CN110268676A (en) The private cipher key computing system and method for the Self-certified signature scheme of identity-based
CN105991285A (en) Identity authentication methods, devices and system applied to quantum key distribution process
Gorantla et al. Modeling key compromise impersonation attacks on group key exchange protocols
CN108243166A (en) A kind of identity identifying method and system based on USBKey
WO2007011897A2 (en) Cryptographic authentication, and/or establishment of shared cryptographic keys, using a signing key encrypted with a non-one-time-pad encryption, including (but not limited to) techniques with improved security against malleability attacks
WO2002051049A9 (en) One time password entry to access multiple network sites
CN110247881A (en) Identity identifying method and system based on wearable device
CN104468126B (en) A kind of safe communication system and method
CN108809633A (en) A kind of identity authentication method, apparatus and system
CN110493162A (en) Identity identifying method and system based on wearable device
CN105025036B (en) A kind of Cognitive Aptitude Test value Internet-based encryption and transmission method
CN114553441B (en) Electronic contract signing method and system
CN114915396B (en) Hopping key digital communication encryption system and method based on national encryption algorithm
Tan et al. MPCAuth: multi-factor authentication for distributed-trust systems
CN113545004A (en) Authentication system with reduced attack surface

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant