CN108155989B - Multi-user authentication method and system - Google Patents


Info

Publication number: CN108155989B
Authority: CN (China)
Legal status: Active
Application number: CN201711465576.5A
Other languages: Chinese (zh)
Other versions: CN108155989A (en)
Inventor: 马敏耀
Current Assignee: Guizhou Maerbite Communication Technology Co ltd
Original Assignee: Guizhou Maerbite Communication Technology Co ltd
Prior art keywords: authentication, numerical values, values, numerical, numerical value

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution using key encryption key
    • H04L9/0825 Key transport or distribution using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/083 Key transport or distribution involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a multi-user authentication method and a system, wherein the method comprises the following steps: acquiring a random authentication key generated by a key management center, and generating a plurality of different authentication shares by using the random authentication key; randomly transmitting a plurality of different authentication shares to a plurality of network terminals and a plurality of memories; and generating numerical values in each entity, sending each numerical value to an authentication verification node, calculating each numerical value, and if the numerical value obtained by calculation is matched with a preset numerical value, successfully authenticating. A plurality of different authentication shares are generated for the authentication key and distributed to each participant, and the authentication result is judged by adopting a numerical operation mode. The defect that shares owned by users are leaked is avoided, and the safety of the system is greatly improved.

Description

Multi-user authentication method and system
Technical Field
The invention relates to the technical field of Internet of things and big data, in particular to a multi-user authentication method and a multi-user authentication system.
Background
Traditional multi-user authentication systems mainly authenticate by secret sharing, that is, by authenticating a key. The idea of secret sharing is to split a secret in a suitable way so that each share is managed by a different participant: a single participant cannot recover the secret information, and it can be recovered only when several participants cooperate.
In practice, the system distributes the authentication key to the users by secret sharing. During authentication the participating users must present the shares they hold; once a complete authentication factor has been recovered jointly, it is compared with the authentication key in the system to decide whether the authentication passes. This way of using secret sharing causes the users' shares and the authentication key to be leaked.
Moreover, traditional authentication systems mainly use a "single authentication server" model in which the authentication key is stored on only one server. This is a serious security risk: for example, a hacker only needs to break that single server to steal the authentication key.
In summary, providing a multi-user authentication method with high security is a technical problem in urgent need of a solution.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a multi-user authentication method and system, aiming at the defects of the prior art.
The technical scheme for solving the technical problems is as follows:
a multi-user authentication method is applied to a plurality of network terminals, and comprises the following steps:
acquiring a random authentication key generated by a key management center;
generating M different first authentication shares and N different second authentication shares, respectively, based on the random authentication key, wherein M, N are integers greater than 2;
randomly storing the M different first authentication shares to P network terminals, wherein each network terminal stores 1 first authentication share;
randomly storing the N different second authentication shares into Q different memories, wherein each memory stores 1 second authentication share, P, Q is an integer greater than 2, M is equal to P, N is equal to Q, and each network terminal corresponds to 1 user;
and generating M first numerical values according to the M different first authentication shares, generating N second numerical values according to the N different second authentication shares, sending all the first numerical values and all the second numerical values to an authentication verification node, operating each numerical value through the authentication verification node, and if the numerical value obtained by operation is matched with a preset numerical value, successfully authenticating.
The invention has the beneficial effects that: the authentication key is generated into a plurality of different authentication shares to be distributed to each participant, and the information sent by each participant is analyzed at the authentication verification node to judge the authentication result, so that the defect that the shares owned by the user are leaked is avoided, and the safety of the system is greatly improved.
On the basis of the technical scheme, the invention can be further improved as follows.
Further, in the process of generating the first value and the second value, the method includes:
generating a third numerical value at each network terminal according to a preset rule, and generating a fourth numerical value at each memory according to the preset rule;
decomposing each third numerical value into a plurality of fifth numerical values according to a preset operation rule;
decomposing each fourth numerical value into a plurality of sixth numerical values according to the preset operation rule;
exchanging values between the M network terminals and the N memories based on all of the fifth and sixth values;
calculating the exchanged numerical values in each network terminal to obtain the M first numerical values;
and operating the exchanged numerical values in the memories to obtain the N second numerical values.
Further, in the process of generating the third value and the fourth value, the method includes:
taking an absolute value of the numerical value generated by each network terminal as the third numerical value;
and taking all positive values in the values generated by each memory as the fourth value.
Further, before the process of generating the first value and the second value, the method further includes:
and if the first authentication share input by each user through the corresponding network terminal is obtained, triggering an execution command for generating the M first numerical values and the N second numerical values.
Further, before the process of sending each value to the authentication verification node, the method further comprises:
respectively calculating the numerical values in the M network terminals and the N storages by adopting a symmetric encryption algorithm and a Hash algorithm;
respectively packaging the M first numerical values and the N second numerical values after operation, and generating M third encrypted messages carrying the first numerical values and N fourth encrypted messages carrying the second numerical values;
and the authentication verification node processes the received encrypted message according to the inverse operation of the symmetric encryption algorithm and the Hash algorithm.
The beneficial effect of adopting the further scheme is that: the authentication share is converted into a numerical value, numerical value interaction is carried out between each entity terminal, a new numerical value is obtained again, and the security level is further improved through encryption operation, so that a hacker is prevented from stealing the authentication share of the user.
Another technical solution of the present invention for solving the above technical problems is as follows:
a multi-user authentication system, the system comprising:
the acquisition module is used for acquiring a random authentication key generated by the key management center;
a first generation module, configured to generate M different first authentication shares and N different second authentication shares, respectively, based on the random authentication key, where M, N are integers greater than 2;
a storage module, configured to store the M different first authentication shares to P network terminals at random, where each network terminal stores 1 first authentication share;
the storage module is further configured to store the N different second authentication shares randomly into Q different memories, where each memory stores 1 second authentication share, P, Q are integers greater than 2, M is equal to P, N is equal to Q, and each network terminal corresponds to 1 user;
and the authentication module is used for generating M first numerical values according to the M different first authentication shares, generating N second numerical values according to the N different second authentication shares, sending all the first numerical values and all the second numerical values to an authentication verification node, calculating all the numerical values through the authentication verification node, and if the calculated numerical values are matched with preset numerical values, the authentication is successful.
The invention has the beneficial effects that: the authentication result is determined by generating a plurality of different authentication shares for the authentication key, assigning them to the respective participants, and analyzing the information sent by the respective participants at the authentication verification node. The defect that shares owned by users are leaked is avoided, and the safety of the system is greatly improved.
Advantages of additional aspects of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Drawings
Fig. 1 is a schematic flowchart of a multi-user authentication according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a multi-user authentication system according to an embodiment of the present invention;
fig. 3 is a schematic flowchart of a multi-user authentication according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a multi-user authentication according to an embodiment of the present invention;
fig. 5 is a logic structure diagram of a multi-user authentication system according to a second embodiment of the present invention.
Detailed Description
The principles and features of this invention are described below in conjunction with the following drawings, which are set forth by way of illustration only and are not intended to limit the scope of the invention.
Fig. 1 shows a multi-user authentication method provided in an embodiment of the present invention, applied to multiple network terminals. The architecture of the multi-user authentication system is shown in fig. 2; the system includes four entities: a network terminal group (comprising M cipher keys), a memory group (comprising N memories), a key management center and an authentication verification node, with network connections between the entities.
As shown in fig. 2, each entity is configured with a uniform symmetric encryption algorithm and Hash algorithm, and the symmetric encryption algorithm and the Hash algorithm are used for performing encryption operation or inverse operation on the secret key. The M key devices and the N authentication modules share an independent key tunnel, the key management center and each network terminal share an independent key tunnel, the key management center and each memory share an independent key tunnel, and the authentication node, each key device and the authentication modules share an independent key tunnel.
The method comprises the following steps:
S101, acquiring a random authentication key generated by a key management center;
S102, respectively generating M different first authentication shares and N different second authentication shares based on the random authentication key, wherein M, N are integers greater than 2;
S103, randomly storing the M different first authentication shares to P network terminals, wherein each network terminal stores 1 first authentication share;
S104, randomly storing the N different second authentication shares into Q different memories, wherein each memory stores 1 second authentication share, P, Q are integers greater than 2, M is equal to P, N is equal to Q, and each network terminal corresponds to 1 user;
S105, generating M first numerical values according to the M different first authentication shares, generating N second numerical values according to the N different second authentication shares, sending all the first numerical values and all the second numerical values to an authentication verification node, calculating all the numerical values through the authentication verification node, and if the numerical values obtained through calculation are matched with preset numerical values, the authentication is successful.
In this embodiment, the key management center is the core server of the entire multi-user authentication system and is used for generating, distributing and modifying keys. In S101, the key management center may randomly generate an authentication key using its built-in processor; call this random authentication key K. After K is generated it is recorded only at the key management center, and no network terminal, memory or the authentication verification node can obtain it.
K is then preprocessed to generate M authentication shares UK1, UK2, …, UKM, which are stored to network terminal 1, network terminal 2, …, network terminal M respectively through a key tunnel as the users' authentication keys; in this embodiment an authentication share is equivalent to an authentication key.
In addition, before the key management center randomly stores the generated authentication shares to the network terminals, each authentication share must be encrypted and encapsulated using the symmetric encryption algorithm and the Hash algorithm, giving an encrypted message that carries the share. When the key management center randomly stores the generated authentication shares, it sends these encrypted messages randomly to the network terminals. Each network terminal applies the inverse operation of the same symmetric encryption algorithm and Hash algorithm to the received encrypted message and decrypts the plaintext, that is, information the user can obtain, from which the user obtains the authentication share.
It should be noted that the key management center stores the M authentication shares randomly in P network terminals, where M and P are integers greater than 0 and M = P. Each network terminal stores only one authentication share, and there is no specified relationship or mapping: for example, UK1 may be sent to network terminal 1, network terminal 2 or another network terminal, and likewise UK2 and UKM are sent to network terminals at random. A network terminal can be an intelligent mobile device, a computer device, a cloud disk or the like.
K is then used to generate N authentication shares SK1, SK2, …, SKN, which are stored to memory 1, memory 2, …, memory N respectively through a key tunnel.
In addition, before the key management center randomly stores the generated authentication shares in the memories, each authentication share must be encrypted and encapsulated using the symmetric encryption algorithm and the Hash algorithm, giving an encrypted message that carries the share. When the key management center randomly stores the generated authentication shares, it sends these encrypted messages randomly to the memories. Each memory applies the inverse operation of the same symmetric encryption algorithm and Hash algorithm to the received encrypted message and decrypts the plaintext. This plaintext differs from the plaintext obtained by the inverse operation at a network terminal: here it is information that can be read by the memory.
It should be noted that each memory stores the information of its authentication share secretly, and no other entity, including the key management center, can acquire that information. The key management center stores the N authentication shares randomly in Q memories, where N and Q are integers greater than 0 and N = Q. Each memory stores only one authentication share, and there is no specified relationship or mapping: for example, SK1 can be sent to memory 1, memory 2 or another memory, and likewise SK2 and SKN are sent to memories at random. A memory can be a computer device, a private cloud disk or the like.
After the key management center distributes the authentication shares to the network terminals and the memory, the information of K will be cleared at the management center.
In step S105, M first numerical values are generated according to the M different first authentication shares, and N second numerical values are generated according to the N different second authentication shares. To prevent the authentication shares from being stolen, after a user inputs an authentication key at the corresponding network terminal, the system randomly generates different first numerical values at each network terminal and different second numerical values at each memory. When the authentication key K is to be recovered, the numerical information is sent to the authentication verification node and the values are operated on there; the operation can be addition, multiplication, division and the like. The result is matched against the value pre-stored at the authentication verification node; when it matches, the authentication key K is recovered and the authentication is successful.
It is noted that the correct authentication key K can be recovered only through UK1, UK2, … and UKM together; if any share UKi is missing or wrong, K cannot be recovered. The user inputs the authentication key that he or she holds, i.e. the authentication share, via the network terminal. For example, when the authentication share of user 1, i.e. a first authentication share, is input at network terminal 2, it is not sent to any entity other than network terminal 2 but is only matched against the authentication share stored in network terminal 2; if the matching is successful, the system randomly generates different first and second values at each entity.
The same requirement applies to the memories: the correct authentication key K can be recovered only through SK1, SK2, …, SKN together; if any share SKj is missing or wrong, no information about K can be recovered. For example, after memory 1 receives the command of the system, memory 1 retrieves the second authentication share stored in it, and that share is not sent to any entity other than memory 1.
In the authentication process, the key management center does not participate in executing authentication and is in an off-line state. The M network terminals, the N memories and the authentication verification node are in an online state. Each user corresponds to a network terminal, and the network terminal reads in the authentication key of the user. If every user inputs the correct authentication key, the authentication must succeed; the authentication is unsuccessful as long as even 1 user enters a wrong key.
For example, if user 2 inputs "#% @" at network terminal 3 while the authentication share actually stored in that network terminal is "#% &", the authentication system cannot obtain a corresponding numerical value for "#% @", or the value is garbled. The operation at the authentication verification node then gives a wrong result, the calculated value does not match the preset value, and the authentication is unsuccessful.
In addition, the execution command is triggered only when all users input their corresponding authentication keys within a certain time, for example within 1 hour, and the system has obtained the authentication keys input by all users; otherwise, the process of generating the first numerical values and the second numerical values is not executed.
The invention has the beneficial effects that: a plurality of different authentication shares are generated for the authentication key and distributed to each participant, and the authentication result is judged by analyzing the numerical information sent by each participant at the authentication verification node, so that the defect that the share owned by the user is leaked is avoided, and the safety of the system is greatly improved.
Preferably, as shown in fig. 3, in the generating the first numerical value and the generating the second numerical value, the method includes:
S1051, generating a third numerical value at each network terminal according to a preset rule, and generating a fourth numerical value at each memory according to the preset rule;
S1052, decomposing each third numerical value into a plurality of fifth numerical values according to a preset operation rule;
S1053, decomposing each fourth numerical value into a plurality of sixth numerical values according to the preset operation rule;
S1054, exchanging values between the M network terminals and the N memories based on all the fifth values and the sixth values;
S1055, calculating the exchanged numerical values in each network terminal to obtain the M first numerical values;
S1056, calculating the exchanged numerical values in the memories to obtain the N second numerical values.
In this embodiment, the entities (here mainly the network terminals and the memories) do not simply generate one value each. To ensure the security of the system, in the preferred embodiment the process of generating the first and second numerical values involves decomposition, exchange, recombination and operation of values, and finally produces values with extremely high security.
For example, in the present scheme M network terminals and N memories are used; the i-th (i = 1, 2, ..., M) network terminal generates a third numerical value and the j-th (j = 1, 2, ..., N) memory generates a fourth numerical value. The value generated by each entity is random: it may be positive or negative, an integer or a rational number, and it may be 0, which does not affect the scheme of the invention.
Then the following steps are carried out:
Each network terminal and each memory generates a third or fourth numerical value, denoted X, according to a preset algorithm, and each network terminal or memory independently and randomly decomposes its value into M + N fifth or sixth numerical values, where the fifth values can be $X_1, \dots, X_{M+N}$ and the sixth values can be $-X_1, \dots, -X_{M+N}$. An additive algorithm is used to illustrate the invention, for example $X = X_1 + \dots + X_{M+N}$. Values are then exchanged among all entities: each network terminal or memory keeps 1 value $X_i$ or $-X_i$ and sends the remaining M + N - 1 values one to each of the other participants. Each participant thus sends one piece of information to every other participant, as an encrypted message through a key tunnel, encapsulated using the symmetric encryption algorithm and the Hash algorithm, and each participant receives the information from the other participants. The participants comprise the network terminals and the memories.
Each participant decrypts the information from the other participants by the inverse operation of the symmetric encryption algorithm and the Hash algorithm, and sums the M + N - 1 pieces of plaintext information (namely numerical information) with the one value $X_i$ retained in the current network terminal or memory. After this exchange of values, each participant sends its own summation result to the authentication verification node in encrypted form.
After the verification node has received and decrypted the information of all M + N participants, it sums the M + N pieces of plaintext information. The plaintext information is numerical information: the value from a network terminal is a first numerical value, and the value sent by a memory is a second numerical value. If the result is 0, the authentication is passed; otherwise the authentication is not passed.
It should be noted that, in the authentication process, a summation operation manner is adopted, which is only a preferred embodiment of the present invention, and the preset value at the authentication verification node being 0 is also a preset value in a preferred embodiment of the present invention, and if other operation manners or other preset values are adopted, they are within the protection scope of the present invention, such as product, quotient, square sum, and the like.
For convenience of explanation, let M = 3 and N = 3, with UK1 = 10, UK2 = 20 and UK3 = 30 as the three third values, and SK1 = -10, SK2 = 20 and SK3 = -30. Since SK2 = 20 is a positive value, it must be negated: negating SK2 gives -20, and -10, -20, -30 are used as the three fourth values. The values are then decomposed as follows:
UK1 is decomposed into 6 fifth values, which are 2, 3, 1, and 1 in sequence;
UK2 is decomposed into 6 fifth values, which are 4, 2 in sequence;
UK3 is decomposed into 6 fifth values, which are 10, 4, 1, 10 in sequence;
SK1 is decomposed into 6 sixth values, which are -2, -1 in sequence;
-SK2 is decomposed into 6 sixth values, which are -1, -2, -3, -5, -8, -1 in sequence;
SK3 is decomposed into 6 sixth values, which are -9, -1, -2, -4, -5.
All fifth values and all sixth values are then exchanged between the network terminals and the memories via a key tunnel. After the exchange of values, the result is:
the values at network terminal 1 are 2, 4, -2, -9;
the values at network terminal 2 are 2, 4, -2, -3, -1;
the values at network terminal 3 are 3, 4, 10, -2, -5, -2;
the values at memory 1 are 1, 4, 1, -2, -8, -4;
the values at memory 2 are 1, 2, 1, -5;
the values at memory 3 are 1, 2, 10, -1, -9.
Each entity then sums all the fifth and sixth values it holds after the exchange to obtain its first or second numerical value: the value at network terminal 1 is -3, the value at network terminal 2 is 4, the value at network terminal 3 is 8, the value at memory 1 is -8, the value at memory 2 is -3, and the value at memory 3 is 2.
These values are then encrypted and encapsulated as described above (not repeated here), and the encrypted messages from the 3 network terminals and the 3 servers are sent to the authentication verification node, which sums all the first and second values: (-3) + 4 + 8 + (-8) + (-3) + 2 = 0. This matches the preset value 0 at the authentication verification node, so the authentication is successful.
It should be noted that the generation of the first and second values is only one of the preferred embodiments of the present invention. The operation by summation is also one of the preferred embodiments of the present invention.
Preferably, in the process of generating the third numerical value and the fourth numerical value, the method includes:
taking an absolute value of the numerical value generated by each network terminal as the third numerical value;
and negating every positive value among the values generated by each memory, the result being the fourth value.
In this embodiment, the value generated by each network terminal may be an integer, a rational number, or the like. For example, if network terminal 1 generates -1, its absolute value is 1, so 1 is the third value at network terminal 1. If memory 1 generates the value 2, it is negated to -2, so -2 is the fourth value at memory 1. If the value generated at a memory is negative, it is not negated, and the negative value itself is the fourth value at that memory.
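The value conversion and summation check walked through above, together with the sign rule for third and fourth values, as an added Python example that is not part of the patent text. Function names and the random piece range are assumptions; the pieces are drawn at random rather than reproducing the patent's specific splits, and the encryption and hash encapsulation step is left out.

```python
import secrets


def third_value(generated):
    """Network terminal rule: use the absolute value of the generated number."""
    return abs(generated)


def fourth_value(generated):
    """Memory rule: negate positive values, keep negative values unchanged."""
    return -generated if generated > 0 else generated


def decompose(value, parts, spread=1000):
    """Split `value` into `parts` integers that sum to `value`.

    Assumption: the first parts-1 pieces are drawn uniformly from
    [-spread, spread]; the page does not specify how pieces are chosen.
    """
    pieces = [secrets.randbelow(2 * spread + 1) - spread for _ in range(parts - 1)]
    pieces.append(value - sum(pieces))
    return pieces


def value_conversion(terminal_values, memory_values):
    """Run decomposition and exchange; return (first_values, second_values)."""
    thirds = [third_value(v) for v in terminal_values]
    fourths = [fourth_value(v) for v in memory_values]
    inputs = thirds + fourths
    n = len(inputs)  # M + N entities, so each value is split into M + N pieces
    # Row i holds the pieces produced by entity i; piece j is sent to entity j.
    outgoing = [decompose(v, n) for v in inputs]
    # Each entity sums the pieces addressed to it (including its own piece).
    local_sums = [sum(outgoing[i][j] for i in range(n)) for j in range(n)]
    m = len(terminal_values)
    return local_sums[:m], local_sums[m:]


def verify(first_values, second_values, preset=0):
    """Authentication verification node: sum everything, compare to preset."""
    return sum(first_values) + sum(second_values) == preset


def authenticate(terminal_values, memory_values):
    first, second = value_conversion(terminal_values, memory_values)
    return verify(first, second)


if __name__ == "__main__":
    # Values from the page's example: UK1..UK3 and SK1..SK3.
    uk = [10, 20, 30]
    sk = [-10, 20, -30]
    first, second = value_conversion(uk, sk)
    print("first values :", first)
    print("second values:", second)
    print("authenticated:", verify(first, second))
    # Constructed failing case: one terminal supplies a different value.
    print("wrong input  :", authenticate([10, 20, 31], sk))
```

The individual first and second values differ on every run because the pieces are random, but their grand total is fixed by the inputs, which is what the verification node checks.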
Preferably, as shown in fig. 4, before the process of sending each value to the authentication verification node, the method further comprises:
S201, processing the values in the M network terminals and the N memories with a symmetric encryption algorithm and a hash algorithm, respectively;
S202, encapsulating the M first values and the N second values after the operation, generating M third encrypted messages carrying the first values and N fourth encrypted messages carrying the second values;
S203, the authentication verification node processes the received encrypted messages according to the inverse operation of the symmetric encryption algorithm and the hash algorithm.
In this embodiment, the system configures a uniform symmetric encryption algorithm and hash algorithm in all entities; the specific implementation of these algorithms is disclosed in the prior art and is not described here. In addition, to prevent the values from leaking, the first values and the second values are encapsulated into encrypted messages. The encapsulation principle of the third encrypted message is the same as that of the fourth encrypted message; the two are numbered separately only to distinguish the different types of entities, wherein the first encrypted message corresponds to the first numerical value at the network terminal, and the second encrypted message corresponds to the second numerical value at the memory.
It should be noted that, if a problem occurs in the memory, the system may change the operation policy or repair the memory in time according to the diagnosis result, which does not affect the solution of the present invention.
In a specific application scenario, when a user needs to modify an authentication key, the M network terminals, the N memories, and the key management center are online; the authentication verification node does not participate and can be offline. The method comprises the following steps:
(1) Confirming the old key: each network terminal reads in the user's current authentication key and takes it as input, and each memory takes the authentication share stored in it as input. As in the authentication process, the M network terminals and N memories jointly execute the value conversion process, and finally each party sends a secret message to the key management center, which is equivalent to encrypting and encapsulating with the symmetric encryption algorithm and the hash algorithm. The key management center verifies from the received messages whether the old-key confirmation passes. If it passes, the next step is executed; otherwise, the key modification is refused. The procedure is the same as the authentication procedure, except that the key management center takes the place of the authentication verification node.
(2) The user types in the new key: (a) each user keys in a new key, and the network terminal encrypts the user's new key and sends it to the key management center; (b) the key management center decrypts the messages from all the network terminals, performing the inverse operation of the symmetric encryption algorithm and the hash algorithm, synthesizes an authentication key K from the M plaintext messages obtained, generates N authentication shares SK1, SK2, …, SKN from K, and encrypts and sends the authentication keys K, SK1, SK2, …, SKN to network terminal 1, network terminal 2, …, network terminal N respectively.
These satisfy the following: if any one of the shares SK1, SK2, …, SKN is missing or wrong, no information about K can be recovered.
(3) Confirming the new key: each network terminal reads in the user's new authentication key and takes it as input, and each memory takes the SKi sent by the key management center as input. The M network terminals and N memories jointly execute the value conversion process, and finally each party sends a secret message to the key management center, which verifies from the received messages whether the new-key confirmation passes. If it does not pass, the process returns to step (2), or the key modification fails and the operation is exited; if it passes, the user is prompted that the modification succeeded, and the network terminal erases the old authentication share and stores the new authentication share. The procedure is the same as the authentication procedure, except that the key management center takes the place of the authentication verification node.
It should be noted that the key modification process is similar to the multi-user authentication process. Key modification requires the participation of the key management center, while multi-user authentication requires the participation of the authentication verification node; the two are independent of each other, which ensures the security of the system.
The beneficial effects of the above scheme are: the authentication share is converted into a numerical value, values are exchanged among the entities to obtain new values, and the security level is further improved through the encryption operation, which prevents a hacker from stealing the user's authentication share.
In addition, the authentication scheme adopts a special security key protocol, the share owned by the user is not leaked in any way in the authentication process, the share can be reused, and the authentication key K does not need to be recovered. The share of the user and the authentication key K do not have the risk of being leaked, the system authentication key is not stored on a single server any more, but is stored on a plurality of authentication servers in a separated mode, and the authentication shares stored in all the servers are needed to recover the complete authentication key. Hackers need to hack all servers or an internal administrator needs to enter all servers to get a complete authentication key, or else no information of the system authentication key will be obtained, greatly improving the security of the system.
Fig. 5 shows a multi-user authentication system according to a second embodiment of the present invention, which includes:
an obtaining module 51, configured to obtain a random authentication key generated by the key management center;
a first generation module 52, configured to generate M different first authentication shares and N different second authentication shares, respectively, based on the random authentication key, wherein M, N are integers greater than 2;
a storage module 53, configured to store the M different first authentication shares to P network terminals at random, where each network terminal stores 1 first authentication share;
the storage module is further configured to store the N different second authentication shares randomly into Q different memories, where each memory stores 1 second authentication share, P, Q are integers greater than 2, M is equal to P, N is equal to Q, and each network terminal corresponds to 1 user;
and an authentication module 54, configured to generate M first numerical values according to the M different first authentication shares, generate N second numerical values according to the N different second authentication shares, send all the first numerical values and all the second numerical values to an authentication verification node, and perform an operation on the values through the authentication verification node; if the calculated value matches a preset value, the authentication succeeds.
The system further comprises:
the second generation module is used for generating a third numerical value at each network terminal according to a preset rule and generating a fourth numerical value at each memory according to the preset rule;
the first operation module is used for decomposing each third numerical value into a plurality of fifth numerical values according to a preset operation rule;
the first operation module is further configured to decompose each fourth numerical value into a plurality of sixth numerical values according to the predetermined operation rule;
a value exchange module for exchanging values between the M network terminals and the N memories based on all of the fifth and sixth values;
the second operation module is used for operating the exchanged numerical values in each network terminal to obtain the M first numerical values;
the second operation module is further configured to operate the exchanged numerical values in each memory to obtain the N second numerical values.
The system further comprises:
the second generating module is further configured to use the absolute value of the numerical value generated by each network terminal as the third numerical value, and to negate every positive value among the numerical values generated by each memory, the result being the fourth numerical value.
The system further comprises:
and the triggering module is used for triggering the execution commands for generating the M first numerical values and the N second numerical values if the first authentication share input by each user through the corresponding network terminal is obtained.
The system further comprises:
the third operation module is used for processing the numerical values in the M network terminals and the N memories with a symmetric encryption algorithm and a hash algorithm, respectively;
the encapsulation module is used for respectively encapsulating the M first numerical values and the N second numerical values after the operation, generating M third encryption messages carrying the first numerical values and generating N fourth encryption messages carrying the second numerical values;
and the decryption module is used for processing the received encrypted message by the authentication verification node according to the inverse operation of the symmetric encryption algorithm and the Hash algorithm.
For the system, the system authentication key K is separately stored on a plurality of authentication network terminals, and the complete authentication key K can be recovered by the authentication shares stored in all the network terminals, so that the safety of the system is greatly improved. In the authentication process, the system authentication key K, the authentication key of each user, the key of each network terminal and the key in each memory are not disclosed or leaked.
While the invention has been described with reference to specific embodiments, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (8)

1. A multi-user authentication method is applied to a plurality of network terminals, and comprises the following steps:
acquiring a random authentication key generated by a key management center;
generating M different first authentication shares and N different second authentication shares, respectively, based on the random authentication key, wherein M, N are integers greater than 2;
randomly storing the M different first authentication shares to P network terminals, wherein each network terminal stores 1 first authentication share;
randomly storing the N different second authentication shares into Q different memories, wherein each memory stores 1 second authentication share, P and Q are integers greater than 2, M is equal to P, N is equal to Q, and each network terminal corresponds to 1 user;
the network terminal generates M first numerical values according to the M different first authentication shares, the memory generates N second numerical values according to the N different second authentication shares, all the first numerical values and all the second numerical values are sent to an authentication verification node, each numerical value is operated through the authentication verification node, and if the numerical value obtained through operation is matched with a preset numerical value, authentication is successful.
2. The method of claim 1, wherein generating the M first values and generating the N second values comprises:
generating a third numerical value at each network terminal according to a preset rule, and generating a fourth numerical value at each memory according to the preset rule;
decomposing each third numerical value into a plurality of fifth numerical values according to a preset operation rule;
decomposing each fourth numerical value into a plurality of sixth numerical values according to the preset operation rule;
exchanging values between the M network terminals and the N memories based on all of the fifth and sixth values;
calculating the exchanged numerical values in each network terminal to obtain the M first numerical values;
and operating the exchanged numerical values in the memories to obtain the N second numerical values.
3. The method of claim 2, wherein the generating the third value and the fourth value comprises:
taking an absolute value of the numerical value generated by each network terminal as the third numerical value;
and negating every positive value among the values generated by each memory, the result being the fourth value.
4. The method of claim 1, wherein prior to the sending all of the first numerical values and all of the second numerical values to the authentication verification node, the method further comprises:
processing the numerical values in the M network terminals and the N memories with a symmetric encryption algorithm and a hash algorithm, respectively;
respectively packaging the M first numerical values and the N second numerical values after operation, and generating M third encrypted messages carrying the first numerical values and N fourth encrypted messages carrying the second numerical values;
and the authentication verification node processes the received third encrypted message and the fourth encrypted message according to the inverse operation of the symmetric encryption algorithm and the Hash algorithm.
5. A multi-user authentication system, the system comprising:
the acquisition module is used for acquiring a random authentication key generated by the key management center;
a first generation module, configured to generate M different first authentication shares and N different second authentication shares, respectively, based on the random authentication key, where M, N are integers greater than 2;
a storage module, configured to store the M different first authentication shares to P network terminals at random, where each network terminal stores 1 first authentication share;
the storage module is further configured to store the N different second authentication shares randomly into Q different memories, where each memory stores 1 second authentication share, P, Q are integers greater than 2, M is equal to P, N is equal to Q, and each network terminal corresponds to 1 user;
and the authentication module is used for generating M first numerical values by the network terminal according to the M different first authentication shares, generating N second numerical values by the memory according to the N different second authentication shares, sending all the first numerical values and all the second numerical values to the authentication verification node, calculating all the numerical values through the authentication verification node, and if the calculated numerical values are matched with preset numerical values, the authentication is successful.
6. The system of claim 5, further comprising:
the second generation module is used for generating a third numerical value at each network terminal according to a preset rule and generating a fourth numerical value at each memory according to the preset rule;
the first operation module is used for decomposing each third numerical value into a plurality of fifth numerical values according to a preset operation rule;
the first operation module is further used for decomposing each fourth numerical value into a plurality of sixth numerical values according to the preset operation rule;
a value exchange module for exchanging values between the M network terminals and the N memories based on all of the fifth and sixth values;
the second operation module is used for operating the exchanged numerical values in each network terminal to obtain the M first numerical values;
the second operation module is further configured to operate the exchanged numerical values in each memory to obtain the N second numerical values.
7. The system of claim 6, further comprising:
the second generating module is further configured to use the absolute value of the numerical value generated by each network terminal as the third numerical value, and to negate every positive value among the numerical values generated by each memory, the result being the fourth numerical value.
8. The system of claim 5, further comprising:
the third operation module is used for processing the numerical values in the M network terminals and the N memories with a symmetric encryption algorithm and a hash algorithm, respectively;
the encapsulation module is used for respectively encapsulating the M first numerical values and the N second numerical values after the operation, generating M third encryption messages carrying the first numerical values and generating N fourth encryption messages carrying the second numerical values;
and the decryption module is used for processing the received third encrypted message and the fourth encrypted message by the authentication verification node according to the inverse operation of the symmetric encryption algorithm and the Hash algorithm.
CN201711465576.5A 2017-12-28 2017-12-28 Multi-user authentication method and system Active CN108155989B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711465576.5A CN108155989B (en) 2017-12-28 2017-12-28 Multi-user authentication method and system


Publications (2)

Publication Number Publication Date
CN108155989A CN108155989A (en) 2018-06-12
CN108155989B true CN108155989B (en) 2020-11-03

Family

ID=62463572

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711465576.5A Active CN108155989B (en) 2017-12-28 2017-12-28 Multi-user authentication method and system

Country Status (1)

Country Link
CN (1) CN108155989B (en)
