CN108737099A - 虎符密钥认证技术方法 - Google Patents
虎符密钥认证技术方法 Download PDFInfo
- Publication number
- CN108737099A CN108737099A CN201710259165.4A CN201710259165A CN108737099A CN 108737099 A CN108737099 A CN 108737099A CN 201710259165 A CN201710259165 A CN 201710259165A CN 108737099 A CN108737099 A CN 108737099A
- Authority
- CN
- China
- Prior art keywords
- tiger
- generals
- ancient china
- loop movement
- private key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3218—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs
- H04L9/3221—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, ornon-interactive zero-knowledge proofs interactive zero-knowledge proofs
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3297—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
本发明为虎符密钥认证技术方法,属于信息安全技术领域,涉及密钥认证体制。当前的认证方法主要有证书认证、标识认证、基于标识的证书认证。不管对于哪种认证体制,在用户的认证设备丢失的情况下,一般需要进行挂失,这就使得认证过程无法去中心化,为此,我们发明了虎符密钥认证技术方法。本发明用户的工作私钥为多组。本发明认证过程去中心化,支持进程认证、现场认证、及时认证、快速认证。
Description
技术领域
本发明属于信息安全技术领域,涉及密钥认证体制。
背景技术
当前的正在应用的认证体制主要有PKI、IBC、CFL认证体制。PKI是证书认证体制,IBC是标识认证体制,CFL是基于标识的证书认证体制。不管对于哪种认证体制,在用户的认证设备丢失的情况下,一般需要进行挂失。这就需要认证中心存储认证设备的挂失信息,在用户之间认证时,都要到认证中心访问被认证方的挂失信息,这种认证方式,使得认证过程无法去中心化,不能支持进程认证、现场认证、及时认证、快速认证等问题,且认证资源消耗大,不能满足当前大规模网络认证的需求,为此,我们发明了虎符密钥认证技术方法。
发明内容
本发明目的是给出一种认证过程去中心化,支持进程认证、现场认证、及时认证、快速认证的认证方法。本发明为虎符密钥认证技术方法,解决了上述需求。
本发明描述如下:
(1)用户的工作私钥由两组构成,即虎符私钥1、虎符私钥2;
(2)虎符私钥1对应的虎符公钥1可绑定在用户的证书中,或者标识中;虎符私钥2对应的虎符公钥2同样可绑定在用户的证书中,或者标识中;
(3)用户的认证设备在应用时,内部含有虎符私钥1,从认证设备外部安全输入虎符私钥2;在离线时,虎符私钥2自动从认证设备中消失;
(4)虎符私钥1的签名、虎符私钥2的签名以及它们的动态签名都认证通过后,才能认证通过;此处的动态签名是在认证设备应用时,添加时间戳的再次扩展签名;
(5)本发明中的认证设备在离线丢失情况下,无需挂失,重新申请即可;
(6)本发明可用于证书认证、标识认证、基于标识的证书认证中。
虎符密钥认证技术方法的安全性分析:
命题1 虎符密钥认证技术方法,理论上是可证明安全的。
命题2 虎符密钥认证技术方法是满足统计零知识交互的。
命题3 本发明中的认证设备在离线丢失情况下,无需挂失,仍然是安全的。
证明 因为在认证设备离线丢失的情况下,虎符私钥2仍然是保密的,因此是安全的。
命题4 本发明中的认证过程是可以去中心化的。
证明 由命题3可知,因为无须挂失仍是安全的,因此,本命题成立。
命题5 本发明满足认证过程去中心化,支持进程认证、现场认证、及时认证、快速认证。
证明 由命题4可知,本命题成立。
Claims (7)
1.一种认证技术方法方法,其特征在于包括:
虎符私钥认证技术方法:
(1)用户的工作私钥由两组构成,即虎符私钥1、虎符私钥2;
(2)虎符私钥1对应的虎符公钥1,可绑定在用户的证书中,或者标识中;虎符私钥2对应的虎符公钥2,同样可绑定在用户的证书中,或者标识中;
(3)用户的认证设备在应用时,内部含有虎符私钥1,从认证设备外部安全输入虎符私钥2;在离线时,虎符私钥2自动从认证设备中消失;
(4)虎符私钥1的签名、虎符私钥2的签名以及它们的动态签名都认证通过后,才能认证通过;此处的动态签名是在认证设备应用时,添加时间戳的再次扩展签名;
(5)本方法中的认证设备在离线丢失情况下,无需挂失,重新申请即可;
(6)本方法可用于证书认证、标识认证、基于标识的证书认证中。
2.根据权利要求1所述的方法,其特征在于:用户的工作私钥由两组构成,即虎符私钥1、虎符私钥2。
3.根据权利要求1所述的方法,其特征在于:虎符私钥1对应的虎符公钥1,可绑定在用户的证书中,或者标识中;虎符私钥2对应的虎符公钥2,同样可绑定在用户的证书中,或者标识中。
4.根据权利要求1所述的方法,其特征在于:用户的认证设备在应用时,内部含有虎符私钥1,从认证设备外部安全输入虎符私钥2;在离线时,虎符私钥2自动从认证设备中消失。
5.根据权利要求1所述的方法,其特征在于:虎符私钥1的签名、虎符私钥2的签名以及它们的动态签名都认证通过后,才能认证通过;此处的动态签名是在认证设备应用时,添加时间戳的再次扩展签名。
6.根据权利要求1所述的方法,其特征在于:本方法中的认证设备在离线丢失情况下,无需挂失,重新申请即可。
7.根据权利要求1所述的方法,其特征在于:本方法可用于证书认证、标识认证、基于标识的证书认证中。
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710259165.4A CN108737099B (zh) | 2017-04-20 | 2017-04-20 | 虎符密钥认证技术方法 |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710259165.4A CN108737099B (zh) | 2017-04-20 | 2017-04-20 | 虎符密钥认证技术方法 |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108737099A true CN108737099A (zh) | 2018-11-02 |
CN108737099B CN108737099B (zh) | 2021-04-30 |
Family
ID=63925386
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710259165.4A Active CN108737099B (zh) | 2017-04-20 | 2017-04-20 | 虎符密钥认证技术方法 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108737099B (zh) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102170357A (zh) * | 2011-05-31 | 2011-08-31 | 北京虎符科技有限公司 | 组合密钥动态安全管理系统 |
CN103546284A (zh) * | 2012-07-10 | 2014-01-29 | 北京虎符科技有限公司 | 虎符令牌认证系统 |
CN105247833A (zh) * | 2013-05-16 | 2016-01-13 | 迅安科技私人有限公司 | 自认证设备与方法 |
WO2016177674A1 (en) * | 2015-05-01 | 2016-11-10 | Assa Abloy Ab | Wearable misplacement |
CN106161035A (zh) * | 2016-06-07 | 2016-11-23 | 北京博文广成信息安全技术有限公司 | Cfl个人隐私保护模式实现方法 |
-
2017
- 2017-04-20 CN CN201710259165.4A patent/CN108737099B/zh active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102170357A (zh) * | 2011-05-31 | 2011-08-31 | 北京虎符科技有限公司 | 组合密钥动态安全管理系统 |
CN103546284A (zh) * | 2012-07-10 | 2014-01-29 | 北京虎符科技有限公司 | 虎符令牌认证系统 |
CN105247833A (zh) * | 2013-05-16 | 2016-01-13 | 迅安科技私人有限公司 | 自认证设备与方法 |
WO2016177674A1 (en) * | 2015-05-01 | 2016-11-10 | Assa Abloy Ab | Wearable misplacement |
CN106161035A (zh) * | 2016-06-07 | 2016-11-23 | 北京博文广成信息安全技术有限公司 | Cfl个人隐私保护模式实现方法 |
Non-Patent Citations (1)
Title |
---|
杜春玲、范修斌: "CFL认证体制及其在区块链中的应用", 《信息安全研究》 * |
Also Published As
Publication number | Publication date |
---|---|
CN108737099B (zh) | 2021-04-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106411528B (zh) | 一种基于隐式证书的轻量级认证密钥协商方法 | |
WO2016175914A3 (en) | Transaction signing utilizing asymmetric cryptography | |
CN102664739A (zh) | 一种基于安全证书的pki实现方法 | |
MY171903A (en) | Bluetooth pairing system, method, and apparatus | |
SG10201903265PA (en) | Parameter based key derivation | |
WO2016126052A3 (ko) | 인증 방법 및 시스템 | |
RU2011140850A (ru) | Способ аутентификации пользовательского терминала и сервер аутентификации и пользовательский терминал для него | |
WO2015056010A3 (en) | Registry apparatus, agent device, application providing apparatus and corresponding methods | |
CN103530924A (zh) | 一种用于自助设备网络管理的动态密码锁系统与方法 | |
CN103634265B (zh) | 安全认证的方法、设备及系统 | |
CN106056313A (zh) | 一种印章信息的管控方法、系统及印章 | |
WO2010115913A3 (en) | Authenticating a node in a communication network | |
MX352041B (es) | Método seguro para concesión remota de los derechos de operación. | |
CN106357394A (zh) | 一种母pos灌装密钥的安全方法 | |
CN103338202A (zh) | 一种基于智能卡的远程用户密码双重验证方法 | |
NZ613485A (en) | Method for authenticating first communication equipment by means of second communication equipment | |
JP2014060742A5 (ja) | 認証および鍵合意(AKA)機構に基づくKerberos対応アプリケーションへの認証されたユーザアクセスのための方法および装置 | |
CN106059775A (zh) | Cfl集中管理模式实现方法 | |
MY151315A (en) | System and method for issuing endorsement key credential in trusted computing environment using local certificate authority | |
CN104753682A (zh) | 一种会话秘钥的生成系统及方法 | |
CN108737099A (zh) | 虎符密钥认证技术方法 | |
CN108599932A (zh) | 一种用于电力系统的身份认证方法 | |
PH12019501641A1 (en) | Methods and devices for parameter exchange during emergency access | |
CN106789010B (zh) | Cfl去中心化应用方法 | |
CN107294713A (zh) | 一种加密认证方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |