CN109005037A - Identity-based password authentication system and method - Google Patents
- Publication number: CN109005037A
- Authority: CN (China)
- Prior art keywords: user, server, key, ciphertext, forward direction
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L9/3226: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN
- G06F21/46: Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
- H04L63/0478: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
- H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
Abstract
The invention discloses an identity-based password authentication system and method. By adopting a two-server architecture, when a user's identity is authenticated, the forward server looks up the pre-stored second ciphertext of the corresponding login password and the user trapdoor according to the login account provided by the user terminal, then uses the user trapdoor to compute on the first ciphertext provided by the user terminal and on the second ciphertext respectively, and transmits the resulting first intermediate result (corresponding to the first ciphertext) and second intermediate result (corresponding to the second ciphertext) to the backward server. The backward server processes the first intermediate result according to a preset verification rule to obtain a first verification result, processes the second intermediate result according to the same verification rule to obtain a second verification result, and matches the two verification results. When the two match, user authentication is determined to have succeeded and data access operations may be carried out, which greatly improves the security and stability of the password authentication system.
Description
Technical field
The present invention relates to the field of identity authentication technology, and in particular to an identity-based password authentication system and method.
Background art
Password authentication is an identity authentication technique in general use on the Internet. Its purpose is to verify a network user's identity when the user enters a system or accesses restricted system resources. Password authentication is one of the techniques for preventing active attacks, and at present it can broadly be divided into static password authentication and dynamic password authentication.
Because passwords are cheap to deploy, easy to recover and easy to use, qualities that other alternatives cannot match, password authentication is the most popular identity authentication mechanism on the Internet today. Until a better authentication mechanism appears, passwords will continue to be used for authentication for a long time.
In recent years, however, leaks of user password data have occurred on the Internet from time to time. Analysis of the leaked password data shows that, apart from a minority of servers that store plaintext, what is usually stored on the server side is a hash of the password (obtained with encryption tools such as Bcrypt or PBKDF2). Hash algorithms, however, have the problem that identical inputs always produce identical outputs. Moreover, for ease of memorization, user passwords are usually not complex enough, which makes them vulnerable to guessing attacks. The attack success rate is higher still when the attacker possesses a large number of password hashes.
The above content is only intended to aid understanding of the technical solution of the present invention, and does not constitute an admission that it is prior art.
Summary of the invention
The main purpose of the present invention is to provide an identity-based password authentication system and method, aiming to solve the technical problem in the prior art that the login passwords held by users are too simple, so that the security and stability of the password authentication system are poor and the authentication password is easily cracked.
To achieve the above object, the present invention provides an identity-based password authentication system, the system comprising: a user terminal and a server end;
The server end comprises a forward server and a backward server; the forward server is communicatively connected to the user terminal and is connected in series with the backward server;
The user terminal is configured to, in response to a data access instruction triggered by a user, obtain the login account and the plaintext of the login password entered by the user, process the plaintext of the login password according to a preset encryption rule to obtain a first ciphertext of the login password, and transmit the login account and the first ciphertext to the forward server;
The forward server is configured to look up a second ciphertext of the login password in a local database according to the login account, compute on the first ciphertext using a pre-stored user trapdoor corresponding to the login account to obtain a first intermediate result, compute on the second ciphertext using the user trapdoor to obtain a second intermediate result, and transmit the first intermediate result and the second intermediate result to the backward server;
The backward server is configured to process the first intermediate result according to a preset verification rule to obtain a first verification result, process the second intermediate result according to the preset verification rule to obtain a second verification result, and match the first verification result against the second verification result; if they are determined to match, user authentication succeeds and data access operations may be carried out.
Preferably, the system further comprises a key generation centre, which is communicatively connected to the user terminal, the forward server and the backward server respectively;
The key generation centre is configured to distribute a first key to the forward server and to calculate a first public key of the forward server from the first key;
The key generation centre is further configured to distribute a second key to the backward server and to calculate a second public key of the backward server from the second key;
Correspondingly, the user terminal is configured to process the plaintext of the login password using the first public key and the second public key according to the preset encryption rule, obtaining the first ciphertext of the login password;
Correspondingly, the backward server is configured to process the first intermediate result using the second key according to the preset verification rule to obtain the first verification result, process the second intermediate result using the second key according to the preset verification rule to obtain the second verification result, and match the first verification result against the second verification result; if they are determined to match, user authentication succeeds and data access operations may be carried out.
Preferably, the key generation centre is further configured to, on receiving a registration request sent by the user terminal, calculate a user key from the first private key and feed the calculated user key back to the user terminal.
Preferably, the user terminal is further configured to select, according to a preset trapdoor generation rule, a part of the user key as the user trapdoor corresponding to the login account, and to transmit the user trapdoor to the forward server for storage.
Preferably, the forward server and the backward server are connected in series over a common channel or a one-way channel.
In addition, to achieve the above object, the present invention also provides an identity-based password authentication method, applied to the identity-based password authentication system provided by the present invention, the method comprising the following steps:
The user terminal, in response to a data access instruction triggered by a user, obtains the login account and the plaintext of the login password entered by the user, processes the plaintext of the login password according to a preset encryption rule to obtain a first ciphertext of the login password, and transmits the login account and the first ciphertext to the forward server;
The forward server looks up a second ciphertext of the login password in a local database according to the login account, computes on the first ciphertext using a pre-stored user trapdoor corresponding to the login account to obtain a first intermediate result, computes on the second ciphertext using the user trapdoor to obtain a second intermediate result, and transmits the first intermediate result and the second intermediate result to the backward server;
The backward server processes the first intermediate result according to a preset verification rule to obtain a first verification result, processes the second intermediate result according to the preset verification rule to obtain a second verification result, and matches the first verification result against the second verification result; if they are determined to match, user authentication succeeds and data access operations may be carried out.
Preferably, before the user terminal, in response to the data access instruction triggered by the user, obtains the login account and the plaintext of the login password entered by the user, the method further comprises:
The key generation centre distributes a first key to the forward server and calculates a first public key of the forward server from the first key;
The key generation centre also distributes a second key to the backward server and calculates a second public key of the backward server from the second key;
Correspondingly, the user terminal processing the plaintext of the login password according to the preset encryption rule to obtain the first ciphertext of the login password specifically comprises:
Processing the plaintext of the login password using the first public key and the second public key according to the preset encryption rule, obtaining the first ciphertext of the login password;
Correspondingly, the backward server processing the first intermediate result according to the preset verification rule to obtain the first verification result, and processing the second intermediate result to obtain the second verification result, specifically comprises:
Processing the first intermediate result using the second key according to the preset verification rule to obtain the first verification result, processing the second intermediate result using the second key according to the preset verification rule to obtain the second verification result, and matching the first verification result against the second verification result; if they are determined to match, user authentication succeeds and data access operations may be carried out.
Preferably, before the user terminal, in response to the data access instruction triggered by the user, obtains the login account and the plaintext of the login password entered by the user, the method further comprises:
The key generation centre, on receiving a registration request sent by the user terminal, calculates a user key from the first private key and feeds the calculated user key back to the user terminal.
Preferably, before the user terminal transmits the login account and the first ciphertext to the forward server, the method further comprises:
The user terminal selects, according to a preset trapdoor generation rule, a part of the user key as the user trapdoor corresponding to the login account, and transmits the user trapdoor to the forward server for storage.
Preferably, before the user terminal transmits the user trapdoor to the forward server for storage, the method further comprises:
Determining whether the user trapdoor has already been stored in the forward server;
Correspondingly, the user terminal transmitting the user trapdoor to the forward server for storage specifically comprises:
If it is determined that the user trapdoor is not stored in the forward server, transmitting the user trapdoor to the forward server for storage.
In the present invention, the forward server pre-stores a user trapdoor corresponding to each login account. After the forward server receives the first ciphertext of the login password and the login account provided by the user terminal, it finds the corresponding user trapdoor and the second ciphertext of the login password according to the received login account, then uses the user trapdoor it found to compute on the first ciphertext and on the second ciphertext respectively, and transmits the resulting first intermediate result (corresponding to the first ciphertext) and second intermediate result (corresponding to the second ciphertext) to the backward server. The backward server processes the first intermediate result and the second intermediate result respectively according to the preset verification rule, matches the resulting first verification result (corresponding to the first intermediate result) against the second verification result (corresponding to the second intermediate result), and, when the first verification result and the second verification result are determined to match, determines that user authentication succeeded and data access operations may be carried out. By adopting this two-server architecture, the security problem caused by a single server being compromised can be avoided, making the password authentication system more secure and stable.
Brief description of the drawings
Fig. 1 is a structural schematic diagram of the first embodiment of the identity-based password authentication system of the present invention;
Fig. 2 is a structural schematic diagram of the second embodiment of the identity-based password authentication system of the present invention;
Fig. 3 is a flow diagram of the first embodiment of the identity-based password authentication method of the present invention;
Fig. 4 is a flow diagram of the second embodiment of the identity-based password authentication method of the present invention.
The realization of the object, the functions and the advantages of the present invention will be further described with reference to the accompanying drawings in conjunction with the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described herein merely illustrate the present invention and are not intended to limit it.
Referring to Fig. 1, Fig. 1 is a structural schematic diagram of the first embodiment of the identity-based password authentication system of the present invention.
In the first embodiment, the identity-based password authentication system comprises: a user terminal 100 and a server end 200.
Specifically, the server end 200 in this embodiment comprises a forward server 201 and a backward server 202.
The forward server 201 is communicatively connected to the user terminal 100, for example by a wired connection or a wireless connection.
In addition, the forward server 201 is also connected in series with the backward server 202, for example over a common channel.
Further, in a concrete implementation, in order to guarantee the security of the verification process and prevent the verification result from being returned from the backward server 202 to the forward server 201, the forward server 201 and the backward server 202 may also be connected in series over a one-way channel.
It should be noted that the above is only an example and does not limit the technical solution of the present invention in any way. In a specific application, those skilled in the art may configure this as needed, and the present invention imposes no limitation here.
To aid understanding, the functions of the above devices are described in detail below:
Specifically, the user terminal 100 is configured to, in response to a data access instruction triggered by a user, obtain the login account and the plaintext of the login password entered by the user, process the plaintext of the login password according to a preset encryption rule to obtain a first ciphertext of the login password, and transmit the login account and the first ciphertext to the forward server 201.
The forward server 201 is configured to look up a second ciphertext of the login password in a local database according to the login account, compute on the first ciphertext using a pre-stored user trapdoor corresponding to the login account to obtain a first intermediate result, compute on the second ciphertext using the user trapdoor to obtain a second intermediate result, and transmit the first intermediate result and the second intermediate result to the backward server 202.
The backward server 202 is configured to process the first intermediate result according to a preset verification rule to obtain a first verification result, process the second intermediate result according to the preset verification rule to obtain a second verification result, and match the first verification result against the second verification result; if they are determined to match, user authentication succeeds and data access operations may be carried out.
From the above description it is easy to see that, in the identity-based password authentication system provided in this embodiment, the forward server pre-stores a user trapdoor corresponding to each login account. After the forward server receives the first ciphertext of the login password and the login account provided by the user terminal, it finds the corresponding user trapdoor and the second ciphertext of the login password according to the received login account, then uses the user trapdoor it found to compute on the first ciphertext and on the second ciphertext respectively, and transmits the resulting first intermediate result (corresponding to the first ciphertext) and second intermediate result (corresponding to the second ciphertext) to the backward server. The backward server processes the first intermediate result and the second intermediate result respectively according to the preset verification rule, matches the resulting first verification result against the second verification result, and, when the two are determined to match, determines that user authentication succeeded and data access operations may be carried out. By adopting this two-server architecture, the security problem caused by a single server being compromised can be avoided, making the password authentication system more secure and stable.
Further, as shown in Fig. 2, a second embodiment of the identity-based password authentication system of the present invention is proposed based on the first embodiment. In this embodiment, the identity-based password authentication system further comprises a key generation centre 300.
The key generation centre 300 is communicatively connected to the user terminal 100, the forward server 201 and the backward server 202 respectively.
Specifically, the key generation centre 300 in this embodiment is mainly used to distribute a first key to the forward server 201 and calculate a first public key of the forward server 201 from the first key, and to distribute a second key to the backward server 202 and calculate a second public key of the backward server 202 from the second key.
Correspondingly, in a concrete implementation, the operation in which the user terminal 100 processes the plaintext of the login password according to the preset encryption rule to obtain the first ciphertext of the login password is specifically: according to the preset encryption rule, processing the plaintext of the login password using the first public key and the second public key to obtain the first ciphertext of the login password.
It should also be understood that, in a concrete implementation, the operation of the backward server 202 is specifically: processing the first intermediate result using the second key according to the preset verification rule to obtain the first verification result, processing the second intermediate result using the second key according to the preset verification rule to obtain the second verification result, and matching the first verification result against the second verification result; if they are determined to match, user authentication succeeds and data access operations may be carried out.
In addition, the key generation centre 300 is further configured to, on receiving a registration request sent by the user terminal 100, calculate a user key from the first private key and feed the calculated user key back to the user terminal 100.
Correspondingly, on receiving the user key fed back by the key generation centre 300, the user terminal 100 may select, according to a preset trapdoor generation rule, a part of the user key as the user trapdoor corresponding to the login account, and transmit the user trapdoor to the forward server 201 for storage.
It should further be noted that the key generation centre in this embodiment is specifically an existing Key Generate Center (KGC). As to the use of a KGC, those skilled in the art can implement the corresponding functions by consulting existing usage material, which is not repeated here.
From the above description it is easy to see that the identity-based password authentication system provided in this embodiment encrypts the plaintext of the login password using the first public key that the key generation centre provides for the forward server and the second public key that it provides for the backward server. This solves the problem that existing passwords stored using hash algorithms are vulnerable to guessing attacks and, on the basis of the two-server architecture, further improves the stability and security of the authentication system.
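The following Python example, added here for illustration and not taken from the patent, walks the roles described above (key generation centre, user terminal, forward server, backward server) through one registration and two logins. The patent leaves its encryption, trapdoor and verification rules as "preset", so the example substitutes a toy ElGamal-style equality test with forward-server blinding over the RFC 2409 768-bit group; every class and function name is hypothetical. Assumptions: the user key is an HMAC of the login account under the first key, the whole user key serves as the trapdoor, and the first public key has no counterpart here.

```python
import hashlib
import hmac
import secrets

# 768-bit safe prime of RFC 2409 (Oakley Group 1); demonstration size only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # prime order of the quadratic-residue subgroup
G = 4             # 2 squared, so it generates that subgroup

def rand_scalar() -> int:
    """Uniform exponent in [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1

def in_group(x: int) -> bool:
    """True if x is an element of the order-Q subgroup."""
    return 0 < x < P and pow(x, Q, P) == 1

def hash_to_group(password: str) -> int:
    """Map a password into the subgroup: hash to 768 bits, then square."""
    h = int.from_bytes(hashlib.shake_256(password.encode()).digest(96), "big")
    return pow(h % P, 2, P)

class KeyGenerationCentre:
    def __init__(self):
        self.first_key = secrets.token_bytes(32)  # first key (assumed: a MAC key)
        self.second_key = rand_scalar()           # second key, given to backward server
        self.second_public = pow(G, self.second_key, P)

    def user_key(self, account: str) -> int:
        # Assumption: user key = HMAC(first key, account); all of it is the trapdoor.
        mac = hmac.new(self.first_key, account.encode(), hashlib.sha512).digest()
        return int.from_bytes(mac, "big") % (Q - 1) + 1

def encrypt_password(password: str, trapdoor: int, second_public: int):
    """User terminal: randomised ciphertext (a, b) = (g^r, H(pw) * pk2^(r*td))."""
    r = rand_scalar()
    mask = pow(second_public, r * trapdoor % Q, P)
    return pow(G, r, P), hash_to_group(password) * mask % P

class ForwardServer:
    def __init__(self):
        self.db = {}  # login account -> (user trapdoor, second ciphertext)

    def register(self, account, trapdoor, second_ciphertext) -> bool:
        if account in self.db:  # trapdoor already stored, nothing to store again
            return False
        self.db[account] = (trapdoor, second_ciphertext)
        return True

    def intermediate_results(self, account, first_ciphertext):
        """Apply the trapdoor and a fresh blinding exponent to both ciphertexts."""
        if account not in self.db or not all(map(in_group, first_ciphertext)):
            return None
        trapdoor, second_ciphertext = self.db[account]
        s = rand_scalar()

        def transform(c):
            a, b = c
            return pow(a, trapdoor * s % Q, P), pow(b, s, P)
        return transform(first_ciphertext), transform(second_ciphertext)

class BackwardServer:
    def __init__(self, second_key: int):
        self.second_key = second_key

    def verify(self, results) -> bool:
        if results is None:
            return False
        # a has order Q, so a^(Q - x2) inverts a^x2; what remains is H(pw)^s.
        v1, v2 = (b * pow(a, Q - self.second_key, P) % P for a, b in results)
        return hmac.compare_digest(v1.to_bytes(96, "big"), v2.to_bytes(96, "big"))

def login(account, password, trapdoor, second_public, fwd, back) -> bool:
    c1 = encrypt_password(password, trapdoor, second_public)   # user terminal
    return back.verify(fwd.intermediate_results(account, c1))  # forward, then backward

def run_demo():
    """Constructed account and passwords; returns (good login, bad login)."""
    kgc = KeyGenerationCentre()
    fwd, back = ForwardServer(), BackwardServer(kgc.second_key)
    td = kgc.user_key("alice")
    fwd.register("alice", td, encrypt_password("tr0ub4dor", td, kgc.second_public))
    good = login("alice", "tr0ub4dor", td, kgc.second_public, fwd, back)
    bad = login("alice", "letmein", td, kgc.second_public, fwd, back)
    return good, bad

if __name__ == "__main__":
    print(run_demo())
```

Because the forward server raises both ciphertexts to a fresh exponent s, the backward server in this toy sees only values of the form H(pw)^s and learns whether the two are equal, while the stored second ciphertext is randomised and so differs between users who share a password.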
Based on the above identity-based password authentication system, embodiments of the identity-based password authentication method of the present invention are proposed.
Referring to Fig. 3, Fig. 3 is a flow diagram of the first embodiment of the identity-based password authentication method of the present invention.
In the first embodiment, the identity-based password authentication method comprises the following steps:
S10: the user terminal, in response to a data access instruction triggered by a user, obtains the login account and the plaintext of the login password entered by the user, processes the plaintext of the login password according to a preset encryption rule to obtain a first ciphertext of the login password, and transmits the login account and the first ciphertext to the forward server.
It should be understood that the user terminal in this embodiment may be a smartphone, a tablet computer, a laptop and the like, that is, any terminal device that can access the server over network data. These are not enumerated one by one here, and no limitation is imposed in this respect.
S20: the forward server looks up a second ciphertext of the login password in a local database according to the login account, computes on the first ciphertext using a pre-stored user trapdoor corresponding to the login account to obtain a first intermediate result, computes on the second ciphertext using the user trapdoor to obtain a second intermediate result, and transmits the first intermediate result and the second intermediate result to the backward server.
S30: the backward server processes the first intermediate result according to a preset verification rule to obtain a first verification result, processes the second intermediate result according to the preset verification rule to obtain a second verification result, and matches the first verification result against the second verification result; if they are determined to match, user authentication succeeds and data access operations may be carried out.
It should be understood that the forward server and the backward server in this embodiment may be physical servers or virtual cloud servers deployed in the cloud. Those skilled in the art may configure this as needed, and no limitation is imposed here.
From the above description it is easy to see that, in the identity-based password authentication method provided in this embodiment, the forward server pre-stores a user trapdoor corresponding to each login account. After the forward server receives the first ciphertext of the login password and the login account provided by the user terminal, it finds the corresponding user trapdoor and the second ciphertext of the login password according to the received login account, then uses the user trapdoor it found to compute on the first ciphertext and on the second ciphertext respectively, and transmits the resulting first intermediate result (corresponding to the first ciphertext) and second intermediate result (corresponding to the second ciphertext) to the backward server. The backward server processes the first intermediate result and the second intermediate result respectively according to the preset verification rule, matches the resulting first verification result against the second verification result, and, when the two are determined to match, determines that user authentication succeeded and data access operations may be carried out. By adopting this two-server architecture, the security problem caused by a single server being compromised can be avoided, making the password authentication system more secure and stable.
Further, as shown in Fig. 4, a second embodiment of the identity-based password authentication method of the present invention is proposed based on the first embodiment. In this embodiment, before the user terminal, in response to the data access instruction triggered by the user, obtains the login account and the plaintext of the login password entered by the user, the key generation centre also needs to complete a series of processing in advance; see the newly added steps S00, S01 and S02 in Fig. 4.
To aid understanding, a detailed description is given below with reference to Fig. 4:
In step S00, the key generation centre distributes a first key to the forward server and calculates a first public key of the forward server from the first key.
In step S01, the key generation centre distributes a second key to the backward server and calculates a second public key of the backward server from the second key.
Correspondingly, the user terminal processing the plaintext of the login password according to the preset encryption rule to obtain the first ciphertext of the login password specifically comprises: according to the preset encryption rule, processing the plaintext of the login password using the first public key and the second public key to obtain the first ciphertext of the login password.
Correspondingly, the backward server processing the first intermediate result according to the preset verification rule to obtain the first verification result, and processing the second intermediate result to obtain the second verification result, specifically comprises: processing the first intermediate result using the second key according to the preset verification rule to obtain the first verification result, processing the second intermediate result using the second key according to the preset verification rule to obtain the second verification result, and matching the first verification result against the second verification result; if they are determined to match, user authentication succeeds and data access operations may be carried out.
In step S02, key generation centre is when receiving the registration request that the user terminal is sent, according to described the
One private key calculates user key, and feeds back to the user terminal for the user key obtained is calculated.
It should be understood that, in a specific implementation, the forward server must always be able to obtain the user trapdoor corresponding to the login account provided by the user terminal, so that the first intermediate result and the second intermediate result needed in the subsequent verification can be obtained. Therefore, after receiving the user key and before transmitting the login account and the first ciphertext to the forward server, the user terminal also needs to select a part of the user key as the user trapdoor corresponding to the login account, according to a preset trapdoor generation rule, and transmit the user trapdoor to the forward server for storage.
Further, since the user terminal must use network data to transmit the user trapdoor to the forward server, in order to reduce the user's waiting time and the use of network data traffic, especially when the user terminal's network connection is poor, the user terminal can first determine, before transmitting the login account and the first ciphertext to the forward server, whether the user trapdoor is already stored in the forward server, for example from the locally recorded sending status of the user trapdoor. When it determines that the user trapdoor is not stored in the forward server, it transmits the user trapdoor to the forward server for storage; otherwise, it skips the step of sending the user trapdoor and directly executes the step of transmitting the login account and the first ciphertext to the forward server.
From the above description it is not hard to see that the identity-based password authentication method provided in this embodiment encrypts the plaintext of the login password using the first public key, which the key generation centre provides for the forward server, and the second public key, which it provides for the backward server. This solves the problem that existing passwords stored using a hash algorithm are vulnerable to guessing attacks and, on the basis of the two-server architecture, further improves the stability and security of the authentication system.
In addition, for a better understanding of the use of the identity-based authentication system and the identity-based authentication method provided by the present invention, a detailed description is given below.
For convenience of description, the symbols that are needed are first defined as follows:
KGC: key generation centre.
$S_F$: forward server.
$S_B$: backward server.
$ID$: user identity.
$Z^*$: the set of positive integers.
$q$: a prime number.
$P$: generator of $G_1$, $G_T$.
$G_1$, $G_T$: the cyclic groups generated by $P$.
$e$: bilinear map from $G_1 \times G_1$ to $G_T$.
$h_1$: hash function from $\{0,1\}^*$ to $\{0,1\}^*$.
$h_2$: hash function from $G_T$ to $\{0,1\}^*$.
$h_3$: hash function from $G_1$ to $\{0,1\}^*$.
$r_1$, $r_2$, $r_3$: random numbers.
$P_{pub1}$, $P_{pub2}$: the public key of the forward server.
$P_{pub3}$: the public key of the backward server.
$(s_1, s_2)$: the private key of the forward server.
$s_3$: the private key of the backward server.
$dk_{ID}$: user key.
$td_{ID}$: user trapdoor.
$M$: password plaintext (i.e. the plaintext of the login password).
$C$: password ciphertext.
$x \| y$: the concatenation of $x$ and $y$, where $x$ and $y$ are bit strings or byte strings.
The exclusive or of $x$ and $y$, where $x$ and $y$ are bit strings or byte strings.
$aQ$: point multiplication, where $a$ is an integer and $Q$ is a point on the cyclic group $G_1$.
For ease of description, the identity-based authentication process provided by the present invention is divided below into five parts: system initialization by the KGC, generation of the user trapdoor by the user terminal, encryption of the plaintext of the login password by the user terminal, password verification by the forward server, and password verification by the backward server. That is, first, the KGC generates the public and private keys of the forward server and the backward server, the user private key, and the relevant parameters (the various parameters used in subsequent authentication); then, the user terminal generates the user trapdoor from the user key and sends the user trapdoor to the forward server; finally, during login, the user terminal sends the encrypted password (i.e. the first ciphertext) to the forward server, the forward server performs a first comparison of this ciphertext with the original ciphertext (i.e. the second ciphertext) stored in the local database and sends the result to the backward server, and the backward server performs a second comparison; if it passes, authentication succeeds. The detailed steps are as follows:
1. The KGC performs system initialization:
(1) The KGC selects cyclic groups $G_1$, $G_T$ of prime order $q$ (where the generator of $G_1$ is $P$), a bilinear map $e: G_1 \times G_1 \to G_T$, and hash functions $h_1$, $h_2$, $h_3$.
The KGC selects random numbers $(s_1, s_2)$ as the key of the forward server $S_F$ and calculates $P_{pub1} = s_1 \cdot P$, $P_{pub2} = s_2 \cdot P$. It selects a random number $s_3$ as the key of the backward server $S_B$ and calculates $P_{pub3} = s_3 \cdot P$.
Finally, the KGC publishes the parameters $Params = (P, G_1, G_T, e, P_{pub1}, P_{pub2}, P_{pub3}, h_1, h_2, h_3)$.
It should be noted that the above is only one example of using the KGC; in a specific implementation, those skilled in the art can use the KGC to meet further functional requirements according to the existing literature, which is not described again here.
(2) The user terminal sends a registration request to the KGC with its identity $ID$ (i.e. the login account); the KGC calculates $h_{ID} = h_1(ID)$ and the user key, and sends the user key $dk_{ID}$ to the user terminal over a secure channel.
2. The user terminal generates the user trapdoor:
The user terminal sends a part of the user key to the forward server $S_F$ as the user trapdoor.
It should be understood that, in a specific implementation, another part of the user key can also be sent to the forward server $S_F$ as the user trapdoor as needed; no restriction is imposed here.
3. The user terminal encrypts the plaintext of the login password:
The user terminal selects the password plaintext $M$ and calculates $h_{ID} = h_1(ID)$. It selects random numbers $r_1$, $r_2$, $r_3$ and calculates the first ciphertext $C = (C_1, C_2, C_3, C_4, C_5)$, where $C_1 = r_1 \cdot (h_{ID} \cdot P + P_{pub1})$, $C_2 = r_2 P$, $C_4 = r_3 \cdot (h_{ID} \cdot P + P_{pub2})$,
Here $C = (C_{1,B}, C_{2,B}, C_{3,B}, C_{4,B}, C_{5,B})$ denotes the first ciphertext calculated from the plaintext of the login password provided by the user terminal; the first ciphertext $C = (C_{1,B}, C_{2,B}, C_{3,B}, C_{4,B}, C_{5,B})$ and the login account entered by the user are sent to the forward server $S_F$.
4. The forward server verifies the password:
After receiving the first ciphertext $C = (C_{1,B}, C_{2,B}, C_{3,B}, C_{4,B}, C_{5,B})$ and the login account entered by the user, the forward server $S_F$ uses the login account to look up, in the local database, the user trapdoor corresponding to that account and the second ciphertext $C = (C_{1,A}, C_{2,A}, C_{3,A}, C_{4,A}, C_{5,A})$. It then uses the user trapdoor and the second ciphertext $C = (C_{1,A}, C_{2,A}, C_{3,A}, C_{4,A}, C_{5,A})$ to calculate the intermediate results $E_A$ and $X_A$.
By the same operation, intermediate results are calculated from the user trapdoor and the first ciphertext; here, for ease of distinction, the user trapdoor is written with its own notation and the intermediate results obtained accordingly are denoted $E_B$ and $X_B$.
That is:
The calculation results $(E_A, X_A, E_B, X_B)$ are then sent to the backward server $S_B$.
5. The backward server verifies the password:
The backward server $S_B$ calculates $Y_A$ (the first verification result) and $Y_B$ (the second verification result) according to the preset rule, wherein
Then the first verification result and the second verification result obtained are checked; specifically, this can be done by judging whether the equation holds.
If so, 1 is output, indicating $M_A = M_B$: user authentication succeeds and the data access operation can be carried out. Otherwise 0 is output and the user is refused the data access operation.
From the above description it is not hard to see that the present invention offers high security and low implementation complexity. Compared with a traditional hash algorithm, the present invention stores passwords using a public key encryption algorithm, so that even an attacker who holds a large number of password ciphertext samples cannot easily crack the passwords of most users, which achieves higher security. At the same time, this protocol uses a two-server architecture to authenticate passwords, which achieves higher system stability.
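The message flow of steps 3 to 5 (randomized first and second ciphertexts, the user trapdoor held by the forward server, the intermediate results $(E_A, X_A, E_B, X_B)$, and the final comparison of $Y_A$ and $Y_B$ by the backward server) is shown below as an added example that is not the patent's own construction: the pairing-based encryption is replaced by a simplified ElGamal-style stand-in over a toy modular group. All class names, function names, parameters, the account name and the sample passwords are assumptions constructed for illustration.

```python
import hashlib
import math
import secrets

# Toy group (assumption): integers modulo the prime 2**255 - 19 with base 2.
# Chosen so the example runs on the standard library alone; a real use of this
# stand-in would need a standard prime-order group instead.
P_MOD = 2**255 - 19
G = 2


def rand_exp():
    return secrets.randbelow(P_MOD - 2) + 1


def keygen():
    """Return (secret, public) for a server key or a user trapdoor."""
    sk = rand_exp()
    return sk, pow(G, sk, P_MOD)


def hash_to_group(password):
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % P_MOD or 1


def encrypt(password, td_pub, backward_pub):
    """User terminal: randomized ciphertext bound to both servers' secrets."""
    r = rand_exp()
    c1 = pow(G, r, P_MOD)
    c2 = hash_to_group(password) * pow(td_pub * backward_pub, r, P_MOD) % P_MOD
    return c1, c2


class ForwardServer:
    def __init__(self):
        self.db = {}  # login account -> (user trapdoor, second ciphertext)

    def register(self, account, trapdoor, ciphertext):
        self.db[account] = (trapdoor, ciphertext)

    def intermediate(self, account, first_ciphertext):
        """Return (E_A, X_A, E_B, X_B): trapdoor layer removed, blinded by k."""
        trapdoor, second_ciphertext = self.db[account]
        k = rand_exp()
        while math.gcd(k, P_MOD - 1) != 1:  # keeps x -> x**k one-to-one
            k = rand_exp()
        out = []
        for c1, c2 in (second_ciphertext, first_ciphertext):
            unwrapped = c2 * pow(c1, -trapdoor, P_MOD) % P_MOD
            out += [pow(unwrapped, k, P_MOD), pow(c1, k, P_MOD)]
        return tuple(out)


class BackwardServer:
    def __init__(self):
        self.sk, self.pk = keygen()

    def verify(self, e_a, x_a, e_b, x_b):
        """Remove the backward layer; output 1 on a match, 0 otherwise."""
        y_a = e_a * pow(x_a, -self.sk, P_MOD) % P_MOD
        y_b = e_b * pow(x_b, -self.sk, P_MOD) % P_MOD
        return 1 if y_a == y_b else 0


def run_demo():
    """Register a constructed account, then try a right and a wrong password."""
    forward, backward = ForwardServer(), BackwardServer()
    trapdoor, td_pub = keygen()
    forward.register("alice", trapdoor,
                     encrypt("correct horse", td_pub, backward.pk))

    def login(password):
        first_ciphertext = encrypt(password, td_pub, backward.pk)
        return backward.verify(*forward.intermediate("alice", first_ciphertext))

    return login("correct horse"), login("wrong guess")


if __name__ == "__main__":
    print(run_demo())
```

In this stand-in the forward server never sees a value it can compare directly, because the backward layer is still present in its intermediate results, and the backward server sees only values raised to a fresh exponent `k` chosen by the forward server.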
Since the above is only an example, it does not constitute any limitation on the technical solution of the present invention; in a specific application, those skilled in the art can configure it as needed, and the present invention places no restriction on this.
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or system that includes that element.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
From the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by means of software plus a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium as described above (such as ROM/RAM, magnetic disk or optical disc) and includes a number of instructions that cause a terminal device (which can be a mobile phone, computer, server, air conditioner, network device or the like) to execute the methods described in the embodiments of the present invention.
The above is only a preferred embodiment of the present invention and does not limit the scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, whether applied directly or indirectly in other related technical fields, is likewise included within the scope of protection of the present invention.
Claims (10)
1. An identity-based password authentication system, characterized in that the system comprises: a user terminal and a server side;
the server side comprises a forward server and a backward server, the forward server being communicatively connected to the user terminal and connected in series with the backward server;
the user terminal is configured to, in response to a data access instruction triggered by a user, obtain the login account and the plaintext of the login password entered by the user, process the plaintext of the login password according to a preset encryption rule to obtain a first ciphertext of the login password, and transmit the login account and the first ciphertext to the forward server;
the forward server is configured to look up a second ciphertext of the login password in a local database according to the login account, perform a calculation on the first ciphertext using a pre-stored user trapdoor corresponding to the login account to obtain a first intermediate result, perform a calculation on the second ciphertext using the user trapdoor to obtain a second intermediate result, and transmit the first intermediate result and the second intermediate result to the backward server;
the backward server is configured to process the first intermediate result according to a preset verification rule to obtain a first verification result, process the second intermediate result according to the preset verification rule to obtain a second verification result, and match the first verification result against the second verification result; if they are determined to match, user authentication succeeds and the data access operation can be carried out.
2. The system according to claim 1, characterized in that the system further comprises: a key generation centre, the key generation centre being communicatively connected to the user terminal, the forward server and the backward server respectively;
the key generation centre is configured to distribute a first key to the forward server and calculate the first public key of the forward server according to the first key;
the key generation centre is further configured to distribute a second key to the backward server and calculate the second public key of the backward server according to the second key;
correspondingly, the user terminal is configured to process the plaintext of the login password using the first public key and the second public key according to the preset encryption rule to obtain the first ciphertext of the login password;
correspondingly, the backward server is configured to process the first intermediate result using the second key according to the preset verification rule to obtain the first verification result, process the second intermediate result using the second key according to the preset verification rule to obtain the second verification result, and match the first verification result against the second verification result; if they are determined to match, user authentication succeeds and the data access operation can be carried out.
3. The system according to claim 2, characterized in that the key generation centre is further configured to, on receiving a registration request sent by the user terminal, calculate a user key according to the first private key and feed the calculated user key back to the user terminal.
4. The system according to claim 3, characterized in that the user terminal is further configured to select a part of the user key as the user trapdoor corresponding to the login account according to a preset trapdoor generation rule, and transmit the user trapdoor to the forward server for storage.
5. The system according to any one of claims 1 to 4, characterized in that the forward server and the backward server are connected in series using a common channel or a one-way channel.
6. An identity-based password authentication method, characterized in that it is applied to the identity-based password authentication system according to any one of claims 1 to 5; the method comprises the following steps:
the user terminal, in response to a data access instruction triggered by a user, obtains the login account and the plaintext of the login password entered by the user, processes the plaintext of the login password according to a preset encryption rule to obtain a first ciphertext of the login password, and transmits the login account and the first ciphertext to the forward server;
the forward server looks up a second ciphertext of the login password in a local database according to the login account, performs a calculation on the first ciphertext using a pre-stored user trapdoor corresponding to the login account to obtain a first intermediate result, performs a calculation on the second ciphertext using the user trapdoor to obtain a second intermediate result, and transmits the first intermediate result and the second intermediate result to the backward server;
the backward server processes the first intermediate result according to a preset verification rule to obtain a first verification result, processes the second intermediate result according to the preset verification rule to obtain a second verification result, and matches the first verification result against the second verification result; if they are determined to match, user authentication succeeds and the data access operation can be carried out.
7. The method according to claim 6, characterized in that, before the user terminal, in response to the data access instruction triggered by the user, obtains the login account and the plaintext of the login password entered by the user, the method further comprises:
the key generation centre distributes a first key to the forward server and calculates the first public key of the forward server according to the first key;
the key generation centre also distributes a second key to the backward server and calculates the second public key of the backward server according to the second key;
correspondingly, the step in which the user terminal processes the plaintext of the login password according to the preset encryption rule to obtain the first ciphertext of the login password specifically includes:
processing the plaintext of the login password using the first public key and the second public key according to the preset encryption rule to obtain the first ciphertext of the login password;
correspondingly, the step in which the backward server processes the first intermediate result according to the preset verification rule to obtain the first verification result, and processes the second intermediate result to obtain the second verification result, specifically includes:
processing the first intermediate result using the second key according to the preset verification rule to obtain the first verification result, processing the second intermediate result using the second key according to the preset verification rule to obtain the second verification result, and matching the first verification result against the second verification result; if they are determined to match, user authentication succeeds and the data access operation can be carried out.
8. The method according to claim 7, characterized in that, before the user terminal, in response to the data access instruction triggered by the user, obtains the login account and the plaintext of the login password entered by the user, the method further comprises:
the key generation centre, on receiving a registration request sent by the user terminal, calculates a user key according to the first private key and feeds the calculated user key back to the user terminal.
9. The method according to claim 8, characterized in that, before the user terminal transmits the login account and the first ciphertext to the forward server, the method further comprises:
the user terminal selects a part of the user key as the user trapdoor corresponding to the login account according to a preset trapdoor generation rule, and transmits the user trapdoor to the forward server for storage.
10. The method according to claim 9, characterized in that, before the user terminal transmits the user trapdoor to the forward server for storage, the method further comprises:
determining whether the user trapdoor is already stored in the forward server;
correspondingly, the step in which the user terminal transmits the user trapdoor to the forward server for storage specifically includes:
if it is determined that the user trapdoor is not stored in the forward server, transmitting the user trapdoor to the forward server for storage.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810627700.1A CN109005037B (en) | 2018-06-15 | 2018-06-15 | Password authentication system and method based on identity |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109005037A (en) | 2018-12-14 |
CN109005037B CN109005037B (en) | 2021-06-29 |
Family
ID=64601958
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810627700.1A Active CN109005037B (en) | 2018-06-15 | 2018-06-15 | Password authentication system and method based on identity |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109005037B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101582761A (en) * | 2008-05-15 | 2009-11-18 | 郑建德 | Identity authentication system adopting password firewall |
KR101382626B1 (en) * | 2013-01-03 | 2014-04-07 | 고려대학교 산학협력단 | System and method for id-based strong designated verifier signature |
CN107634927A (en) * | 2016-07-18 | 2018-01-26 | 武汉微诚科技股份有限公司 | A kind of highway electromechanical equipment management system and method based on B/S framework |
CN107707360A (en) * | 2017-11-10 | 2018-02-16 | 西安电子科技大学 | Isomerization polymerization label decryption method under environment of internet of things |
Non-Patent Citations (1)
Title |
---|
吴黎兵等: "云计算中基于身份的双服务器密文等值判定协议", 《计算机研究与发展》 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110059458A (en) * | 2019-03-12 | 2019-07-26 | 北京中海闻达信息技术有限公司 | A kind of user password encryption and authentication method, apparatus and system |
CN110059458B (en) * | 2019-03-12 | 2021-06-18 | 北京中海闻达信息技术有限公司 | User password encryption authentication method, device and system |
Also Published As
Publication number | Publication date |
---|---|
CN109005037B (en) | 2021-06-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||