CN109005037A - Identity-based password authentication system and method - Google Patents

Publication number
CN109005037A
Authority
CN
China
Prior art keywords
user
server
key
ciphertext
forward direction
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810627700.1A
Other languages
Chinese (zh)
Other versions
CN109005037B (en
Inventor
张宇波
张佳妮
张韵茹
何德彪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Chain Core Block Chain Technology Co Ltd
Original Assignee
Wuhan Chain Core Block Chain Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Chain Core Block Chain Technology Co Ltd
Priority to CN201810627700.1A
Publication of CN109005037A
Application granted
Publication of CN109005037B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0478 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload applying multiple layers of encryption, e.g. nested tunnels or encrypting the content with a first key and then with at least a second key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

The invention discloses an identity-based password authentication system and method. The invention adopts a two-server architecture. When a user's identity is authenticated, the forward server looks up the pre-stored second ciphertext of the corresponding login password and the user trapdoor according to the login account provided by the user terminal, then uses the user trapdoor to compute on the first ciphertext provided by the user terminal and on the second ciphertext respectively, and transmits the resulting first intermediate result (corresponding to the first ciphertext) and second intermediate result (corresponding to the second ciphertext) to the backward server. The backward server processes the first intermediate result according to a preset verification rule to obtain a first verification result, processes the second intermediate result according to the verification rule to obtain a second verification result, and matches the two verification results. When the two are determined to match, user identity verification succeeds and data access operations can be performed, which greatly improves the security and stability of the password authentication system.

Description

Identity-based password authentication system and method
Technical field
The present invention relates to the field of identity authentication technology, and in particular to an identity-based password authentication system and method.
Background art
Password authentication is an identity authentication technology in general use on the Internet. Its purpose is to identify the user when a network user enters a system or accesses restricted system resources. Password authentication is one of the techniques for preventing active attacks, and at present it can be broadly divided into static password authentication and dynamic password authentication.
Because passwords are cheap to deploy, easy to recover and easy to use, advantages that other alternatives cannot match, password authentication is the most popular identity authentication mechanism on the Internet today. Until a better authentication mechanism appears, passwords will continue to be used for authentication for a long time.
In recent years, however, leaks of user password data have occurred from time to time on the Internet. Analysis of the leaked password data shows that, apart from a minority of cases that store plaintext, what servers usually store is a password hash value (obtained using encryption tools such as Bcrypt and PBKDF2). However, hash algorithms have the problem that an identical input necessarily produces an identical output. Moreover, for ease of memorization, user passwords are usually not complex enough, which makes them vulnerable to guessing attacks. The attack success rate is higher still when the attacker possesses a large number of password hash values.
The above content is only intended to aid understanding of the technical solution of the present invention and does not constitute an admission that it is prior art.
Summary of the invention
The main purpose of the present invention is to provide an identity-based password authentication system and method, intended to solve the technical problem in the prior art that the login passwords held by users are too simple, so that the security and stability of the password authentication system are poor and the authentication password is easily cracked.
To achieve the above object, the present invention provides an identity-based password authentication system, the system comprising a user terminal and a server end;
The server end comprises a forward server and a backward server; the forward server is communicatively connected to the user terminal and is connected in series with the backward server;
The user terminal is configured to, in response to a data access instruction triggered by the user, obtain the login account and the plaintext of the login password entered by the user, process the plaintext of the login password according to a preset encryption rule to obtain a first ciphertext of the login password, and transmit the login account and the first ciphertext to the forward server;
The forward server is configured to look up a second ciphertext of the login password in a local database according to the login account, compute on the first ciphertext using a pre-stored user trapdoor corresponding to the login account to obtain a first intermediate result, compute on the second ciphertext using the user trapdoor to obtain a second intermediate result, and transmit the first intermediate result and the second intermediate result to the backward server;
The backward server is configured to process the first intermediate result according to a preset verification rule to obtain a first verification result, process the second intermediate result according to the preset verification rule to obtain a second verification result, and match the first verification result against the second verification result; if they are determined to match, user identity verification succeeds and data access operations can be performed.
Preferably, the system further comprises a key generation center, which is communicatively connected to the user terminal, the forward server and the backward server respectively;
The key generation center is configured to distribute a first key to the forward server and compute a first public key of the forward server from the first key;
The key generation center is further configured to distribute a second key to the backward server and compute a second public key of the backward server from the second key;
Correspondingly, the user terminal is configured to process the plaintext of the login password using the first public key and the second public key according to the preset encryption rule, obtaining the first ciphertext of the login password;
Correspondingly, the backward server is configured to process the first intermediate result using the second key according to the preset verification rule to obtain the first verification result, process the second intermediate result using the second key according to the preset verification rule to obtain the second verification result, and match the first verification result against the second verification result; if they are determined to match, user identity verification succeeds and data access operations can be performed.
Preferably, the key generation center is further configured to, upon receiving a registration request sent by the user terminal, compute a user key according to the first private key and feed the computed user key back to the user terminal.
Preferably, the user terminal is further configured to select, according to a preset trapdoor generation rule, a part of the user key as the user trapdoor corresponding to the login account, and to transmit the user trapdoor to the forward server for storage.
Preferably, the forward server and the backward server are connected in series over a public channel or a one-way channel.
In addition, to achieve the above object, the present invention also provides an identity-based password authentication method, applied to the identity-based password authentication system provided by the present invention, the method comprising the following steps:
The user terminal, in response to a data access instruction triggered by the user, obtains the login account and the plaintext of the login password entered by the user, processes the plaintext of the login password according to a preset encryption rule to obtain a first ciphertext of the login password, and transmits the login account and the first ciphertext to the forward server;
The forward server looks up a second ciphertext of the login password in a local database according to the login account, computes on the first ciphertext using a pre-stored user trapdoor corresponding to the login account to obtain a first intermediate result, computes on the second ciphertext using the user trapdoor to obtain a second intermediate result, and transmits the first intermediate result and the second intermediate result to the backward server;
The backward server processes the first intermediate result according to a preset verification rule to obtain a first verification result, processes the second intermediate result according to the preset verification rule to obtain a second verification result, and matches the first verification result against the second verification result; if they are determined to match, user identity verification succeeds and data access operations can be performed.
Preferably, before the user terminal, in response to the data access instruction triggered by the user, obtains the login account and the plaintext of the login password entered by the user, the method further comprises:
The key generation center distributes a first key to the forward server and computes a first public key of the forward server from the first key;
The key generation center also distributes a second key to the backward server and computes a second public key of the backward server from the second key;
Correspondingly, the user terminal processing the plaintext of the login password according to the preset encryption rule to obtain the first ciphertext of the login password specifically comprises:
processing the plaintext of the login password using the first public key and the second public key according to the preset encryption rule, obtaining the first ciphertext of the login password;
Correspondingly, the backward server processing the first intermediate result according to the preset verification rule to obtain the first verification result, and processing the second intermediate result to obtain the second verification result, specifically comprises:
processing the first intermediate result using the second key according to the preset verification rule to obtain the first verification result, processing the second intermediate result using the second key according to the preset verification rule to obtain the second verification result, and matching the first verification result against the second verification result; if they are determined to match, user identity verification succeeds and data access operations can be performed.
Preferably, before the user terminal, in response to the data access instruction triggered by the user, obtains the login account and the plaintext of the login password entered by the user, the method further comprises:
The key generation center, upon receiving a registration request sent by the user terminal, computes a user key according to the first private key and feeds the computed user key back to the user terminal.
Preferably, before the user terminal transmits the login account and the first ciphertext to the forward server, the method further comprises:
The user terminal selects, according to a preset trapdoor generation rule, a part of the user key as the user trapdoor corresponding to the login account, and transmits the user trapdoor to the forward server for storage.
Preferably, before the user terminal transmits the user trapdoor to the forward server for storage, the method further comprises:
determining whether the user trapdoor is already stored in the forward server;
Correspondingly, the user terminal transmitting the user trapdoor to the forward server for storage specifically comprises:
if it is determined that the user trapdoor is not stored in the forward server, transmitting the user trapdoor to the forward server for storage.
In the present invention, the forward server pre-stores the user trapdoor corresponding to each login account. After receiving the first ciphertext of the login password and the login account provided by the user terminal, the forward server finds the corresponding user trapdoor and the second ciphertext of the login password according to the received login account, then uses the user trapdoor it found to compute on the first ciphertext and the second ciphertext respectively, and transmits the resulting first intermediate result (corresponding to the first ciphertext) and second intermediate result (corresponding to the second ciphertext) to the backward server. The backward server processes the first intermediate result and the second intermediate result respectively according to the preset verification rule, matches the resulting first verification result (corresponding to the first intermediate result) against the second verification result (corresponding to the second intermediate result), and, when the first verification result and the second verification result are determined to match, determines that user identity verification has succeeded and data access operations can be performed. Adopting this two-server architecture avoids the security problems caused by the compromise of a single server, making the password authentication system more secure and stable.
Brief description of the drawings
Fig. 1 is a structural schematic diagram of the first embodiment of the identity-based password authentication system of the present invention;
Fig. 2 is a structural schematic diagram of the second embodiment of the identity-based password authentication system of the present invention;
Fig. 3 is a flow diagram of the first embodiment of the identity-based password authentication method of the present invention;
Fig. 4 is a flow diagram of the second embodiment of the identity-based password authentication method of the present invention.
The realization of the object, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings and the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
Referring to Fig. 1, Fig. 1 is a structural schematic diagram of the first embodiment of the identity-based password authentication system of the present invention.
In the first embodiment, the identity-based password authentication system comprises a user terminal 100 and a server end 200.
Specifically, the server end 200 in this embodiment comprises a forward server 201 and a backward server 202.
The forward server 201 is communicatively connected to the user terminal 100, for example by a wired connection or a wireless connection.
In addition, the forward server 201 is also connected in series with the backward server 202, for example over a public channel.
Further, in a specific implementation, in order to guarantee the security of the verification process and prevent the verification result from being returned from the backward server 202 to the forward server 201, the forward server 201 and the backward server 202 may also be connected in series over a one-way channel.
It should be noted that the above is only an example and does not limit the technical solution of the present invention in any way. In specific applications, those skilled in the art can configure this as needed, and the present invention places no restriction on it.
For ease of understanding, the function of each of the above devices is described in detail below:
Specifically, the user terminal 100 is configured to, in response to a data access instruction triggered by the user, obtain the login account and the plaintext of the login password entered by the user, process the plaintext of the login password according to a preset encryption rule to obtain a first ciphertext of the login password, and transmit the login account and the first ciphertext to the forward server 201.
The forward server 201 is configured to look up a second ciphertext of the login password in a local database according to the login account, compute on the first ciphertext using a pre-stored user trapdoor corresponding to the login account to obtain a first intermediate result, compute on the second ciphertext using the user trapdoor to obtain a second intermediate result, and transmit the first intermediate result and the second intermediate result to the backward server 202.
The backward server 202 is configured to process the first intermediate result according to a preset verification rule to obtain a first verification result, process the second intermediate result according to the preset verification rule to obtain a second verification result, and match the first verification result against the second verification result; if they are determined to match, user identity verification succeeds and data access operations can be performed.
From the above description it is not difficult to see that, in the identity-based password authentication system provided in this embodiment, the forward server pre-stores the user trapdoor corresponding to each login account. After receiving the first ciphertext of the login password and the login account provided by the user terminal, the forward server finds the corresponding user trapdoor and the second ciphertext of the login password according to the received login account, then uses the user trapdoor it found to compute on the first ciphertext and the second ciphertext respectively, and transmits the resulting first intermediate result (corresponding to the first ciphertext) and second intermediate result (corresponding to the second ciphertext) to the backward server. The backward server processes the first intermediate result and the second intermediate result respectively according to the preset verification rule, matches the resulting first verification result (corresponding to the first intermediate result) against the second verification result (corresponding to the second intermediate result), and, when the first verification result and the second verification result are determined to match, determines that user identity verification has succeeded and data access operations can be performed. Adopting this two-server architecture avoids the security problems caused by the compromise of a single server, making the password authentication system more secure and stable.
Further, as shown in Fig. 2, a second embodiment of the identity-based password authentication system of the present invention is proposed on the basis of the first embodiment. In this embodiment, the identity-based password authentication system further comprises a key generation center 300.
The key generation center 300 is communicatively connected to the user terminal 100, the forward server 201 and the backward server 202 respectively.
Specifically, the key generation center 300 in this embodiment is mainly used to distribute a first key to the forward server 201 and compute a first public key of the forward server 201 from the first key, and to distribute a second key to the backward server 202 and compute a second public key of the backward server 202 from the second key.
Correspondingly, in a specific implementation, the operation in which the user terminal 100 processes the plaintext of the login password according to the preset encryption rule to obtain the first ciphertext of the login password is specifically: processing the plaintext of the login password using the first public key and the second public key according to the preset encryption rule, obtaining the first ciphertext of the login password.
It should be understood that, in a specific implementation, the operation of the backward server 202 is specifically: processing the first intermediate result using the second key according to the preset verification rule to obtain the first verification result, processing the second intermediate result using the second key according to the preset verification rule to obtain the second verification result, and matching the first verification result against the second verification result; if they are determined to match, user identity verification succeeds and data access operations can be performed.
In addition, the key generation center 300 is further configured to, upon receiving a registration request sent by the user terminal 100, compute a user key according to the first private key and feed the computed user key back to the user terminal 100.
Correspondingly, upon receiving the user key fed back by the key generation center 300, the user terminal 100 can select, according to a preset trapdoor generation rule, a part of the user key as the user trapdoor corresponding to the login account, and transmit the user trapdoor to the forward server 201 for storage.
In addition, it should be noted that the key generation center in this embodiment is specifically an existing Key Generate Center (KGC). Regarding the use of the KGC, those skilled in the art can implement the corresponding functions by consulting existing usage material, which is not described again here.
From the above description it is not difficult to see that the identity-based password authentication system provided in this embodiment encrypts the plaintext of the login password using the first public key that the key generation center provides for the forward server and the second public key that it provides for the backward server. This solves the problem that existing passwords stored using hash algorithms are vulnerable to guessing attacks and, on the basis of the two-server architecture, further improves the stability and security of the authentication system.
Based on the above identity-based password authentication system, embodiments of the identity-based password authentication method of the present invention are proposed.
Referring to Fig. 3, Fig. 3 is a flow diagram of the first embodiment of the identity-based password authentication method of the present invention.
In the first embodiment, the identity-based password authentication method comprises the following steps:
S10: the user terminal, in response to a data access instruction triggered by the user, obtains the login account and the plaintext of the login password entered by the user, processes the plaintext of the login password according to a preset encryption rule to obtain a first ciphertext of the login password, and transmits the login account and the first ciphertext to the forward server.
It should be understood that the user terminal in this embodiment may be a smartphone, a tablet computer, a laptop, or the like, that is, any terminal device that can access the server over a network. They are not enumerated one by one here, and no limitation is placed on this.
S20: the forward server looks up a second ciphertext of the login password in a local database according to the login account, computes on the first ciphertext using a pre-stored user trapdoor corresponding to the login account to obtain a first intermediate result, computes on the second ciphertext using the user trapdoor to obtain a second intermediate result, and transmits the first intermediate result and the second intermediate result to the backward server.
S30: the backward server processes the first intermediate result according to a preset verification rule to obtain a first verification result, processes the second intermediate result according to the preset verification rule to obtain a second verification result, and matches the first verification result against the second verification result; if they are determined to match, user identity verification succeeds and data access operations can be performed.
It should be understood that the forward server and the backward server in this embodiment may be physical servers or virtual cloud servers deployed in the cloud. Those skilled in the art can configure this as needed, and no restriction is imposed here.
From the above description it is not difficult to see that, in the identity-based password authentication method provided in this embodiment, the forward server pre-stores the user trapdoor corresponding to each login account. After receiving the first ciphertext of the login password and the login account provided by the user terminal, the forward server finds the corresponding user trapdoor and the second ciphertext of the login password according to the received login account, then uses the user trapdoor it found to compute on the first ciphertext and the second ciphertext respectively, and transmits the resulting first intermediate result (corresponding to the first ciphertext) and second intermediate result (corresponding to the second ciphertext) to the backward server. The backward server processes the first intermediate result and the second intermediate result respectively according to the preset verification rule, matches the resulting first verification result (corresponding to the first intermediate result) against the second verification result (corresponding to the second intermediate result), and, when the first verification result and the second verification result are determined to match, determines that user identity verification has succeeded and data access operations can be performed. Adopting this two-server architecture avoids the security problems caused by the compromise of a single server, making the password authentication system more secure and stable.
Further, as shown in Fig. 4, a second embodiment of the identity-based password authentication method of the invention is proposed on the basis of the first embodiment. In this embodiment, before the user terminal responds to the data access instruction triggered by the user and obtains the login account and the plaintext of the login password entered by the user, the key generation center must complete a series of operations in advance; see the newly added steps S00, S01 and S02 in Fig. 4.
For ease of understanding, these steps are described in detail below with reference to Fig. 4:
In step S00, the key generation center allocates a first key to the forward server and computes the first public key of the forward server from the first key.
In step S01, the key generation center allocates a second key to the backward server and computes the second public key of the backward server from the second key.
Correspondingly, the step in which the user terminal processes the plaintext of the login password according to the preset encryption rule to obtain the first ciphertext of the login password specifically includes: processing the plaintext of the login password with the first public key and the second public key according to the preset encryption rule to obtain the first ciphertext of the login password.
Correspondingly, the step in which the backward server processes the first intermediate result according to the preset verification rule to obtain the first verification result, and processes the second intermediate result to obtain the second verification result, specifically includes: processing the first intermediate result with the second key according to the preset verification rule to obtain the first verification result, processing the second intermediate result with the second key according to the preset verification rule to obtain the second verification result, and matching the first verification result against the second verification result; if they match, user identity verification succeeds and the data access operation may be performed.
In step S02, upon receiving a registration request sent by the user terminal, the key generation center computes a user key from the first private key and returns the computed user key to the user terminal.
It should be understood that, in a specific implementation, the forward server must always be able to obtain the user trapdoor corresponding to the login account provided by the user terminal, so that the first intermediate result and the second intermediate result needed in subsequent verification can be computed. To ensure this, after receiving the user key and before transmitting the login account and the first ciphertext to the forward server, the user terminal also needs to select, according to a preset trapdoor generation rule, a part of the user key as the user trapdoor corresponding to the login account, and transmit the user trapdoor to the forward server for storage.
Further, because the user terminal must use network data to transmit the user trapdoor to the forward server, in order to reduce the user's waiting time and the consumption of network data traffic, especially when the user terminal's network connection is poor, the user terminal may, before transmitting the login account and the first ciphertext to the forward server, first determine whether the user trapdoor is already stored in the forward server, for example from a locally recorded sending status of the user trapdoor. When it determines that the user trapdoor is not stored in the forward server, it transmits the user trapdoor to the forward server for storage; otherwise it skips the step of sending the user trapdoor and directly performs the step of transmitting the login account and the first ciphertext to the forward server.
As the foregoing description shows, the identity-based password authentication method of this embodiment encrypts the plaintext of the login password using the first public key that the key generation center provides for the forward server and the second public key that it provides for the backward server. This solves the problem that existing passwords stored using hash algorithms are vulnerable to guessing attacks and, on the basis of the two-server architecture, further improves the stability and security of the authentication system.
In addition, for a better understanding of the use of the identity-based authentication system and the identity-based authentication method provided by the invention, a specific description follows:
For ease of description, the symbols to be used are first defined as follows:
KGC: key generation center.
$S_F$: forward server.
$S_B$: backward server.
ID: user identity.
$Z^*$: the set of positive integers.
$q$: a prime number.
$P$: generator of $G_1$, $G_T$.
$G_1$, $G_T$: the cyclic groups generated by $P$.
$e$: a bilinear map from $G_1 \times G_1$ to $G_T$.
$h_1$: a hash function from $\{0,1\}^*$ to $\{0,1\}^*$.
$h_2$: a hash function from $G_T$ to $\{0,1\}^*$.
$h_3$: a hash function from $G_1$ to $\{0,1\}^*$.
$r_1$, $r_2$, $r_3$: random numbers.
$P_{pub1}$, $P_{pub2}$: the public key of the forward server.
$P_{pub3}$: the public key of the backward server.
$(s_1, s_2)$: the private key of the forward server.
$s_3$: the private key of the backward server.
$dk_{ID}$: user key.
$td_{ID}$: user trapdoor.
$M$: password plaintext (i.e. the plaintext of the login password).
$C$: password ciphertext.
$x \| y$: the concatenation of $x$ and $y$, where $x$ and $y$ are bit strings or byte strings.
The exclusive or of x and y, wherein x and y is Bit String or byte serial.
$aQ$: point multiplication, where $a$ is an integer and $Q$ is a point on the cyclic group $G_1$.
For ease of description, the identity-based authentication process provided by the invention is divided below into five parts: system initialization by the KGC, generation of the user trapdoor by the user terminal, encryption of the plaintext of the login password by the user terminal, password verification by the forward server, and password verification by the backward server. That is, first the KGC generates the public and private keys of the forward server and the backward server, the user private key, and the relevant parameters (the various parameters used in subsequent verification); then the user terminal generates the user trapdoor from the user key and sends the user trapdoor to the forward server; finally, during login, the user terminal sends the encrypted password (i.e. the first ciphertext) to the forward server, the forward server performs a first comparison between this ciphertext and the original ciphertext stored in its local database (i.e. the second ciphertext) and sends the result to the backward server, and the backward server performs a second comparison; if that comparison passes, authentication succeeds. The detailed steps are as follows:
1. The KGC performs system initialization:
(1) The KGC selects cyclic groups $G_1$, $G_T$ of prime order $q$ (where the generator of $G_1$ is $P$), a bilinear map $e: G_1 \times G_1 \to G_T$, and hash functions $h_1$, $h_2$, $h_3$.
The KGC selects random numbers $(s_1, s_2)$ as the key of the forward server $S_F$ and computes $P_{pub1} = s_1 \cdot P$, $P_{pub2} = s_2 \cdot P$. It selects a random number $s_3$ as the key of the backward server $S_B$ and computes $P_{pub3} = s_3 \cdot P$.
Finally, the KGC publishes the parameters $Params = (P, G_1, G_T, e, P_{pub1}, P_{pub2}, P_{pub3}, h_1, h_2, h_3)$.
It should be noted that the above is only one example of the use of the KGC; in a specific implementation, those skilled in the art can use the KGC to meet further functional requirements according to the existing literature, which is not described further here.
(2) The user terminal sends a registration request to the KGC with its identity ID (i.e. the login account); the KGC computes $h_{ID} = h_1(ID)$ and the user key, and sends the user key $dk_{ID}$ to the user terminal over a secure channel.
2. The user terminal generates the user trapdoor:
The user terminal takes a part of the user key as the user trapdoor $td_{ID}$ and sends it to the forward server $S_F$.
It should be understood that, in a specific implementation, the other part of the user key may instead be sent to the forward server $S_F$ as the user trapdoor if required; no limitation is imposed here.
3. The user terminal encrypts the plaintext of the login password:
The user terminal selects the password plaintext $M$ and computes $h_{ID} = h_1(ID)$. It selects random numbers $r_1$, $r_2$, $r_3$ and computes the first ciphertext $C = (C_1, C_2, C_3, C_4, C_5)$, where $C_1 = r_1 \cdot (h_{ID} \cdot P + P_{pub1})$, $C_2 = r_2 P$, $C_4 = r_3 \cdot (h_{ID} \cdot P + P_{pub2})$.
Here $C = (C_{1,B}, C_{2,B}, C_{3,B}, C_{4,B}, C_{5,B})$ denotes the first ciphertext computed from the plaintext of the login password provided at the user terminal; the user terminal sends the first ciphertext $C = (C_{1,B}, C_{2,B}, C_{3,B}, C_{4,B}, C_{5,B})$ and the login account entered by the user to the forward server $S_F$.
4. The forward server verifies the password:
After receiving the first ciphertext $C = (C_{1,B}, C_{2,B}, C_{3,B}, C_{4,B}, C_{5,B})$ and the login account entered by the user, the forward server $S_F$ uses the login account to look up in its local database the user trapdoor corresponding to that account and the second ciphertext $C = (C_{1,A}, C_{2,A}, C_{3,A}, C_{4,A}, C_{5,A})$. It then uses the user trapdoor and the second ciphertext $C = (C_{1,A}, C_{2,A}, C_{3,A}, C_{4,A}, C_{5,A})$ to compute the intermediate results $E_A$ and $X_A$.
By the same operation, the user trapdoor and the first ciphertext are used to compute intermediate results; to keep the two computations apart, the user trapdoor is written with a separate symbol in this case, and the intermediate results obtained are denoted $E_B$ and $X_B$.
That is: The forward server then sends the computed results $(E_A, X_A, E_B, X_B)$ to the backward server $S_B$.
5. The backward server verifies the password:
The backward server $S_B$ computes $Y_A$ (the first verification result) and $Y_B$ (the second verification result) according to the preset rule, where
The computed first verification result and second verification result are then checked, specifically by judging whether the equation holds.
If it holds, 1 is output, indicating $M_A = M_B$: user identity verification succeeds and the data access operation may be performed. Otherwise 0 is output and the user is refused the data access operation.
As the foregoing description shows, the invention offers high security and low implementation complexity. Compared with the traditional hash algorithm approach, the invention stores passwords using a public-key encryption algorithm, so that even an attacker who holds a large number of password ciphertext samples cannot easily crack the passwords of most users, which achieves higher security. The protocol also authenticates passwords using a two-server architecture, which achieves higher system stability.
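An added example, not taken from the patent: a Python toy model of the surviving formulas for $P_{pub1}$ to $P_{pub3}$, $C_1$, $C_2$ and $C_4$, checking that one part of the user key (the trapdoor) recovers $e(P,P)^{r_1}$ from $C_1$ for both a stored and a fresh ciphertext, while $C_4$ needs the other part. Assumptions: the user-key form $((h_{ID}+s_1)^{-1}P, (h_{ID}+s_2)^{-1}P)$ is a standard Sakai-Kasahara-style choice that is consistent with $C_1$ and $C_4$ but does not appear on this page; the pairing is simulated over a tiny constructed group; all function names and the account string are hypothetical.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: Q and P_MOD = 2Q + 1
# are prime and G = 4 has order Q in Z_p*, standing in for e(P, P) in GT.
Q, P_MOD, G = 1019, 2039, 4

# A point a*P of G1 is stored as its scalar a mod Q (so P itself is 1). That
# makes discrete logs trivial, which is acceptable for checking algebra only.
P = 1


def pairing(a_point: int, b_point: int) -> int:
    """Simulated bilinear map: e(aP, bP) = e(P, P)^(ab)."""
    return pow(G, (a_point * b_point) % Q, P_MOD)


def h1(identity: str) -> int:
    """h1 reduced into Z_q so that h_ID can multiply P."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % Q


def rand_scalar() -> int:
    return secrets.randbelow(Q - 1) + 1  # uniform in [1, Q-1]


def kgc_setup(s1=None, s2=None, s3=None):
    """KGC initialization: (s1, s2) for S_F, s3 for S_B, Ppub_i = s_i * P."""
    master = tuple(s if s is not None else rand_scalar() for s in (s1, s2, s3))
    params = {f"Ppub{i + 1}": (s * P) % Q for i, s in enumerate(master)}
    return master, params


def kgc_extract(master, identity):
    """ASSUMED key form (Sakai-Kasahara style), not taken from the page:
    dk_ID = ((h_ID + s1)^-1 * P, (h_ID + s2)^-1 * P)."""
    h_id = h1(identity)
    parts = []
    for s in master[:2]:
        denom = (h_id + s) % Q
        if denom == 0:
            # No inverse exists; a KGC must reject or re-key in this case.
            raise ValueError("h_ID + s is 0 mod q for this identity")
        parts.append((pow(denom, -1, Q) * P) % Q)
    return tuple(parts)


def make_trapdoor(dk):
    """The user terminal hands one part of dk_ID to S_F; here the first."""
    return dk[0]


def encrypt_components(params, identity, r1=None, r2=None, r3=None):
    """C1, C2 and C4 as given on the page; C3 and C5 are left out."""
    r1, r2, r3 = (r if r is not None else rand_scalar() for r in (r1, r2, r3))
    h_id = h1(identity)
    return {
        "C1": (r1 * (h_id * P + params["Ppub1"])) % Q,
        "C2": (r2 * P) % Q,
        "C4": (r3 * (h_id * P + params["Ppub2"])) % Q,
    }


def mask(r: int) -> int:
    """e(P, P)^r, the value the encryptor can compute from its own r."""
    return pow(G, r % Q, P_MOD)


def unmask(c_point: int, key_part: int) -> int:
    """e(C, key_part): equals e(P, P)^r only when key_part matches C."""
    return pairing(c_point, key_part)


if __name__ == "__main__":
    master, params = kgc_setup()
    try:
        dk = kgc_extract(master, "alice@example.test")  # constructed account
    except ValueError as exc:  # about 2/Q chance with this toy modulus
        raise SystemExit(f"re-run setup: {exc}")
    td = make_trapdoor(dk)
    stored = encrypt_components(params, "alice@example.test", r1=3, r3=5)
    fresh = encrypt_components(params, "alice@example.test", r1=10, r3=30)
    print("C1 differs per encryption:", stored["C1"] != fresh["C1"])
    print("trapdoor opens C1 mask:", unmask(stored["C1"], td) == mask(3),
          unmask(fresh["C1"], td) == mask(10))
    print("trapdoor opens C4 mask:", unmask(stored["C4"], td) == mask(5))
    print("second key part opens C4:", unmask(stored["C4"], dk[1]) == mask(5))
```

Under the assumed key form, the trapdoor held by the forward server is key material for the $C_1$ component of every ciphertext of that account, stored or fresh, so the trapdoor database deserves the same protection as a key store.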
Since the above is merely an example, it does not limit the technical solution of the invention in any way; in specific applications, those skilled in the art may configure it as needed, and the invention imposes no limitation in this respect.
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or system. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or system that includes that element.
The serial numbers of the above embodiments of the invention are for description only and do not represent the relative merits of the embodiments.
From the above description of the embodiments, those skilled in the art will clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better implementation. On this understanding, the technical solution of the invention, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product is stored in a storage medium as described above (such as ROM/RAM, a magnetic disk or an optical disc) and includes several instructions that cause a terminal device (which may be a mobile phone, computer, server, air conditioner, network device or the like) to execute the methods described in the embodiments of the invention.
The above are only preferred embodiments of the invention and do not limit the scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the invention, or any direct or indirect application in other related technical fields, is likewise included within the scope of protection of the invention.

Claims (10)

1. An identity-based password authentication system, characterized in that the system comprises: a user terminal and a server side;
The server side comprises a forward server and a backward server; the forward server is communicatively connected to the user terminal and is connected in series with the backward server;
The user terminal is configured to, in response to a data access instruction triggered by a user, obtain the login account and the plaintext of the login password entered by the user, process the plaintext of the login password according to a preset encryption rule to obtain a first ciphertext of the login password, and transmit the login account and the first ciphertext to the forward server;
The forward server is configured to look up a second ciphertext of the login password in a local database according to the login account, perform a calculation on the first ciphertext using a pre-stored user trapdoor corresponding to the login account to obtain a first intermediate result, perform a calculation on the second ciphertext using the user trapdoor to obtain a second intermediate result, and transmit the first intermediate result and the second intermediate result to the backward server;
The backward server is configured to process the first intermediate result according to a preset verification rule to obtain a first verification result, process the second intermediate result according to the preset verification rule to obtain a second verification result, and match the first verification result against the second verification result; if they match, user identity verification succeeds and the data access operation may be performed.
2. The system of claim 1, characterized in that the system further comprises: a key generation center, the key generation center being communicatively connected to the user terminal, the forward server and the backward server respectively;
The key generation center is configured to allocate a first key to the forward server and compute the first public key of the forward server from the first key;
The key generation center is further configured to allocate a second key to the backward server and compute the second public key of the backward server from the second key;
Correspondingly, the user terminal is configured to process the plaintext of the login password with the first public key and the second public key according to the preset encryption rule to obtain the first ciphertext of the login password;
Correspondingly, the backward server is configured to process the first intermediate result with the second key according to the preset verification rule to obtain the first verification result, process the second intermediate result with the second key according to the preset verification rule to obtain the second verification result, and match the first verification result against the second verification result; if they match, user identity verification succeeds and the data access operation may be performed.
3. The system of claim 2, characterized in that the key generation center is further configured to, upon receiving a registration request sent by the user terminal, compute a user key from the first private key and return the computed user key to the user terminal.
4. The system of claim 3, characterized in that the user terminal is further configured to select, according to a preset trapdoor generation rule, a part of the user key as the user trapdoor corresponding to the login account, and transmit the user trapdoor to the forward server for storage.
5. The system of any one of claims 1 to 4, characterized in that the forward server and the backward server are connected in series using a public channel or a one-way channel.
6. An identity-based password authentication method, characterized in that it is applied to the identity-based password authentication system of any one of claims 1 to 5; the method comprises the following steps:
The user terminal, in response to a data access instruction triggered by a user, obtains the login account and the plaintext of the login password entered by the user, processes the plaintext of the login password according to a preset encryption rule to obtain a first ciphertext of the login password, and transmits the login account and the first ciphertext to the forward server;
The forward server looks up a second ciphertext of the login password in a local database according to the login account, performs a calculation on the first ciphertext using a pre-stored user trapdoor corresponding to the login account to obtain a first intermediate result, performs a calculation on the second ciphertext using the user trapdoor to obtain a second intermediate result, and transmits the first intermediate result and the second intermediate result to the backward server;
The backward server processes the first intermediate result according to a preset verification rule to obtain a first verification result, processes the second intermediate result according to the preset verification rule to obtain a second verification result, and matches the first verification result against the second verification result; if they match, user identity verification succeeds and the data access operation may be performed.
7. The method of claim 6, characterized in that, before the user terminal, in response to the data access instruction triggered by the user, obtains the login account and the plaintext of the login password entered by the user, the method further comprises:
The key generation center allocates a first key to the forward server and computes the first public key of the forward server from the first key;
The key generation center also allocates a second key to the backward server and computes the second public key of the backward server from the second key;
Correspondingly, the step in which the user terminal processes the plaintext of the login password according to the preset encryption rule to obtain the first ciphertext of the login password specifically includes:
Processing the plaintext of the login password with the first public key and the second public key according to the preset encryption rule to obtain the first ciphertext of the login password;
Correspondingly, the step in which the backward server processes the first intermediate result according to the preset verification rule to obtain the first verification result, and processes the second intermediate result to obtain the second verification result, specifically includes:
Processing the first intermediate result with the second key according to the preset verification rule to obtain the first verification result, processing the second intermediate result with the second key according to the preset verification rule to obtain the second verification result, and matching the first verification result against the second verification result; if they match, user identity verification succeeds and the data access operation may be performed.
8. The method of claim 7, characterized in that, before the user terminal, in response to the data access instruction triggered by the user, obtains the login account and the plaintext of the login password entered by the user, the method further comprises:
The key generation center, upon receiving a registration request sent by the user terminal, computes a user key from the first private key and returns the computed user key to the user terminal.
9. The method of claim 8, characterized in that, before the user terminal transmits the login account and the first ciphertext to the forward server, the method further comprises:
The user terminal selects, according to a preset trapdoor generation rule, a part of the user key as the user trapdoor corresponding to the login account, and transmits the user trapdoor to the forward server for storage.
10. The method of claim 9, characterized in that, before the user terminal transmits the user trapdoor to the forward server for storage, the method further comprises:
Determining whether the user trapdoor is already stored in the forward server;
Correspondingly, the step in which the user terminal transmits the user trapdoor to the forward server for storage specifically includes:
If it is determined that the user trapdoor is not stored in the forward server, transmitting the user trapdoor to the forward server for storage.
CN201810627700.1A 2018-06-15 2018-06-15 Password authentication system and method based on identity Active CN109005037B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810627700.1A CN109005037B (en) 2018-06-15 2018-06-15 Password authentication system and method based on identity


Publications (2)

Publication Number Publication Date
CN109005037A true CN109005037A (en) 2018-12-14
CN109005037B CN109005037B (en) 2021-06-29

Family

ID=64601958

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810627700.1A Active CN109005037B (en) 2018-06-15 2018-06-15 Password authentication system and method based on identity

Country Status (1)

Country Link
CN (1) CN109005037B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101582761A (en) * 2008-05-15 2009-11-18 郑建德 Identity authentication system adopting password firewall
KR101382626B1 (en) * 2013-01-03 2014-04-07 고려대학교 산학협력단 System and method for id-based strong designated verifier signature
CN107634927A (en) * 2016-07-18 2018-01-26 武汉微诚科技股份有限公司 A kind of highway electromechanical equipment management system and method based on B/S framework
CN107707360A (en) * 2017-11-10 2018-02-16 西安电子科技大学 Isomerization polymerization label decryption method under environment of internet of things

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
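Wu Libing et al.: "Identity-based two-server ciphertext equality test protocol in cloud computing", Journal of Computer Research and Development *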

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110059458A (en) * 2019-03-12 2019-07-26 北京中海闻达信息技术有限公司 A kind of user password encryption and authentication method, apparatus and system
CN110059458B (en) * 2019-03-12 2021-06-18 北京中海闻达信息技术有限公司 User password encryption authentication method, device and system

Also Published As

Publication number Publication date
CN109005037B (en) 2021-06-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant