CN109088888B - Secure communication method and system based on smart card - Google Patents

Publication number
CN109088888B
Authority
CN
China
Prior art keywords
user
server
smart card
information
bio
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201811198551.8A
Other languages
Chinese (zh)
Other versions
CN109088888A (en)
Inventor
陈建铭
项斌
王景行
吴祖扬
吴明泰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong University of Science and Technology
Original Assignee
Shandong University of Science and Technology
Application filed by Shandong University of Science and Technology
Priority to CN201811198551.8A
Publication of CN109088888A
Application granted
Publication of CN109088888B
Expired - Fee Related

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/0861 Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3297 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving time stamps, e.g. generation of time stamps

Abstract

The invention provides a secure communication method based on a smart card, wherein the method comprises the following steps: an input step: receiving an inserted smart card and a user name and a password input by a user, wherein result data for calculating registration information of the user registered in a server is stored in the smart card; a verification step: verifying whether the user is the holder of the smart card according to the result data and the user name and the password input by the user; an output step: after the user is verified to be the holder of the smart card, the user name and the password input by the user are operated by using a preset algorithm, and an operation result is sent to the server as login information. The invention also provides a secure communication system based on the smart card. The technical scheme provided by the invention can effectively improve the data security.

Description

Secure communication method and system based on smart card
Technical Field
The invention relates to the technical field of data security, in particular to a secure communication method and a secure communication system based on a smart card.
Background
Advances in the field of computer networks and communications have led to a number of internet-of-things-based application systems, such as internet banking systems, cloud storage systems, telemedicine systems, and so on. In these applications, the user can log into the system at any time and any place, and the related matters of the individual are processed. However, the information exchange between these application systems and users uses a public channel, and an attacker can obtain information transmitted by both parties through monitoring and other means, and if only plaintext is used for transmitting data, some private information of the users is completely exposed to the attacker.
Therefore, how to ensure the reliability and security of communication is always an urgent objective in the industry.
Disclosure of Invention
In view of the above, the present invention provides a secure communication method and system based on a smart card, and aims to solve the problem of how to improve the security of communication data in the prior art.
The invention provides a secure communication method based on a smart card, which is applied to a client device and comprises the following steps:
an input step: receiving an inserted smart card and a user name and a password input by a user, wherein result data for calculating registration information of the user registered in a server is stored in the smart card;
a first verification step: verifying whether the user is the holder of the smart card according to the result data and the user name and the password input by the user;
an output step: after the user is verified to be the holder of the smart card, operating the user name and the password input by the user by using a preset algorithm, and sending an operation result as login information to the server communicated with the client device;
a second verification step: receiving return information from the server, and verifying the server according to the return information;
a calculation step: after the server is authenticated, a session key for communicating with the server is calculated.
Preferably, in the inputting step, the step of completing registration of the user at the server specifically includes:
the user selects the user name $ID_i$ and the password $PW_i$, inputs the user's biometric information $BIO_i$, extracts $(R_i, P_i)$ through the generation algorithm $Gen(BIO_i) = (R_i, P_i)$, calculates $RPW_i = h(PW_i \| R_i)$, and then sends $\{ID_i, RPW_i\}$ to the server as registration information, where $R_i$ and $P_i$ are respectively the private parameter and the reconstruction parameter of the biometric of user $U_i$, and $\|$ represents the concatenation operation.
Preferably, in the inputting step, the step of calculating the registration information of the user registered in the server specifically includes:
computing
Figure BDA0001829426210000021
$C_i = h(ID_i \| RPW_i)$, and, after storing $\{B_i, C_i, P_{pub}, h(\cdot), P\}$ in the smart card as the result data, sending the smart card to user $U_i$, where $P_{pub}$ is the public key of the server, $h(\cdot)$ is a hash function, $P$ is a base point on an elliptic curve selected by the server when initializing the related parameters, $P_{pub} = x \cdot P$, $x$ is the private key of the server, and
Figure BDA0001829426210000022
indicating an exclusive or operation.
Preferably, in the first verification step, the step of verifying whether the user is the holder of the smart card specifically includes:
the user $U_i$ inputs the user name $ID_i$ and the password $PW_i$, inputs the biometric information $BIO_i$ of said user $U_i$, and, according to a reconstruction algorithm
Figure BDA0001829426210000023
extracts the private parameter $R_i$ of the biometric of the user $U_i$;
calculating $RPW_i = h(PW_i \| R_i)$ and $C'_i = h(ID_i \| RPW_i)$, and verifying whether $C'_i = C_i$ holds;
if so, verifying that the user is the holder of the smart card;
if not, the login is terminated.
Preferably, in the outputting step, the step of presetting the algorithm specifically includes:
selecting a random number $\alpha$ and calculating $E_i = \alpha P$, $H_i = \alpha P_{pub} = \alpha x P$,
Figure BDA0001829426210000031
and $F_i = h(ID_i \| A_i \| E_i \| H_i \| T_i)$;
sending the operation result $\{AID_i, E_i, F_i, T_i\}$ as login information to the server in communication with the client device.
In another aspect, the present invention further provides a secure communication system based on a smart card, applied to a client device, the system including:
an input module for receiving an inserted smart card and a user name and a password input by a user, wherein the smart card stores result data for calculating registration information registered by the user in the server;
a first verification module for verifying whether the user is the holder of the smart card according to the result data and the user name and the password input by the user;
the output module is used for operating the user name and the password input by the user by using a preset algorithm after the user is verified to be the holder of the smart card, and sending an operation result as login information to the server communicated with the client equipment;
the second verification module is used for receiving return information from the server and verifying the server according to the return information;
and the calculation module is used for calculating the session key communicated with the server after the server passes the verification.
Preferably, in the input module, the step of completing registration of the user at the server specifically includes:
the user selects the user name $ID_i$ and the password $PW_i$, inputs the user's biometric information $BIO_i$, extracts $(R_i, P_i)$ through the generation algorithm $Gen(BIO_i) = (R_i, P_i)$, calculates $RPW_i = h(PW_i \| R_i)$, and then sends $\{ID_i, RPW_i\}$ to the server as registration information, where $R_i$ and $P_i$ are respectively the private parameter and the reconstruction parameter of the biometric of user $U_i$, and $\|$ represents the concatenation operation.
Preferably, in the input module, the step of calculating the registration information of the user registered in the server specifically includes:
computing
Figure BDA0001829426210000032
$C_i = h(ID_i \| RPW_i)$, and, after storing $\{B_i, C_i, P_{pub}, h(\cdot), P\}$ in the smart card as the result data, sending the smart card to user $U_i$, where $P_{pub}$ is the public key of the server, $h(\cdot)$ is a hash function, $P$ is a base point on an elliptic curve selected by the server when initializing the related parameters, $P_{pub} = x \cdot P$, $x$ is the private key of the server, and
Figure BDA0001829426210000041
indicating an exclusive or operation.
Preferably, the first verification module is specifically configured to:
the user $U_i$ inputs the user name $ID_i$ and the password $PW_i$, inputs the biometric information $BIO_i$ of said user $U_i$, and, according to a reconstruction algorithm
Figure BDA0001829426210000042
extracts the private parameter $R_i$ of the biometric of the user $U_i$;
calculating $RPW_i = h(PW_i \| R_i)$ and $C'_i = h(ID_i \| RPW_i)$, and verifying whether $C'_i = C_i$ holds;
if so, verifying that the user is the holder of the smart card;
if not, the login is terminated.
Preferably, the output module is specifically configured to:
selecting a random number $\alpha$ and calculating $E_i = \alpha P$, $H_i = \alpha P_{pub} = \alpha x P$,
Figure BDA0001829426210000043
and $F_i = h(ID_i \| A_i \| E_i \| H_i \| T_i)$;
sending the operation result $\{AID_i, E_i, F_i, T_i\}$ as login information to the server in communication with the client device.
In another aspect, the present invention further provides a secure communication method based on a smart card, applied to a server, wherein the method includes:
a checking step: after receiving the above-mentioned login information, checking whether $T_i - T'_i < \Delta T$ holds, where $T_i$ is the timestamp of when the user transmits the information, $T'_i$ is the timestamp of the user when receiving the information, and $\Delta T$ is a preset time threshold;
a calculation step: calculating $H'_i = x E_i = x \alpha P$,
Figure BDA0001829426210000044
$F'_i = h(ID'_i \| A'_i \| E_i \| H'_i \| T_i)$, and checking whether $F'_i = F_i$ holds; if so, the authentication of the $i$-th user $U_i$ is passed;
a sending step: after the authentication of the $i$-th user $U_i$ is passed, selecting a random number $\beta$, calculating $M_i = \beta P$ and $G_i = h(ID'_i \| A'_i \| M_i \| H'_i \| T_s)$, and then returning $\{M_i, G_i, T_s\}$ to the $i$-th user $U_i$ as the return information, so that the $i$-th user $U_i$ authenticates the server;
a key generation step: after the $i$-th user $U_i$'s authentication of the server is passed, calculating the session key $SK = h(\alpha M_i \| A_i \| T_i \| T_s) = h(\beta E_i \| A'_i \| T_i \| T_s)$ for communication with the client device.
In another aspect, the present invention further provides a smart card-based secure communication system, applied to a server, wherein the system includes:
a checking module for checking, after receiving the login information, whether $T_i - T'_i < \Delta T$ holds, where $T_i$ is the timestamp of when the user transmits the information, $T'_i$ is the timestamp of the user when receiving the information, and $\Delta T$ is a preset time threshold;
a calculation module for calculating $H'_i = x E_i = x \alpha P$,
Figure BDA0001829426210000051
F′i=h(ID′i||A′i||EiIf yes, the authentication on the ith user Ui is passed;
a sending module for, after the authentication of the $i$-th user $U_i$ is passed, selecting a random number $\beta$, calculating $M_i = \beta P$ and $G_i = h(ID'_i \| A'_i \| M_i \| H'_i \| T_s)$, and then returning $\{M_i, G_i, T_s\}$ to the $i$-th user $U_i$ as the return information, so that the $i$-th user $U_i$ authenticates the server;
a key generation module for calculating, after the $i$-th user $U_i$'s authentication of the server is passed, the session key $SK = h(\alpha M_i \| A_i \| T_i \| T_s) = h(\beta E_i \| A'_i \| T_i \| T_s)$ for communication with the client device.
The technical scheme provided by the invention adopts the intelligent card to store the registration information of the user and carry out identity verification on the client equipment at the user side, thereby greatly improving the authentication efficiency, and because the design of carrying out identity verification at the server side is abandoned, the server side does not need to store a large amount of registration information of the user, the pressure of the server side is greatly reduced, the possibility that the server side is attacked is also reduced, and the data security is greatly improved.
Drawings
FIG. 1 is a flow chart of a secure communication method based on a smart card according to an embodiment of the present invention;
fig. 2 is a schematic diagram of the internal structure of the secure communication system 10 based on a smart card according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
A smart card-based secure communication method provided by the present invention will be described in detail below.
Fig. 1 is a flowchart illustrating a secure communication method based on a smart card according to an embodiment of the present invention.
In this embodiment, the secure communication method based on the smart card is applied to the client device on the user side, and the client device communicates with a remote server. Authentication Key Exchange (AKE) is an authentication and key agreement mechanism that provides the authenticity and confidentiality required for security; before the actual session runs, the client device on the user side and the server must authenticate each other and negotiate a key for the communication. The remote user authentication and key exchange scheme based on the smart card (such as a USB flash drive) mainly comprises 5 stages: an initialization stage, a registration stage, a login stage, an authentication stage and a password modification stage.
In the initialization phase, the server initializes the relevant parameters, mainly selecting an elliptic curve and a base point on the elliptic curve, selecting a hash function $h(\cdot)$, selecting a private key $x$ and calculating $P_{pub} = x \cdot P$, where $P_{pub}$ is the public key of the server, $P$ is the base point on the elliptic curve selected by the server when initializing the related parameters, and $x$ is the private key of the server.
In step S1, the input step is: and receiving an inserted smart card and a user name and a password input by a user, wherein result data of calculation of registration information of the user registered in a server is stored in the smart card.
In this embodiment, in the inputting step, the step of completing registration of the user at the server specifically includes:
the user selects the user name $ID_i$ and the password $PW_i$, inputs the user's biometric information $BIO_i$, extracts $(R_i, P_i)$ through the generation algorithm $Gen(BIO_i) = (R_i, P_i)$, calculates $RPW_i = h(PW_i \| R_i)$, and then sends $\{ID_i, RPW_i\}$ to the server as registration information, where $R_i$ and $P_i$ are respectively the private parameter and the reconstruction parameter of the biometric of user $U_i$, and $\|$ represents the concatenation operation.
In this embodiment, in the inputting step, the calculating the registration information of the user registered in the server specifically includes:
computing
Figure BDA0001829426210000071
$C_i = h(ID_i \| RPW_i)$, and, after storing $\{B_i, C_i, P_{pub}, h(\cdot), P\}$ in the smart card as the result data, sending the smart card to user $U_i$, where $P_{pub}$ is the public key of the server, $h(\cdot)$ is a hash function, $P$ is a base point on an elliptic curve selected by the server when initializing the related parameters, $P_{pub} = x \cdot P$, $x$ is the private key of the server, and
Figure BDA0001829426210000072
indicating an exclusive or operation. After storing $\{B_i, C_i, P_{pub}, h(\cdot), P\}$ in the smart card as the result data, the server returns the smart card to the user $U_i$.
When the user UiAfter receiving the smart card returned by the server, the user U is also sentiIs measured by the biometric sensoriStored in it.
At this point, the registration phase is completed.
In step S2, the first verification step: verifying whether the user is the holder of the smart card according to the result data and the user name and the password input by the user.
In the present embodiment, the registered user $U_i$ may send a login request to the server.
In this embodiment, in the verifying step, the step of verifying whether the user is the holder of the smart card may specifically include:
the user $U_i$ inputs the user name $ID_i$ and the password $PW_i$, inputs the biometric information $BIO_i$ of said user $U_i$, and, according to the reconstruction algorithm $Rep(BIO_i, P_i) = R_i$, extracts the private parameter $R_i$ of the biometric of the user $U_i$;
calculating $RPW_i = h(PW_i \| R_i)$ and $C'_i = h(ID_i \| RPW_i)$, and verifying whether $C'_i = C_i$ holds;
if so, verifying that the user is the holder of the smart card;
if not, the login is terminated.
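The registration and first verification steps above, as an added example that is not code from the patent: it shows a noisy biometric reading still reproducing $R_i$ so that $C'_i = C_i$ holds, while a wrong password or a reading that is too far off terminates the login. The patent does not specify Gen/Rep; the code-offset sketch over a repetition code, SHA-256 as $h(\cdot)$, the length-prefixed concatenation and all sample values are assumptions, and $B_i$ is omitted because its formula is not present on this page.

```python
import hashlib
import hmac
import secrets

REP = 5  # assumed repetition factor: majority vote corrects up to 2 flipped bits per group


def h(*parts):
    """h(a || b || ...); parts are length-prefixed so the concatenation is unambiguous."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()


def gen(bio):
    """Gen(BIO_i) -> (R_i, P_i). Assumed construction, not taken from the patent."""
    key = [secrets.randbits(1) for _ in range(len(bio) // REP)]
    codeword = [bit for bit in key for _ in range(REP)]
    helper = [c ^ b for c, b in zip(codeword, bio)]  # P_i: reconstruction parameter
    return h(bytes(key)), helper                     # R_i: private parameter


def rep(bio, helper):
    """Rep(BIO_i', P_i) -> R_i when BIO_i' is close enough to the enrolled reading."""
    noisy = [p ^ b for p, b in zip(helper, bio)]
    key = [int(sum(noisy[i:i + REP]) > REP // 2) for i in range(0, len(noisy), REP)]
    return h(bytes(key))


def register(user_id, password, bio):
    """Registration: the user derives RPW_i; C_i = h(ID_i || RPW_i) ends up on the card."""
    r_i, p_i = gen(bio)
    rpw_i = h(password, r_i)
    return {"C": h(user_id, rpw_i), "P": p_i}  # B_i omitted (formula absent from the page)


def card_accepts(card, user_id, password, bio):
    """First verification step: recompute C'_i and compare it with the stored C_i."""
    r_i = rep(bio, card["P"])
    c_prime = h(user_id, h(password, r_i))
    return hmac.compare_digest(c_prime, card["C"])


def flip(bits, positions):
    """Return a copy of a reading with the given bit positions inverted (sensor noise)."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]


# Constructed sample values, for illustration only.
USER_ID = b"alice"
PASSWORD = b"correct horse"
BIO = [(i * i + 3 * i) % 7 % 2 for i in range(160)]
CARD = register(USER_ID, PASSWORD, BIO)

if __name__ == "__main__":
    print("exact reading:   ", card_accepts(CARD, USER_ID, PASSWORD, BIO))
    print("noisy reading:   ", card_accepts(CARD, USER_ID, PASSWORD, flip(BIO, {0, 1, 17, 90})))
    print("wrong password:  ", card_accepts(CARD, USER_ID, b"guess", BIO))
    print("too much noise:  ", card_accepts(CARD, USER_ID, PASSWORD, flip(BIO, {0, 1, 2})))
```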
In step S3, the output step: after the user is authenticated to be the holder of the smart card, the user name and the password input by the user are operated by using a preset algorithm, and the operation result is sent to the server communicating with the client device as login information.
In this embodiment, in the outputting step, the step of presetting the algorithm specifically includes:
selecting a random number $\alpha$ and calculating $E_i = \alpha P$, $H_i = \alpha P_{pub} = \alpha x P$,
Figure BDA0001829426210000073
and $F_i = h(ID_i \| A_i \| E_i \| H_i \| T_i)$;
sending the operation result $\{AID_i, E_i, F_i, T_i\}$ to the server as login information.
In the present embodiment, the above-described verification steps S1-S3 are all performed on the client device of the user $U_i$.
To this end, the login phase is completed.
In step S4, the second verification step: receiving return information from the server, and verifying the server according to the return information;
in step S5, the calculation step: after the server is authenticated, a session key for communicating with the server is calculated.
After the server receives the login request message of the user $U_i$, identity verification and key agreement are performed; this process belongs to the authentication phase, which is completed on the server and comprises the following steps:
a checking step: after receiving the login information of user $U_i$, checking whether $T_i - T'_i < \Delta T$ holds, where $T_i$ is the timestamp of when the user transmits the information, $T'_i$ is the timestamp of the user when receiving the information, and $\Delta T$ is a preset time threshold; if so, the subsequent steps are executed, and if not, the session between the client device on the user side and the remote server is terminated;
a calculation step: calculating $H'_i = x E_i = x \alpha P$,
Figure BDA0001829426210000081
$F'_i = h(ID'_i \| A'_i \| E_i \| H'_i \| T_i)$, and checking whether $F'_i = F_i$ holds; if so, the authentication of the $i$-th user $U_i$ is passed, and if not, the session between the client device on the user side and the remote server is terminated;
a sending step: after the authentication of the $i$-th user $U_i$ is passed, selecting a random number $\beta$, calculating $M_i = \beta P$ and $G_i = h(ID'_i \| A'_i \| M_i \| H'_i \| T_s)$, and then returning $\{M_i, G_i, T_s\}$ to the $i$-th user $U_i$ as the return information, so that the $i$-th user $U_i$ authenticates the server; wherein the step in which the $i$-th user $U_i$ verifies the server comprises: after receiving the information $\{M_i, G_i, T_s\}$, the $i$-th user $U_i$ checks whether $T_s - T'_s < \Delta T$ holds; if so, the subsequent steps are executed, and if not, the session between the client device on the user side and the remote server is terminated, where $T_s$ is the timestamp of when the server transmits the information and $T'_s$ is the timestamp of when the server receives the information; after determining that $T_s - T'_s < \Delta T$ holds, user $U_i$ calculates $G'_i = h(ID_i \| A_i \| M_i \| H_i \| T_s)$ and checks whether $G'_i = G_i$ holds; if so, the subsequent steps are executed, and if not, the session between the client device on the user side and the remote server is terminated;
a key generation step: after the $i$-th user $U_i$'s authentication of the server is passed, calculating the session key $SK = h(\alpha M_i \| A_i \| T_i \| T_s) = h(\beta E_i \| A'_i \| T_i \| T_s)$ for communication with the client device.
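The login and authentication phases above, as an added example that is not code from the patent: both sides derive the same $SK$ because $\alpha M_i = \beta E_i = \alpha\beta P$, and the run aborts on a stale timestamp or a modified $F_i$. The formulas for $A_i$ and $AID_i$, and the way the server recovers $ID'_i$ and $A'_i$, are not present on this page, so the identity and $A_i$ are passed to both sides as inputs and $AID_i$ is left out. The curve (secp256k1), SHA-256 as $h(\cdot)$, the length-prefixed concatenation, the on-curve check and all sample values are assumptions.

```python
import hashlib
import hmac
import secrets

# secp256k1 parameters. The page names no curve; this choice is an assumption.
FIELD = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # base point P

def add(p, q):
    """Affine point addition; None is the point at infinity. Not constant-time."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return x3, (lam * (x1 - x3) - y1) % FIELD

def mul(k, point):
    """Scalar multiplication k*point by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, point)
        point, k = add(point, point), k >> 1
    return acc

def on_curve(pt):
    """Reject points that are off the curve before multiplying by a secret scalar."""
    return pt is not None and all(0 <= c < FIELD for c in pt) and \
        (pt[1] ** 2 - pt[0] ** 3 - 7) % FIELD == 0

def h(*parts):
    """h(a || b || ...); parts are length-prefixed so the concatenation is unambiguous."""
    d = hashlib.sha256()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return d.digest()

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def ts(t):
    return int(t).to_bytes(8, "big")

def fresh(t_sent, t_recv, delta):
    # The page writes the test as T - T' < dT. Taking the absolute difference
    # also rejects timestamps dated in the future.
    return abs(t_recv - t_sent) < delta

def client_login(alpha, user_id, a_i, p_pub, t_i):
    """Login phase: E_i = alpha*P, H_i = alpha*P_pub, F_i = h(ID_i||A_i||E_i||H_i||T_i)."""
    e_i, h_i = mul(alpha, P), mul(alpha, p_pub)
    return e_i, h_i, h(user_id, a_i, enc(e_i), enc(h_i), ts(t_i))

def server_respond(x, beta, user_id, a_i, e_i, f_i, t_i, now, delta):
    """Authentication phase on the server; `now` doubles as T_s. None means abort."""
    if not fresh(t_i, now, delta) or not on_curve(e_i):
        return None
    h_i = mul(x, e_i)                                   # H'_i = x*E_i
    if not hmac.compare_digest(f_i, h(user_id, a_i, enc(e_i), enc(h_i), ts(t_i))):
        return None
    m_i = mul(beta, P)                                  # M_i = beta*P
    g_i = h(user_id, a_i, enc(m_i), enc(h_i), ts(now))  # G_i
    sk = h(enc(mul(beta, e_i)), a_i, ts(t_i), ts(now))  # SK = h(beta*E_i||A'_i||T_i||T_s)
    return m_i, g_i, sk

def client_finish(alpha, user_id, a_i, h_i, m_i, g_i, t_i, t_s, now, delta):
    """Client verifies the server, then derives SK = h(alpha*M_i||A_i||T_i||T_s)."""
    if not fresh(t_s, now, delta) or not on_curve(m_i):
        return None
    if not hmac.compare_digest(g_i, h(user_id, a_i, enc(m_i), enc(h_i), ts(t_s))):
        return None
    return h(enc(mul(alpha, m_i)), a_i, ts(t_i), ts(t_s))

def demo(t_i=1_700_000_000, delay=2, delta=5, tamper=False):
    """Constructed run; returns (client SK, server SK), or None if the server aborts."""
    x = secrets.randbelow(ORDER - 1) + 1                # server private key
    p_pub = mul(x, P)
    user_id, a_i = b"alice", h(b"constructed stand-in for A_i")
    alpha, beta = (secrets.randbelow(ORDER - 1) + 1 for _ in range(2))
    e_i, h_i, f_i = client_login(alpha, user_id, a_i, p_pub, t_i)
    if tamper:                                          # simulate F_i modified in transit
        f_i = bytes([f_i[0] ^ 1]) + f_i[1:]
    t_s = t_i + delay
    reply = server_respond(x, beta, user_id, a_i, e_i, f_i, t_i, t_s, delta)
    if reply is None:
        return None
    m_i, g_i, sk_server = reply
    sk_client = client_finish(alpha, user_id, a_i, h_i, m_i, g_i, t_i, t_s, t_s + delay, delta)
    return sk_client, sk_server
```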
In this embodiment, when the user $U_i$ senses a risk that his or her password has leaked, the password modification phase can be used to change the password. This phase does not require any assistance from the server; the main steps are as follows:
(1) User $U_i$ enters the user name $ID_i$ and password $PW_i$, then inputs his or her own biometric information $BIO_i$ to the client of user $U_i$, which, according to a reconstruction algorithm
Figure BDA0001829426210000091
extracts $R_i$.
(2) User $U_i$ calculates $RPW_i = h(PW_i \| R_i)$ and $C'_i = h(ID_i \| RPW_i)$, and verifies whether $C'_i = C_i$ holds. If so, the user $U_i$ is shown to be the holder of the smart card, and step (3) is then executed; otherwise, the password modification is terminated.
(3) User UiEnter a username IDiAnd password PWiSmart card computing to generate HPWi=h(PWiB) and
Figure BDA0001829426210000092
and compare
Figure BDA0001829426210000093
and $B_i$ to see whether they are equal. If they are equal, user $U_i$ is shown to be the owner of the smart card, and the subsequent steps continue; otherwise, the password modification request is terminated.
(4) User $U_i$ inputs a new password
Figure BDA0001829426210000094
The client of user $U_i$ calculates the parameters
Figure BDA0001829426210000095
Figure BDA0001829426210000096
And
Figure BDA0001829426210000097
(5) The client of user $U_i$ uses
Figure BDA0001829426210000098
And
Figure BDA0001829426210000099
to replace $B_i$ and $C_i$, and writes the new values to the smart card.
Referring to fig. 2, a schematic structural diagram of a secure communication system 10 based on a smart card according to an embodiment of the present invention is shown.
In this embodiment, the smart card based secure communication system 10 mainly includes an input module 11, a first authentication module 12, an output module 13, a second authentication module 14, and a calculation module 15, and the smart card based secure communication system 10 is applied to a client device on a user side, which communicates with a remote server.
And the input module 11 is configured to receive an inserted smart card and a user name and a password input by a user, where result data obtained by calculating registration information of the user registered in the server is stored in the smart card.
In this embodiment, in the input module 11, the step of completing registration of the user at the server specifically includes:
the user selects the user name $ID_i$ and the password $PW_i$, inputs the user's biometric information $BIO_i$, extracts $(R_i, P_i)$ through the generation algorithm $Gen(BIO_i) = (R_i, P_i)$, calculates $RPW_i = h(PW_i \| R_i)$, and then sends $\{ID_i, RPW_i\}$ to the server as registration information, where $R_i$ and $P_i$ are respectively the private parameter and the reconstruction parameter of the biometric of user $U_i$, and $\|$ represents the concatenation operation.
In this embodiment, in the input module 11, the step of calculating the registration information of the user registered in the server specifically includes:
computing
Figure BDA0001829426210000101
$C_i = h(ID_i \| RPW_i)$, and, after storing $\{B_i, C_i, P_{pub}, h(\cdot), P\}$ in the smart card as the result data, sending the smart card to user $U_i$, where $P_{pub}$ is the public key of the server, $h(\cdot)$ is a hash function, $P$ is a base point on an elliptic curve selected by the server when initializing the related parameters, $P_{pub} = x \cdot P$, $x$ is the private key of the server, and
Figure BDA0001829426210000102
indicating an exclusive or operation.
A first verification module 12, configured to verify whether the user is the holder of the smart card according to the result data and the user name and the password input by the user.
In this embodiment, the verification module 12 is specifically configured to:
the user $U_i$ inputs the user name $ID_i$ and the password $PW_i$, inputs the biometric information $BIO_i$ of said user $U_i$, and, according to a reconstruction algorithm
Figure BDA0001829426210000103
extracts the private parameter $R_i$ of the biometric of the user $U_i$;
calculating $RPW_i = h(PW_i \| R_i)$ and $C'_i = h(ID_i \| RPW_i)$, and verifying whether $C'_i = C_i$ holds;
if so, verifying that the user is the holder of the smart card;
if not, the login is terminated.
And the output module 13 is configured to, after the user is authenticated as the holder of the smart card, perform an operation on the user name and the password input by the user by using a preset algorithm, and send an operation result as login information to the server in communication with the client device.
In this embodiment, the output module is specifically configured to:
selecting a random number $\alpha$ and calculating $E_i = \alpha P$, $H_i = \alpha P_{pub} = \alpha x P$,
Figure BDA0001829426210000104
and $F_i = h(ID_i \| A_i \| E_i \| H_i \| T_i)$;
sending the operation result $\{AID_i, E_i, F_i, T_i\}$ as login information to the server in communication with the client device.
A second verification module 14, configured to receive a return message from the server, and verify the server according to the return message;
a calculating module 15, configured to calculate a session key for communicating with the server after the server is authenticated.
In addition, the present invention also provides a secure communication system based on a smart card, which is applied to a server, the server communicates with a client device at a remote user side, wherein the system comprises:
a checking module for checking, after receiving the login information, whether $T_i - T'_i < \Delta T$ holds, where $T_i$ is the timestamp of when the user transmits the information, $T'_i$ is the timestamp of the user when receiving the information, and $\Delta T$ is a preset time threshold;
a calculation module for calculating $H'_i = x E_i = x \alpha P$,
Figure BDA0001829426210000111
F′i=h(ID′i||A′i||EiIf yes, the authentication on the ith user Ui is passed;
a sending module for, after the authentication of the $i$-th user $U_i$ is passed, selecting a random number $\beta$, calculating $M_i = \beta P$ and $G_i = h(ID'_i \| A'_i \| M_i \| H'_i \| T_s)$, and then returning $\{M_i, G_i, T_s\}$ to the $i$-th user $U_i$ as the return information, so that the $i$-th user $U_i$ authenticates the server;
a key generation module for calculating, after the $i$-th user $U_i$'s authentication of the server is passed, the session key $SK = h(\alpha M_i \| A_i \| T_i \| T_s) = h(\beta E_i \| A'_i \| T_i \| T_s)$ for communication with the client device.
The technical scheme provided by the invention adopts the intelligent card to store the registration information of the user and carry out identity verification on the client equipment at the user side, thereby greatly improving the authentication efficiency, and because the design of carrying out identity verification at the server side is abandoned, the server side does not need to store a large amount of registration information of the user, the pressure of the server side is greatly reduced, the possibility that the server side is attacked is also reduced, and the data security is greatly improved.
It should be noted that, in the above embodiments, the included units are only divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be realized; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
In addition, it can be understood by those skilled in the art that all or part of the steps in the method for implementing the embodiments described above can be implemented by instructing the relevant hardware through a program, and the corresponding program can be stored in a computer-readable storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, or the like.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and improvements made within the spirit and principle of the present invention are intended to be included within the scope of the present invention.

Claims (4)

1. A secure communication method based on a smart card is applied to a client device, and is characterized by comprising the following steps:
an input step: receiving an inserted smart card and a user name and a password input by a user, wherein result data for calculating registration information of the user registered in a server is stored in the smart card;
a first verification step: verifying whether the user is the holder of the smart card according to the result data and the user name and the password input by the user;
an output step: after the user is verified to be the holder of the smart card, operating the user name and the password input by the user by using a preset algorithm, and sending an operation result as login information to the server communicated with the client device;
a second verification step: receiving return information from the server, and verifying the server according to the return information;
a calculation step: calculating a session key for communicating with the server after the server is authenticated;
in the inputting step, the step of completing registration of the user at the server specifically includes:
the user selects the user name $ID_i$ and the password $PW_i$, inputs the biometric information $BIO_i$ of the user, extracts $(R_i, P_i)$ by the generation algorithm $Gen(BIO_i) = (R_i, P_i)$, calculates $RPW_i = h(PW_i \| R_i)$, and then sends $\{ID_i, RPW_i\}$ to the server as the registration information, where $R_i$ and $P_i$ are respectively the private parameter and the reconstruction parameter of the biometric feature of user $U_i$, and $\|$ represents the concatenation operation;
in the inputting step, the calculating the registration information of the user registered in the server specifically includes:
computing
Figure FDA0002774577640000011
$C_i = h(ID_i \| RPW_i)$, storing $\{B_i, C_i, P_{pub}, h(\cdot), P\}$ in the smart card as the result data and then sending the smart card to user $U_i$, where $P_{pub}$ is the public key of the server, $h(\cdot)$ is a hash function, $P$ is a base point on an elliptic curve selected by the server when initializing the related parameters, $x$ is the private key of the server corresponding to $P_{pub}$,
and $\oplus$ represents an exclusive-or operation;
wherein, in the first verification step, the step of verifying whether the user is the holder of the smart card specifically includes:
the user $U_i$ inputs the user name $ID_i$ and the password $PW_i$, inputs the biometric information $BIO_i$ of the user $U_i$, and extracts the private parameter $R_i$ of the biometric feature of the user $U_i$ according to the reconstruction algorithm $Rep(BIO_i^*, P_i) = R_i$;
calculating $RPW_i = h(PW_i \| R_i)$ and $C'_i = h(ID_i \| RPW_i)$, and verifying whether $C'_i = C_i$ holds;
if so, verifying that the user $U_i$ is the holder of the smart card;
if not, the login is terminated.
2. The smart card-based secure communication method of claim 1, wherein in the outputting step, the step of presetting the algorithm specifically includes:
selecting a random number $\alpha$ and calculating
Figure FDA0002774577640000021
and $F_i = h(ID_i \| A_i \| E_i \| H_i \| T_i)$, where $T_i$ is the timestamp of when the user sends the information;
sending the operation result $\{AID_i, E_i, F_i, T_i\}$ as the login information to the server in communication with the client device.
3. A secure communication system based on a smart card, applied to a client device, the system comprising:
an input module, configured to receive an inserted smart card and a user name and a password input by a user, wherein the smart card stores result data for calculating registration information registered by the user in the server;
a first verification module for verifying whether the user is the holder of the smart card according to the result data and the user name and the password input by the user;
the output module is used for operating the user name and the password input by the user by using a preset algorithm after the user is verified to be the holder of the smart card, and sending an operation result as login information to the server communicated with the client equipment;
the second verification module is used for receiving return information from the server and verifying the server according to the return information;
the computing module is used for computing a session key communicated with the server after the server passes the verification;
in the input module, the step of completing registration of the user at the server specifically includes:
the user selects the user name $ID_i$ and the password $PW_i$, inputs the biometric information $BIO_i$ of the user, extracts $(R_i, P_i)$ by the generation algorithm $Gen(BIO_i) = (R_i, P_i)$, calculates $RPW_i = h(PW_i \| R_i)$, and then sends $\{ID_i, RPW_i\}$ to the server as the registration information, where $R_i$ and $P_i$ are respectively the private parameter and the reconstruction parameter of the biometric feature of user $U_i$, and $\|$ represents the concatenation operation;
in the input module, the step of calculating the registration information of the user registered in the server specifically includes:
computing
Figure FDA0002774577640000031
$C_i = h(ID_i \| RPW_i)$, storing $\{B_i, C_i, P_{pub}, h(\cdot), P\}$ in the smart card as the result data and then sending the smart card to user $U_i$, where $P_{pub}$ is the public key of the server, $h(\cdot)$ is a hash function, $P$ is a base point on an elliptic curve selected by the server when initializing the related parameters, $x$ is the private key of the server corresponding to $P_{pub}$,
and $\oplus$ represents an exclusive-or operation;
wherein the first verification module is specifically configured to:
the user $U_i$ inputs the user name $ID_i$ and the password $PW_i$, inputs the biometric information $BIO_i$ of the user $U_i$, and extracts the private parameter $R_i$ of the biometric feature of the user $U_i$ according to the reconstruction algorithm $Rep(BIO_i^*, P_i) = R_i$;
calculating $RPW_i = h(PW_i \| R_i)$ and $C'_i = h(ID_i \| RPW_i)$, and verifying whether $C'_i = C_i$ holds;
if so, verifying that the user is the holder of the smart card;
if not, the login is terminated.
4. A smart card-based secure communication system according to claim 3, wherein the output module is specifically configured to:
selecting a random number $\alpha$ and calculating
Figure FDA0002774577640000033
and $F_i = h(ID_i \| A_i \| E_i \| H_i \| T_i)$, where $T_i$ is the timestamp of when the user sends the information;
sending the operation result $\{AID_i, E_i, F_i, T_i\}$ as the login information to the server in communication with the client device.
CN201811198551.8A 2018-10-15 2018-10-15 Secure communication method and system based on smart card Expired - Fee Related CN109088888B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811198551.8A CN109088888B (en) 2018-10-15 2018-10-15 Secure communication method and system based on smart card

Publications (2)

Publication Number Publication Date
CN109088888A CN109088888A (en) 2018-12-25
CN109088888B true CN109088888B (en) 2021-02-05

Family

ID=64843490

Country Status (1)

Country Link
CN (1) CN109088888B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20210205

Termination date: 20211015