A kind of efficient double factor cross-domain authentication method based on block chain technology
Technical field
The invention belongs to the cross-domain field of authentication of PKI authentication more particularly to a kind of efficient double factors based on block chain technology
Cross-domain authentication method.
Background technique
Electric car timesharing is leased in shared platform, it is desirable that user cross-platform can use vehicle, i.e. A electric car timesharing
The vehicle that the companies such as every other B, C, D operate in alliance can be used in the user of leasing company, can utmostly expire in this way
Sufficient user's daily trip demand, user need not again with the APP of Duo Jia electric car leasing company, hand over more parts of cash pledges, and B, C, D etc.
Company need not also spend again high to be obtained objective cost and can be obtained the business of hiring a car of company A user.
However in distributed environment, each company, department manage user for convenience, and corresponding resource access control is arranged
System processed forms relatively independent domain, it is clear that in order to realize the cross-platform purpose using vehicle of above-mentioned user, the money of single company
Source cannot provide complete application service, and user needs to carry out cross-domain certification when accessing the resource of other companies.Traditional PKI
Cross-domain to authenticate the problems such as there are certificate management difficulties, certificate server cross-certification, the new technologies such as biological identification are due to using life
The problems such as object feature causes user identity privacy leakage as key transaction, therefore how efficiently and safely to realize that user is cross-domain
Certification is that this system first has to the critical issue solved.
While the user of a company realizes the access use of more company's available resources by cross-domain certification, need
Protect the transaction privacy information of user.Although having " assumed name's property " by the transaction system of representative of bit coin, due to user
Reusability public key Hash obviously can establish certain association as transaction ID between transaction, attack can be passed through by disliking attacker
System, analysis Transaction Information, monitoring trading flow direction steal privacy of user to guess.Have at present it is some by cryptological technique,
Mixed coin mechanism, data subregion protect the scheme of privacy of user safety, but this system be characterized in that user there may be
Traffic offence responsibility needs to trace, therefore devises for this system based on delegatable double-encryption mechanism.
Cross-domain certification more mature at present is typically via PKI authentication system.PKI is established based on public key theory
, it has the service functions such as public key management, authenticated encryption, integrity detection, safety time stamp.The PKI course of work is to surround
The life cycle expansion of digital certificate, responsibility is by CA (Certificate Authority) certification authority, by user
Public key information and the identification information of user be blended together, the digital certificate that can verify that identity is formed, for proving that user is
Who.By digital signature, encryption and the management of key and certificate, to guarantee information transmission security.
In general, compare there are three types of the PKI authentication models of mainstream, respectively classification authentication model, reticular structure authentication model,
Bridge ca authentication model.
All users depend on root CA, this unique trust center in hierarchical structure.Hierarchical structure authentication model is such as schemed
Shown in 1-1, if root CA breaks down or security weaknesses, entire PKI system will be on the hazard.And from alliance system
It is difficult to construct the root CA that all mechanisms all trust.
Reticular structure authentication model, as shown in Figs. 1-2, flexibility is stronger compared with hierarchical structure, if event occurs for single CA
Barrier not will lead to entire PKI system collapse.But the building of the model certification path of this two-way authentication is excessively complicated, will lead to card
Book path discovery is difficult, and the certificate chain that when cross-domain certification is verified is longer.
Bridge ca authentication model, as shown in Figure 1-3, be derivative on the basis of being classified authentication model and reticular structure authentication model
, can be used for connecting different PKI systems.The difference is that, bridge CA is not as entire with hierarchical structure authentication model
The root of trust center and certification path in system, compared with the authentication model of reticular structure, certification path discovery is relatively easy to, with
The authentication model of hierarchical structure is compared, and the discovery of certification path is with regard to relatively difficult.
For the problems such as cross-domain authentication process of conventional authentication system is complicated, certification path complex management is difficult, block
The characteristics such as decentralization that chain has, anti-tamper, traceable can effectively solve the key pipe faced in authentication and management
The problems such as reason, trust, safety and privacy, provides credible, transparent, distributed storage etc. and supports for authentication and management.Mesh
Preceding existing scholar studies block chain in cross-domain authenticated connection, such as Zhou Zhicheng, Zhang Haodi are based respectively on fuzzy extraction
Theory simultaneously combines block chain technology, proposes biological characteristic double factor ID authentication mechanism scheme, and analyze the safety of scheme
Property and efficiency.
But week, et al. scheme be not fully suitable for system designed by this paper, wherein chief reason has the most
3 points, first is that user involved by electric car timesharing lease shared platform is numerous, user's device therefor is irregular, does not have
Unified physical characteristics collecting equipment;Second is that biological characteristic is different from other features, the inherent nothing for individual subscriber
Method change, when being related to physical characteristics collecting, user has the misgivings for worrying biological characteristic leakage, is unfavorable for the popularization of system;Three
It is to be needed in verification process frequently using fuzzy extractive technique and recovery algorithms, the case where mass users high concurrent is requested
Under, efficiency is lower.
Summary of the invention
In order to solve the above technical problems, the object of the present invention is to provide a kind of efficient double factor based on block chain technology across
Domain authentication method.
To achieve the above object, the present invention adopts the following technical scheme:
A kind of efficient double factor cross-domain authentication method based on block chain technology, comprising the following steps:
Step 1: the design of system overall architecture;
According to the A of Diffie-Hellman algorithm, the step of B session key agreement mechanism are as follows:
Step 11: randomly selecting Big prime n and original g, and two information disclose, and A, B arrange two information
It is good;
Step 12: A generates a several x at random, calculates X=gxThen X is sent to B by modn;
Step 13: B generates a several y at random, calculates Y=gyThen Y is sent to B by modn;
Step 14: A calculates K=Yxmodn;
Step 15: B calculates K '=Xymodn;
Step 2: working-flow;
Step 21: user's registration process;
Step 1: the domain A user i inputs user name ID and static password password PW on local client ClientA;
Step 2: client ClientA extracts user equipment number DID, and device numbering and static password password are made respectively
Hash operation generates H (DID), H (PW), deletes local cache, passes through Diffie-Hellman algorithm and the domain A certificate server
ServerA consult session key K, and the information such as ID, H (PW), H (DID) are sent to the domain A certification clothes by session key encryption
Be engaged in device ServerA;
Step 3: the domain A certificate server ServerA receives the message that client ClientA is sent, and uses what is consulted
Session key is decrypted, and obtains ID, H (PW), H (DID), and it is to return to the registered letter of user that whether inquiry ID, which has existed,
Breath, otherwise can register;E is obtained using A domain node public key PUBA encryption user H (DID) to user H (DID) first when registrationA
(H (DID)), then ServerA node executes intelligent contract, initiates registering transaction and endorses;When common recognition node completes verifying life
After block, the information that client ClientA succeeds in registration is returned to;
Step 4: client ClientA receives the message to succeed in registration, user's other information Info is supplemented, by believing safely
Road is sent to the domain A certificate server ServerA;
Step 5: the other information Info that the domain A certificate server ServerA supplements user uses A domain node public key PUBA
It is encrypted to obtain EA(Info), then ServerA node executes intelligent contract, initiates update user information and trades and endorse;
Step 22: user's local authentication:
Step 1: the domain A user i inputs user name ID and static password password PW on local client ClientA;
Step 2: client ClientA extracts user equipment number DID, and device numbering and static password password are made respectively
Hash operation generates H (DID), H (PW), deletes local cache, passes through Diffie-Hellman algorithm and the domain A certificate server
ServerA consult session key K, and the information such as ID, H (PW), H (DID) are sent to the domain A certification clothes by session key encryption
Be engaged in device ServerA;
Step 3: the domain A certificate server ServerA receives the message that client ClientA is sent, and uses what is consulted
Session key is decrypted, and obtains ID, H (PW), H (DID), inquires whether ID in the public account book of block chain has existed, if not
In the presence of the return unregistered message of user then pulls the corresponding H of ID (PW) ', E from the public account book of block chain if it existsA(H
(DID)) ', the information such as affiliated domain;
Step 4: the domain A certificate server ServerA compares the H (PW) that client ClientA is sent and draws with from block chain
The H (PW) ' taken then further uses A domain node public key PUBA encryption user H (DID) if they are the same and obtains EA(H (DID)) is compared
EA(H (DID)) and EA(H (DID)) ', the return authentication success message if equal;
Step 23: the cross-domain certification in user strange land;
Step 1: the domain A registration user i inputs logon information ID and PW on the client ClientB of the domain B;
Step 2: client ClientB extracts user equipment number DID, makees Hash operation and generates H (DID), H (PW), deletes
Except local cache, by Diffie-Hellman algorithm and the domain B certificate server ServerB consult session key K, and by ID, H
(PW), the information such as H (DID) are sent to the domain B certificate server ServerB by session key encryption;
Step 3: the domain B certificate server ServerB receives the message that client ClientB is sent, and uses what is consulted
Session key is decrypted, and obtains ID, H (PW), H (DID), inquires whether ID in the public account book of block chain has existed, if not
In the presence of the return unregistered message of user then pulls the corresponding H of ID (PW) ', E from the public account book of block chain if it existsA(H
(DID)) ', the information such as affiliated domain;
Step 4: the domain B certificate server ServerB compares the H (PW) that client ClientB is sent and draws with from block chain
The H (PW) ' taken then further uses A domain node public key PUBA encryption user H (DID) if they are the same and obtains EA(H (DID)) is compared
EA(H (DID)) and EA(H (DID)) ', the return authentication success message if equal.
Preferably, a kind of efficient double factor cross-domain authentication method based on block chain technology, in the step 2 also
It is authenticated equipped with step 24 user more exchange device.
Preferably, a kind of efficient double factor cross-domain authentication method based on block chain technology, the step 24 are used
Family more exchange device certification the following steps are included:
Step 1: after the user's i more exchange device of the domain A, user name ID and static mouth are inputted on local client ClientA
Enable password PW;
Step 2: client ClientA extracts user equipment number DID, makees Hash operation respectively and generates H (DID), H
(PW), local cache is deleted, by Diffie-Hellman algorithm and the domain A certificate server ServerA consult session key K,
And the information such as ID, H (PW), H (DID) are sent to the domain A certificate server ServerA by session key encryption;
Step 3: the domain A certificate server ServerA receives the message that ClientA is sent, close using the session consulted
Key is decrypted, and obtains ID, H (PW), H (DID), inquires whether ID in the public account book of block chain has existed, and if it does not exist, returns
The unregistered message in reuse family then pulls the corresponding H of ID (PW) ', E from the public account book of block chain if it existsAIt is (H (DID)) ', affiliated
The information such as domain.
Step 4: the domain A certificate server ServerA compares the H (PW) that client ClientA is sent and draws with from block chain
The H (PW) ' taken then further uses A domain node public key PUBA encryption user H (DID) if they are the same and obtains EA (H (DID)), compares
EA(H (DID)) and EA(H (DID)) ', since user has replaced equipment, ServerA is decrypted using A domain node public key PRIA
User EA (Info) obtains Info, extracts wherein close guarantor's problem QSecrect, and return to client by trusted channel
ClientA。
Step 5: when the domain A user i answers close guarantor's problem ASecrect, client ClientA is by close guarantor's problem answers Hash
Change, the information such as ID, H (PW), H (DID), H (ASecrect) are sent to the domain A certificate server by session key encryption
ServerA;
Step 6: the domain A certificate server ServerA compares the H (ASecrect) that client ClientA is sent and record
In close guarantor's answer H (ASecrect) of block chain ', user information is executed if passing through and updates intelligent contract, updates the H of user
(DID), user is returned to after common recognition node completes verifying generation block successfully replace bound device information.
According to the above aspect of the present invention, the present invention has at least the following advantages:
The cryptographic Hash of present device ID is encrypted using the public key of registration domain server, only holds private key ability
Decryption device ID cryptographic Hash, therefore even if hacker steals database, it can not also decrypt the specific of the second certification factor of user
Content, and Diffie-Hellman consult session key is used in user and server interaction, therefore hacker is difficult to pass through
The real condition that user is used to authenticate is stolen, the information security of user has been effectively ensured.During strange land of the present invention is cross-domain
It authenticates domain server mainly and block chain node is interactive, since alliance's block chain network interior joint is numerous, when a node responds
When overtime, other node can be rapidly switched to and carry out information request, therefore the reliability of this paper scheme is stronger.
The above description is only an overview of the technical scheme of the present invention, in order to better understand the technical means of the present invention,
And can be implemented in accordance with the contents of the specification, the following is a detailed description of the preferred embodiments of the present invention and the accompanying drawings.
Detailed description of the invention
In order to illustrate the technical solution of the embodiments of the present invention more clearly, below will be to needed in the embodiment attached
Figure is briefly described, it should be understood that the following drawings illustrates only certain embodiments of the present invention, therefore is not construed as pair
The restriction of range for those of ordinary skill in the art without creative efforts, can also be according to this
A little attached drawings obtain other relevant attached drawings.
Fig. 1-1 is hierarchical structure authentication model;
Fig. 1-2 is reticular structure authentication model;
Fig. 1-3 is the structural schematic diagram of bridge ca authentication model;
Fig. 2 is the cross-domain authentication architecture figure of double factor of the invention;
Fig. 3 is user's registration procedure Procedure figure of the present invention;
Fig. 4 is user's local authentication flow chart of the present invention;
Fig. 5 is the cross-domain identifying procedure figure in user strange land of the present invention;
Fig. 6 is the flow chart of user of the invention more exchange device;
Fig. 7 is Zhou Zhicheng scheme local authentication flow chart;
Fig. 8 is the cross-domain identifying procedure figure in Zhou Zhicheng scheme strange land;
Fig. 9 is Zhang Haodi scheme local authentication flow chart;
Figure 10 is the cross-domain identifying procedure figure in Zhang Haodi scheme strange land;
Figure 11 is computing cost time-consuming comparison diagram.
Specific embodiment
With reference to the accompanying drawings and examples, specific embodiments of the present invention will be described in further detail.Implement below
Example is not intended to limit the scope of the invention for illustrating the present invention.
In order to enable those skilled in the art to better understand the solution of the present invention, below in conjunction with attached in the embodiment of the present invention
Figure, technical scheme in the embodiment of the invention is clearly and completely described, it is clear that described embodiment is only this
Invention a part of the embodiment, instead of all the embodiments.Embodiments of the present invention, which are generally described and illustrated herein in the accompanying drawings
Component can arrange and design with a variety of different configurations.Therefore, the implementation of the invention to providing in the accompanying drawings below
The detailed description of example is not intended to limit the range of claimed invention, but is merely representative of selected implementation of the invention
Example.Based on the embodiment of the present invention, those skilled in the art are obtained all without making creative work
Other embodiments shall fall within the protection scope of the present invention.
Embodiment
A kind of efficient double factor cross-domain authentication method based on block chain technology, comprising the following steps:
Step 1: the design of system overall architecture;
Step 2: working-flow;
Step 21: user's registration process;
Step 22: user's local authentication:
Step 23: the cross-domain certification in user strange land.
As shown in Fig. 2, system overall architecture designs, according to the A of Diffie-Hellman algorithm, B session key agreement machine
The step of processed are as follows:
Step 11: randomly selecting Big prime n and original g, and two information disclose, and A, B arrange two information
It is good;
Step 12: A generates a several x at random, calculates X=gxThen X is sent to B by modn;
Step 13: B generates a several y at random, calculates Y=gyThen Y is sent to B by modn;
Step 14: A calculates K=Yxmodn;
Step 15: B calculates K '=Xymodn;
Obvious K=YxModn=(gy)xModn=(gx)yModn=XyModn=K ', i.e. A, B obtain identical after negotiating
Session encryption key, and listener-in can only hear n, g, X, Y, can not calculate anti-x, the y for releasing two sides of discrete logarithm, therefore both sides
The session key of negotiation is difficult to be computed.
As shown in figure 3, step 21: user's registration process;
Step 1: the domain A user i inputs user name ID and static password password PW on local client ClientA;
Step 2: client ClientA extracts user equipment number DID, and device numbering and static password password are made respectively
Hash operation generates H (DID), H (PW), deletes local cache, passes through Diffie-Hellman algorithm and the domain A certificate server
ServerA consult session key K, and the information such as ID, H (PW), H (DID) are sent to the domain A certification clothes by session key encryption
Be engaged in device ServerA;
Step 3: the domain A certificate server ServerA receives the message that client ClientA is sent, and uses what is consulted
Session key is decrypted, and obtains ID, H (PW), H (DID), and it is to return to the registered letter of user that whether inquiry ID, which has existed,
Breath, otherwise can register;E is obtained using A domain node public key PUBA encryption user H (DID) to user H (DID) first when registrationA
(H (DID)), then ServerA node executes intelligent contract, initiates registering transaction and endorses;When common recognition node completes verifying life
After block, the information that client ClientA succeeds in registration is returned to;
Step 4: client ClientA receives the message to succeed in registration, user's other information Info is supplemented, by believing safely
Road is sent to the domain A certificate server ServerA;
Step 5: the other information Info that the domain A certificate server ServerA supplements user uses A domain node public key PUBA
It is encrypted to obtain EA(Info), then ServerA node executes intelligent contract, initiates update user information and trades and endorse;
As shown in figure 4, step 22: user's local authentication:
Step 1: the domain A user i inputs user name ID and static password password PW on local client ClientA;
Step 2: client ClientA extracts user equipment number DID, and device numbering and static password password are made respectively
Hash operation generates H (DID), H (PW), deletes local cache, passes through Diffie-Hellman algorithm and the domain A certificate server
ServerA consult session key K, and the information such as ID, H (PW), H (DID) are sent to the domain A certification clothes by session key encryption
Be engaged in device ServerA;
Step 3: the domain A certificate server ServerA receives the message that client ClientA is sent, and uses what is consulted
Session key is decrypted, and obtains ID, H (PW), H (DID), inquires whether ID in the public account book of block chain has existed, if not
In the presence of the return unregistered message of user then pulls the corresponding H of ID (PW) ', E from the public account book of block chain if it existsA(H
(DID)) ', the information such as affiliated domain;
Step 4: the domain A certificate server ServerA compares the H (PW) that client ClientA is sent and draws with from block chain
The H (PW) ' taken then further uses A domain node public key PUBA encryption user H (DID) if they are the same and obtains EA(H (DID)) is compared
EA(H (DID)) and EA(H (DID)) ', the return authentication success message if equal;
As shown in figure 5, step 23: the cross-domain certification in user strange land;
Step 1: the domain A registration user i inputs logon information ID and PW on the client ClientB of the domain B;
Step 2: client ClientB extracts user equipment number DID, makees Hash operation and generates H (DID), H (PW), deletes
Except local cache, by Diffie-Hellman algorithm and the domain B certificate server ServerB consult session key K, and by ID, H
(PW), the information such as H (DID) are sent to the domain B certificate server ServerB by session key encryption;
Step 3: the domain B certificate server ServerB receives the message that client ClientB is sent, and uses what is consulted
Session key is decrypted, and obtains ID, H (PW), H (DID), inquires whether ID in the public account book of block chain has existed, if not
In the presence of the return unregistered message of user then pulls the corresponding H of ID (PW) ', E from the public account book of block chain if it existsA(H
(DID)) ', the information such as affiliated domain;
Step 4: the domain B certificate server ServerB compares the H (PW) that client ClientB is sent and draws with from block chain
The H (PW) ' taken then further uses A domain node public key PUBA encryption user H (DID) if they are the same and obtains EA(H (DID)) is compared
EA(H (DID)) and EA(H (DID)) ', the return authentication success message if equal.
As shown in fig. 6, being additionally provided with the certification of step 24 user more exchange device in step 2, comprising the following steps:
Step 1: after the user's i more exchange device of the domain A, user name ID and static mouth are inputted on local client ClientA
Enable password PW;
Step 2: client ClientA extracts user equipment number DID, makees Hash operation respectively and generates H (DID), H
(PW), local cache is deleted, by Diffie-Hellman algorithm and the domain A certificate server ServerA consult session key K,
And the information such as ID, H (PW), H (DID) are sent to the domain A certificate server ServerA by session key encryption;
Step 3: the domain A certificate server ServerA receives the message that ClientA is sent, close using the session consulted
Key is decrypted, and obtains ID, H (PW), H (DID), inquires whether ID in the public account book of block chain has existed, and if it does not exist, returns
The unregistered message in reuse family then pulls the corresponding H of ID (PW) ', E from the public account book of block chain if it existsAIt is (H (DID)) ', affiliated
The information such as domain.
Step 4: the domain A certificate server ServerA compares the H (PW) that client ClientA is sent and draws with from block chain
The H (PW) ' taken then further uses A domain node public key PUBA encryption user H (DID) if they are the same and obtains EA (H (DID)), compares
EA(H (DID)) and EA(H (DID)) ', since user has replaced equipment, ServerA is decrypted using A domain node public key PRIA
User EA (Info) obtains Info, extracts wherein close guarantor's problem QSecrect, and return to client by trusted channel
ClientA。
Step 5: when the domain A user i answers close guarantor's problem ASecrect, client ClientA is by close guarantor's problem answers Hash
Change, the information such as ID, H (PW), H (DID), H (ASecrect) are sent to the domain A certificate server by session key encryption
ServerA;
Step 6: the domain A certificate server ServerA compares the H (ASecrect) that client ClientA is sent and record
In close guarantor's answer H (ASecrect) of block chain ', user information is executed if passing through and updates intelligent contract, updates the H of user
(DID), user is returned to after common recognition node completes verifying generation block successfully replace bound device information.
It is as follows to the safety and efficiency analysis of above-mentioned technology in the present invention:
Safety analysis
Preventing playback attack: Replay Attack (Replay Attacks) is primarily referred to as can by intercepting or eavesdropping acquisition system
The received packet of energy, then high frequency sends the packet and makes system that system be made to be busy with response and cannot respond to really request
Packet.By in user's registration, verification process, session key all passes through Diffie-Hellman algorithm and generates random short key, because
The key generated in this each session is not unique, and then realization prevents Replay Attack, guarantees the forward security of key.
Anti- man-in-the-middle attack: man-in-the-middle attack (Man-in-the-Middle Attack, MITM) is primarily referred to as by blocking
It cuts or eavesdrops the data in communication process and the true content of data is distorted, the content after distorting is then forwarded to
Recipient, in the case where data do not encrypt, recipient and sender are difficult to find that data have been tampered with.The present invention with
By Diffie-Hellman consult session key, go-between must the first meeting of decoding before thinking progress data tampering by family registration and user
Key is talked about, since the intractability go-between of discrete logarithm in finite field is difficult to decrypted session content.On the other hand, since user is quiet
State password and facility information are all that facility information is calculated by asymmetric encryption by hashed encryption, and in cross-domain certification
The ciphertext obtained after method is transmitted, therefore even if attacker can intercepting message, information can not be distorted.Unless recognizing
Card node is broken, and public and private key leakage, then the user information of the affiliated node may be tampered.Due to applied field of the invention
Scape is business alliance's chain, and security level is higher, with a high credibility between node, therefore does not consider such special circumstances.
Anti- guessing attack: guessing attack is password guessing attack, and usual situation attacker passes through various feelings
Condition obtains attacker after the password code of user and just grasps all account informations of the user, system be difficult to differentiate attacker with
True user, thus protect user log in password be not leaked it is particularly important.In present invention design, user logs in input
After password key, client just deletes local cache after completing Hash operation immediately, and attacker can not directly acquire user and step on
Land password.And the password backward recovery after hashed is difficult, even if attacker obtains user's hashed after cracking session key
Later log in password, it is also difficult to therefrom restore user log in password.
Secret protection and consistency: in registration phase, the bound device hashed value and supplemental information of user is by registering
Domain public key carries out asymmetric encryption, and encrypted information is stored on the public account book of block chain, and only log-on field holds corresponding private
Information could be decrypted in key.In cross-domain authenticated, other domains are not necessarily to know the specific hashed value of equipment and user
Privacy information, it is only necessary to result of the value transmitted when comparing user authentication after its log-on field adds public key encryption whether on chain
Information is consistent, that is, can determine that whether user passes through certification.This mechanism had both realized the protection of privacy of user data, in turn ensured
Data consistency, the open and clear property of transaction.
Efficiency analysis
The cross-domain certification of local authentication flow chart and strange land in the week, two people that are referred to such as Fig. 7 into Figure 10, with background technique
The scheme of flow chart is compared, the device id as used by present aspect as user authentication second factor have invariance and
Value determines that being decrypted into there is no need to the affiliated domain of user can directly come by comparing the ciphertext after public key encryption to user in plain text
It is authenticated, participates in verification process without User Registration Area in the cross-domain certification of user, reduce letter when the cross-domain certification of user
The interaction frequency and communication overhead are ceased, 1 (computing cost compares when local authentication) is shown in Table and table 2 (calculates when cross-domain certification in strange land
Expense comparison).
Table 1:
Table .2
As shown in the following table 3 (typical algorithm arithmetic speed compares), by be 8GB in RAM, processor is 2 core 3.6GB
Under Windows system, encrypting plaintext length is 160bytes, and each operation 10000 times tests available various types and calculates behaviour
The time overhead of work.
Table 3
Algorithm |
Time-consuming/s |
AES symmetric cryptography |
0.027 |
AES is symmetrically decrypted |
0.105 |
RSA asymmetric encryption |
2.25 |
The asymmetric decryption of RSA |
98.757 |
SHA256 Hash operation |
0.044 |
Exponent arithmetic (101^500) |
0.056 |
As seen from the above table, symmetric cryptography is fastest, and Hash operation and exponent arithmetic arithmetic speed are very fast, AES decryption speed
Degree is about the 1/2 of Hash operation and exponent arithmetic, and asymmetric encryption speed is about the 1/4 of Hash operation and exponent arithmetic,
Rather than symmetrically decryption speed is then nearly the 1/20 of Hash operation and exponent arithmetic.Three kinds of sides when being not counted in fuzzy extraction operation
The comparison of case computing cost time-consuming is as shown in figure 11.
In above 3 kinds of schemes, since asymmetric encryption and asymmetric decryption calculating is employed many times in Zhang Haodi scheme,
The program is time-consuming at most, and efficiency is minimum.And the present invention program and Zhou Zhicheng scheme in local authentication more done a Hash and transported
It calculates, has done primary fuzzy extraction operation less;In strange land when cross-domain certification, other types operation times are identical, done a mould less
Paste extracts operation.Even if not considering the fuzzy extraction recovery operation of fingerprint generally than relatively time-consuming, efficiency of the invention is also caused with week
It is suitable at scheme.
But it is obvious that Zhou Zhicheng scheme has the shortcomings that 2, first is that the static password cryptographic Hash y of the user in its scheme,
And all direct stored in clear of user's random key R that user recovers by fingerprint by fuzzy extraction is in the service of log-on field
Device, if registration domain server is broken at this time, the static password cryptographic Hash y of user, the random key R of user are stolen by hacker,
Then hacker can directly simulant-client logged in using information such as ID, y, R to pretend user, the information security of user will be by pole
Big threat;Second is that client directly sends the information such as ID, y, R to authenticated domain in plain text in the cross-domain verification process in strange land, if
It is monitored in the process by hacker, then the information of user has disclosure risk.And in case of the present invention, the cryptographic Hash of device id is using registration
The public key of domain server is encrypted, and only holds private key ability decryption device ID cryptographic Hash, therefore even if hacker steals data
Library can not also decrypt the particular content of the second certification factor of user, and use in user and server interaction
Diffie-Hellman consult session key, therefore hacker is difficult to the real condition for being used to authenticate by stealing user, has
Effect ensure that the information security of user.In addition, Zhou Zhicheng scheme needs the certificate server of log-on field in the cross-domain certification in strange land
Verification process is participated in, because registration domain server, there may be situations such as busy, delay machine, network delays, reality is cross-domain to recognize
Demonstrate,proving the time may relatively long, and reliability is weaker;And strange land of the present invention it is cross-domain during certification domain server is main and block chain link
Point interaction, since alliance's block chain network interior joint is numerous, when a node response timeout, can be rapidly switched to other section
Row information request is clicked through, therefore reliability of the invention is stronger.From the above analysis, safety of the invention, efficiency, reliable
Property exceeds Zhou Zhicheng scheme.
The above is only a preferred embodiment of the present invention, it is not intended to restrict the invention, it is noted that for this skill
For the those of ordinary skill in art field, without departing from the technical principles of the invention, can also make it is several improvement and
Modification, these improvements and modifications also should be regarded as protection scope of the present invention.