CN110572827B - Safety access gateway and identity authentication method - Google Patents


Info

Publication number
CN110572827B
Authority
CN
China
Prior art keywords
data
unit
identity authentication
host
isolation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910932703.0A
Other languages
Chinese (zh)
Other versions
CN110572827A (en
Inventor
屠一凡
纪晨熹
渠海龙
焦雄飞
申鹏
蔡蓬勃
荆鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hebei Yunjian Wandun Security Technology Co ltd
Original Assignee
Hebei Yunjian Wandun Security Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hebei Yunjian Wandun Security Technology Co ltd
Priority to CN201910932703.0A
Publication of CN110572827A
Application granted
Publication of CN110572827B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/041 Key generation or derivation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/16 Gateway arrangements

Abstract

The invention belongs to the technical field of gateways, and particularly relates to a security access gateway and an identity authentication method. The gateway comprises an external host, a key host, an isolation host and an internal host. The external host comprises a first identity authentication unit, an access control unit, a protocol analysis unit, a data security check unit and a data ferry unit; the isolation host comprises a second identity authentication unit and a data isolation unit; the internal host comprises a third identity authentication unit and a data transmission unit. The gateway has the advantages of high security, higher efficiency and greater convenience.

Description

Safety access gateway and identity authentication method
Technical Field
The invention belongs to the technical field of gateways, and particularly relates to a security access gateway and an identity authentication method.
Background
Security issues are often a stumbling block that hinders the widespread adoption and development of mobile banking. Most mobile devices lack the ability to securely send end-to-end encrypted communications. As a result, sensitive information such as Personal Identification Numbers (PINs) and Primary Account Numbers (PANs) may be sent in plain text, creating a vulnerability in which such sensitive information may be intercepted by malicious persons and used for fraudulent purposes. Although the mobile network operator may provide some security measures, e.g. encryption capability at the base station, the protection provided by such a solution is still limited, since the communication is still sent in plaintext at some point during the transmission. Other solutions require the user's mobile device to be reconfigured, e.g. by over-the-air (OTA) configuration, and such solutions can be expensive in terms of both deployment and operating costs. Mobile operators must therefore either pass this cost on to their customers or absorb it themselves. Thus, the total cost of ownership (TCO) is also often a stumbling block that impedes the rise and development of mobile banking. Without a cost-effective and efficient way to securely send and receive communications with mobile devices, mobile banking operators either incur a loss or fail to fully launch their mobile banking services.
Although mobile network operators strive to find a cost-effective and efficient solution for enabling mobile devices to securely send encrypted traffic, the security weaknesses of mobile banking are not limited to only the potential interception of over-the-air traffic. The interface between the mobile network and the payment processing network is also vulnerable to intrusion by malicious personnel, since the security protocols used in the two networks are typically different and the identity of the device on one of the networks is not always known to the device on the other network. As a result, a malicious person may attempt to connect to one network at an interface by masquerading as part of another network.
For example, one way in which network devices may establish a connection with each other is a three-way handshake of synchronization and acknowledgement messages. A network device may initiate a connection by sending a synchronization message to the target device. In response to receiving the synchronization message, the target device sends back a synchronization confirmation message. The initiating device then sends an acknowledgement message to the target device. Upon receipt of the acknowledgement message, a connection is established between the two network devices. To intrude into the system, a malicious person does not need to know the identity of the target device or which port of the target device will accept a connection. A malicious person may perform a port scan by sending out random synchronization messages and waiting for synchronization confirmation replies, in order to determine what devices are on the network and which of their ports accept connections. On receiving a synchronization confirmation message, the malicious person can learn the identity of the target device from it and obtain the network parameters of the target device. The malicious person may then intrude into the target device's network by launching an attack on the target device.
Disclosure of Invention
In view of the above, the main objective of the present invention is to provide a secure access gateway and an identity authentication method, which have the advantages of high security, higher efficiency and convenience.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
A secure access gateway, the gateway comprising: an external host, a key host, an isolation host and an internal host. The key host comprises a random number selection subunit, a base number generation subunit, a pairing logarithm calculation subunit and a parameter setting subunit. The random number selection subunit is configured to select one element from the plurality of elements of the cyclic group S as a random number O. The base number generation subunit is configured to map the random number O selected by the random number selection subunit using a plurality of mappings, thereby calculating a plurality of base numbers O. The pairing logarithm calculation subunit is configured to calculate the logarithms of the pairing values between the plurality of base numbers O in the group S as a plurality of pairing logarithm coefficients H. The parameter setting subunit is configured to set the plurality of base numbers O calculated by the base number generation subunit and the plurality of pairing logarithm coefficients H calculated by the pairing logarithm calculation subunit as the keys used for cryptographic operations. The base number generation subunit applies a Gauss sum operator Sj to the random number O selected by the random number selection subunit to calculate the plurality of base numbers O = Sj(O), which are among a plurality of numbers at any point on the extension field K, where j is an integer of O or more and 2O-1 or less.
Further, the external host comprises a first identity authentication unit, an access control unit, a protocol analysis unit, a data security check unit and a data ferry unit; the isolation host comprises a second identity authentication unit and a data isolation unit; the internal host comprises a third identity authentication unit and a data transmission unit. The key host generates three keys in each operation and sends them to the external host, the isolation host and the internal host respectively; the first, second and third identity authentication subunits each generate a password according to the key received. The first identity authentication unit is in signal connection with the access control unit; the access control unit is in signal connection with the data security check unit; the data security check unit is in signal connection with the data ferry unit; the data ferry unit is in signal connection with the second identity authentication unit; the second identity authentication unit is in signal connection with the third identity authentication unit; the third identity authentication unit is in signal connection with the data analysis unit. Data passing through the gateway first reaches the external host. After the data passes the authentication of the first identity authentication subunit, that is, after the password is verified, the access control unit sends the data to the protocol analysis unit, which carries out protocol analysis on the data; the data security check unit performs a data security check on the data, and data that has undergone the check is sent to the isolation host through the data ferry unit. After receiving the data, the isolation host performs the second identity authentication: if the data does not pass the authentication of the second identity authentication subunit, the isolation host sends it to the data isolation unit for isolation; if it passes, the data is sent to the internal host. The internal host performs the third identity authentication on the received data, the third identity authentication unit sends the data to the data transmission unit, and the data transmission unit sends the data.
Further, the system equation of the plurality of mappings is $x_{n+1} = \mu x_n (1 - x_n)$, where $\mu$ is a control parameter with value range $0 < \mu \le 4$, $x_n$ is the random number before mapping, and $x_{n+1}$ is the mapped random number.
Further, the random number selection subunit uses the processing device to select a random number O from a plurality of numbers at any point of a hyperelliptic curve C over a finite field Fp: Y = Xw +1, wherein w is a prime number, w = 2O + 1, and the remainder a obtained by dividing the order p by the prime number w is a generator of the multiplicative group F of the finite field Fw of order w.
Further, Sj is obtained by the following formula:
Figure BDA0002220697120000041
wherein P is an operator on the plurality of numbers at the arbitrary point, corresponding to the operator on the hyperelliptic curve C in the extension field K, and is the w-th root of 1.
A method of identity authentication, the method performing the following steps: data passing through the gateway first reaches the external host; after the data passes the authentication of the first identity authentication subunit, that is, after the password is verified, the access control unit sends the data to the protocol analysis unit, and the protocol analysis unit carries out protocol analysis on the data; the data security check unit performs a data security check on the data; data that has undergone the data security check is sent to the isolation host through the data ferry unit; after receiving the data, the isolation host performs the second identity authentication, and if the data does not pass the authentication of the second identity authentication subunit, the isolation host sends the data to the data isolation unit for isolation; if the data passes the authentication of the second identity authentication subunit, it is sent to the internal host; the internal host performs the third identity authentication on the received data, the third identity authentication unit sends the data to the data transmission unit, and the data transmission unit sends the data.
Further, the extension field K is an algebraic extension field obtained by extending the finite field Fp by 2O, and the discrete logarithm calculating subunit uses the processing device to calculate the remainder a and to calculate a plurality of discrete logarithms $l_\kappa$ according to the following formula:
Figure BDA0002220697120000042
wherein κ is an integer of 1 or more and 2O-1 or less, each of the discrete logarithms $l_\kappa$ is an integer of not less than O and not more than 2O-1, and the pairing logarithm calculating subunit uses the processing device to perform its calculation on the plurality of discrete logarithms $l_\kappa$ calculated by the discrete logarithm calculating subunit.
Further, a plurality of pairing logarithm coefficients H are calculated according to the following formula, wherein,
Figure BDA0002220697120000051
Figure BDA0002220697120000052
i is an integer of O or more and 2O-1 or less, each of the plurality of pairing logarithm coefficients H is an integer of O or more and r-1 or less, and r is the order of the random number O.
Further, the method for sending the data to the data isolation unit for isolation comprises: setting up a callable memory space and storing the data in that memory space.
Further, the method by which the first identity authentication subunit generates a password according to the received key, and the method by which the second identity authentication subunit generates a password according to the received key, are as follows: the key and a pseudo-random number are symmetrically encrypted, and the result of the encryption is used as the password.
The security access gateway and identity authentication method of the invention have the following beneficial effects: security is improved to the greatest extent through three rounds of identity verification; in key generation, a key generation method completely different from the prior art is adopted, in which other operations replace pairing operations of composite order to form a high-function cryptographic system equal or superior to one formed by pairing operations of composite order; meanwhile, data with security problems is temporarily isolated in the isolation host, and the isolated data is extracted directly once the security verification has passed, so that it does not need to be transmitted again, which improves the efficiency of system operation.
Drawings
Fig. 1 is a schematic structural diagram of a secure access gateway according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the method of the secure access identity authentication method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of experimental results comparing how the gateway data security rate varies with the number of attacks for the security access gateway and identity authentication method of the present invention and for the prior art.
In Fig. 3, 1 denotes the experimental curve of the prior art, and 2 denotes the experimental curve of the technology of the invention.
Detailed Description
The method of the present invention will be described in further detail with reference to the accompanying drawings and embodiments of the invention.
Example 1
As shown in Fig. 1, a security access gateway comprises: an external host, a key host, an isolation host and an internal host. The key host comprises a random number selection subunit, a base number generation subunit, a pairing logarithm calculation subunit and a parameter setting subunit. The random number selection subunit is configured to select one element from the plurality of elements of the cyclic group S as a random number O. The base number generation subunit is configured to map the random number O selected by the random number selection subunit using a plurality of mappings, thereby calculating a plurality of base numbers O. The pairing logarithm calculation subunit is configured to calculate the logarithms of the pairing values between the plurality of base numbers O in the group S as a plurality of pairing logarithm coefficients H. The parameter setting subunit is configured to set the plurality of base numbers O calculated by the base number generation subunit and the plurality of pairing logarithm coefficients H calculated by the pairing logarithm calculation subunit as the keys used in cryptographic operations. The base number generation subunit applies a Gauss sum operator Sj to the random number O selected by the random number selection subunit to calculate the plurality of base numbers O = Sj(O), which are among a plurality of numbers at any point on the extension field K, where j is an integer of not less than O and not more than 2O-1.
Specifically, a gateway is also called an internetwork connector or protocol converter. A gateway realizes network interconnection above the network layer; it is the most complex network interconnection device and is used only to interconnect two networks with different high-level protocols. A gateway can be used for interconnection of both wide area networks and local area networks. A gateway is a computer system or device that takes on the task of conversion. It acts as a translator between two systems that differ in communication protocol, data format or language, or even in architecture. Unlike a bridge, which simply conveys information, a gateway repackages the information it receives to suit the needs of the destination system.
Meanwhile, a ferry is literally a boat that goes from one bank of a river to the other and then back again. The process of data ferrying is similar. To protect against network attacks, two computers are kept physically separate and completely disconnected from each other, and data is copied from one to the other by floppy disk; this is sometimes figuratively called "data ferrying". The traditional way of exchanging data across networks is the optical disc ferry. Put simply, an optical disc ferry machine first burns the information to be transmitted onto an optical disc, then uses a mechanical arm to switch the disc to the network at the other end of the exchange, where the stored data is read, thereby completing a one-way transmission. This method is slow, has a high packet loss rate and makes security difficult to guarantee; if important data is lost, normal business operation can be seriously affected. In addition, because the data copying is done manually, the range of content copied is difficult to monitor, the compliance of the data is difficult to guarantee, there is no assurance that the data has not been tampered with, the copied data and its usage flow cannot be traced, and the person responsible cannot be identified when a problem occurs.
Example 2
Further, the external host comprises a first identity authentication unit, an access control unit, a protocol analysis unit, a data security check unit and a data ferry unit; the isolation host comprises a second identity authentication unit and a data isolation unit; the internal host comprises a third identity authentication unit and a data transmission unit. The key host generates three keys in each operation and sends them to the external host, the isolation host and the internal host respectively; the first, second and third identity authentication subunits each generate a password according to the key received. The first identity authentication unit is in signal connection with the access control unit; the access control unit is in signal connection with the data security check unit; the data security check unit is in signal connection with the data ferry unit; the data ferry unit is in signal connection with the second identity authentication unit; the second identity authentication unit is in signal connection with the third identity authentication unit; the third identity authentication unit is in signal connection with the data analysis unit. Data passing through the gateway first reaches the external host. After the data passes the authentication of the first identity authentication subunit, that is, after the password is verified, the access control unit sends the data to the protocol analysis unit, which carries out protocol analysis on the data; the data security check unit performs a data security check on the data, and data that has undergone the check is sent to the isolation host through the data ferry unit. After receiving the data, the isolation host performs the second identity authentication: if the data does not pass the authentication of the second identity authentication subunit, the isolation host sends it to the data isolation unit for isolation; if it passes, the data is sent to the internal host. The internal host performs the third identity authentication on the received data, the third identity authentication unit sends the data to the data transmission unit, and the data transmission unit sends the data.
Specifically, a core gateway needs to know what is happening in other parts of the Internet, including routing information and subnet characteristics, in order to route packets correctly and efficiently.
This type of information is typically used when one gateway is handling a heavy load that makes it particularly slow and that gateway is the only way to access a subnet; the other gateways in the network can then tailor traffic flow to relieve the load on it.
GGP is a protocol used primarily to exchange routing information; routing information (including address, topology and routing delay details) should not be confused with the algorithms that make routing decisions. The routing algorithm is typically fixed within the gateway and is not changed by GGP. Core gateways communicate by sending GGP messages and waiting for responses, and update their routing tables if a response containing specific information is received.
Note that the latest improvement of GGP, read, has been used on the Internet, but it is not as popular as GGP. GGP is known as a vector-distance protocol. To work effectively, a gateway must hold complete information about all the gateways on the Internet; otherwise it cannot calculate an efficient route to a destination. For this reason, all core gateways maintain a list of all core gateways on the Internet. This is a rather small table that a gateway can easily handle.
Example 3
Further, the system equation of the plurality of mappings is $x_{n+1} = \mu x_n (1 - x_n)$, where $\mu$ is a control parameter with value range $0 < \mu \le 4$, $x_n$ is the random number before mapping, and $x_{n+1}$ is the mapped random number.
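How the mapped values behave depends strongly on where μ falls in the stated range 0 < μ ≤ 4. The following added example (not code from the patent; the function names and the sample seed 0.3 are assumptions) counts how many distinct values the orbit settles into for several μ, and measures how far two nearly identical seeds drift apart, which shows where the mapped "random numbers" collapse to a fixed point or a short cycle.

```python
"""Regime check for the logistic map x_{n+1} = mu * x_n * (1 - x_n)."""


def logistic_orbit(mu, x0, n):
    """Return the iterates x_1..x_n for control parameter mu and seed x0."""
    if not 0.0 < mu <= 4.0:
        raise ValueError("mu must satisfy 0 < mu <= 4")
    if not 0.0 < x0 < 1.0:
        raise ValueError("seed must lie strictly between 0 and 1")
    orbit, x = [], x0
    for _ in range(n):
        x = mu * x * (1.0 - x)
        orbit.append(x)
    return orbit


def distinct_tail_values(mu, x0=0.3, burn_in=500, keep=200, digits=6):
    """Count distinct values (rounded to `digits`) after the transient.

    1 means the orbit sits on a fixed point, 2 or 4 means a short cycle;
    a count close to `keep` means the orbit has not settled.
    """
    tail = logistic_orbit(mu, x0, burn_in + keep)[burn_in:]
    return len({round(x, digits) for x in tail})


def max_divergence(mu, x0=0.3, delta=1e-10, n=100):
    """Largest gap between the orbits started at x0 and at x0 + delta."""
    a = logistic_orbit(mu, x0, n)
    b = logistic_orbit(mu, x0 + delta, n)
    return max(abs(p - q) for p, q in zip(a, b))


def survey(mus=(0.5, 2.5, 3.2, 3.5, 4.0)):
    """Map each sample mu to the number of distinct settled values."""
    return {mu: distinct_tail_values(mu) for mu in mus}


if __name__ == "__main__":
    for mu, count in survey().items():
        print(f"mu={mu:<4} distinct settled values={count:<4} "
              f"divergence of nearby seeds={max_divergence(mu):.3e}")
```

For every μ the sequence is fully determined by μ and the seed, so the unpredictability of the output can never exceed that of those two inputs.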
Example 4
Further, the random number selection subunit uses the processing device to select a random number O from a plurality of numbers at any point of a hyperelliptic curve C over a finite field Fp: Y = Xw +1, wherein w is a prime number, w = 2O + 1, and the remainder a obtained by dividing the order p by the prime number w is a generator of the multiplicative group F of the finite field Fw of order w.
Example 5
Further, Sj is obtained by the following formula:
Figure BDA0002220697120000091
wherein P is an operator on the plurality of numbers at the arbitrary point, corresponding to the operator on the hyperelliptic curve C in the extension field K, and is the w-th root of 1.
Specifically, using the above method, the present invention implements key computation for bilinear pairings. The bilinear pairing was originally an efficiently computable bilinear map defined on an algebraic curve by Weil in 1946 (i.e., the Weil pairing). It is a very important concept and tool in algebraic geometry, especially in the study of algebraic curve theory. The earliest application of bilinear pairings in cryptography was the MOV attack given by Menezes, Okamoto and Vanstone in 1993, which reduces the discrete logarithm problem on a supersingular elliptic curve to the discrete logarithm problem in a finite field. In 2000, Sakai et al., Joux, and Boneh et al. discovered constructive uses of bilinear pairings in cryptography: they can be used to construct identity-based cryptosystems (IBE), three-party one-round key agreement, and so on. Bilinear pairings then attracted great interest from cryptographers and found more diverse applications, such as short signatures and signatures with special properties (aggregate signatures, verifiable encrypted signatures, partially blind signatures, etc.). Later, as bilinear pairings were found to be capable of realizing attribute-based encryption (ABE), predicate encryption (PE), functional encryption (FE), searchable encryption and the like, pairing-based cryptosystems were applied in fields such as cloud computing. Bilinear pairing cryptography was a research hotspot for more than ten years.
The research results obtained left a remarkable mark on the field of cryptology. However, as bilinear pairings were explored and studied in depth, they were found to have limited functionality and to fall short when some new cryptographic protocols are designed. For example, functional encryption can be designed using bilinear pairings, but only for simple functions, not for complex or arbitrary functions. In addition, bilinear pairings have been studied for nearly 15 years, and new or meaningful results have become less likely (the schemes that are imaginable and interesting have essentially been designed). Meanwhile, in recent years, research on computing discrete logarithms in finite fields of small characteristic has affected the security of pairing-based cryptography, so research interest in it has declined. Bilinear pairings can be generalized to multilinear maps, but before 2012 multilinear maps were only an idea.
In 2012, Garg, Gentry and Halevi realized the first cryptographic multilinear map using ideal lattices, after which Coron et al. gave an implementation on the integer ring. In 2015, Gentry, Gorbunov and Halevi constructed the GGH15 multilinear map scheme based on general lattices. The proposal of multilinear maps has drawn the attention of most researchers. Multilinear maps can not only realize every system realized with bilinear pairings, but also provide stronger functionality. They can realize multi-party one-round key agreement, broadcast encryption and the like, and, as a more powerful application, circuits. The Boolean circuit is the building block of a computer and the underlying framework of all computing functions. Attribute-based encryption and predicate encryption for arbitrary Boolean circuits can be constructed using multilinear maps. More recently, multilinear maps have been used to design indistinguishability obfuscation for arbitrary polynomial circuits, with which a wide variety of very interesting and creative protocols can be designed, for example to act as random oracles, and for encryption of arbitrary functions, multi-party non-interactive key agreement, deniable encryption, and so on. Many of these applications even solve problems that had been open in the field of cryptography for years.
Example 6
A method of identity authentication, the method performing the following steps: data passing through the gateway first reaches the external host; after the data passes the authentication of the first identity authentication subunit, that is, after the password is verified, the access control unit sends the data to the protocol analysis unit, and the protocol analysis unit carries out protocol analysis on the data; the data security check unit performs a data security check on the data; data that has undergone the data security check is sent to the isolation host through the data ferry unit; after receiving the data, the isolation host performs the second identity authentication, and if the data does not pass the authentication of the second identity authentication subunit, the isolation host sends the data to the data isolation unit for isolation; if the data passes the authentication of the second identity authentication subunit, it is sent to the internal host; the internal host performs the third identity authentication on the received data, the third identity authentication unit sends the data to the data transmission unit, and the data transmission unit sends the data.
Example 7
Further, the extension field K is an algebraic extension field obtained by extending the finite field Fp by 2O, and the discrete logarithm calculating subunit uses the processing device to calculate the remainder a and to calculate a plurality of discrete logarithms $l_\kappa$ according to the following formula:
Figure BDA0002220697120000113
wherein κ is an integer of 1 or more and 2O-1 or less, each of the discrete logarithms $l_\kappa$ is an integer of not less than O and not more than 2O-1, and the pairing logarithm calculating subunit uses the processing device to perform its calculation on the plurality of discrete logarithms $l_\kappa$ calculated by the discrete logarithm calculating subunit.
Specifically, the discrete logarithm calculated by the above method will be an element in key generation.
Example 8
Further, a plurality of pairing logarithm coefficients H are calculated according to the following formula, wherein,
Figure BDA0002220697120000111
Figure BDA0002220697120000112
i is an integer of O or more and 2O-1 or less, each of the plurality of pairing logarithm coefficients H is an integer of O or more and r-1 or less, and r is the order of the random number O.
Example 9
Further, the method for sending the data to the data isolation unit for isolation comprises: setting up a callable memory space and storing the data in that memory space.
Example 10
Further, the method for the first identity authentication subunit to generate a password according to the received key and the method for the second identity authentication subunit to generate a password according to the received key are as follows: the key and a pseudo-random number are symmetrically encrypted, and the result of the encryption is used as a password.
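The authentication flow described above, together with Examples 9 and 10 (isolation of data that fails the second authentication, and a password derived from a key and a pseudo-random number), is shown below as an added example that is not code from the patent. The host labels, the length-prefixed frame, the security-check policy, the rejection outcomes and the use of HMAC-SHA256 in place of the unspecified symmetric cipher are all assumptions.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

STAGES = ("external", "isolation", "internal")  # hypothetical host labels
MAX_BODY = 1024                                  # constructed security-check limit

def derive_password(key: bytes, nonce: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the symmetric encryption of the
    # key with a pseudo-random number; the page names no cipher.
    return hmac.new(key, nonce, hashlib.sha256).digest()

def key_host_issue() -> dict:
    # Key host: three fresh keys per operation, one per host, each paired
    # with the pseudo-random number used to derive that host's password.
    return {s: (secrets.token_bytes(32), secrets.token_bytes(16)) for s in STAGES}

def passwords_for(keys: dict) -> dict:
    # What a legitimate sender holding all three keys would present.
    return {s: derive_password(k, n) for s, (k, n) in keys.items()}

def frame(body: bytes) -> bytes:
    # Constructed wire format: 2-byte big-endian length, then the body.
    return struct.pack(">H", len(body)) + body

@dataclass
class Gateway:
    keys: dict
    quarantine: list = field(default_factory=list)  # data isolation unit
    delivered: list = field(default_factory=list)   # data transmission unit

    def authenticate(self, stage: str, presented: dict) -> bool:
        expected = derive_password(*self.keys[stage])
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, presented.get(stage, b""))

    def process(self, wire: bytes, presented: dict) -> str:
        # External host: the first authentication gates everything else.
        if not self.authenticate("external", presented):
            return "rejected:external-auth"       # outcome assumed, not on the page
        # Protocol analysis unit: the declared length must match the body.
        if len(wire) < 2 or struct.unpack(">H", wire[:2])[0] != len(wire) - 2:
            return "rejected:protocol"            # outcome assumed
        body = wire[2:]
        # Data security check unit (constructed policy): size and printable ASCII.
        if len(body) > MAX_BODY or any(b < 0x20 or b > 0x7E for b in body):
            return "rejected:security-check"      # outcome assumed
        # Data ferry unit hands the body to the isolation host.
        if not self.authenticate("isolation", presented):
            self.quarantine.append(body)          # stored in the reserved memory space
            return "quarantined"
        # Internal host: third authentication, then transmission.
        if not self.authenticate("internal", presented):
            return "rejected:internal-auth"       # outcome assumed
        self.delivered.append(body)
        return "delivered"
```

Quarantined data never reaches `delivered`, so the isolation store can be reviewed separately from forwarded traffic.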
The above description is only an embodiment of the present invention, but not intended to limit the scope of the present invention, and any structural changes made according to the present invention should be considered as being limited within the scope of the present invention without departing from the spirit of the present invention.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process and related description of the system described above may refer to the corresponding process in the foregoing method embodiments, and will not be described herein again.
It should be noted that, the system provided in the foregoing embodiment is only illustrated by dividing the functional modules, and in practical applications, the functions may be distributed by different functional modules according to needs, that is, the modules or steps in the embodiments of the present invention are further decomposed or combined, for example, the modules in the foregoing embodiment may be combined into one module, or may be further split into multiple sub-modules, so as to complete all or part of the functions described above. The names of the modules and steps involved in the embodiments of the present invention are only for distinguishing the modules or steps, and are not to be construed as unduly limiting the present invention.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes and related descriptions of the storage device and the processing device described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
Those of skill in the art would appreciate that the various illustrative modules and method steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that programs corresponding to the software modules and method steps may be located in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. To clearly illustrate this interchangeability of electronic hardware and software, various illustrative components and steps have been described above generally in terms of their functionality. Whether these functions are performed in electronic hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The terms "first," "second," and the like are used for distinguishing between similar elements and not necessarily for describing or implying a particular order or sequence.
The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
So far, the technical solutions of the present invention have been described in connection with the preferred embodiments shown in the drawings, but it is apparent to those skilled in the art that the scope of the present invention is not limited to these specific embodiments. Equivalent changes or substitutions of related technical features can be made by those skilled in the art without departing from the principle of the invention, and the technical scheme after the changes or substitutions can fall into the protection scope of the invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention.

Claims (5)

1. A secure access gateway, the gateway comprising: the system comprises an external host, a key host, an isolation host and an internal host;
the key host comprises: the device comprises a random number selection subunit, a base number generation subunit, a pairing logarithm calculation subunit and a parameter setting subunit;
the random number selecting subunit is configured to select an element from a plurality of elements of the cyclic group S as a random number O;
the base number generation subunit is configured to map the random number O using multiple mappings according to the selected random number O, and calculate multiple base numbers O';
a pair-number calculating subunit configured to calculate a pair number of pair values between the plurality of base numbers O' in the group S as a plurality of pair-number coefficients H;
a parameter setting subunit configured to set the plurality of base numbers O' calculated by the base number generation unit and the plurality of pairing logarithm coefficients H calculated by the pairing logarithm calculation unit as keys used for cryptographic operations;
the base number generation subunit causes a Gaussian operator Sj to act on the random number O to calculate a plurality of base numbers O' = Sj(O) of a plurality of arbitrary points on the extension field K, where j is an integer of 2O-l or more and 2O-l or less;
the external host includes: the system comprises a first identity authentication unit, an access control unit, a protocol analysis unit, a data security check unit and a data ferrying unit;
the key host generates three keys in each operation, and respectively sends the three keys to the external host, the isolation host and the internal host; the first identity authentication unit generates a password according to the received secret key, and the second identity authentication unit generates a password according to the received secret key; the third identity authentication unit generates a password according to the received secret key; the data passing through the gateway firstly reaches an external host, after the data passes through the authentication of the first identity authentication unit, namely after the password is verified, the access control unit sends the data to the protocol analysis unit, and the protocol analysis unit carries out protocol analysis on the data;
the isolated host includes: the second identity authentication unit and the data isolation unit;
the internal host includes: a third identity authentication unit and a data transmission unit; the first identity authentication unit is in signal connection with the access control unit; the access control unit is in signal connection with the data security check unit; the data safety inspection unit is connected with the data ferrying unit through signals; the data ferry unit is in signal connection with the second identity authentication unit; the second identity authentication unit is in signal connection with the third identity authentication unit; the third identity authentication unit is in signal connection with the protocol analysis unit; the data security inspection unit performs data security inspection on data; the data subjected to the data security check is sent to the isolation host through the data ferry unit; after receiving the data, the isolation host performs second identity authentication, and if the data does not pass the authentication of the second identity authentication unit, the isolation host sends the data to the data isolation unit for isolation; if the authentication of the second identity authentication unit is passed, the data is sent to the internal host; the internal host computer carries out third identity authentication on the received data, the third identity authentication unit sends the data to the data transmission unit, and the data transmission unit sends the data;
the mapping system equation of the plurality of mappings is: $x_{n+1} = \mu x_n (1 - x_n)$, wherein $\mu$ is a control parameter with the value range $0 < \mu \le 4$, $x_n$ is the random number before mapping, and $x_{n+1}$ is the random number after mapping;
the random number selection subunit selects a random number from a hyperelliptic curve C over a finite field Fp: selecting a random number O from a plurality of numbers of any point of Y = Xw +1, wherein w is a prime number, w =2O + l, and a remainder a obtained by dividing the order p by the prime number w is a generator of a multiplicative group F of a finite field Fw with the order w;
the Sj is obtained by the following formula:
Figure FDA0003840744710000021
wherein ρ is an operator at a plurality of numbers of the arbitrary point corresponding to an operator on the hyperelliptic curve C in the extension field K, and is a w-th power root of I;
the extension field K is an algebraic extension field obtained by extending the finite field Fp by 2O order, and the discrete logarithm calculating subunit calculates, based on the remainder a, a plurality of discrete logarithms $l_\kappa$ according to the following formula:
Figure FDA0003840744710000022
Figure FDA0003840744710000023
wherein k is an integer of not less than I and not more than 2O-l, each of the plurality of discrete logarithms $l_\kappa$ is an integer of not less than O and not more than 2O-l, and the pairing logarithm calculating subunit calculates, from the plurality of discrete logarithms $l_\kappa$ calculated by the discrete logarithm calculating subunit, a plurality of pairing logarithm coefficients H according to the formula, wherein
Figure FDA0003840744710000034
i is an integer of O or more and 2O-1 or less, the plurality of pairing logarithmic coefficients H is an integer of O or more and r-1 or less, and r is the order of the random number O.
2. An identity authentication method for a security access gateway according to claim 1, wherein the method performs the following steps: the data passing through the gateway firstly reaches an external host, after the data passes through the authentication of the first identity authentication unit, namely after the password is verified, the access control unit sends the data to the protocol analysis unit, and the protocol analysis unit carries out protocol analysis on the data; the data security inspection unit performs data security inspection on the data; the data subjected to the data security check is sent to the isolated host through the data ferry unit; after receiving the data, the isolation host performs second identity authentication, and if the data do not pass the authentication of the second identity authentication unit, the isolation host sends the data to the data isolation unit for isolation; if the authentication of the second identity authentication unit is passed, the data is sent to the internal host; and the internal host performs third identity authentication on the received data, the third identity authentication unit sends the data to the data transmission unit, and the data transmission unit sends the data.
3. The method of claim 2, wherein the extension field K is an algebraic extension field obtained by extending the finite field Fp by 2O, and the discrete logarithm calculating subunit calculates, based on the remainder a, a plurality of discrete logarithms $l_\kappa$ according to the following formula:
Figure FDA0003840744710000031
wherein k is an integer of not less than I and not more than 2O-l, and each of the discrete logarithms $l_\kappa$ is an integer of not less than O and not more than 2O-l;
the pairing logarithm calculating subunit calculates, from the plurality of discrete logarithms $l_\kappa$ calculated by the discrete logarithm calculating subunit, a plurality of pairing logarithm coefficients H according to the following formula, wherein,
Figure FDA0003840744710000032
Figure FDA0003840744710000033
i is an integer of O or more and 2O-1 or less, the plurality of pairing logarithmic coefficients H is an integer of O or more and r-1 or less, and r is the order of the random number O.
4. The method of claim 3, wherein the sending the data to the data isolation unit for isolation is by: setting a memory space which can be called, and storing data into the memory space.
5. The method of claim 4, wherein the first authentication element generates a password based on the received key, and wherein the second authentication element generates a password based on the received key by: the key and a pseudo-random number are symmetrically encrypted, and the result of the encryption is used as a password.
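The mapping equation in claim 1 admits any control parameter in the range 0 < μ ≤ 4, and for part of that range the iterates settle onto a fixed point or a short cycle instead of varying. The following added example (not code from the patent; the function names, starting value and thresholds are assumptions) iterates the map and reports which candidate parameters collapse in this way, a check worth running before treating the output as a source of distinct values.

```python
def logistic_orbit(x0: float, mu: float, n: int) -> list:
    """Iterate x_{n+1} = mu * x_n * (1 - x_n) n times and return every iterate."""
    if not 0.0 < mu <= 4.0:
        raise ValueError("mu must satisfy 0 < mu <= 4")
    if not 0.0 <= x0 <= 1.0:
        raise ValueError("x0 must lie in [0, 1]")
    orbit, x = [], x0
    for _ in range(n):
        x = mu * x * (1.0 - x)   # stays in [0, 1] because mu / 4 <= 1
        orbit.append(x)
    return orbit


def attractor_size(x0: float, mu: float, burn_in: int = 1000,
                   window: int = 64, digits: int = 8) -> int:
    """Count the distinct values (to `digits` decimals) visited after burn-in."""
    tail = logistic_orbit(x0, mu, burn_in + window)[burn_in:]
    return len({round(v, digits) for v in tail})


def degenerate_mus(x0: float, candidates, max_distinct: int = 4) -> list:
    """Return the control parameters whose output collapses to a few values."""
    return [mu for mu in candidates if attractor_size(x0, mu) <= max_distinct]


if __name__ == "__main__":
    # Constructed sample parameters: decay to 0, fixed point, 2-cycle, chaotic.
    for mu in (0.5, 2.5, 3.2, 4.0):
        print(mu, attractor_size(0.3, mu))
```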
CN201910932703.0A 2019-09-29 2019-09-29 Safety access gateway and identity authentication method Active CN110572827B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910932703.0A CN110572827B (en) 2019-09-29 2019-09-29 Safety access gateway and identity authentication method

Publications (2)

Publication Number Publication Date
CN110572827A CN110572827A (en) 2019-12-13
CN110572827B true CN110572827B (en) 2023-03-31

Family

ID=68783188

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910932703.0A Active CN110572827B (en) 2019-09-29 2019-09-29 Safety access gateway and identity authentication method

Country Status (1)

Country Link
CN (1) CN110572827B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113179164B (en) * 2021-04-29 2023-03-17 Harbin Engineering University Multi-authority ciphertext policy attribute-based encryption method based on ideal lattices


Also Published As

Publication number Publication date
CN110572827A (en) 2019-12-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant