CN111490967B - Unified identity authentication method and system for providing user-friendly strong authentication and anonymous authentication - Google Patents


Info

Publication number
CN111490967B
CN111490967B (application CN201910086040.5A)
Authority
CN
China
Prior art keywords
user
authentication
password
certificate
credential
Prior art date
Legal status
Active
Application number
CN201910086040.5A
Other languages
Chinese (zh)
Other versions
CN111490967A (en)
Inventor
张振峰
王宇辰
Current Assignee
Institute of Software of CAS
Original Assignee
Institute of Software of CAS
Priority date
Filing date
Publication date
Application filed by Institute of Software of CAS
Priority to CN201910086040.5A
Publication of CN111490967A
Application granted
Publication of CN111490967B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a unified identity authentication method and system that provide user-friendly strong authentication and anonymous authentication. The method provides a password-based credential scheme in which a user, by entering a password, uses his credential to perform strong authentication or anonymous authentication to a verifier in a "challenge-response" mode; the scheme comprises six algorithms: system setup, key generation, credential issuance, credential acquisition, presentation proof generation and presentation proof verification. The password-based credential scheme is compatible with standard unified identity authentication protocols and with the common username-password authentication mode, requires no special hardware and no modification of the underlying cryptographic library, and is suitable for large-scale deployment. The efficiency of the unified identity authentication system is essentially equivalent to that of a system using "username-password" authentication, so the performance requirements of practical applications can be met.

Description

Unified identity authentication method and system for providing user-friendly strong authentication and anonymous authentication
Technical Field
The invention belongs to the technical field of computer technology and information security, and relates to a method for implementing strong authentication and anonymous authentication based on a "challenge-response" mechanism, using unified identity authentication, zero-knowledge proofs and the like, without any special hardware. The unified identity authentication method and system are user-friendly and provide both a strong authentication mechanism and an anonymous authentication mechanism.
Background
With the rapid development of the internet and information technology, people increasingly cannot do without digital services and applications. When users use applications and services on the network, they often need to prove their identity to Service Providers (SPs), and only after authentication succeeds can the next operation be performed. In most cases the SP uses a "username-password" authentication mechanism, whose advantage is that the user can authenticate to the SP by memorizing only a password; however, the SP generally stores user credentials centrally on the server, so that in a data breach the credentials can be leaked on a large scale and the accounts of many users are threatened at once.
In order to reduce the burden of a user to manage multiple credentials simultaneously, many service providers have established a unified identity authentication system. Such systems allow a user to access services provided by multiple Relying Parties (RPs) using identities managed by one identity provider (IdP), i.e. the user can access multiple services through one credential. Most currently operated unified identity authentication systems still use a "username-password" authentication mechanism, which exposes the user credentials to large-scale leakage risks. The leakage of the credentials in the unified identity authentication system can cause more serious harm, and an attacker can log in a plurality of RPs simultaneously by using the leaked credentials and use the services provided by the RPs, so that the account registered by the user at the plurality of RPs is simultaneously broken in one data leakage event.
Another serious risk caused by the "username-password" authentication mechanism is the leakage of user privacy: the mechanism requires the user to send his identity information explicitly to the SP, so private data belonging to the user can easily be collected, disclosed and even resold. In this context, anonymous authentication has received a great deal of attention from the industry: the service provider can confirm that the user is a registered, legitimate user, but cannot learn the user's specific identity and cannot determine whether two sessions involve the same user. In particular, as blockchain technology has evolved, a range of cryptocurrencies offering anonymity have become well known and accepted by the public, and Hyperledger also provides an anonymous membership service. The existing anonymous authentication schemes all require the user to use special hardware to protect secret information or to modify the library implementation at the bottom layer of the system, and are difficult to run directly on general-purpose devices or to make compatible with existing systems.
To address the large-scale leakage risk caused by centralized credential storage in traditional authentication, the FIDO Alliance proposes a protocol called the FIDO Universal Authentication Framework (UAF), which provides a strong authentication scheme based on digital signatures and a "challenge-response" mechanism. FIDO UAF eliminates the risk of large-scale leakage of user credentials and improves the security of the user authentication process. However, to protect the user's private key, FIDO UAF also requires the user to authenticate with special hardware (called a FIDO authenticator). This means the user must carry the dedicated device at all times and cannot authenticate from a general-purpose device; if the dedicated device is damaged or lost, authentication cannot be performed. From the perspective of privacy protection, FIDO UAF cannot achieve true anonymous authentication: the server still learns the user's registered identity and can collect the user's private information at every login.
To solve the privacy disclosure problem of unified identity authentication systems, some privacy-respecting protocols (such as BrowserID and SPRESSO) have been developed to ensure that the IdP cannot learn which RP the user logs in to during authentication. These systems are independent of the widely applied unified identity authentication standards and still adopt a username-password authentication mechanism in their design, so the leakage risk caused by centralized storage is difficult to avoid; in addition, the IdP and RP can still learn the user's identity and collect private information.
Based on this, a unified identity authentication system that does not require the use of dedicated hardware by the user, is capable of providing both strong authentication and anonymous authentication, and is compatible with existing wide deployments is highly desirable.
Disclosure of Invention
The present invention contributes to providing a password-based credential scheme and a unified identity authentication method and system providing strong authentication/anonymous authentication.
The invention comprises the following two aspects:
First, the password-based credential scheme
The invention provides a password-based credential scheme in which a user, by entering a password, uses his credential to perform strong authentication or anonymous authentication to a verifier in a "challenge-response" mode; the scheme comprises six algorithms: system setup, key generation, credential issuance, credential acquisition, presentation proof generation and presentation proof verification.
The general properties of this approach include:
1) The user encrypts the credential with the password, and the password-encrypted credential can be stored on a general-purpose device without special equipment to protect it. "Credential" refers to the information used to prove the user's identity when authenticating to the SP.
2) The password-encrypted credentials may be resistant to offline attacks, i.e., adversaries may not be able to obtain the credentials by performing an offline dictionary attack on the password-encrypted credentials.
3) The user may use the same credential to perform strong authentication or anonymous authentication based on a "challenge-response" mechanism to the verifier, i.e. the same credential may be presented in different ways.
4) The verifier does not need to store user credentials, so the risk of data leakage caused by centralized credential storage is avoided.
5) The user needs to input the correct password to decrypt the credential before authenticating with the verifier.
6) The user can change the password protecting the encrypted credential at any time, without interacting with the server (i.e. the verifier).
Second, the unified identity authentication method providing strong authentication and anonymous authentication
The invention provides a unified identity authentication method providing strong authentication/anonymous authentication, which combines the password-based credential scheme of Part I with a standard unified identity authentication protocol (such as OpenID Connect), and has the following basic properties:
1) The user registers a password-based credential at the IdP and can access multiple RPs using this credential.
2) The user can use the same credentials to strongly authenticate/anonymously authenticate to the IdP based on a "challenge-response" mechanism and further access the RP.
3) Neither IdP nor RP need to centrally maintain user credentials.
4) In the process of implementing anonymous authentication, neither IdP nor RP can acquire the identity of the user, nor can it collect user privacy with the help of the identity of the authenticated user.
5) The method can be compatible with a unified identity authentication protocol such as OpenID Connect and the like and a common 'username-password' authentication mode, can be used in a system together with the 'username-password' mode, and does not need to use special hardware or modify a bottom-layer cryptography library.
6) Based on a password white-box or secure hardware, the user can register and reuse a pseudonym at the RP, achieving user-controllable (un)linkability: the user chooses whether or not to reuse the pseudonym used in a previous authentication.
Specifically, the technical scheme adopted by the invention is as follows:
a unified identity authentication method providing user-friendly strong authentication and anonymous authentication, comprising the steps of:
1) The user side encrypts the credential with the password to obtain and store the password-based credential;
2) The user side performs strong authentication or anonymous authentication to the verification side using the password-based credential.
Further, the password-based credential is stored on a general-purpose device, with no dedicated device needed to protect it.
Further, the user side can change the password protecting the encrypted credential at any time, and the change does not involve the verification side; the verification side does not store the user side's credential, so the risk of data leakage caused by centralized credential storage is avoided.
Further, step 1) obtains the password-based credential by calling an algebraic message authentication code scheme and a password encryption scheme.
Further, step 1) comprises six algorithms: system setup, key generation, credential issuance, credential acquisition, presentation proof generation and presentation proof verification, denoted Setup, KeyGen, Issue, Obtain, Show and ShowVerify respectively:
Setup(1^λ): input a security parameter λ; according to λ the algorithm selects and outputs the domain parameters
Figure GDA0003369467840000031
Wherein
Figure GDA0003369467840000032
is a cyclic group of order p, where p is a prime of at least 2λ bits, and g is a generator of the group
Figure GDA0003369467840000033
given above;
KeyGen(pp): input the public parameter pp; the algorithm calls the Gen algorithm of the algebraic message authentication code scheme to generate a public parameter par and a private key sk, where par is publicly visible to the users participating in the scheme;
Figure GDA0003369467840000041
where uid is a user identifier and pw is a password; Obtain and Issue run interactively between the user and the credential issuer, with the user registering and obtaining the password-based credential;
Show(tag, par, uid, pw, [σ]_pw, M): tag is a label, and the presentation proof is generated in different ways according to its value; [σ]_pw is the credential encrypted with the password. The algorithm is executed by a user who has registered a password-based credential in order to authenticate to a verifier: it computes σ ← Dec(pw, [σ]_pw) and then uses uid and σ to generate a presentation proof about the message M, Σ ← Show_MAC(tag, par, uid, σ, M); the tag value is chosen according to whether the user wants strong authentication or anonymous authentication;
ShowVerify(sk, uid, M, Σ): the algorithm is executed by a verifier who shares the private key sk with the credential issuer. Its inputs are the private key sk, a user identity uid, a message M and a presentation proof Σ about M; a null user identity corresponds to anonymous authentication and a non-null identity to strong authentication.
Further, step 2) combines the password-encrypted credential with a standard unified identity authentication protocol to realize strong authentication or anonymous authentication.
Further, based on a password white-box or secure hardware, the user side registers and reuses a pseudonym at the RP, achieving user-controllable (un)linkability: the user chooses whether or not to reuse the pseudonym used in a previous authentication.
A unified identity authentication system providing user-friendly strong authentication and anonymous authentication with the above method comprises a user side and a verification side: the user side encrypts the credential with the password to obtain and store the password-based credential, and performs strong authentication or anonymous authentication to the verification side using that credential.
Compared with the prior art, the invention has the advantages that:
1) the same credential can be used to perform both strong and anonymous authentications.
2) A strong authentication and anonymous authentication scheme based on a 'challenge-response' mechanism is provided without the need for dedicated hardware.
3) Compared with other anonymous authentication mechanisms, the invention avoids the problem of anonymous credential lending, i.e. the owner of a credential lending it to a user outside the system while anonymity prevents the SP from detecting this. In the present invention the same credential serves both real-name authentication and anonymous authentication, so lending the credential also means lending the real-name account, and the SP can easily detect the lending through its existing mechanisms for detecting real-name account lending.
4) The server does not need to store the user credentials in a centralized manner, so that the risk of centralized leakage of the credentials is eliminated.
5) The user can change the password used to encrypt the credentials at any time without interacting with the server.
6) The scheme resists offline dictionary attacks, and the password is used only to encrypt and decrypt the credential on the user's device, which reduces the risk of password leakage.
7) The invention is compatible with widely applied uniform identity authentication standards and deployed systems, does not need to modify a bottom-layer cryptography library, and is suitable for large-scale application and popularization.
8) The efficiency of the unified identity authentication system is basically equivalent to that of a system using 'user name-password' authentication, and the performance requirements of practical application can be met.
Drawings
FIG. 1 is a schematic diagram of a unified identity authentication method of the present invention that provides strong authentication/anonymous authentication.
Detailed Description
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
In the following embodiments an existing signature proof of knowledge scheme (Signature Proof of Knowledge, SPK) is invoked as a building block. Such a scheme consists of two algorithms (SPK, Verify_SPK): the SPK algorithm proves in zero knowledge that the signer knows a witness for a certain statement and outputs a signature on a message generated with that witness; the Verify_SPK algorithm checks whether a signature on a message was produced with a legitimate witness for the statement. In the following examples three signature proof of knowledge schemes are used, denoted
Figure GDA0003369467840000051
Example 1 general construction of password-based credential scheme
The password-based credential scheme is constructed from a general algebraic message authentication code scheme and consists of six algorithms: system setup, key generation, credential issuance, credential acquisition, presentation proof generation and presentation proof verification, denoted Setup, KeyGen, Issue, Obtain, Show and ShowVerify respectively. The algebraic message authentication code scheme may be any academically accepted one (such as MAC_SDH).
This embodiment invokes an algebraic message authentication code scheme and a password encryption scheme as building blocks. An algebraic message authentication code scheme consists of three algorithms (Gen, MAC, Verify): Gen generates the public parameter par and the private key sk of the scheme; MAC takes the private key sk and a message M as input and outputs a message authentication code σ for M; Verify checks whether a message authentication code σ is legitimate with respect to the message M and the private key sk. When the generated message authentication code is treated as a credential, a corresponding credential presentation algorithm and credential verification algorithm can be constructed, denoted (Show_MAC, ShowVerify_MAC): Show_MAC generates a presentation proof showing that the user holds a legitimate credential, and ShowVerify_MAC checks that the presentation proof is legitimate. In particular, Show_MAC lets the user supply a tag and generates the presentation proof in different ways depending on its value. In this example tag ∈ {"explicit", "anon"}: "explicit" means that verifying the presentation proof requires both the message M and the private key sk (the strong authentication case); "anon" means that verifying the presentation proof requires only the private key sk (the anonymous authentication case). The password encryption scheme consists of two algorithms (Enc, Dec) that encrypt and decrypt their input under the password.
The algorithm of this construction is described as follows:
1) Setup(1^λ): input a security parameter λ; according to λ the algorithm selects and outputs the domain parameters
Figure GDA0003369467840000061
Wherein
Figure GDA0003369467840000062
is a cyclic group of order p, where p is a prime of at least 2λ bits, and g is a generator of the group
Figure GDA0003369467840000067
given above.
2) KeyGen(pp): input the public parameter pp; the algorithm calls the Gen algorithm of the algebraic message authentication code scheme to generate a public parameter par and a private key sk, where par is publicly visible to the users participating in the scheme.
3)
Figure GDA0003369467840000063
Obtain and Issue run interactively between the user and the credential issuer, with the user registering and obtaining the password-based credential. The interaction proceeds as follows:
a) The user sends its user identifier uid to the credential issuer.
b) The credential issuer computes H1(uid), where H1 is a cryptographic hash function mapping an arbitrary bit string into the message space of the algebraic message authentication code scheme
Figure GDA0003369467840000064
It then generates a credential σ ← MAC(sk, uid) and computes:
π1 ← SPK1{(sk): Verify(sk, uid, σ) = 1 ∧ (par, sk) ← Gen(pp)}
Finally, the credential issuer sends (σ, π1) to the user.
Here,
Figure GDA0003369467840000065
denotes an interactive process running between the two participants, and "←" indicates that the expression on the left is computed from the expression on the right.
c) After receiving (σ, π1), the user computes H1(uid) and runs
Figure GDA0003369467840000066
If the algorithm returns 1, σ is accepted as legitimate; the user then computes [σ]_pw ← Enc(pw, σ), i.e. encrypts the credential σ with the password pw, and stores the password-encrypted credential [σ]_pw. Otherwise σ is not a legitimate credential and the user aborts the scheme.
4) Show(tag, par, uid, pw, [σ]_pw, M): the algorithm is executed by a user who has registered a password-based credential in order to authenticate to a verifier. It computes σ ← Dec(pw, [σ]_pw), i.e. decrypts the credential, and then uses uid and σ to generate a presentation proof for the message M: Σ ← Show_MAC(tag, par, uid, σ, M). If the user wishes to perform strong authentication, tag is set to "explicit"; for anonymous authentication, tag is set to "anon".
5) ShowVerify(sk, uid, M, Σ): the algorithm is executed by a verifier who shares the private key sk with the credential issuer. Its inputs are the private key sk, the user identity uid, the message M and a presentation proof Σ for M. A null user identity corresponds to anonymous authentication and a non-null identity to strong authentication. The algorithm calls ShowVerify_MAC(sk, uid, M, Σ) to check the validity of the presentation proof and outputs the result; ShowVerify_MAC(sk, uid, M, Σ) is the credential verification algorithm of the algebraic message authentication code scheme.
Example 2. A specific construction of password-based credentials
This embodiment takes a specific algebraic message authentication code (denoted MAC_SDH) and the corresponding password encryption scheme PE = (Enc, Dec) and describes the construction of an efficient password-based credential, a concrete instantiation of the general construction of Example 1. For brevity, only the construction of each algorithm of MAC_SDH and of the password encryption scheme is described below; the specific structure of the password-based credential in this embodiment is obtained by substituting them into the general construction of Example 1.
Construction of the algebraic message authentication code scheme MAC_SDH = (Gen, MAC, Verify) and of (Show_MAC, ShowVerify_MAC):
1) Gen(pp): input the public parameter
Figure GDA0003369467840000071
The algorithm selects a random number γ and computes ω ← g^γ; the public parameter is isp = ω and the private key of the credential issuer is sk = γ.
2) MAC(sk, uid): input the private key sk = γ and the user identifier uid, and compute
Figure GDA0003369467840000072
Output σ = A.
3) Verify(sk, uid, σ): input the private key sk = γ, the user identifier uid and the message authentication code σ; if
Figure GDA0003369467840000073
holds, output 1; otherwise output 0.
4) Show_MAC(tag, par, uid, σ, M): select a random number a and compute T ← σ^a. If tag = "explicit", compute
Figure GDA0003369467840000074
and output Σ = (T, π2). If tag = "anon", compute
Figure GDA0003369467840000075
and output Σ = (T, π3).
5) ShowVerify_MAC(sk, uid, M, Σ): for the input Σ = (T, π), if T = 1, output 0 directly. Otherwise, when uid ≠ ⊥, run
Figure GDA0003369467840000076
and output the result, where ⊥ denotes a null value. When uid = ⊥, run
Figure GDA0003369467840000077
and output the result.
Construction of the password encryption scheme PE = (Enc, Dec):
1) Enc(pw, M): input the password pw and the plaintext M, compute C ← M · H2(pw), and output C as the ciphertext, where H2 is a cryptographic hash function.
2) Dec(pw, C): input the password pw and the ciphertext C, compute M ← C · H2(pw)^(-1), and output M as the decryption result.
In this embodiment, the cryptographic hash functions are instantiated with a standard hash function (e.g., SHA-256 or SM3).
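As an added illustration (this code is not from the patent or its authors), the following Python sketch runs the six algorithms of Examples 1 and 2 end to end: Setup, KeyGen, the Issue/Obtain step that the user completes with Enc, and Show/ShowVerify in both the "explicit" (strong) and "anon" modes. Everything the page keeps in its equation images is an assumption here: the MAC is an SDH-style one, σ = g^(1/(γ+H1(uid))) with Verify checking σ^(γ+H1(uid)) = g; π2 and π3 are Schnorr-type signature proofs of knowledge built on the relation T^(γ+H1(uid)) = g^a and made non-interactive with Fiat-Shamir over the challenge message M; the group is a Schnorr subgroup of Z_p^* found by a deterministic safe-prime search rather than a pairing-friendly group; and H2 maps a password to the group as g^(SHA-256(pw) mod q). The verifier needs sk = γ for every check, which is what makes password guesses undetectable offline: decrypting [σ]_pw under a wrong password yields another perfectly valid-looking group element.

```python
import hashlib
import secrets

# Toy group: the order-q subgroup of Z_p^* for a safe prime p = 2q + 1 (constructed here,
# not the patent's group). The whole file is an added example, not the patent's code.

def is_probable_prime(n, rounds=16):
    """Trial division by small primes followed by Miller-Rabin."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def setup(bits=96):
    """Setup(1^lambda): deterministic safe-prime search; pp = (p, q, g) with g = 2^2 of order q."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

def h1(pp, uid):
    """H1: user identifier -> Z_q, the MAC message space."""
    return int.from_bytes(hashlib.sha256(b"H1|" + uid.encode()).digest(), "big") % pp[1]

def h2(pp, pw):
    """H2: password -> group element (assumed toy map g^{SHA-256(pw) mod q})."""
    p, q, g = pp
    return pow(g, int.from_bytes(hashlib.sha256(b"H2|" + pw.encode()).digest(), "big") % q, p)

def challenge(pp, *parts):
    """Fiat-Shamir challenge binding the proof to the transcript and the message M."""
    h = hashlib.sha256()
    for x in parts:
        h.update(x if isinstance(x, bytes) else str(x).encode())
    return int.from_bytes(h.digest(), "big") % pp[1]

# Algebraic MAC, assumed SDH-style: sigma = g^{1/(gamma + H1(uid))}; Verify: sigma^{gamma + H1(uid)} = g
def keygen(pp):
    """KeyGen(pp) -> (isp = omega = g^gamma, sk = gamma); sk is shared by issuer and verifier."""
    p, q, g = pp
    gamma = secrets.randbelow(q - 1) + 1
    return pow(g, gamma, p), gamma

def mac(pp, gamma, uid):
    p, q, g = pp
    return pow(g, pow((gamma + h1(pp, uid)) % q, -1, q), p)

def verify(pp, gamma, uid, sigma):
    p, q, g = pp
    return pow(sigma, (gamma + h1(pp, uid)) % q, p) == g

# Password encryption PE = (Enc, Dec) as on the page: C = M * H2(pw), M = C * H2(pw)^-1.
# Without gamma nobody can tell a correct Dec from a wrong one: every guess yields a group element.
def enc(pp, pw, m):
    return m * h2(pp, pw) % pp[0]

def dec(pp, pw, c):
    return c * pow(h2(pp, pw), -1, pp[0]) % pp[0]

def show(tag, pp, uid, pw, enc_sigma, msg):
    """Show(tag, par, uid, pw, [sigma]_pw, M): decrypt, randomise T = sigma^a, prove knowledge."""
    p, q, g = pp
    sigma = dec(pp, pw, enc_sigma)             # a wrong pw silently yields a useless sigma
    a = secrets.randbelow(q - 1) + 1
    T = pow(sigma, a, p)                       # T^(gamma + m) = g^a with m = H1(uid)
    r1, r2 = secrets.randbelow(q), secrets.randbelow(q)
    if tag == "explicit":                      # pi2: SPK{(a): U = g^a}(M); verifier derives U from T, uid
        c = challenge(pp, T, pow(g, r1, p), msg)
        return T, c, (r1 + c * a) % q
    if tag == "anon":                          # pi3: SPK{(a, m): T^gamma = g^a * T^-m}(M); uid stays secret
        m = h1(pp, uid)
        R = pow(g, r1, p) * pow(T, (-r2) % q, p) % p
        c = challenge(pp, T, R, msg)
        return T, c, ((r1 + c * a) % q, (r2 + c * m) % q)
    raise ValueError("tag must be 'explicit' or 'anon'")

def show_verify(pp, gamma, uid, msg, proof):
    """ShowVerify(sk, uid, M, Sigma): uid=None is anonymous authentication, otherwise strong."""
    p, q, g = pp
    T, c, s = proof
    if T == 1:                                 # the page rejects T = 1 outright
        return False
    if uid is not None:
        U = pow(T, (gamma + h1(pp, uid)) % q, p)           # equals g^a iff sigma was valid for uid
        R = pow(g, s, p) * pow(U, (-c) % q, p) % p
    else:
        s1, s2 = s
        V = pow(T, gamma, p)                               # equals g^a * T^-m for the registered m
        R = pow(g, s1, p) * pow(T, (-s2) % q, p) * pow(V, (-c) % q, p) % p
    return c == challenge(pp, T, R, msg)
```

Calling show() with a wrong password produces a presentation that show_verify() rejects, while an attacker holding only [σ]_pw has no way to learn that a guess was wrong, since every candidate decrypts to an element of the group and only the holder of γ can run Verify. The anonymous presentation carries a fresh T = σ^a on every login and the proof never includes uid, which is the property the page's ShowVerify_MAC with uid = ⊥ relies on. In a deployment the toy hash-to-group, the non-pairing group and the hand-rolled Schnorr proofs would be replaced by a vetted library, and the issuer's proof π1 (not shown here) would let the user verify σ before encrypting it.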
Example 3. A unified identity authentication system providing strong authentication/anonymous authentication
This embodiment constructs a unified identity authentication system that is compatible with a common unified identity authentication standard and can provide strong authentication/anonymous authentication. To explain the workflow, OpenID Connect is taken as the example; other unified identity authentication standards (such as SAML 2.0 and OAuth 2.0) can be handled in the same way and are not described again here.
Specifically, the unified identity authentication system providing strong authentication/anonymous authentication in this embodiment comprises three stages, system setup, registration and login, whose operations are as follows:
1) System setup stage: the IdP and the RP generate the public and private keys needed for operating the system. Specifically, the IdP calls the key generation algorithm of Example 1 to produce (isp, sk) ← KeyGen(pp), and takes (pp, isp) as part of its public key and sk as part of its private key.
2) Registration stage: this stage must be performed over a secure channel, which can be established by running the TLS protocol. The process is as follows:
a) the RP registers with IdP as specified by the OpenID Connect standard.
b) User's use of embodiment 1
Figure GDA0003369467840000081
Registering by an interactive protocol to finally obtain the user identity uid and password encryption certificate [ sigma ]]pw
3) A login stage: user-specific (isp, uid, pw, [ sigma ]]pw) And authenticating the IdP and the RP, wherein the specific flow is described as follows (see figure 1):
a) the user first accesses the RP, which redirects the user to IdP as specified by OpenID Connect. In particular, the RP defines, through an acr _ values parameter specified by the standard, the authentication manner (e.g., strong authentication or anonymous authentication) that the user is allowed to employ when authenticating to the IdP.
b) IdP authenticates users as specified by the standard. Specifically, the IdP selects an acceptable user authentication mode according to the acr _ values sent by the RP, and encapsulates an identifier (denoted as amr in OpenID Connect) thereof as a parameter amr _ values; then a random number n is selectedIAnd will amr _ values and nIAnd sending the data to the user. For convenience of description, the strong authentication of the present invention is denoted as amr and the anonymous authentication is denoted as pbcs and pbca.
c) After receiving the IdP message, the user selects the authentication method according to the amr _ values, which is specifically as follows: if pbcs belongs to amr _ values, the user performs strong authentication using the password-based credential, i.e. executes the Show algorithm with "exploret" as tag. Then, the user uses the output Σ of the Show algorithm and the identity uid as a user _ token, and sends the user _ token and the authentication mode amr — pbcs together to IdP. If pbca ∈ amr _ values, the user performs anonymous authentication using password-based credentials, i.e., performs the Show algorithm with "anon" as tag. Then, the user takes the Show algorithm output Σ as the user _ token, and sends it to the IdP together with the authentication method amr — pbca.
d) After receiving the message sent by the user, the IdP checks whether or not the amr is within the limited range of the amr _ values that can be accepted by the IdP, if the range is exceeded, the IdP determines that the authentication fails, otherwise, the following steps are performed: if amr ═ pbcs, ShowVerify (sk, uid, n) is performedIΣ), execution continues only when the algorithm returns to 1. If amr ═ pbca, perform ShowVerify (sk,. quadrature.n)IΣ), execution continues only when the algorithm returns to 1, and a uid is randomly generated as the user's identifier while execution continues.
e) The user, RP and IdP then continue to operate as specified by the OpenID Connect standard.
Embodiment 4. Specific construction of an efficient unified identity authentication system with a pseudonym mechanism
This embodiment aims to provide a specific construction of a unified identity authentication system that is efficient and can provide a pseudonym mechanism. The advantage of the pseudonym mechanism is that it provides linkable privacy-preserving authentication: a user can authenticate several times under the same pseudonym, while the SP can associate a pseudonym neither with the user's real identity nor with other pseudonyms used by the same user, i.e., user-controllable (un)linkability. In this embodiment, the password-based credential of embodiment 3 is instantiated with the scheme of embodiment 2. For brevity, the steps described in the previous embodiment are omitted, and only the pseudonym creation and storage mechanism obtained by applying embodiment 2 is described:
1) Establishing a pseudonym: when the password-based anonymous credential construction of embodiment 2 is employed, the user sends, in the login stage of embodiment 3, a special token with Σ = (T, π) representing a "set up pseudonym" operation, after which the IdP stores T as the user's pseudonym. When the IdP presents the user identity to the RP, T is used as the user's identity identifier.
2) Reusing a pseudonym: the user can reuse the random number a to generate the same T and thereby reuse the pseudonym registered in step 1). For this, the user needs to store a securely. To reduce storage overhead, a pseudo-random function PRF_K(·), where K is a secret key, is used to derive a, e.g. a = PRF_K(uid || ID_IdP || ID_RP), where ID_IdP and ID_RP are the identities of the IdP and the RP, respectively. The pseudo-random function may be implemented in secure hardware or in a cryptographic white-box.
3) When secure hardware is employed, the password-based credential may also be stored and protected by the hardware, which further increases the security of the credential.
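As an added, self-contained example (not code from the patent), the following instantiates the password encryption scheme PE of embodiment 2 together with the PRF-derived pseudonym of this embodiment, and checks that a password change needs no interaction with the IdP and that the same (IdP, RP) pair yields the same T while a different RP yields a different one. Assumed choices: the group is secp256k1, H_2 is SHA-256 mapped to a scalar multiple of the base point, PRF_K is HMAC-SHA256, the issuer's MAC σ is replaced by a constructed group element, and the proofs π_2/π_3 (defined in figures not reproduced here) are omitted; all function names are hypothetical.

```python
import hashlib
import hmac

# secp256k1 (standard curve) y^2 = x^3 + 7 over F_P with base point G of prime
# order N; it plays the role of the prime-order group from Setup(1^λ).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity: the group identity, written "1" on the page

def add(p1, p2):  # affine point addition, i.e. the group operation "·"
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return INF
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # scalar multiplication k·pt, the page's exponentiation pt^k
    r = INF
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def neg(pt):  # inverse element pt^{-1}
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def hash_to_group(label, data):  # assumed H_2: hash to a scalar, then scalar·G
    h = int.from_bytes(hashlib.sha256(label + data).digest(), "big") % N
    return mul(h or 1, G)

def pe_enc(pw, m):  # PE.Enc: C <- M · H_2(pw)
    return add(m, hash_to_group(b"H2", pw.encode()))

def pe_dec(pw, c):  # PE.Dec: M <- C · H_2(pw)^{-1}
    return add(c, neg(hash_to_group(b"H2", pw.encode())))

def change_password(old_pw, new_pw, enc_cred):  # local re-encryption; IdP not involved
    return pe_enc(new_pw, pe_dec(old_pw, enc_cred))

def pseudonym_exponent(k, uid, id_idp, id_rp):  # a = PRF_K(uid||ID_IdP||ID_RP), HMAC as PRF
    msg = b"|".join(s.encode() for s in (uid, id_idp, id_rp))
    return int.from_bytes(hmac.new(k, msg, hashlib.sha256).digest(), "big") % N or 1

def show_pseudonym(sigma, a):  # T <- σ^a, the pseudonym part of Show_MAC (π omitted)
    return mul(a, sigma)

def demo():
    sigma = mul(123456789, G)          # constructed stand-in for the issuer's MAC σ
    k = b"constructed-demo-prf-key"    # user-held PRF key (e.g. kept in secure hardware)
    enc = change_password("correct horse", "battery staple", pe_enc("correct horse", sigma))
    t1 = show_pseudonym(sigma, pseudonym_exponent(k, "alice", "idp.example", "rp-a"))
    t2 = show_pseudonym(sigma, pseudonym_exponent(k, "alice", "idp.example", "rp-a"))
    t3 = show_pseudonym(sigma, pseudonym_exponent(k, "alice", "idp.example", "rp-b"))
    return {"dec_ok": pe_dec("battery staple", enc) == sigma,
            "wrong_pw_fails": pe_dec("hunter2", enc) != sigma,
            "pseudonym_reused": t1 == t2, "pseudonym_unlinkable": t1 != t3}
```

Note that a wrong password yields a well-formed but different group element, which is why the scheme relies on the verifier's secret key rather than on the ciphertext to detect a bad guess.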
The above embodiments are only intended to illustrate the technical solution of the present invention and not to limit the same, and a person skilled in the art can modify the technical solution of the present invention or substitute the same without departing from the spirit and scope of the present invention, and the scope of the present invention should be determined by the claims.

Claims (5)

1. A unified identity authentication method providing user-friendly strong authentication and anonymous authentication, comprising the steps of:
1) the user side encrypts the credential with the password to obtain and store a password-based credential;
2) the user side uses the password-based credential to perform strong authentication or anonymous authentication with the verification side;
the user side can update the password encrypting the credential at any time, and the update does not interact with the verification side; the verification side does not store the user side's credential, so as to avoid the risk of data leakage caused by centralized credential storage;
wherein in step 1) the password-based credential is obtained by calling an algebraic message authentication code scheme and a password encryption scheme; step 1) comprises 6 algorithms: system establishment, key generation, credential issuance, credential acquisition, presentation generation, and presentation verification, denoted Setup, KeyGen, Issue, Obtain, Show and ShowVerify respectively, where:
Setup(1^λ): input a security parameter λ; the Setup algorithm selects and outputs the domain parameters according to the security parameter
Figure FDA0003369467830000011
where
Figure FDA0003369467830000012
is a cyclic group of order p, p being a prime of at least 2λ bits, and g is a generator of the group
Figure FDA0003369467830000013
defined above;
KeyGen(pp): input the public parameter pp; the KeyGen algorithm calls the Gen algorithm of the algebraic message authentication code scheme to generate a public parameter par and a private key sk, where par is publicly visible to the users participating in the scheme;
Figure FDA0003369467830000014
where uid is a user identifier and pw is a password; Obtain and Issue run interactively between the user and the credential issuer, through which the user registers and obtains the password-based credential;
Show(tag, par, uid, pw, [σ]_pw, M): tag is a label, and the presentation proof is generated in different modes according to its value; [σ]_pw is the password-encrypted credential. The Show algorithm is executed by a user who has registered a password-based credential in order to authenticate to a verifier: it computes σ ← Dec(pw, [σ]_pw), where Dec denotes the decryption algorithm, then uses uid and σ to generate a presentation proof about message M, Σ ← Show_MAC(tag, par, uid, σ, M), where Show_MAC generates the presentation proof demonstrating that the user holds a legal credential; the tag value is set according to whether the user wants to perform strong authentication or anonymous authentication;
ShowVerify(sk, uid, M, Σ): the ShowVerify algorithm is executed by a verifier that shares the private key sk with the credential issuer; its input comprises the private key sk, a user identifier uid, a message M and a presentation proof Σ about message M, where the user identity is null in the case of anonymous authentication and non-null in the case of strong authentication;
the interactive process of Obtain and Issue comprises the following steps:
a) the user sends its user identifier uid to the credential issuer;
b) the credential issuer computes H_1(uid), where H_1 is a cryptographic hash function mapping any bit string to the message space of the algebraic message authentication code scheme, then generates a credential σ ← MAC(sk, uid), where the MAC algorithm generates an algebraic message authentication code for a message M, and computes:
π_1 ← SPK_1{(sk): Verify(sk, uid, σ) = 1 ∧ (par, sk) ← Gen(pp)}
where the Verify algorithm checks whether a message authentication code σ is legal with respect to a message M and a private key sk;
finally, the credential issuer sends (σ, π_1) to the user;
c) after receiving (σ, π_1), the user computes H_1(uid) and executes VerifySPK_1((g, par, uid, σ), π_1); if 1 is returned, σ is legal, and the user then computes [σ]_pw ← Enc(pw, σ), where Enc denotes the encryption algorithm, and stores [σ]_pw; otherwise σ is not a legal credential and the user terminates the scheme;
wherein step 2) comprises:
a) the user side registers a password-based credential with the identity provider IdP and uses this credential to access multiple relying parties RP;
b) the user uses the same credential to perform strong authentication or anonymous authentication with the IdP based on a challenge-response mechanism, and thereby accesses the RP;
c) neither the IdP nor the RP needs to store user credentials centrally;
d) in the course of anonymous authentication, neither the IdP nor the RP can obtain the user's identity, nor collect user privacy with the help of the authenticated user's identity.
2. The method of claim 1, wherein the password-based credential is stored on a generic device, without the credential needing to be protected by a dedicated device.
3. The method of claim 1, wherein step 2) combines the password-encrypted credential with a standard unified identity authentication protocol to achieve strong authentication or anonymous authentication.
4. The method of claim 1, wherein the user side registers and reuses a pseudonym at the RP based on a cryptographic white-box or secure hardware, so as to achieve user-controlled linkability, i.e., the user can choose whether to reuse a pseudonym for authentication.
5. A unified identity authentication system providing user-friendly strong authentication and anonymous authentication using the method of any one of claims 1 to 4, comprising a user side and a verification side; the user side encrypts the credential with the password to obtain and store a password-based credential; the user side performs strong authentication or anonymous authentication with the verification side using the password-based credential.
CN201910086040.5A 2019-01-29 2019-01-29 Unified identity authentication method and system for providing user-friendly strong authentication and anonymous authentication Active CN111490967B (en)

Publications (2)

Publication Number Publication Date
CN111490967A CN111490967A (en) 2020-08-04
CN111490967B true CN111490967B (en) 2022-02-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant