CN112671544A - System and method for managing message authentication key - Google Patents

Publication number: CN112671544A
Authority: CN (China)
Prior art keywords: key, public key, terminal, certificate, root
Legal status: Granted
Application number: CN202011614135.9A
Other languages: Chinese (zh)
Other versions: CN112671544B (en)
Inventors: 刘婷, 陈潇, 万红霞, 杨光, 巩应奎, 袁洪
Current Assignee: Aerospace Information Research Institute of CAS
Original Assignee: Aerospace Information Research Institute of CAS

Abstract

The invention relates to the technical field of satellite navigation and provides a system and a method for managing message authentication keys. The system comprises a first terminal, a second terminal and a third terminal. The first terminal is used for generating a one-way key chain and a public-key key pair comprising a private key and the corresponding public key, digitally signing the root key of the one-way key chain with the private key to obtain a root key digital signature, and sending the one-way key chain, the root key digital signature and the related information of the public key certificate to the second terminal. The second terminal is used for arranging the one-way key chain, the root key digital signature and the related information of the public key certificate in a message and sending the message to the third terminal. The third terminal is used for verifying the authenticity of the public key, of the root key digital signature and of the subsequent keys of the one-way key chain. By adding message integrity protection, signal source identity authentication and similar measures, the method provides users with a more secure navigation service that resists spoofing attacks.

Description

System and method for managing message authentication key
Technical Field
The invention relates to the technical field of satellite navigation, and in particular to a system and a method for managing message authentication keys.
Background
The Satellite-Based Augmentation System (SBAS) is a wide-area differential system that uses geostationary earth orbit (GEO) satellites as the communication medium to provide Global Navigation Satellite System (GNSS) differential corrections and integrity data, with the aim of better meeting navigation system requirements from the en-route flight phase to the vertically guided precision approach phase. Because the SBAS signal format is open, receivers are easily exposed to spoofing interference, and receiver navigation security draws particular attention in high-integrity applications such as civil aviation.
At present, given the information-enhancement nature of navigation systems (whether GNSS or SBAS), most existing attacks tamper with the message in order to deceive the receiver.
Disclosure of Invention
The invention provides a message authentication key management system and a message authentication key management method, which solve the prior-art problem that a receiver can be deceived by tampering with a message.
The invention provides a message authentication key management system, comprising: a first terminal, a second terminal and a third terminal;
the first terminal is configured to generate a one-way key chain and a public-key key pair, the key pair comprising a private key and a corresponding public key, where a third-party certification authority generates the public key certificate corresponding to the public key; to digitally sign the root key of the one-way key chain with the private key to obtain a root key digital signature; and to send the one-way key chain, the root key digital signature and the related information of the public key certificate to the second terminal;
the second terminal is configured to arrange the one-way key chain, the root key digital signature and the related information of the public key certificate in a message and to send the message to the third terminal;
and the third terminal is configured to verify the authenticity of the public key using a pre-stored public key of the certification authority, to verify the root key digital signature using the verified public key in order to judge the authenticity of the root key, and to verify the authenticity of the subsequent keys of the one-way key chain based on the authentic root key.
According to the message authentication key management system provided by the invention, the first terminal adopts the pseudo-random number generator to generate the seed key, and the seed key sequentially generates the one-way key chain through SM3 hash operation.
According to the message authentication key management system provided by the invention, the first terminal is further used for performing truncation operation on each key in the generated unidirectional key chain.
According to the message authentication key management system provided by the invention, the third terminal uses the weak collision resistance of the SM3 operation, the one-way key chain generation algorithm, to verify the authenticity of each key of the one-way key chain.
According to the message authentication key management system provided by the invention, the first terminal is further used for sequentially issuing the keys of the one-way key chain at preset time intervals, and delaying the issuance of the keys relative to the message verification code generated by the corresponding key in the one-way key chain.
According to the message authentication key management system provided by the invention, the first terminal is further used for updating the unidirectional key chain and broadcasting the identifier of the current unidirectional key chain and the corresponding root key digital signature through a space signal.
According to the message authentication key management system provided by the invention, the related information of the public key certificate is the public key certificate.
According to the message authentication key management system provided by the invention, the related information of the public key certificate is the certificate identification of the currently used public key certificate, and at least one public key certificate is arranged in the third terminal.
According to the message authentication key management system provided by the invention, the first terminal includes: a control center unit and a public key management unit;
the public key management unit is used for sending a downloading instruction of a public key certificate issuing request to the control center unit, verifying the validity of the public key certificate issuing request and the equipment identity of the control center unit after receiving the public key certificate issuing request, sending the public key certificate issuing request to the third-party certification authority after verification, receiving a public key certificate issued by the third-party certification authority and loading the public key certificate to the control center unit;
the control center unit is used for generating the private key and the public key after receiving a downloading instruction, storing the private key, generating a public key certificate issuing request according to the public key and the identity information of the control center unit, sending the public key certificate issuing request to the public key management unit, and verifying and storing the public key certificate after receiving the loaded public key certificate.
The invention also provides a message authentication key management method based on any one of the message authentication key management systems, which comprises the following steps:
S1: the first terminal generates a one-way key chain and a public-key key pair, the key pair comprising a private key and a corresponding public key, where a third-party certification authority generates the public key certificate corresponding to the public key, and the private key is used to digitally sign the root key of the one-way key chain to obtain a root key digital signature;
S2: the first terminal sends the one-way key chain, the root key digital signature and the related information of the public key certificate to the second terminal;
S3: the second terminal arranges the one-way key chain, the root key digital signature and the related information of the public key certificate in a message and sends the message to the third terminal;
S4: the third terminal verifies the authenticity of the public key using a pre-stored public key of the certification authority, verifies the root key digital signature using the verified public key in order to judge the authenticity of the root key, and verifies the authenticity of the subsequent keys of the one-way key chain based on the authentic root key.
In the message authentication key management system provided by the invention, a one-way key chain, a private key and a corresponding public key are generated at the first terminal, and the private key is used to sign the root key of the one-way key chain. The second terminal arranges the root key digital signature and the public key certificate in a message and sends it to the third terminal. The third terminal verifies the public key certificate using a preset public key of the certification authority, uses the public key to verify the root key digital signature once the certificate has been verified in order to judge the authenticity of the root key, and verifies the authenticity of the subsequent keys of the one-way key chain based on the authentic root key. By adding message integrity protection, signal source identity authentication and similar measures, the system provides users with a more secure navigation service that resists spoofing attacks, prevents the message from being tampered with in transit, and prevents the third terminal from being deceived.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic diagram of a message authentication key management system according to the present invention;
FIG. 2 schematically illustrates an SBAS message authentication one-way keychain generation algorithm in an embodiment of the disclosure;
FIG. 3 schematically illustrates a public key certificate management flow diagram for SBAS message authentication in an embodiment of the present disclosure;
FIG. 4 schematically illustrates the structure of an SBAS L5 signal message data block in an embodiment of the present disclosure;
FIG. 5 schematically illustrates SBAS authentication enhancement signal generation in an embodiment of the present disclosure;
FIG. 6 is a flowchart of the message authentication key management method provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The message authentication key management system of the present invention is described below with reference to FIG. 1 to FIG. 5. The system can be applied to, but is not limited to, an SBAS system, and can also be applied to a GNSS system. This embodiment takes an SBAS system as an example. The SBAS system includes a ground control center, a GEO satellite and a user receiver; as shown in FIG. 1, the first terminal 1 corresponds to the SBAS ground control center, the second terminal 2 corresponds to the GEO satellite, and the third terminal 3 corresponds to the user receiver.
The first terminal 1 is configured to generate a one-way key chain K_0, K_1, ..., K_N and a public-key key pair, where K_0 is the root key and the key pair comprises a private key K_pri and a corresponding public key K_pub. A third-party certification authority generates the public key certificate C_pub corresponding to the public key K_pub. The first terminal 1 uses the private key K_pri to digitally sign the root key K_0 of the one-way key chain to obtain the root key digital signature SIG_Rkey, and sends the one-way key chain K_0, K_1, ..., K_N, the root key digital signature SIG_Rkey and the related information of the public key certificate to the second terminal 2. K_i is also called a shared key, where i is an integer greater than zero and less than or equal to N. In the SBAS system, the first terminal 1 code-modulates the one-way key chain K_0, K_1, ..., K_N, the root key digital signature SIG_Rkey and the public key certificate C_pub corresponding to the public key K_pub to generate an uplink signal to the second terminal 2.
The second terminal 2 is configured to arrange the one-way key chain K_0, K_1, ..., K_N, the root key digital signature SIG_Rkey and the related information of the public key certificate in a message, and to send the message to the third terminal 3.
The third terminal 3 is configured to use a pre-stored public key of the certification authority to verify the authenticity of the public key K_pub; specifically, it uses the certification authority public key to verify the digital signature in the public key certificate C_pub. It then uses the verified public key K_pub to verify the root key digital signature SIG_Rkey; if the signature verification passes, the corresponding root key K_0 is authentic. The authenticity of the subsequent keys K_1, ..., K_N of the one-way key chain is then verified based on the authentic root key.
In the message authentication key management system provided by the invention, the first terminal 1 generates the one-way key chain K_0, K_1, ..., K_N, the private key K_pri and the corresponding public key K_pub, and uses the private key K_pri to sign the root key K_0 of the one-way key chain. The one-way key chain K_0, K_1, ..., K_N, the root key digital signature SIG_Rkey and the public key certificate C_pub corresponding to the public key K_pub are arranged in a message by the second terminal 2 and then sent to the third terminal 3. The third terminal 3 verifies the public key certificate C_pub using the preset public key of the certification authority, and once that verification has passed it uses the public key K_pub to verify the root key digital signature SIG_Rkey and verifies the authenticity of the one-way key chain K_0, K_1, ..., K_N. By adding message integrity protection, signal source identity authentication and similar measures, the system provides users with a more secure navigation service that resists spoofing attacks, prevents the message from being tampered with in transit, and prevents the third terminal 3 from being deceived.
As shown in FIG. 2, in the present invention the first terminal 1 uses a pseudo-random number generator to generate a seed key, and the one-way key chain is generated from the seed key by successive SM3 hash operations. Specifically, based on the TESLA (Timed Efficient Stream Loss-tolerant Authentication) protocol, the first terminal 1 generates a seed key with a pseudo-random number generator, and the keys K_N, ..., K_1, K_0 are generated in sequence from the seed key by SM3 hash operations.
With current computing power, a key K_i of 80 to 128 bits is sufficient to meet security requirements for several years of use. Therefore, during generation of the one-way key chain, the output of the SM3 cryptographic hash algorithm is truncated to obtain key material of the required length; the truncation length differs between SBAS and GNSS systems.
Since the one-way key chain is generated using SM3, the third terminal 3 uses the weak collision resistance of the SM3 operation, the one-way key chain generation algorithm, to verify the authenticity of each key K_i of the one-way key chain.
The first terminal 1 is further configured to release the keys K_i of the one-way key chain K_0, K_1, ..., K_N sequentially at preset time intervals, and to release each key K_i with a delay relative to the message verification code generated with that key, thereby constructing an asymmetric authentication mechanism that meets the requirements of SBAS broadcast communication authentication.
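The key chain generation, truncation, delayed key release and receiver-side verification described above can be sketched as follows. This is an added example, not code from the patent; it assumes a 128-bit truncation length, HMAC as the message verification code, a constructed one-second key interval with a one-interval release delay, a root key K_0 already verified through SIG_Rkey, and it falls back to SHA-256 as a stand-in when the local OpenSSL build lacks SM3.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16     # assumed truncation length: 128 bits (the page allows 80 to 128)
INTERVAL = 1.0   # assumed key interval in seconds (constructed value)
DELAY = 1        # assumed release delay, counted in intervals (constructed value)
MAX_SKIP = 64    # assumed bound on how many chain steps a receiver will walk

try:             # use SM3 when the local OpenSSL build provides it
    hashlib.new("sm3")
    HASH = "sm3"
except ValueError:
    HASH = "sha256"  # stand-in only, so the example still runs without SM3


def step(key):
    """One chain step: K_{i-1} = truncate(H(K_i))."""
    return hashlib.new(HASH, key).digest()[:KEY_LEN]


def generate_chain(n, seed=None):
    """Sender side: return [K_0, ..., K_N], generated in the order K_N ... K_0."""
    seed = secrets.token_bytes(32) if seed is None else seed
    chain = [step(seed)]               # K_N
    for _ in range(n):
        chain.append(step(chain[-1]))  # K_{N-1}, ..., K_0
    chain.reverse()
    return chain


def tag(key, message):
    """Message verification code under K_i (HMAC is an assumption)."""
    return hmac.new(key, message, HASH).digest()


def disclosure_time(i):
    """Earliest time at which K_i is released by the sender."""
    return (i + DELAY) * INTERVAL


class Receiver:
    """Third-terminal logic: buffer messages, authenticate them once K_i arrives."""

    def __init__(self, root_key):
        self.trusted_index = 0
        self.trusted_key = root_key  # K_0, assumed verified via SIG_Rkey
        self.pending = {}            # interval index -> [(message, mac), ...]

    def on_message(self, i, message, mac, rx_time):
        """Buffer a message only if K_i cannot have been released yet."""
        if rx_time >= disclosure_time(i):
            return False             # key may already be public: MAC proves nothing
        self.pending.setdefault(i, []).append((message, mac))
        return True

    def on_key(self, i, key):
        """Verify released K_i against the last trusted key; return the
        buffered messages that authenticate, including intervals whose key
        release was lost."""
        gap = i - self.trusted_index
        if not 0 < gap <= MAX_SKIP:
            return []
        derived = {i: key}
        k = key
        for j in range(i - 1, self.trusted_index - 1, -1):
            k = step(k)
            derived[j] = k
        if not hmac.compare_digest(derived[self.trusted_index], self.trusted_key):
            return []                # key does not hash back to the trusted key
        accepted = []
        for j in range(self.trusted_index + 1, i + 1):
            for message, mac in self.pending.pop(j, []):
                if hmac.compare_digest(mac, tag(derived[j], message)):
                    accepted.append(message)
        self.trusted_index, self.trusted_key = i, key
        return accepted
```

Because each key hashes back to an earlier one, a receiver that misses the release of K_2 can still authenticate interval 2 once K_3 arrives, which is the loss tolerance the TESLA construction provides.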
The first terminal 1 is also configured to update the one-way key chain K_0, K_1, ..., K_N and to broadcast the identifier of the current one-way key chain and the corresponding root key digital signature SIG_Rkey through the signal in space. The one-way key chain is updated at certain time intervals, which further improves system security.
In the invention, the public-key key pair is generated with the key pair generation algorithm of the SM2 elliptic curve public key cryptographic algorithm, a Chinese commercial cryptography standard. The private key K_pri is also called the signature key: the first terminal 1 uses the private key K_pri and the digital signature algorithm of the SM2 elliptic curve public key cryptographic algorithm to digitally sign the root key K_0, generating the root key digital signature SIG_Rkey. The private key may be held only by the first terminal 1 and must be kept secret. The public key K_pub is also called the verification key and is used by the third terminal 3 to verify the root key digital signature SIG_Rkey.
In the invention, the related information of the public key certificate can be the public key certificate itself. In that case the first terminal 1 sends the public key certificate to the second terminal 2 together with the one-way key chain and the root key digital signature through the SBAS uplink signal in space, and the second terminal 2 generates the message and sends it to the third terminal 3.
In the invention, the related information of the public key certificate can also be the certificate identifier of the currently used public key certificate. In that case the first terminal 1 sends the certificate identifier to the second terminal 2 together with the one-way key chain and the root key digital signature through the SBAS uplink signal in space, and the second terminal 2 generates the message and sends it to the third terminal 3. At least one public key certificate is built into the third terminal 3; specifically, one or more public key certificates are embedded in the third terminal 3 offline when it leaves the factory. The private key K_pri is updated infrequently, but certificate key updates and certificate updates may still occur, so several public key certificates are built into the third terminal 3 to ensure that their number and validity periods cover the whole life cycle of the third terminal 3. The first terminal 1 broadcasts the currently valid certificate identifier in the uplink signal in space. Preferably, a public key certificate update flag bit is set in the uplink signal in space to tell the third terminal 3 whether the public key certificate needs to be updated; if so, the third terminal 3 selects the public key certificate corresponding to the current certificate identifier. Specifically, the certification authority public key of the third-party certification authority 4 is built into the user receiver offline when the receiver leaves the factory.
To ensure the authenticity of the public key K_pub, the first terminal 1 requests the third-party certification authority 4 to generate the public key certificate C_pub, that is, the public key certificate C_pub is issued by a trusted third-party certification authority 4. The public key certificate C_pub is essentially the public key K_pub with a digital signature added: the certificate contains the public key K_pub, the digital signature that the third-party certification authority 4 applies to the public key K_pub with its own private key, and an Identity.
Fig. 3 schematically shows a management flow of public key cryptography, and the first terminal 1 includes: a control center unit 11 and a public key management unit 12.
The public key management unit 12 is configured to send a download instruction of a public key certificate issuing request to the control center unit 11, verify the identity of the control center unit 11 after receiving the public key certificate issuing request, send the public key certificate issuing request to the third-party certification authority 4 after verification, receive a public key certificate issued by the third-party certification authority 4, and load the public key certificate to the control center unit 11.
The control center unit 11 is configured to generate a private key and a public key after receiving the download instruction, store the private key, generate a public key certificate issuance request according to the public key and the identity information of the control center unit, send the public key certificate issuance request to the public key management unit 12, and verify and store the public key certificate after receiving the loaded public key certificate.
In the SBAS system, the SBAS authentication service provider is divided by function and role into a control center unit 11 (also referred to as the ground control center device) and a public key management unit 12 (also referred to as the device originator). The ground control center device is responsible for generating the enhancement information, generating keys, and generating and processing the authentication information. The device originator represents the SBAS authentication service provider and is responsible for vouching for the identity of the ground control center device, requesting a public key certificate on behalf of the device, managing the certificate life cycle on behalf of the device, and verifying the identity of the device during registration; the device originator is generally granted a public key certificate of its own. The third-party certification authority 4 is responsible for verifying identity, approving certificate issuance requests, and generating and issuing public key certificates.
The complete public key management process is as follows:
(1) Initiate download of a public key certificate issuance request (CSR): the device originator generates a work order to initiate the download of the CSR;
(2) Generate the public-key key pair: the SBAS ground control center device generates the private key K_pri and the corresponding public key K_pub;
(3) Securely store the private key: the SBAS ground control center device stores the private key K_pri in a secure manner to protect it against unauthorized disclosure or modification, for example by storing it in non-volatile memory;
(4) Generate the CSR: the SBAS ground control center generates the CSR, which includes the ground control center device identity information Identity and the public key K_pub. The CSR is generated in PKCS #10 format, and before the device originator verifies the CSR, the private key K_pri is used to digitally sign the CSR to obtain the signature SIG_CSR;
(5) Verify the CSR: the device originator verifies whether the CSR is valid for the device, including checking the validity of the CSR fields. If the CSR is valid, the process continues with the next step;
(6) Verify identity information: the device originator verifies the device identity according to a certificate policy and, if it is valid, uses the device originator's own private key to digitally sign the device identity information Identity to obtain a signature, and forwards the CSR, SIG_CSR and that signature to the third-party certification authority;
(7) Approve the CSR: the third-party certification authority verifies the correctness of the device identity information and approves or denies the certificate request. It first verifies the device originator's certificate to ensure that the originator is authorized to make the request, which prevents attacks that impersonate the device originator. It then uses the device originator's public key to verify the digital signature on the identity information, obtaining Identity', and compares Identity' with Identity; if they are consistent, the device identity information passes verification.
(8) Generate the certificate: after the CSR is received, the public key K_pub contained in the CSR is used to verify the digital signature SIG_CSR, obtaining CSR', and CSR' is compared with the CSR; if they are identical, the signature SIG_CSR was generated with the corresponding private key K_pri, that is, the applicant's ownership of the private key K_pri has been verified. If these checks succeed, the certification authority generates a certificate containing the device Identity and the public key K_pub, and the certificate is digitally signed by the third-party certification authority.
(9) Issue the certificate: the certificate is returned to the requestor in one of three formats: Privacy Enhanced Mail (PEM) according to RFC 7468, Distinguished Encoding Rules (DER) according to ITU-T X.690, or Public-Key Cryptography Standards #7 (PKCS #7) according to RFC 2315.
(10) Load the certificate: the organization responsible for the device loads the certificate into the device. This process may be manual or automatic. At the same time, the certification authority stores the certificate in a repository.
(11) Verify the certificate: after loading, the device verifies the certificate to check that the public key contained in the certificate matches the private key.
(12) Store the certificate: if the certificate verification is successful, the ground control center device stores the certificate.
In the SBAS system, the second terminal 2 receives the uplink signal, demodulates key data such as the shared key K_i, the root key digital signature SIG_Rkey and the public key certificate C_pub, arranges the key data in a preset SBAS L5 message data block, encodes it to generate an authentication enhancement message, and then modulates the authentication enhancement message to generate an authentication enhancement signal. At time t, the second terminal 2 transmits the authentication enhancement signal to the third terminal 3.
In particular, the second terminal 2 (i.e. the GEO satellite) first demodulates the uplink signal and recovers key data such as the shared key K_i, the root key digital signature SIG_Rkey and the public key certificate C_pub.
Then, the key data is arranged in a preset SBAS L5 message data block and encoded together with the SBAS enhancement data to generate an authentication enhancement message. The enhancement data is arranged in the SBAS L5-I branch, and the data block format follows the definition in the SBAS L5 DFMC ICD: each data block is 250 bits long and the broadcast period is 1 second. The structure of the data block is shown in FIG. 4: the first 10 bits are the message preamble and the message type identifier, the last 24 bits are cyclic redundancy check bits, and the remaining 216 bits are data bits that carry the enhancement data; the arrangement of the data bits follows the enhancement message data formats defined in the SBAS L5 DFMC ICD. The shared key K_i, the root key digital signature SIG_Rkey and the public key certificate C_pub are arranged in the SBAS L5-Q branch, whose data block format is the same as that of the SBAS L5-I branch. Its 216 data bits are used to transmit key data such as the shared key K_i, the root key digital signature SIG_Rkey and the public key certificate C_pub, and a message authentication code used to authenticate the enhancement message also needs to be transmitted; the specific data bit format is not specifically limited in the embodiment of the present invention.
Finally, the enhancement data and the authentication data are modulated to generate the authentication enhancement signal. The signal generation process is shown in FIG. 5: the signal is generated by modulating an I branch and a Q branch together. In this embodiment, for the I branch the m-th enhancement message data is multiplied by the 10.23 Mcps pseudo code C_L5_I, and the resulting combined data stream BPSK-modulates the L5 in-phase carrier; for the Q branch the m-th authentication message data is multiplied by the 10.23 Mcps pseudo code C_L5_Q, and the resulting combined data stream BPSK-modulates the L5 quadrature carrier. In this embodiment, the options for the power ratio of the I branch to the Q branch include 1:1, 2:1, 3:1 and 4:1. The GEO satellite transmits the authentication enhancement signal to the user terminal device at time t.
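The 250-bit data block layout described above (10 header bits, 216 data bits, 24 check bits) can be packed and checked as follows. This is an added example, not code from the patent; the 4-bit preamble / 6-bit message type split of the header, the CRC-24Q generator and the coverage of the check bits are assumptions not stated on this page, and the payload bytes are constructed.

```python
PREAMBLE_BITS = 4   # assumed split of the 10 header bits
TYPE_BITS = 6       # assumed split of the 10 header bits
DATA_BITS = 216     # from the page
CRC_BITS = 24       # from the page
BODY_BITS = PREAMBLE_BITS + TYPE_BITS + DATA_BITS   # 226 bits covered by the CRC
BLOCK_BITS = BODY_BITS + CRC_BITS                   # 250 bits per block
CRC24Q_POLY = 0x1864CFB                             # assumed generator (CRC-24Q)


def crc24q(value, nbits):
    """Bitwise CRC-24Q over an nbits-wide integer, most significant bit first."""
    crc = 0
    for i in range(nbits - 1, -1, -1):
        crc ^= ((value >> i) & 1) << 23
        crc <<= 1
        if crc & 0x1000000:
            crc ^= CRC24Q_POLY
    return crc & 0xFFFFFF


def build_block(preamble, msg_type, data):
    """Pack header, 27 data bytes and CRC into one 250-bit integer."""
    if len(data) * 8 != DATA_BITS:
        raise ValueError("data field must be exactly 216 bits")
    if not (0 <= preamble < 1 << PREAMBLE_BITS and 0 <= msg_type < 1 << TYPE_BITS):
        raise ValueError("header field out of range")
    header = (preamble << TYPE_BITS) | msg_type
    body = (header << DATA_BITS) | int.from_bytes(data, "big")
    return (body << CRC_BITS) | crc24q(body, BODY_BITS)


def parse_block(block):
    """Return (preamble, msg_type, data) or raise ValueError on a bad block."""
    if block < 0 or block >> BLOCK_BITS:
        raise ValueError("block is not 250 bits")
    body, crc = block >> CRC_BITS, block & 0xFFFFFF
    if crc24q(body, BODY_BITS) != crc:
        raise ValueError("CRC mismatch")
    header = body >> DATA_BITS
    data = (body & ((1 << DATA_BITS) - 1)).to_bytes(DATA_BITS // 8, "big")
    return header >> TYPE_BITS, header & ((1 << TYPE_BITS) - 1), data
```

A block rebuilt around different data passes this check, because the check bits only detect transmission errors; authenticity comes from the message authentication code and key chain carried on the Q branch.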
The third terminal 3 receives the authentication enhancement signal at time t + Δt, extracts the key data from it, and completes the authenticity verification of the public key K_pub, the verification of the root key digital signature, and the authenticity verification of the shared key K_i.
At time t + Δt, the user receiver receives the authentication enhancement signal and extracts from it the shared key K_i, the root key digital signature SIG_Rkey and the public key certificate C_pub. It first verifies the public key K_pub contained in the public key certificate C_pub. The specific verification method is as follows: the public key of the certification authority is pre-stored in the user receiver, and the receiver uses this certification authority public key to verify the digital signature in the certificate C_pub; if the verification succeeds, the validity of the public key K_pub is confirmed.
After the public key K_pub has been verified, the verified public key K_pub is used to verify the received root key digital signature SIG_Rkey; if the signature verification passes, the corresponding root key K_0 is authentic.
Subsequently, the authenticity of the shared key K_i is verified based on the weak collision resistance of the SM3 operation, the key chain generation algorithm.
The following describes the message authentication key management method provided by the present invention; the method described below and the message authentication key management system described above may be read in correspondence with each other. As shown in FIG. 6, the method includes:
Step S1: the first terminal generates a one-way key chain and a public key password, wherein the public key password comprises a private key and a corresponding public key; a third-party certification authority generates the public key certificate corresponding to the public key, and the private key is used to digitally sign the root key of the one-way key chain to obtain a root key digital signature;
Step S2: the first terminal sends the related information of the one-way key chain, the root key digital signature and the public key certificate to the second terminal;
Step S3: the second terminal arranges the related information of the one-way key chain, the root key digital signature and the public key certificate in a message and sends the message to the third terminal;
Step S4: the third terminal verifies the authenticity of the public key using a pre-stored public key of the certification authority, verifies the root key digital signature using the verified public key to judge the authenticity of the root key, and verifies the authenticity of the subsequent keys of the one-way key chain based on the authentic root key.
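The last part of step S4 (the SM3-based check of each disclosed key K_i against the authenticated root key K_0, as also described for the user receiver above) can be sketched as follows; this is an added example, not code from the patent. It assumes K_(i-1) = H(K_i) with K_0 generated last, a 16-byte truncation length, and that certificate and root-signature verification have already succeeded; it uses SM3 when the local OpenSSL build offers it and otherwise SHA-256 as a stand-in, and `make_chain`, `ChainVerifier` and `max_gap` are hypothetical names.

```python
import hashlib
import hmac
import os

KEY_LEN = 16   # assumed truncated key length in bytes (not fixed by the patent)
try:
    hashlib.new("sm3")
    HASH = "sm3"               # SM3, when the local OpenSSL build offers it
except ValueError:
    HASH = "sha256"            # stand-in so the example still runs; NOT SM3

def h(key: bytes) -> bytes:
    """One chain step: hash the key, then truncate the digest."""
    return hashlib.new(HASH, key).digest()[:KEY_LEN]

def make_chain(seed: bytes, n: int) -> list:
    """First terminal: derive K_(i-1) = h(K_i) from the seed K_n down to K_0."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    chain.reverse()            # chain[0] is the root key K_0, chain[n] the seed
    return chain

class ChainVerifier:
    """Third terminal: accept K_i only if hashing it reaches a trusted key."""

    def __init__(self, root_key: bytes, max_gap: int = 64):
        # root_key is assumed to have passed certificate and signature checks
        self.anchor, self.index, self.max_gap = root_key, 0, max_gap

    def accept(self, i: int, key: bytes) -> bool:
        steps = i - self.index
        if not 0 < steps <= self.max_gap:    # stale index or implausible jump
            return False
        candidate = key
        for _ in range(steps):
            candidate = h(candidate)
        if not hmac.compare_digest(candidate, self.anchor):
            return False
        self.anchor, self.index = key, i     # later keys need fewer hashes
        return True

def demo() -> dict:
    chain = make_chain(os.urandom(KEY_LEN), 10)    # constructed sample chain
    rx = ChainVerifier(chain[0])
    return {
        "k1": rx.accept(1, chain[1]),
        "k4_after_loss": rx.accept(4, chain[4]),   # K_2 and K_3 never arrived
        "forged_k5": rx.accept(5, os.urandom(KEY_LEN)),
        "replayed_k3": rx.accept(3, chain[3]),
        "k5": rx.accept(5, chain[5]),
    }
```

A rejected key leaves the verifier's trusted anchor unchanged, so a forged K_5 does not prevent the genuine K_5 from being accepted afterwards.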
The above-described embodiments of the apparatus or system are merely illustrative, and the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A message authentication key management system, comprising: a first terminal, a second terminal and a third terminal;
the first terminal is configured to generate a one-way key chain and a public key password, wherein the public key password comprises a private key and a corresponding public key, a public key certificate corresponding to the public key being generated by a third-party certification authority; to digitally sign the root key of the one-way key chain with the private key to obtain a root key digital signature; and to send the related information of the one-way key chain, the root key digital signature and the public key certificate to the second terminal;
the second terminal is used for arranging the related information of the one-way key chain, the root key digital signature and the public key certificate in a message and sending the message to the third terminal;
and the third terminal is used for verifying the authenticity of the public key by adopting a pre-stored public key of the certification authority, performing signature verification on the digital signature of the root key by adopting the verified public key to judge the authenticity of the root key, and verifying the authenticity of the subsequent key of the one-way key chain based on the real root key.
2. The message authentication key management system of claim 1, wherein the first terminal employs a pseudo-random number generator to generate a seed key, from which the one-way key chain is generated in turn by SM3 hash operations.
3. The message authentication key management system of claim 2, wherein the first terminal is further configured to truncate each key in the generated one-way key chain.
4. The message authentication key management system of claim 2, wherein the third terminal verifies the authenticity of each key of the one-way key chain based on the weak collision resistance of the one-way key chain generation algorithm SM3.
5. The message authentication key management system according to claim 1, wherein the first terminal is further configured to issue the keys of the one-way key chain in sequence at preset time intervals, each key being issued with a delay relative to the message authentication code generated by the corresponding key in the one-way key chain.
6. The message authentication key management system of claim 1, wherein the first terminal is further configured to update the one-way key chain and to broadcast an identification of the current one-way key chain and the corresponding root key digital signature via a signal in space.
7. The message authentication key management system of claim 1, wherein the related information of the public key certificate is the public key certificate itself.
8. The message authentication key management system according to claim 1, wherein the related information of the public key certificate is a certificate identifier of the currently used public key certificate, and at least one public key certificate is embedded in the third terminal.
9. The message authentication key management system according to any one of claims 1 to 8, wherein the first terminal comprises: a control center unit and a public key management unit,
the public key management unit is used for sending a downloading instruction of a public key certificate issuing request to the control center unit, verifying the validity of the public key certificate issuing request and the equipment identity of the control center unit after receiving the public key certificate issuing request, sending the public key certificate issuing request to the third-party certification authority after verification, receiving a public key certificate issued by the third-party certification authority and loading the public key certificate to the control center unit;
the control center unit is used for generating the private key and the public key after receiving a downloading instruction, storing the private key, generating a public key certificate issuing request according to the public key and the identity information of the control center unit, sending the public key certificate issuing request to the public key management unit, and verifying and storing the public key certificate after receiving the loaded public key certificate.
10. A message authentication key management method based on the message authentication key management system according to any one of claims 1 to 9, comprising the steps of:
S1: the first terminal generates a one-way key chain and a public key password, wherein the public key password comprises a private key and a corresponding public key; a third-party certification authority generates the public key certificate corresponding to the public key, and the private key is used to digitally sign the root key of the one-way key chain to obtain a root key digital signature;
S2: the first terminal sends the related information of the one-way key chain, the root key digital signature and the public key certificate to the second terminal;
S3: the second terminal arranges the related information of the one-way key chain, the root key digital signature and the public key certificate in a message and sends the message to the third terminal;
S4: the third terminal verifies the authenticity of the public key using a pre-stored public key of the certification authority, verifies the root key digital signature using the verified public key to judge the authenticity of the root key, and verifies the authenticity of the subsequent keys of the one-way key chain based on the authentic root key.
Application number: CN202011614135.9A
Priority date: 2020-12-30
Filing date: 2020-12-30
Title: System and method for managing message authentication key
Status: Active, granted as CN112671544B (en)

Publications (2)

Publication Number, Publication Date
CN112671544A (en), 2021-04-16
CN112671544B (en), 2023-04-07

Family ID: 75411263

Country Status (1)

Country, Link
CN (1), CN112671544B (en)


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant