CN112713997B - Key agreement method and system - Google Patents


Info

Publication number
CN112713997B
Authority
CN
China
Prior art keywords
key
public key
point
temporary
elliptic curve
Legal status
Active
Application number
CN202011578115.0A
Other languages
Chinese (zh)
Other versions
CN112713997A
Inventor
王慧
郑江东
张渊
王幼君
Current Assignee
Beijing Watchdata Co ltd
Original Assignee
Beijing Watchdata Co ltd

Classifications

All within H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication), H04L9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols):

    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; H04L9/3066: involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords; H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use; H04L9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0816 (as above); H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/32: including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials; H04L9/3226: using a predetermined code, e.g. password, passphrase or PIN

Abstract

The invention discloses a key agreement system. It implements a password-authenticated key exchange protocol based on the SM2 algorithm, converting a password shared by the two parties into a shared key of higher security level and of the required length through two or three rounds of message transfer. The two communicating parties each generate a temporary private key, compute a temporary public key and a password public key, compute a combined public key from these two, and transmit the combined public key to the other party. After each side receives the other side's combined public key, it recovers the other side's temporary public key using the password, computes a common secret value from its own public-private key pair, its own temporary public-private key pair, the other side's temporary public key and the other side's public key, and derives a shared key from that value according to the agreed algorithm.

Description

Key agreement method and system
Technical Field
The invention belongs to the field of information security, and particularly relates to a key agreement method and a key agreement system.
Background
In a key exchange protocol, two communicating parties exchange messages over an insecure channel, compute a shared secret value from the messages exchanged, and derive from that secret value a shared key used for subsequent secure communication.
A common key exchange algorithm is the DH key exchange algorithm, which lets two communicating parties create a shared key over an insecure channel without any prior message from the other party. The DH flow is: each party generates a temporary public-private key pair and openly transmits its temporary public key to the other party; each party then computes the shared secret value from its own temporary private key and the temporary public key received from the other party. DH is based on the discrete logarithm problem, and the ECDH algorithm was derived analogously from the discrete logarithm problem on an elliptic curve (ECC); the flow of ECDH is identical to that of DH. However, both DH and ECDH lack authentication and therefore cannot resist man-in-the-middle attacks. In practice, DH and ECDH must be combined with a signature algorithm, which provides the identity authentication.
Password-based key exchange algorithms solve the identity authentication problem to a certain extent. The SPAKE2 algorithm is a symmetric password-authenticated key exchange protocol: two parties holding a common password obtain a shared key of greater security strength through two or three message transmissions. In this protocol the two users derive, through interactive message transmission and the password, a secret value known only to them, and construct a shared key from that secret value. SPAKE2 is essentially the DH algorithm with a password authentication component added.
Password-authenticated key exchange has very broad application prospects in the internet of things, for example for establishing a secure channel when a digital car key is paired with a vehicle for the first time in the internet of vehicles. In real life there are very many situations that require a more secure communication channel to be established from a simple password, but existing password-authenticated key exchange suffers from low security strength and cannot resist password guessing attacks.
The SM2 cryptographic algorithm key exchange protocol is suitable for key exchange in commercial cryptographic applications; it lets two communicating parties obtain a shared key determined by both of them through two or three message transfers. The SM2 key exchange protocol likewise requires the two parties to transmit temporary public keys to each other; each party then computes a secret value known only to the two of them from its own private key, its own temporary public-private key pair, the other party's public key and the other party's temporary public key, and derives the shared key from that secret value. The shared key is typically used with a symmetric cryptographic algorithm, and the protocol may be used for key management and negotiation. The SM2 key exchange protocol as it stands, however, is not suitable for password-authenticated key agreement scenarios.
Disclosure of Invention
Aiming at the problem that password-authenticated key exchange protocols in the prior art cannot resist password guessing attacks, the invention provides a key negotiation method and a key negotiation system, based on the SM2 algorithm, that improve the security strength of password-authenticated key exchange.
The first technical proposal is a key agreement system, characterized in that two communicating parties negotiate a shared key by transmitting information to each other,
communication party A includes the following modules: a 1st private key generation module (11), a 1st public key generation module (12), a 1st combined public key generation module (13), a 1st information recovery module (14) and a 1st shared key generation module (15);
communication party B includes the following modules: a 2nd private key generation module (21), a 2nd public key generation module (22), a 2nd combined public key generation module (23), a 2nd information recovery module (24) and a 2nd shared key generation module (25);
communication party A and communication party B have private keys d_A, d_B and public keys P_A, P_B respectively, and share a secret password π ∈ [1, n-1], where G is the base point of the elliptic curve with order n, h is the cofactor, and M, N are two published point parameters,
the 1st private key generation module (11) generates a random number r_A as a temporary private key,
the 1st public key generation module (12) multiplies the temporary private key r_A by the base point G to obtain R_A = [r_A]G as a temporary public key, where [ ] denotes point multiplication on the elliptic curve,
the 1st combined public key generation module (13) multiplies the secret password π by the public point M to obtain the password public key [π]M, and generates a combined public key X from the temporary public key R_A and the password public key [π]M,
the 1st information recovery module (14) receives the combined public key Y sent by communication party B, calculates communication party B's password public key [π]N, and recovers communication party B's temporary public key R_B from the combined public key Y,
the 1st shared key generation module (15) calculates, from the private key d_A, the public key P_A, its own temporary private key r_A, its own temporary public key R_A, the other party's temporary public key R_B and the other party's public key P_B, a secret value U used to generate the shared key K_A;
the 2nd private key generation module (21) generates a random number r_B as a temporary private key; the 2nd public key generation module (22) multiplies the temporary private key r_B by the base point G to obtain R_B = [r_B]G as a temporary public key,
the 2nd combined public key generation module (23) multiplies the secret password π by the public point N to obtain the password public key [π]N, and generates a combined public key Y from the temporary public key R_B and the password public key [π]N,
the 2nd information recovery module (24) receives the combined public key X sent by communication party A, calculates communication party A's password public key [π]M, and recovers communication party A's temporary public key R_A from the combined public key X,
the 2nd shared key generation module (25) calculates, from the private key d_B, the public key P_B, its own temporary private key r_B, its own temporary public key R_B, the other party's temporary public key R_A and the other party's public key P_A, a secret value V used to generate the shared key K_B.
Preferably, the 1st shared key generation module (15) generates a shared key K_A of the required length from the secret value U and the public parameters using a KDF algorithm,
and the 2nd shared key generation module (25) generates a shared key K_B of the required length from the secret value V and the public parameters using a KDF algorithm.
Preferably, communication party A and communication party B further comprise a 1st information verification module (16) and a 2nd information verification module (26), respectively,
and the 1st information verification module (16) and the 2nd information verification module (26) confirm through message transmission that the shared keys K_A and K_B generated by the two parties are the same.
Preferably, the 1st information verification module (16) and the 2nd information verification module (26) perform the verification by applying any one of a hash algorithm, a MAC algorithm and a symmetric cipher algorithm to the shared key and other information known to both parties.
A second technical solution is a key agreement method, characterized in that the two communicating parties negotiate a shared key together by transmitting information to each other; communication party A performs the following steps,
Step A1: generate a random number r_A ∈ [1, n-1],
Step A2: calculate the elliptic curve point R_A = [r_A]G = (x_1, y_1),
Step A3: calculate the elliptic curve point X = R_A + [π]M, where + is point addition on the elliptic curve; if [h]X is the point at infinity, return to step A1 and repeat the above steps until [h]X is not the point at infinity,
Step A4: send the elliptic curve point X to communication party B, and receive the elliptic curve point Y sent by communication party B,
Step A5: calculate the elliptic curve point R_B = Y - [π]N, where - is point subtraction on the elliptic curve, and verify whether R_B satisfies the elliptic curve equation; if it does not, proceed to step A13 and determine that the negotiation has failed; otherwise proceed to step A6 and continue negotiating the shared key,
step A6: from RBMiddle out field element x2X is to be2Is converted into an integer, and calculated
Figure BDA0002864567420000041
where
Figure BDA0002864567420000045
Step A7: take the field element x_1 from R_A, convert x_1 to an integer, and calculate
Figure BDA0002864567420000042
Step A8: computing
Figure BDA0002864567420000043
Step A9: calculating points of an elliptic curve
Figure BDA0002864567420000044
if U is the point at infinity, proceed to step A13 and determine that the negotiation has failed; otherwise proceed to step A10,
Step A10: calculate the shared key K_A = KDF(x_U || y_U || Z_A || Z_B, klen), where Z_A and Z_B are the publicly computable hash values corresponding to communication parties A and B, and klen is the agreed length of the shared key,
communication party B performs the following steps,
Step B1: generate a random number r_B ∈ [1, n-1],
Step B2: calculate the elliptic curve point R_B = [r_B]G = (x_2, y_2),
Step B3: calculate the elliptic curve point Y = R_B + [π]N, where + is point addition on the elliptic curve;
if [h]Y is the point at infinity, return to step B1 and repeat the above steps until [h]Y is not the point at infinity; then send the elliptic curve point Y to communication party A,
Step B4: calculate the elliptic curve point R_A = X - [π]M from the elliptic curve point X sent by communication party A, where - is point subtraction on the elliptic curve,
and verify whether R_A satisfies the elliptic curve equation; if it does not, proceed to step B14 and determine that the negotiation has failed; otherwise proceed to step B5 and continue negotiating the shared key,
Step B5: take the field element x_1 from R_A, convert x_1 to an integer, and calculate
Figure BDA0002864567420000051
where
Figure BDA0002864567420000055
Step B6: take the field element x_2 from R_B, convert x_2 to an integer, and calculate
Figure BDA0002864567420000052
Step B7: computing
Figure BDA0002864567420000053
Step B8: calculating points of an elliptic curve
Figure BDA0002864567420000054
if V is the point at infinity, proceed to step B14 and the shared key agreement fails; otherwise proceed to step B9,
Step B9: calculate the shared key K_B = KDF(x_V || y_V || Z_A || Z_B, klen), where Z_A and Z_B are the publicly computable hash values corresponding to communication parties A and B, and klen is the agreed length of the shared key.
Preferably, communication party A further performs the following steps:
Step A11: calculate
S_1 = Hash(0x02 || y_U || Hash(x_U || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)) and, using
S_B sent by communication party B, check whether S_1 = S_B; if not, key confirmation from user B to user A fails; if so, proceed to step A12,
Step A12: calculate
S_A = Hash(0x03 || y_U || Hash(x_U || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)) and send S_A to communication party B,
communication party B further performs the following steps,
Step B10: calculate
S_B = Hash(0x02 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2));
Step B11: send S_B, alone or together with the elliptic curve point Y, to communication party A;
Step B12: calculate
S_2 = Hash(0x03 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)),
and, using S_A sent by communication party A, check whether S_2 = S_A; if not, determine that key confirmation from user A to user B fails.
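The exchange described in steps A1 through B12, as an added Python example that is not part of the patent or of the assignee's code. It uses a constructed toy curve (y² = x³ + 2x + 2 over F_17, group order 19, so h = 1) instead of the SM2 curve, SHA-256 in place of SM3, constructed identity hash values Z_A and Z_B, and public points M, N derived from G; the secret-value function F is assumed to be the SM2 key exchange computation that embodiment 1 says it follows. Running it with two different passwords shows the optional confirmation round detecting the mismatch.

```python
import hashlib
import random

# Toy curve y^2 = x^3 + 2x + 2 over F_17, constructed for illustration only
# (a deployment uses the SM2 curve). Its group has prime order n = 19, so h = 1.
P, A_COEF, B_COEF = 17, 2, 2
G, ORDER, H = (5, 1), 19, 1
INF = None  # point at infinity
W = (ORDER.bit_length() + 1) // 2 - 1  # SM2: w = ceil(ceil(log2 n) / 2) - 1
enc = lambda v: v.to_bytes((P.bit_length() + 7) // 8, "big")  # field element -> bytes

def on_curve(pt):
    return pt is INF or (pt[1] ** 2 - (pt[0] ** 3 + A_COEF * pt[0] + B_COEF)) % P == 0

def add(p1, p2):
    """Affine point addition covering the identity, inverse and doubling cases."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def sub(p1, p2):  # p1 - p2: add the inverse point; used to strip the password public key
    return add(p1, INF if p2 is INF else (p2[0], (-p2[1]) % P))

def mul(k, pt):  # scalar multiplication [k]pt by double-and-add
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

# Published points M and N, derived from G here for brevity. Real parameters must be
# fixed points whose discrete logs w.r.t. G nobody knows, or the password becomes
# guessable offline from a captured X or Y.
M_PT, N_PT = mul(3, G), mul(7, G)
Z_A, Z_B = [hashlib.sha256(s).digest() for s in (b"identity-A", b"identity-B")]  # constructed

def x_bar(x):  # SM2 key exchange: xbar = 2^w + (x mod 2^w)
    return (1 << W) + (x & ((1 << W) - 1))

def secret_point(d_own, r_own, R_own, R_peer, P_peer):
    """F as in SM2 key exchange (embodiment 1): [h*t](P_peer + [xbar(x_peer)]R_peer),
    with t = (d + xbar(x_own) * r) mod n."""
    t = (d_own + x_bar(R_own[0]) * r_own) % ORDER
    return mul(H * t, add(P_peer, mul(x_bar(R_peer[0]), R_peer)))

def kdf(z, klen):  # counter-mode KDF in the style of SM2's, SHA-256 standing in for SM3
    blocks = (hashlib.sha256(z + ct.to_bytes(4, "big")).digest()
              for ct in range(1, klen // 32 + 2))
    return b"".join(blocks)[:klen]

def fresh_ephemeral(draw, pw, pub_point):
    """Steps A1-A3 / B1-B3: X = R + [pi]M, retried while [h]X is the point at infinity."""
    while True:
        r = draw()
        R = mul(r, G)
        X = add(R, mul(pw, pub_point))
        if mul(H, X) is not INF:
            return r, R, X

def recover(combined, pw, pub_point):
    """Steps A5 / B4: R_peer = Y - [pi]N, validated before it is used in F."""
    R = sub(combined, mul(pw, pub_point))
    if R is INF or not on_curve(R):
        raise ValueError("negotiation failed: recovered point is invalid")
    return R

def confirm_tags(secret, R_a, R_b):
    """Steps A11-A12 / B10-B12: S_B = Hash(0x02||y||inner), S_A = Hash(0x03||y||inner)."""
    inner = hashlib.sha256(enc(secret[0]) + Z_A + Z_B + enc(R_a[0]) + enc(R_a[1])
                           + enc(R_b[0]) + enc(R_b[1])).digest()
    return tuple(hashlib.sha256(p + enc(secret[1]) + inner).digest() for p in (b"\x02", b"\x03"))

def run_protocol(pw_a, pw_b, d_a, d_b, draw=None, klen=16):
    """Full exchange with each side's pi given separately so a mismatch can be simulated;
    draw supplies ephemeral scalars. Returns (K_A, K_B, confirmed)."""
    draw = draw or (lambda: random.SystemRandom().randrange(1, ORDER))
    P_a, P_b = mul(d_a, G), mul(d_b, G)
    r_a, R_a, X = fresh_ephemeral(draw, pw_a, M_PT)  # A -> B: X
    r_b, R_b, Y = fresh_ephemeral(draw, pw_b, N_PT)  # B -> A: Y
    R_b_at_a = recover(Y, pw_a, N_PT)                # A's view of R_B
    R_a_at_b = recover(X, pw_b, M_PT)                # B's view of R_A
    U = secret_point(d_a, r_a, R_a, R_b_at_a, P_b)
    V = secret_point(d_b, r_b, R_b, R_a_at_b, P_a)
    if U is INF or V is INF:
        raise ValueError("negotiation failed: secret point at infinity")
    K_a, K_b = (kdf(enc(S[0]) + enc(S[1]) + Z_A + Z_B, klen) for S in (U, V))
    s1, s_a = confirm_tags(U, R_a, R_b_at_a)  # A checks s1 == S_B and sends S_A
    s_b, s2 = confirm_tags(V, R_a_at_b, R_b)  # B sends S_B and checks s2 == S_A
    return K_a, K_b, s1 == s_b and s2 == s_a
```

With the draw sequence 2, 3, 4 and password 5, party B's first candidate gives Y at infinity and is retried, exactly as step B3 prescribes; with passwords 5 and 9 the recovered points differ and both confirmation checks fail.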
The technical effects are as follows:
the invention implements a password-authenticated key exchange protocol based on the SM2 algorithm, and converts the password shared by the two parties into a shared key of higher security level and of the required length through two or three rounds of message transmission (the key confirmation round is optional). The two communicating parties each generate a temporary private key, compute a temporary public key and a password public key, compute a combined public key from these two, and transmit the combined public key to the other party. After each side receives the other side's combined public key, it recovers the other side's temporary public key using the password, computes a common secret value from its own public-private key pair, its own temporary public-private key pair, the other side's temporary public key and the other side's public key, and derives a shared key from that value according to the agreed algorithm.
The invention achieves dual identity authentication, based on both a private key and a password, on top of the SM2 algorithm. It can effectively resist man-in-the-middle attacks, is more secure than existing password-authenticated key exchange protocols, and meets the needs of application scenarios in which the communicating parties negotiate a shared key using a password. The invention can also be extended to other ECC elliptic curve cryptosystems.
Drawings
Fig. 1 is a block diagram showing a configuration of a key agreement system according to embodiment 1;
fig. 2 is a flowchart of a key agreement method according to embodiment 1;
fig. 3 is a block diagram showing the configuration of the key agreement system according to embodiment 2;
fig. 4 is a flowchart of the key exchange protocol of embodiment 2.
Detailed Description
The present invention provides many applicable inventive concepts that can be embodied in a wide variety of specific contexts. The specific examples described in the following embodiments of the present invention are merely illustrative of specific embodiments of the present invention and do not limit the scope of the invention.
The invention relates to a scheme for implementing a password-authenticated key exchange protocol on an elliptic curve. Two users use their own public-private key pair, the other party's public key and the password to agree, through interactive message transfer, on a shared key known only to them. This shared key is usually used as the key of a symmetric cryptographic algorithm for subsequently establishing a more secure communication channel.
The basic principle is as follows. An elliptic curve over a finite field is selected together with three random points on it; these points must generate a large subgroup, preferably as large as, or close in size to, the group formed by the elliptic curve itself. Denote these three points G, M, N. G serves as the base point of the elliptic curve, its order is the prime n, h is the cofactor, and M, N serve as public point parameters.
The two communicating parties are A and B, with private keys d_A, d_B and public keys P_A, P_B respectively; users A and B share a secret password π ∈ [1, n-1]. π can be obtained by concatenating the short password shared by both parties with public parameters (such as public information of both parties or a salt value), applying a hash function, and mapping the result into the appropriate range. When user A and user B communicate, they negotiate a shared key for subsequent secure communication, for example password-based key negotiation and secure communication between a digital key and a vehicle in an internet of vehicles scenario.
Communication party A generates a random number r_A as a temporary private key (1st private key) and multiplies r_A by the base point G to obtain R_A = [r_A]G as a temporary public key (1st public key). It multiplies the secret password π by the public point M to obtain the password public key [π]M, generates a combined public key X (the 1st combined public key) from the temporary public key R_A and the password public key [π]M, and transmits the combined public key X to communication party B over the network. When generating the combined public key X, communication party A must ensure that X is not the point at infinity; otherwise it must regenerate the temporary private key.
Communication party B likewise generates a random number r_B as a temporary private key (2nd private key) and multiplies r_B by the base point G to obtain R_B = [r_B]G as a temporary public key (2nd public key). It multiplies the secret password π by the public point N to obtain the password public key [π]N, generates a combined public key Y (2nd combined public key) from the temporary public key R_B and the password public key [π]N, and transmits Y to communication party A over the network. Communication party B must also ensure that the combined public key Y is not the point at infinity; otherwise it must regenerate the temporary private key.
After communication party A receives the combined public key Y, it calculates communication party B's password public key [π]N and recovers communication party B's temporary public key R_B (2nd public key) from the combined public key Y. From the private key d_A, the public key P_A, its own temporary private key r_A, its own temporary public key R_A, the other party's temporary public key R_B and the other party's public key P_B, it calculates a secret value V used to generate the shared key K_A. A shared key K_A of the required length can be generated from the secret value V and some public parameters, for example using the agreed KDF algorithm or hash algorithm.
After communication party B receives the combined public key X, it calculates communication party A's password public key [π]M and recovers communication party A's temporary public key R_A (1st public key) from the combined public key X. From the private key d_B, the public key P_B, its own temporary private key r_B, its own temporary public key R_B, the other party's temporary public key R_A and the other party's public key P_A, it calculates the same secret value V and uses it to generate the shared key K_B. For example, the same KDF algorithm or hash algorithm can be used to generate a shared key K_B of the required length from the secret value V and the public parameters.
Thus communication parties A and B generate the shared key K_A (that is, K_B) through two message exchanges.
As a key confirmation step, users A and B may add one more round of message transmission and use a hash algorithm, a MAC algorithm, a symmetric cipher algorithm or the like to confirm that the shared keys K_A and K_B generated by the two parties are consistent; this step is optional.
The flexible selection of the above steps is further illustrated below:
the Hash algorithm in the invention can be a common Hash algorithm, such as a SM3 algorithm or a SHA256 algorithm.
The KDF algorithm, also called the key derivation algorithm, functions to derive key data from a shared secret bit string. During the key agreement process, a key derivation algorithm acts on a shared secret bit string obtained from the key exchange to generate therefrom the required session key or to further encrypt the required key data. The key derivation function may select a KDF algorithm among SM2 algorithms, or the like.
The calculation process of generating the combined public key by the temporary public key and the password public key only needs to meet the requirement that the temporary public key can be reversely deduced from the combined public key and the password public key, and the three are all involved in operation non-trivial. For example, a point-plus-calculation may be employed, where the combined public key equals the temporary public key plus the password public key, and in the subsequent calculation of the temporary public key from the combined public key and the password public key, the temporary public key equals the combined public key minus the password public key; point subtraction operation can also be adopted, the combined public key is equal to the temporary public key minus the password public key, and then in the subsequent process of calculating the temporary public key from the combined public key and the password public key, the temporary public key is equal to the combined public key plus the password public key.
The calculation process of calculating a secret point by the own public and private key pair, the own temporary public and private key pair, the other temporary public key and the other public key is marked as F, and the process only needs to meet the following requirements:
a.F(dA,PA,rA,RA,RB,PB)=F(dB,PB,rB,RB,RA,PA) That is to say
Both communication parties generate the same secret value Z through an F function;
b. the temporary public keys of the two parties and the public key of the other party need to be subjected to non-trivial calculation;
c. the security strength corresponding to the elliptic curve must not be affected.
For example, the same computation as in the SM2 algorithm key exchange protocol may be chosen.
The key confirmation process only needs to ensure that the two parties have generated the same shared key; it can apply a hash algorithm, a MAC algorithm, a symmetric cryptographic algorithm or the like to the shared key and to other shared information known to both parties.
The technical solution of the present invention will be described below with reference to specific examples.
Example 1:
in embodiment 1, the elliptic curve parameters are the system parameters of the SM2 elliptic curve public key cryptographic algorithm: G is the base point of the elliptic curve, its order is the prime n, and h is the cofactor. In addition, two points M, N on the elliptic curve are chosen arbitrarily as public parameters. The hash algorithm, the KDF algorithm and the function F that generates the shared secret point all follow the SM2 algorithm key exchange protocol.
Fig. 1 is a block diagram showing a configuration of a key agreement system according to embodiment 1.
Communication party A consists of the following modules: a 1st private key generating module 11, a 1st public key generating module 12, a 1st combined public key generating module 13, a 1st information recovering module 14, a 1st shared key generating module 15, a 1st information verifying module 16 and a 1st communication module 17.
Communication party B consists of the following modules: a 2nd private key generating module 21, a 2nd public key generating module 22, a 2nd combined public key generating module 23, a 2nd information recovering module 24, a 2nd shared key generating module 25, a 2nd information verifying module 26 and a 2nd communication module 27.
The two communicating parties are A and B, with private keys d_A, d_B and public keys P_A, P_B respectively; users A and B share a secret password π ∈ [1, n-1]. π can be obtained by concatenating the short password shared by both parties with public parameters (such as public information of both parties or a salt value), applying a hash function, and mapping the result into the appropriate range. When communication party A and communication party B communicate, they negotiate the shared key for subsequent secure communication, for example password-based key negotiation and secure communication between a digital key and a vehicle in an internet of vehicles scenario.
The communication party A:
the 1st private key generation module 11 generates a random number r_A as a temporary private key (1st temporary key); the 1st public key generation module 12 multiplies the temporary private key r_A by the base point G to obtain R_A = [r_A]G as a temporary public key (1st temporary public key). The 1st combined public key generating module 13 multiplies the secret password π by the public point M to obtain the password public key [π]M, and generates a combined public key X (1st combined public key) from the temporary public key R_A and the password public key [π]M. The combined public key X is transmitted to communication party B through the 1st communication module 17. When generating the combined public key X, communication party A must ensure that X is not the point at infinity; otherwise the temporary private key must be regenerated.
The 1st information recovery module 14 receives the combined public key Y sent by communication party B, calculates communication party B's password public key [π]N, and recovers communication party B's temporary public key R_B (2nd temporary public key) from the combined public key Y.
The 1st shared key generation module 15 calculates, from the private key d_A, the public key P_A, its own temporary private key r_A, its own temporary public key R_A, the other party's temporary public key R_B and the other party's public key P_B, a secret value U used to generate the shared key. This embodiment uses the agreed KDF algorithm to generate the shared key K_A of the required length from the secret value U and some public parameters.
The 1 st information verification module 16 confirms whether the shared keys of the communication parties a and B are consistent.
The communication party B:
The 2nd private key generation module 21 generates a random number r_B as a temporary private key (2nd temporary key); the 2nd public key generation module 22 multiplies the temporary private key r_B by the base point G to obtain R_B = [r_B]G as a temporary public key (2nd temporary public key). The 2nd combined public key generation module 23 multiplies the secret password π by the public point N to obtain the password public key [π]N, and generates the combined public key Y (2nd combined public key) from the temporary public key R_B and the password public key [π]N. The combined public key Y is sent to party A through the 2nd communication module 27. Party B must likewise ensure that Y is not the point at infinity; otherwise the temporary private key must be regenerated.
The 2nd information recovery module 24 receives the combined public key X sent by party A, calculates party A's password public key [π]M, and recovers party A's temporary public key R_A (1st temporary public key) from the combined public key X.
The 2nd shared key generation module 25 calculates the same secret value V from its private key d_B, its public key P_B, its own temporary private key r_B, its own temporary public key R_B, the other party's temporary public key R_A and the other party's public key P_A, and uses it to generate the shared key K_B. This embodiment uses the same KDF algorithm to derive a shared key K_B of the required length from the secret value V and the public parameters.
The 2nd information verification module 26 confirms whether the shared keys of parties A and B are identical.
FIG. 2 is a flowchart of the key exchange protocol of embodiment 1;
User A's public/private key pair is (d_A, P_A), where d_A is the private key and P_A the public key; user B's public/private key pair is (d_B, P_B), where d_B is the private key and P_B the public key. Z_A and Z_B are publicly computable hash values corresponding to users A and B. Users A and B share a secret password π ∈ [1, n-1]; the key data to be negotiated has length klen bits; user A is the initiator and user B the responder. Both users obtain the same key through the following calculation steps. In this embodiment of the invention,
Figure BDA0002864567420000112
Party A performs the following steps.
Step A1: the 1st private key generation module 11 generates a random number r_A ∈ [1, n-1].
Step A2: the 1st public key generation module 12 calculates the elliptic curve point R_A = [r_A]G = (x_1, y_1).
Step A3: the 1st combined public key generation module 13 calculates the elliptic curve point X = R_A + [π]M; if [h]X is the point at infinity, return to step A1 and repeat until [h]X is not the point at infinity.
Step A4: the 1st communication module 17 sends the elliptic curve point X to party B and receives the elliptic curve point Y sent by party B.
Step A5: the 1st information recovery module 14 calculates the elliptic curve point R_B = Y − [π]N and verifies whether R_B satisfies the elliptic curve equation; if it does not, go to step A13 and judge that negotiation has failed; otherwise go to step A6 and continue negotiating the shared key.
Step A6: the 1st shared key generation module 15 takes the field element x_2 out of R_B, converts x_2 to an integer, and calculates
Figure BDA0002864567420000111
Step A7: the 1st shared key generation module 15 takes the field element x_1 out of R_A, converts x_1 to an integer, and calculates
Figure BDA0002864567420000121
Step A8: the 1st shared key generation module 15 calculates
Figure BDA0002864567420000122
Step A9: the 1st shared key generation module 15 calculates the elliptic curve point
Figure BDA0002864567420000123
If U is the point at infinity, go to step A13 and judge that negotiation has failed; otherwise convert x_U and y_U to bit strings according to the method given in GM/T 0003 and proceed to step A10.
Step A10: the 1st shared key generation module 15 calculates the shared key K_A = KDF(x_U || y_U || Z_A || Z_B, klen).
Step A11: the 1st information verification module 16 converts the relevant data to bit strings, calculates S_1 = Hash(0x02 || y_U || Hash(x_U || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)), and checks S_1 = S_B against the S_B sent by party B. If the check fails, key confirmation from party B to party A fails; if it succeeds, proceed to step A12.
Step A12: the 1st information verification module 16 calculates S_A = Hash(0x03 || y_U || Hash(x_U || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)) and sends S_A to party B through the 1st communication module 17.
Party B performs the following steps.
Step B1: the 2nd private key generation module 21 generates a random number r_B ∈ [1, n-1].
Step B2: the 2nd public key generation module 22 calculates the elliptic curve point R_B = [r_B]G = (x_2, y_2).
Step B3: the 2nd combined public key generation module 23 calculates the elliptic curve point Y = R_B + [π]N; if [h]Y is the point at infinity, return to step B1 and repeat until [h]Y is not the point at infinity.
Step B4: the 2nd information recovery module 24 calculates the elliptic curve point R_A = X − [π]M from the elliptic curve point X sent by party A and verifies whether R_A satisfies the elliptic curve equation; if it does not, go to step B14 and judge that negotiation has failed; otherwise go to step B5 and continue negotiating the shared key.
Step B5: the 2nd shared key generation module 25 takes the field element x_1 out of R_A, converts x_1 to an integer, and calculates
Figure BDA0002864567420000124
Step B6: the 2nd shared key generation module 25 takes the field element x_2 out of R_B, converts x_2 to an integer, and calculates
Figure BDA0002864567420000131
Step B7: the 2nd shared key generation module 25 calculates
Figure BDA0002864567420000132
Step B8: the 2nd shared key generation module 25 calculates the elliptic curve point
Figure BDA0002864567420000133
Figure BDA0002864567420000134
If V is the point at infinity, go to step B14 and judge that shared key negotiation has failed; otherwise convert x_V and y_V to bit strings according to the method given in GM/T 0003 and proceed to step B9.
Step B9: the 2nd shared key generation module 25 calculates the shared key K_B = KDF(x_V || y_V || Z_A || Z_B, klen).
Step B10: the 2nd information verification module 26 converts the relevant data to bit strings and calculates S_B = Hash(0x02 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)).
Step B11: the 2nd communication module 27 sends the elliptic curve point Y and S_B to party A.
Step B12: the 2nd information verification module 26 calculates S_2 = Hash(0x03 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)) and checks S_2 = S_A against the S_A sent by party A. If the check succeeds, go to step B13, where key agreement between parties A and B is confirmed successful; if it fails, go to step B14, where key agreement between parties A and B is judged to have failed.
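The exchange of steps A1 to A12 and B1 to B12 above (together with the derivation of π from a short password described at the start of this embodiment, and the same steps as restated in claims 5 and 6) carried through end to end, as an added example that is not part of the patent or of any product of the applicant. It runs over the SM2 recommended curve from GM/T 0003 and uses plain affine point arithmetic. Several things the page leaves open or shows only as images are filled in by assumption: the x̄, t and U/V formulas follow the SM2 key exchange of GM/T 0003.3 (x̄ = 2^w + (x mod 2^w), t = (d + x̄·r) mod n, U = [h·t](P_peer + [x̄_peer]R_peer)), which is consistent with the page's statement that the protocol is built on the SM2 key exchange; SHA-256 stands in for the unspecified Hash and a counter-mode hash stands in for the agreed KDF; Z_A and Z_B are reduced to a hash of an identity label and the public key; the published points M and N are derived by hashing to the curve so that nobody knows their discrete logarithm with respect to G; and the helper names (`hash_to_point`, `password_to_pi`, `masked_ephemeral`, `unmask`, `shared_point`, `confirm_tag`, `run_exchange`) are this example's own.

```python
import hashlib
import secrets

# SM2 recommended curve (GM/T 0003.5); its cofactor h is 1.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H, W, INF = 1, 127, None   # cofactor, SM2 w = ceil(ceil(log2 n)/2) - 1, point at infinity

def on_curve(pt):
    return pt is not INF and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def add(p1, p2):  # affine point addition; Q + (-Q) gives INF
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if x1 == x2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # [k]pt by double-and-add (illustrative only; not constant-time)
    acc, addend = INF, pt
    while k:
        if k & 1: acc = add(acc, addend)
        addend, k = add(addend, addend), k >> 1
    return acc

def hsh(b): return hashlib.sha256(b).digest()   # stand-in for the page's Hash (assumption)
def i2b(x): return x.to_bytes(32, "big")
def xbar(x): return (1 << W) + (x & ((1 << W) - 1))   # SM2: x_bar = 2^w + (x mod 2^w)

def kdf(z, klen):  # counter-mode hash KDF returning klen bits (stand-in for the agreed KDF)
    out, ct = b"", 1
    while len(out) < klen // 8:
        out, ct = out + hsh(z + ct.to_bytes(4, "big")), ct + 1
    return out[: klen // 8]

def hash_to_point(label):  # public point of unknown discrete log w.r.t. G (uses p = 3 mod 4)
    ctr = 0
    while True:
        x = int.from_bytes(hsh(label + ctr.to_bytes(4, "big")), "big") % P
        rhs, ctr = (x ** 3 + A * x + B) % P, ctr + 1
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P == rhs:
            return (x, y)

M, NPT = hash_to_point(b"M"), hash_to_point(b"N")   # the page's published points M and N

def password_to_pi(password, salt):  # pi in [1, n-1] from the short password and a public salt
    return int.from_bytes(hsh(password + salt), "big") % (N - 1) + 1

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def masked_ephemeral(pi, point):  # steps A1-A3 / B1-B3: R = [r]G, X = R + [pi]point
    while True:
        r = secrets.randbelow(N - 1) + 1
        R = mul(r, G)
        X = add(R, mul(pi, point))
        if mul(H, X) is not INF: return r, R, X   # the page's [h]X check (trivial for h = 1)

def unmask(Y, pi, point):  # steps A5 / B4: peer's R = Y - [pi]point, must lie on the curve
    Q = mul(pi, point)
    R = add(Y, (Q[0], -Q[1] % P))
    if not on_curve(R):   # a wrong password still yields a curve point: catches malformed input only
        raise ValueError("recovered temporary public key is not on the curve")
    return R

def shared_point(d, r, R_own, R_peer, P_peer):
    """Steps A6-A9 / B5-B8 in SM2 form: t = (d + xbar(x_own)*r) mod n, U = [h*t](P_peer + [xbar(x_peer)]R_peer)."""
    t = (d + xbar(R_own[0]) * r) % N
    U = mul(H * t, add(P_peer, mul(xbar(R_peer[0]), R_peer)))
    if U is INF:
        raise ValueError("secret point is the point at infinity")
    return U

def confirm_tag(prefix, U, ZA, ZB, RA, RB):
    """S = Hash(prefix || y_U || Hash(x_U || Z_A || Z_B || x1 || y1 || x2 || y2))."""
    inner = hsh(i2b(U[0]) + ZA + ZB + i2b(RA[0]) + i2b(RA[1]) + i2b(RB[0]) + i2b(RB[1]))
    return hsh(bytes([prefix]) + i2b(U[1]) + inner)

def run_exchange(pi_a, pi_b, klen=128):
    """Embodiment 1 end to end; A's and B's password values are passed separately so a
    mismatch can be exercised. Returns (K_A, K_B, A accepts S_B, B accepts S_A)."""
    dA, PA = keygen(); dB, PB = keygen()
    ZA, ZB = hsh(b"A" + i2b(PA[0]) + i2b(PA[1])), hsh(b"B" + i2b(PB[0]) + i2b(PB[1]))  # simplified Z_A, Z_B
    rA, RA, X = masked_ephemeral(pi_a, M)       # message 1, A -> B: X
    rB, RB, Y = masked_ephemeral(pi_b, NPT)     # message 2, B -> A: Y, S_B
    RB_at_A, RA_at_B = unmask(Y, pi_a, NPT), unmask(X, pi_b, M)
    U = shared_point(dA, rA, RA, RB_at_A, PB)
    V = shared_point(dB, rB, RB, RA_at_B, PA)
    KA = kdf(i2b(U[0]) + i2b(U[1]) + ZA + ZB, klen)
    KB = kdf(i2b(V[0]) + i2b(V[1]) + ZA + ZB, klen)
    SB = confirm_tag(0x02, V, ZA, ZB, RA_at_B, RB)
    S1 = confirm_tag(0x02, U, ZA, ZB, RA, RB_at_A)
    SA = confirm_tag(0x03, U, ZA, ZB, RA, RB_at_A)  # message 3, A -> B: S_A
    S2 = confirm_tag(0x03, V, ZA, ZB, RA_at_B, RB)
    return KA, KB, S1 == SB, S2 == SA
```

Running `run_exchange(pi, pi)` with the same π on both sides yields K_A = K_B and both confirmation checks pass; running it with two different π values (for instance `password_to_pi(b"123456", salt)` against `password_to_pi(b"123457", salt)`) yields different keys and both checks fail. Two points worth noting when reading the result against the steps above. First, the elliptic-curve-equation check in steps A5/B4 does not detect a wrong password: Y − [π']N is a valid curve point for any π', so a password mismatch only becomes visible at the S_1 = S_B / S_2 = S_A comparison, or, in embodiment 2 where those steps are omitted, as a silent key mismatch that the first protected message must expose. Second, the password mask is only as good as the points M and N: if anyone knows the discrete logarithm of M or N with respect to G, the [π]M term can be stripped and the password guessed offline, so the points must be generated in a nothing-up-my-sleeve way as done here. The scalar multiplication is the textbook double-and-add and is not constant-time; a deployment would use a hardened SM2 implementation.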
The technical solution of the invention has been explained above using the embodiment as an example. In summary, the invention implements a password-authenticated key exchange protocol based on the SM2 algorithm, converting a password shared by both parties into a shared key of the required length and a higher security level through two or three rounds of message transfer. Both parties can compute a common secret value from their respective secret values (own private key, temporary private key, password) and the public values (both public keys, both combined public keys). That is:
1. Each party generates a temporary private key, calculates a temporary public key and a password public key, calculates a combined public key from these two, and sends the combined public key to the other party.
2. After receiving the other party's combined public key, each party recovers the other party's temporary public key using the password, calculates the common secret value from its own public/private key pair, its own temporary key pair, the other party's temporary public key and the other party's public key, and derives the shared key from it using the agreed algorithm.
3. By adding one more round of message transfer, the two parties can confirm that they have computed the same shared key; this key confirmation step is optional and can be selected as required.
The scheme can be applied to scenarios that establish a more secure communication channel from a simple password, such as password-based key agreement between a digital key and a vehicle in an Internet-of-Vehicles scenario.
The invention constructs a new password-authenticated key exchange protocol on the basis of the SM2 key exchange protocol. In the existing SM2 key exchange protocol, the two parties authenticate each other by proving possession of their respective private keys and finally negotiate a shared key; the SPAKE2 algorithm negotiates a shared key based on mutual authentication by a password held by both parties. The invention combines the advantages of the two: mutual authentication is based on possession of two factors, the private key and the password, and a shared key of the required length is negotiated through two or three rounds of message exchange.
Compared with existing key agreement algorithms, the invention has the following advantages:
1. Compared with the DH and ECDH algorithms, the method naturally resists man-in-the-middle attacks.
2. Compared with the SPAKE2 algorithm, the method provides dual authentication based on the password and the private key, giving higher security strength than password-only authentication.
3. Compared with the SM2 key exchange protocol, the method adds password authentication and is better suited to scenarios that establish a higher-level secure channel from a password.
The following describes example 2.
Example 2
Fig. 3 is a block diagram of the key agreement system of embodiment 2, and fig. 4 is a flowchart of the key exchange protocol of embodiment 2.
Compared with embodiment 1, embodiment 2 omits the 1st and 2nd information verification modules and the steps that calculate and verify S_1, S_2, S_A and S_B; everything else is the same as in embodiment 1. Embodiment 2 reduces the number of message transmissions between parties A and B compared with embodiment 1.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim.

Claims (6)

1. A key agreement system, characterized in that two communicating parties negotiate a shared key by exchanging messages with each other, wherein
party A includes the following modules: a 1st private key generation module (11), a 1st public key generation module (12), a 1st combined public key generation module (13), a 1st information recovery module (14) and a 1st shared key generation module (15);
party B includes the following modules: a 2nd private key generation module (21), a 2nd public key generation module (22), a 2nd combined public key generation module (23), a 2nd information recovery module (24) and a 2nd shared key generation module (25);
party A and party B have private keys d_A, d_B and public keys P_A, P_B respectively and share a secret password π ∈ [1, n-1], where G is the base point of the elliptic curve, n is its order, h is the cofactor, and M, N are two published point parameters;
the 1st private key generation module (11) generates a random number r_A as a temporary private key;
the 1st public key generation module (12) multiplies the temporary private key r_A by the base point G to obtain R_A = [r_A]G as a temporary public key, where [ ] denotes point multiplication on the elliptic curve;
the 1st combined public key generation module (13) multiplies the secret password π by the public point M to obtain the password public key [π]M and generates the combined public key X from the temporary public key R_A and the password public key [π]M;
the 1st information recovery module (14) receives the combined public key Y sent by party B, calculates party B's password public key [π]N, and recovers party B's temporary public key R_B from the combined public key Y;
the 1st shared key generation module (15) calculates a secret value U from the private key d_A, the public key P_A, its own temporary private key r_A, its own temporary public key R_A, the other party's temporary public key R_B and the other party's public key P_B, for generating the shared key K_A;
the 2nd private key generation module (21) generates a random number r_B as a temporary private key;
the 2nd public key generation module (22) multiplies the temporary private key r_B by the base point G to obtain R_B = [r_B]G as a temporary public key, where [ ] denotes point multiplication on the elliptic curve;
the 2nd combined public key generation module (23) multiplies the secret password π by the public point N to obtain the password public key [π]N and generates the combined public key Y from the temporary public key R_B and the password public key [π]N;
the 2nd information recovery module (24) receives the combined public key X sent by party A, calculates party A's password public key [π]M, and recovers party A's temporary public key R_A from the combined public key X;
the 2nd shared key generation module (25) calculates a secret value V from the private key d_B, the public key P_B, its own temporary private key r_B, its own temporary public key R_B, the other party's temporary public key R_A and the other party's public key P_A, for generating the shared key K_B.
2. The key agreement system according to claim 1, characterized in that: the 1st shared key generation module (15) uses a KDF algorithm to generate a shared key K_A of the required length from the secret value U and the public parameters;
the 2nd shared key generation module (25) uses a KDF algorithm to generate a shared key K_B of the required length from the secret value V and the public parameters.
3. The key agreement system according to claim 2, characterized in that: party A and party B further include a 1st information verification module (16) and a 2nd information verification module (26) respectively,
the 1st information verification module (16) and the 2nd information verification module (26) confirm, by exchanging messages, that the shared keys K_A and K_B generated by the two parties are identical.
4. The key agreement system according to claim 3, characterized in that: the 1st information verification module (16) and the 2nd information verification module (26) verify the shared key together with other information known to both parties using any one of a hash algorithm, a MAC algorithm or a symmetric cryptographic algorithm.
5. A key agreement method, characterized in that: two communicating parties negotiate a shared key by exchanging messages with each other; party A and party B have private keys d_A, d_B and public keys P_A, P_B respectively and share a secret password π ∈ [1, n-1], where G is the base point of the elliptic curve, n is its order, h is the cofactor, and M, N are two published point parameters;
party A performs the following steps:
step A1: generating a random number r_A ∈ [1, n-1] as the temporary private key of party A;
step A2: calculating the elliptic curve point R_A = [r_A]G = (x_1, y_1) as the temporary public key of party A;
step A3: calculating the combined public key X of party A, i.e. the elliptic curve point X = R_A + [π]M, where + is point addition on the elliptic curve; if [h]X is the point at infinity, returning to step A1 and repeating the above steps until [h]X is not the point at infinity;
step A4: sending the elliptic curve point X to party B and receiving the elliptic curve point Y sent by party B as the combined public key of party B;
step A5: calculating the temporary public key R_B of party B, i.e. the elliptic curve point R_B = Y − [π]N, where − is point subtraction on the elliptic curve;
step A6: on condition that R_B satisfies the elliptic curve equation, taking the field element x_2 out of R_B, converting x_2 to an integer, and calculating
Figure FDA0003456028180000031
where
Figure FDA0003456028180000032
Figure FDA0003456028180000033
step A7: taking the field element x_1 out of R_A, converting x_1 to an integer, and calculating
Figure FDA0003456028180000034
step A8: calculating
Figure FDA0003456028180000035
step A9: calculating the elliptic curve point
Figure FDA0003456028180000036
step A10: on condition that U is not the point at infinity, calculating the shared key K_A = KDF(x_U || y_U || Z_A || Z_B, klen), where Z_A and Z_B are publicly computable hash values corresponding to parties A and B, and klen is the agreed length of the shared key;
party B performs the following steps:
step B1: generating a random number r_B ∈ [1, n-1] as the temporary private key of party B;
step B2: calculating the elliptic curve point R_B = [r_B]G = (x_2, y_2) as the temporary public key of party B;
step B3: calculating the combined public key Y of party B, i.e. the elliptic curve point Y = R_B + [π]N, where + is point addition on the elliptic curve; if [h]Y is the point at infinity, returning to step B1 and repeating the above steps until [h]Y is not the point at infinity; sending the elliptic curve point Y to party A;
step B4: calculating the temporary public key R_A of party A, i.e. the elliptic curve point R_A = X − [π]M from the elliptic curve point X sent by party A, where − is point subtraction on the elliptic curve;
step B5: on condition that R_A satisfies the elliptic curve equation, taking the field element x_1 out of R_A, converting x_1 to an integer, and calculating
Figure FDA0003456028180000041
where
Figure FDA0003456028180000042
Figure FDA0003456028180000043
step B6: taking the field element x_2 out of R_B, converting x_2 to an integer, and calculating
Figure FDA0003456028180000044
step B7: calculating
Figure FDA0003456028180000045
step B8: calculating the elliptic curve point
Figure FDA0003456028180000046
step B9: on condition that V is not the point at infinity, calculating the shared key K_B = KDF(x_V || y_V || Z_A || Z_B, klen), where Z_A and Z_B are publicly computable hash values corresponding to parties A and B, and klen is the agreed length of the shared key.
6. The key agreement method according to claim 5, characterized in that: party A further performs the following steps:
step A11: calculating S_1 = Hash(0x02 || y_U || Hash(x_U || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)) and checking S_1 = S_B against the S_B sent by party B; if the check fails, key confirmation from party B to party A fails; if it succeeds, proceeding to step A12;
step A12: calculating S_A = Hash(0x03 || y_U || Hash(x_U || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)) and sending S_A to party B;
party B further performs the following steps:
step B10: calculating S_B = Hash(0x02 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2));
step B11: sending S_B to party A;
step B12: calculating S_2 = Hash(0x03 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)) and checking S_2 = S_A against the S_A sent by party A; if the check fails, judging that key agreement between parties A and B has failed.
CN202011578115.0A 2020-12-28 2020-12-28 Key agreement method and system Active CN112713997B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011578115.0A CN112713997B (en) 2020-12-28 2020-12-28 Key agreement method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011578115.0A CN112713997B (en) 2020-12-28 2020-12-28 Key agreement method and system

Publications (2)

Publication Number Publication Date
CN112713997A CN112713997A (en) 2021-04-27
CN112713997B true CN112713997B (en) 2022-04-22

Family

ID=75545715

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011578115.0A Active CN112713997B (en) 2020-12-28 2020-12-28 Key agreement method and system

Country Status (1)

Country Link
CN (1) CN112713997B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113572607A (en) * 2021-08-11 2021-10-29 太原理工大学 Secure communication method adopting unbalanced SM2 key exchange algorithm
WO2023230929A1 (en) * 2022-05-31 2023-12-07 华为技术有限公司 Communication method and related apparatus
CN115174086B (en) * 2022-07-11 2023-06-27 三未信安科技股份有限公司 Half probability key negotiation method based on SM2 elliptic curve
CN116961906B (en) * 2023-09-19 2023-12-15 长春吉大正元信息技术股份有限公司 Network communication method, device, equipment and storage medium
CN117118635B (en) * 2023-10-16 2024-02-02 南方电网科学研究院有限责任公司 Anonymous authentication method and device for electric automobile, storage medium and computer equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101710859A (en) * 2009-11-17 2010-05-19 深圳国微技术有限公司 Authentication key agreement method
CN109274663A (en) * 2018-09-07 2019-01-25 西安莫贝克半导体科技有限公司 Communication means based on SM2 dynamic key exchange and SM4 data encryption
CN109474425A (en) * 2018-12-25 2019-03-15 国科量子通信网络有限公司 A method of length derivative key is arbitrarily designated based on the acquisition of multiple shared keys

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108234501B (en) * 2018-01-11 2020-12-11 北京中电普华信息技术有限公司 Quantum key fusion-based virtual power plant secure communication method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
戚世杰; 卢建朱; 胡吉旦. Enhanced mutual authentication key agreement scheme. 《计算机工程》 (Computer Engineering), 2012. *

Also Published As

Publication number Publication date
CN112713997A (en) 2021-04-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant