CN113987451B - Security authentication method and system for notebook terminal equipment - Google Patents

Info

Publication number: CN113987451B
Authority: CN (China)
Prior art keywords: information, authentication information, parameter, authentication, identity information
Legal status: Active
Application number: CN202111606869.7A
Other languages: Chinese (zh)
Other versions: CN113987451A (en)
Inventors: 罗远哲, 刘瑞景, 陈思杰, 闫路博, 韩松松, 李冠蕊, 荆全振, 姚业国, 张春涛
Current Assignee: Beijing China Super Industry Information Security Technology Ltd By Share Ltd
Original Assignee: Beijing China Super Industry Information Security Technology Ltd By Share Ltd
Application filed by Beijing China Super Industry Information Security Technology Ltd By Share Ltd
Priority to CN202111606869.7A
Publication of CN113987451A
Application granted
Publication of CN113987451B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G06F21/32: User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/44: Program or device authentication
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0643: Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838: Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0861: Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863: Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • H04L9/0891: Revocation or update of secret information, e.g. encryption key update or rekeying
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3278: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response using physically unclonable functions [PUF]

Abstract

The invention relates to a security authentication method and system for notebook terminal equipment. The method introduces a pseudonym to protect the identity of the notebook terminal and updates the secret parameters after the notebook terminal has been authenticated, which ensures the security of authentication. The notebook terminal device registers with the server to generate the corresponding secret parameters and PUF secret values, and then encrypts using three-factor authentication combined with a bilinear mapping algorithm and a PUF; encryption in this mode can reach a higher security level. The session key is based on the secret value and the updated secret value and is generated separately by the notebook terminal device and the server, which ensures the security of the session key and solves the problem of its forward and backward security. The invention can improve the communication security of the notebook terminal equipment and ensure privacy security.

Description

Security authentication method and system for notebook terminal equipment
Technical Field
The invention relates to the field of information security, in particular to a security authentication method and system for notebook terminal equipment.
Background
With the development of computer technology, the popularization of internet terminal devices, and the vigorous growth of sensitive applications on the internet, the problem of user privacy has become more and more important and has attracted wide attention.
In addition, with the rapid development of mobile application technology, mobile devices that are affordable, portable, and lightweight are becoming very popular. Notebook terminal equipment can access a cloud server to make online payments, and so brings convenience to our lives. However, in specific environments, some notebook terminal devices (LTE) need to connect to a specific network (a private network) for communication; these devices therefore need to be authenticated and connected to the network for information transmission.
Therefore, it is necessary to design an authentication key protocol suitable for the notebook mobile device.
Disclosure of Invention
The invention aims to provide a security authentication method and a security authentication system for notebook terminal equipment, which can improve the communication security of the notebook terminal equipment and ensure the privacy security.
In order to achieve the purpose, the invention provides the following scheme:
a security authentication method of a notebook terminal device comprises the following steps:
initializing a server (Server, S), determining the system parameters of the server, and publishing them; the system parameters include: a prime order, a first group and a second group determined according to the prime order, the relationship between the first group and the second group, a public key, a first hash function, a second hash function, a first parameter and a second parameter; the first parameter is multiplied by the random number to determine the public key; the second parameter is determined according to the relationship between the first group and the second group, the first parameter and the random number;
the notebook terminal equipment is registered on the server, and the server generates corresponding identity information; and storing the identity information in a database;
the server selects the pseudonym information and the response parameter, and then determines first identity information and second identity information according to the system parameter; determining first information according to the first identity information, the second identity information, the pseudonym information and corresponding parameters and sending the first information to the smart card; the first information and the identity information are sent to the notebook terminal equipment;
the notebook terminal equipment determines a first terminal parameter by using a physical unclonable function and a response parameter; determining an input key according to the first terminal parameter and the first parameter; further sending the input key and the fingerprint to the smart card;
the smart card determines a biological characteristic key pair according to the fingerprint and a biological characteristic key extraction algorithm; the biological characteristic key pair comprises a biological characteristic private key and a biological characteristic public key;
the smart card determines first authentication information according to the first hash function, the input key, the pseudonym information, the biometric private key, the identity information and the first terminal parameter; determining second authentication information according to the first identity information and the first authentication information; determining third authentication information according to the second authentication information and the second identity information; determining fourth authentication information according to the first hash function, the input key, the pseudonym information, the biometric private key, the identity information and the first identity information; storing the pseudonym information, the third authentication information, the second authentication information, the fourth authentication information, the biometric private key and the response parameter in the smart card; the first terminal parameter is sent to the server through a secure channel, and the server stores the pseudonym information and the first terminal parameter;
the notebook terminal equipment logs in to the smart card according to the identity information, the input key and the fingerprint;
the smart card determines a biometric private key according to the fingerprint, the biometric public key and a biometric key copying algorithm; determining a first terminal parameter according to the physical unclonable function and the response parameter; determining first generated authentication information according to the first hash function, the input key, the pseudonym information, the biometric private key, the identity information and the first terminal parameter; determining first identity information according to the first generated authentication information and the second authentication information; determining fourth generated authentication information according to the first hash function, the input key, the pseudonym information, the biometric private key, the identity information and the first identity information; further judging whether the fourth generated authentication information is equal to the fourth authentication information; if yes, continuing authentication; if not, refusing the login;
the notebook terminal equipment randomly selects a timestamp; determining second identity information according to the third authentication information, the first generated authentication information and the biometric private key; then, randomly selecting an authentication random number, and determining fifth authentication information according to the authentication random number and the system parameters; determining sixth authentication information according to the fifth authentication information, the second identity information and the identity information; determining seventh authentication information according to the first hash function, the pseudonym information, the identity information, the second identity information, the fifth authentication information, the first terminal parameter and the timestamp; sending the pseudonym information, the sixth authentication information, the seventh authentication information, the third authentication information and the timestamp to the server;
the server verifies the timestamp, and after the timestamp passes verification, the corresponding pseudonym information and first terminal parameter are determined according to the pseudonym information; determining fifth generated authentication information according to the system parameters and the third authentication information; determining second identity information according to the system parameters and the pseudonym information; determining identity information according to the sixth authentication information, the fifth generated authentication information and the second identity information; inquiring whether the determined identity information is in the database; when the determined identity information is in the database, continuing authentication; then, determining seventh generated authentication information according to the first hash function, the pseudonym information, the determined identity information, the second identity information, the fifth generated authentication information, the first terminal parameter and the timestamp; further verifying whether the seventh generated authentication information is equal to the stored seventh authentication information; when the seventh generated authentication information is equal to the stored seventh authentication information, continuing authentication; then, the server randomly selects a timestamp and a second parameter, and determines a first server parameter and a second server parameter; the pseudonym information is updated, and then the updated first identity information and the updated second identity information are calculated; determining eighth authentication information according to the updated first identity information, the updated second identity information, the updated pseudonym information and the updated response parameters; determining ninth authentication information according to the second hash function, the updated pseudonym information, the determined identity information, the second identity information, the updated first identity information, the updated second identity information, the second server parameter, the fifth generated authentication information and the first terminal parameter; determining tenth authentication information according to the first hash function, the updated pseudonym information, the determined identity information, the ninth authentication information, the first terminal parameter and the timestamp randomly selected by the server; sending the first server parameter, the eighth authentication information, the tenth authentication information and the timestamp randomly selected by the server to the notebook terminal equipment;
the notebook terminal equipment verifies the timestamp randomly selected by the server, and determines a first terminal parameter according to the physical unclonable function after the verification is passed; further determining a generated second server parameter, ninth generated authentication information and tenth generated authentication information; judging whether the tenth generated authentication information is equal to the tenth authentication information; when the tenth generated authentication information is equal to the tenth authentication information, the session key of the notebook terminal device is equal to the session key of the server;
the notebook terminal device and the server communicate through the session key.
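The registration and login steps above leave the smart card holding only masked values and a local verifier, which the following Python sketch makes concrete. It is an added example, not code from the patent: it assumes SHA-256 for the first hash function, XOR as the way values are combined, an HMAC-based stand-in for the PUF, and takes the input key and biometric private key as ready-made bytes; the third authentication information and all group operations are omitted.

```python
"""Added illustration of the smart card's registration and local login check.
Assumptions (not from the patent text): H1 = SHA-256, values are combined by XOR,
the PUF is simulated with HMAC, and the fuzzy-extractor output arrives as bytes."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def h1(*parts: bytes) -> bytes:
    """Stand-in for the first hash function; length prefixes keep inputs unambiguous."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedPUF:
    """Software stand-in for PUF(): the secret models per-chip physical variation."""

    def __init__(self) -> None:
        self._variation = secrets.token_bytes(32)

    def evaluate(self, response_parameter: bytes) -> bytes:
        return hmac.new(self._variation, response_parameter, hashlib.sha256).digest()


@dataclass(frozen=True)
class CardRecord:
    pseudonym: bytes
    response_parameter: bytes
    second_auth: bytes  # first identity information masked by the first authentication value
    fourth_auth: bytes  # local verifier compared at login


def register(puf: SimulatedPUF, identity: bytes, pseudonym: bytes,
             response_parameter: bytes, first_identity: bytes,
             input_key: bytes, bio_key: bytes) -> CardRecord:
    """Registration: derive the values the card stores; nothing is kept in the clear."""
    terminal_param = puf.evaluate(response_parameter)
    first_auth = h1(input_key, pseudonym, bio_key, identity, terminal_param)
    second_auth = xor(first_identity, first_auth)
    fourth_auth = h1(input_key, pseudonym, bio_key, identity, first_identity)
    return CardRecord(pseudonym, response_parameter, second_auth, fourth_auth)


def login(card: CardRecord, puf: SimulatedPUF, identity: bytes,
          input_key: bytes, bio_key: bytes) -> Optional[bytes]:
    """Login: recompute, unmask, and compare; return first identity info or None."""
    terminal_param = puf.evaluate(card.response_parameter)
    first_generated = h1(input_key, card.pseudonym, bio_key, identity, terminal_param)
    first_identity = xor(first_generated, card.second_auth)
    fourth_generated = h1(input_key, card.pseudonym, bio_key, identity, first_identity)
    if not hmac.compare_digest(fourth_generated, card.fourth_auth):
        return None  # any wrong factor changes the unmasked value, so the check fails
    return first_identity


def run_demo() -> dict:
    """Exercise the check with constructed sample values (all values are made up)."""
    device_puf, other_puf = SimulatedPUF(), SimulatedPUF()
    identity, pseudonym = b"ID-constructed-001", b"PID-constructed-001"
    input_key, bio_key = b"constructed input key", secrets.token_bytes(32)
    first_identity = secrets.token_bytes(32)  # a group element in the patent; bytes here
    card = register(device_puf, identity, pseudonym, b"w-constructed",
                    first_identity, input_key, bio_key)
    return {
        "genuine": login(card, device_puf, identity, input_key, bio_key) == first_identity,
        "wrong_input_key": login(card, device_puf, identity, b"guess", bio_key) is None,
        "wrong_biometric": login(card, device_puf, identity, input_key,
                                 secrets.token_bytes(32)) is None,
        "card_in_other_device": login(card, other_puf, identity, input_key, bio_key) is None,
        "identity_stored_in_clear": first_identity in (card.second_auth, card.fourth_auth),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The `card_in_other_device` case shows what the PUF contributes: a copied card record fails the local check on hardware whose PUF output differs, even with the correct input key and biometric.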
Optionally, the initializing the server, determining system parameters of the server, and publishing specifically include:
Figure 874163DEST_PATH_IMAGE001
Figure 427373DEST_PATH_IMAGE002
Figure 295972DEST_PATH_IMAGE003
Figure 18071DEST_PATH_IMAGE004
wherein e is the relationship between the first group and the second group, $G_1$ is the first group, $G_2$ is the second group, $P_{pub}$ is the public key, $H_1$ is the first hash function, $H_2$ is the second hash function, P is the first parameter, u is the second parameter, s is a random number,
Figure 664822DEST_PATH_IMAGE005
is a prime number set, and q is a prime number.
Optionally, the server selects the pseudonym information and the response parameter, and further determines the first identity information and the second identity information according to the system parameter, which specifically includes:
using formulas
Figure 456061DEST_PATH_IMAGE006
Determining first identity information;
using formulas
Figure 613504DEST_PATH_IMAGE007
Determining second identity information;
wherein $A_i$ is the first identity information, $B_i$ is the second identity information,
Figure 704956DEST_PATH_IMAGE008
is the identity information,
Figure 522609DEST_PATH_IMAGE009
is the pseudonym information, and S is the private key of the server.
Optionally, the determining, by the notebook terminal device, the first terminal parameter by using the physical unclonable function and the response parameter specifically includes:
using formulas
Figure 348613DEST_PATH_IMAGE010
Determining a first terminal parameter;
wherein $W_i$ is the first terminal parameter, PUF(·) is the physical unclonable function, and $w_i$ is the response parameter.
Optionally, the smart card determines the biometric key pair according to the fingerprint and the biometric key extraction algorithm, and specifically includes:
using formulas
Figure 559015DEST_PATH_IMAGE011
Determining a biometric key pair;
wherein
Figure 482803DEST_PATH_IMAGE012
is the biometric private key,
Figure 769559DEST_PATH_IMAGE013
is the biometric public key, GEN(·) is the biometric key extraction algorithm, and $FP_i$ is the fingerprint.
Optionally, the smart card determines first authentication information according to a first hash function, an input key, pseudonym information, a biometric private key, identity information, and a first terminal parameter; determining second authentication information according to the first identity information and the first authentication information; determining third authentication information according to the second authentication information and the second identity information; determining fourth authentication information according to the first hash function, the input key, the pseudonym information, the biological feature private key, the identity information and the first identity information, and specifically comprising:
using formulas
Figure 535390DEST_PATH_IMAGE014
Determining first authentication information;
using formulas
Figure 533170DEST_PATH_IMAGE015
Determining second authentication information;
using formulas
Figure 84369DEST_PATH_IMAGE016
Determining third authentication information;
using formulas
Figure 260135DEST_PATH_IMAGE017
Determining fourth authentication information;
wherein
Figure 762529DEST_PATH_IMAGE018
is the first authentication information,
Figure 065466DEST_PATH_IMAGE019
is the second authentication information,
Figure 720438DEST_PATH_IMAGE020
is the third authentication information,
Figure 581953DEST_PATH_IMAGE021
is the fourth authentication information, and
Figure 322376DEST_PATH_IMAGE022
is the input key.
Optionally, after the notebook terminal device and the server communicate through the session key, the method further includes:
the smart card updates the response parameter, the first authentication information, the second authentication information, the third authentication information and the fourth authentication information; and storing the updated pseudonym information, the second authentication information, the third authentication information, the fourth authentication information and the response parameter.
A security authentication system of a notebook terminal device, comprising:
the server initialization module is used for initializing the server, determining the system parameters of the server and publishing them; the system parameters include: a prime order, a first group and a second group determined according to the prime order, the relationship between the first group and the second group, a public key, a first hash function, a second hash function, a first parameter and a second parameter; the first parameter is multiplied by the random number to determine the public key; the second parameter is determined according to the relationship between the first group and the second group, the first parameter and the random number;
the notebook terminal equipment is registered on the server, and the server generates corresponding identity information; and storing the identity information in a database;
the server selects the pseudonym information and the response parameter, and then determines first identity information and second identity information according to the system parameter; determining first information according to the first identity information, the second identity information, the pseudonym information and corresponding parameters and sending the first information to the smart card; the first information and the identity information are sent to the notebook terminal equipment; the notebook terminal equipment determines a first terminal parameter by using a physical unclonable function and a response parameter; determining an input key according to the first terminal parameter and the first parameter; further sending the input key and the fingerprint to the smart card; the smart card determines a biological characteristic key pair according to the fingerprint and a biological characteristic key extraction algorithm; the biological characteristic key pair comprises a biological characteristic private key and a biological characteristic public key;
the registration module is used for the smart card to determine first authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first terminal parameter; determining second authentication information according to the first identity information and the first authentication information; determining third authentication information according to the second authentication information and the second identity information; determining fourth authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first identity information; storing the pseudonym information, the third authentication information, the second authentication information, the fourth authentication information, the biological characteristic private key and the response parameter in the smart card; the first terminal parameter is sent to a server through a secure channel, and the server stores the pseudonym information and the first terminal parameter;
the login authentication module is used for the notebook terminal equipment to log in to the smart card according to the identity information, the input key and the fingerprint; the smart card determines a biometric private key according to the fingerprint, the biometric public key and a biometric key copying algorithm; determining a first terminal parameter according to the physical unclonable function and the response parameter; determining first generated authentication information according to the first hash function, the input key, the pseudonym information, the biometric private key, the identity information and the first terminal parameter; determining first identity information according to the first generated authentication information and the second authentication information; determining fourth generated authentication information according to the first hash function, the input key, the pseudonym information, the biometric private key, the identity information and the first identity information; further judging whether the fourth generated authentication information is equal to the fourth authentication information; if yes, continuing authentication; if not, refusing the login; the notebook terminal equipment randomly selects a timestamp; determining second identity information according to the third authentication information, the first generated authentication information and the biometric private key; then, randomly selecting an authentication random number, and determining fifth authentication information according to the authentication random number and the system parameters; determining sixth authentication information according to the fifth authentication information, the second identity information and the identity information; determining seventh authentication information according to the first hash function, the pseudonym information, the identity information, the second identity information, the fifth authentication information, the first terminal parameter and the timestamp; sending the pseudonym information, the sixth authentication information, the seventh authentication information, the third authentication information and the timestamp to the server; the server verifies the timestamp, and after the timestamp passes verification, the corresponding pseudonym information and first terminal parameter are determined according to the pseudonym information; determining fifth generated authentication information according to the system parameters and the third authentication information; determining second identity information according to the system parameters and the pseudonym information; determining identity information according to the sixth authentication information, the fifth generated authentication information and the second identity information; inquiring whether the determined identity information is in the database; when the determined identity information is in the database, continuing authentication; then, determining seventh generated authentication information according to the first hash function, the pseudonym information, the determined identity information, the second identity information, the fifth generated authentication information, the first terminal parameter and the timestamp; further verifying whether the seventh generated authentication information is equal to the stored seventh authentication information; when the seventh generated authentication information is equal to the stored seventh authentication information, continuing authentication; then, the server randomly selects a timestamp and a second parameter, and determines a first server parameter and a second server parameter; the pseudonym information is updated, and then the updated first identity information and the updated second identity information are calculated; determining eighth authentication information according to the updated first identity information, the updated second identity information, the updated pseudonym information and the updated response parameters; determining ninth authentication information according to the second hash function, the updated pseudonym information, the determined identity information, the second identity information, the updated first identity information, the updated second identity information, the second server parameter, the fifth generated authentication information and the first terminal parameter; determining tenth authentication information according to the first hash function, the updated pseudonym information, the determined identity information, the ninth authentication information, the first terminal parameter and the timestamp randomly selected by the server; sending the first server parameter, the eighth authentication information, the tenth authentication information and the timestamp randomly selected by the server to the notebook terminal equipment; the notebook terminal equipment verifies the timestamp randomly selected by the server, and determines a first terminal parameter according to the physical unclonable function after the verification is passed; further determining a generated second server parameter, ninth generated authentication information and tenth generated authentication information; judging whether the tenth generated authentication information is equal to the tenth authentication information; when the tenth generated authentication information is equal to the tenth authentication information, the session key of the notebook terminal device is equal to the session key of the server; the notebook terminal device and the server communicate through the session key.
Optionally, the method further comprises:
the password updating module is used for updating the response parameter, the first authentication information, the second authentication information, the third authentication information and the fourth authentication information by the smart card; and storing the updated pseudonym information, the second authentication information, the third authentication information, the fourth authentication information and the response parameter.
According to the specific embodiment provided by the invention, the invention discloses the following technical effects:
The security authentication method and system for notebook terminal equipment provided by the invention integrate three-factor authentication, a physical unclonable function (PUF) and a bilinear mapping algorithm to ensure the authentication security of the notebook terminal equipment, with higher security owing to the specific security environment. A pseudonym is introduced to protect the identity of the notebook terminal, and the secret parameters are updated after the authentication of the notebook terminal is completed, so that authentication security is ensured. By registering with the server, the notebook terminal device generates the corresponding secret parameters and PUF secret values; it then encrypts using three-factor authentication together with the bilinear mapping algorithm and the PUF, and encryption in this manner can reach a higher security level. The session key is based on the secret value and the updated secret value and is generated separately by the notebook terminal device and the server, which both ensures the security of the session key and solves the problem of its forward and backward security. The invention ensures that the notebook terminal equipment and the service network can authenticate each other and securely negotiate the session key, can resist common attacks, and ensures the security of communication.
Drawings
In order to illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the embodiments are briefly described below. The drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic flow chart of a security authentication method for a notebook terminal device according to the present invention;
Fig. 2 is a schematic diagram illustrating the authentication principle of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention aims to provide a security authentication method and a security authentication system for notebook terminal equipment, which can improve the communication security of the notebook terminal equipment and ensure the privacy security.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in further detail below.
Fig. 1 is a schematic flow chart of a security authentication method for a notebook terminal device provided by the present invention, fig. 2 is a schematic diagram of an authentication principle of the present invention, and as shown in fig. 1 and fig. 2, the security authentication method for a notebook terminal device provided by the present invention includes:
S101, initializing a server, determining system parameters of the server, and publishing them; the system parameters include: a prime order, a first group and a second group determined according to the prime order, the relation between the first group and the second group, a public key, a first hash function, a second hash function, a first parameter and a second parameter; the first parameter is used for multiplying the random number to determine a public key; the second parameter is determined according to the relationship between the first group and the second group, the first parameter and the random number;
S102, the notebook terminal equipment is registered on a server, and the server generates corresponding identity information; and storing the identity information in a database;
S103, the server selects the pseudonym information and the response parameter, and further determines first identity information and second identity information according to the system parameter; determining first information according to the first identity information, the second identity information, the pseudonym information and corresponding parameters and sending the first information to the smart card; the first information and the identity information are sent to the notebook terminal equipment;
S104, the notebook terminal equipment determines a first terminal parameter by using a physical unclonable function and a response parameter; determining an input key according to the first terminal parameter and the first parameter; further sending the input key and the fingerprint to the smart card;
S105, the smart card determines a biological characteristic key pair according to the fingerprint and a biological characteristic key extraction algorithm; the biological characteristic key pair comprises a biological characteristic private key and a biological characteristic public key;
S106, the smart card determines first authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first terminal parameter; determining second authentication information according to the first identity information and the first authentication information; determining third authentication information according to the second authentication information and the second identity information; determining fourth authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first identity information; storing the pseudonym information, the third authentication information, the second authentication information, the fourth authentication information, the biological characteristic private key and the response parameter in the smart card; the first terminal parameter is sent to a server through a secure channel, and the server stores the pseudonym information and the first terminal parameter;
S107, the notebook terminal equipment logs in to the smart card according to the identity information, the input key and the fingerprint;
S108, the smart card determines a biological characteristic private key according to the fingerprint, the biological characteristic public key and a biological characteristic key copying algorithm; determining a first terminal parameter according to the physical unclonable function and the response parameter; determining first generation authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first terminal parameter; determining first identity information according to the first generated authentication information and the second authentication information; determining fourth generation authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first identity information; further judging whether the fourth generated authentication information is equal to the fourth authentication information; if yes, continuing authentication; if not, refusing to log in;
S109, the notebook terminal equipment randomly selects a timestamp; determining second identity information according to the third authentication information, the first generation authentication information and the biological characteristic private key; then, randomly selecting an authentication random number, and determining fifth authentication information according to the authentication random number and system parameters; determining sixth authentication information according to the fifth authentication information, the second identity information and the identity information; determining seventh authentication information according to the first hash function, the pseudonym information, the identity information, the second identity information, the fifth authentication information, the first terminal parameter and the timestamp; sending the pseudonym information, the sixth authentication information, the seventh authentication information, the third authentication information and the timestamp to a server;
S110, the server verifies the timestamp, and after the timestamp passes the verification, corresponding pseudonym information and first terminal parameters are determined according to the pseudonym information; determining fifth generation authentication information according to the system parameters and the third authentication information; determining second identity information according to the system parameters and the pseudonym information; determining identity information according to the sixth authentication information, the fifth generated authentication information and the second identity information; inquiring whether the determined identity information is in a database; when the determined identity information is in the database, continuing authentication; then, determining seventh generation authentication information according to the first hash function, the pseudonym information, the determined identity information, the second identity information, the fifth generation authentication information, the first terminal parameter and the timestamp; further verifying whether the seventh generated authentication information is equal to the stored seventh authentication information; when the seventh generated authentication information is equal to the stored seventh authentication information, continuing authentication; then, the server randomly selects a timestamp and a second parameter, and determines a first server parameter and a second server parameter; the pseudonym information is updated, and then the updated first identity information and the updated second identity information are calculated; determining eighth authentication information according to the updated first identity information, the updated second identity information, the updated pseudonym information and the updated response parameters; determining ninth authentication information according to the second hash function, the updated pseudonym information, the determined identity information, the second identity information, the updated first identity information, the updated second identity information, the second server parameter, the fifth generation authentication information and the first terminal parameter; determining tenth authentication information according to the first hash function, the updated pseudonym information, the determined identity information, the ninth authentication information, the first terminal parameter and the timestamp randomly selected by the server; sending the first server parameter, the eighth authentication information, the tenth authentication information and the timestamp randomly selected by the server to the notebook terminal equipment;
S111, the notebook terminal equipment verifies the timestamp randomly selected by the server, and determines a first terminal parameter according to a physical unclonable function after the verification is passed; further determining a second generation server parameter, ninth generation authentication information and tenth generation authentication information; judging whether the tenth generated authentication information is equal to the tenth authentication information; when the tenth generated authentication information is equal to the tenth authentication information, the session key of the notebook terminal device is equal to the session key of the server;
S112, the notebook terminal device and the server communicate through the session key.
After S112, the method further includes: the smart card updates the response parameter, the first authentication information, the second authentication information, the third authentication information and the fourth authentication information; and stores the updated pseudonym information, the second authentication information, the third authentication information, the fourth authentication information and the response parameter.
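The smart-card side of S106 (registration) and S108 (local login check), as an added example that is not code from the patent. The formulas are not reproduced on this page, so SHA-256 as the first hash function, XOR as the masking operation, the HMAC-based `SimulatedPUF`, and the exact-match `gen`/`rep` stand-ins for the biometric key algorithms are all assumptions; the third authentication information is left out.

```python
import hashlib
import hmac
import secrets


def h1(*fields: bytes) -> bytes:
    """Assumed first hash function: SHA-256 over length-prefixed fields."""
    digest = hashlib.sha256()
    for field in fields:
        digest.update(len(field).to_bytes(4, "big") + field)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Assumed masking operation; both inputs must have the same length."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedPUF:
    """Software stand-in for a hardware PUF: a challenge maps to a stable
    response that only this device instance can reproduce."""

    def __init__(self) -> None:
        self._device_secret = secrets.token_bytes(32)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._device_secret, challenge, hashlib.sha256).digest()


def gen(fingerprint: bytes) -> tuple:
    """Stand-in for GEN: returns (biometric private key, public helper).
    A real fuzzy extractor tolerates sensor noise; this one needs an exact template."""
    helper = secrets.token_bytes(16)
    return h1(b"bio", helper, fingerprint), helper


def rep(fingerprint: bytes, helper: bytes) -> bytes:
    """Stand-in for REP: reproduces the biometric private key from the helper."""
    return h1(b"bio", helper, fingerprint)


def register(identity, pseudonym, challenge, first_identity, password, fingerprint, puf):
    """S104-S106: build the values the smart card stores."""
    r1 = puf.respond(challenge)                       # first terminal parameter
    bio_key, helper = gen(fingerprint)                # biometric key pair
    a1 = h1(password, pseudonym, bio_key, identity, r1)   # first authentication information
    a2 = xor(first_identity, a1)                      # second: masks the first identity information
    a4 = h1(password, pseudonym, bio_key, identity, first_identity)  # fourth: local verifier
    card = {"pseudonym": pseudonym, "challenge": challenge,
            "helper": helper, "a2": a2, "a4": a4}
    return card, r1                                   # r1 goes to the server over the secure channel


def card_login(card, identity, password, fingerprint, puf):
    """S108: recompute everything from the three factors and compare with the
    stored fourth authentication information. Returns the recovered first
    identity information, or None when login is refused."""
    bio_key = rep(fingerprint, card["helper"])
    r1 = puf.respond(card["challenge"])
    a1 = h1(password, card["pseudonym"], bio_key, identity, r1)
    first_identity = xor(card["a2"], a1)              # wrong factor -> garbage value
    a4 = h1(password, card["pseudonym"], bio_key, identity, first_identity)
    if not hmac.compare_digest(a4, card["a4"]):       # constant-time comparison
        return None
    return first_identity


def demo() -> dict:
    """Constructed sample values; every failure case changes exactly one factor."""
    device, other_device = SimulatedPUF(), SimulatedPUF()
    identity, pseudonym = b"ID-constructed-001", b"PID-constructed-001"
    first_identity = secrets.token_bytes(32)          # server-derived in the patent
    card, _r1 = register(identity, pseudonym, b"challenge-constructed",
                         first_identity, b"correct horse", b"template-A", device)
    ok = card_login(card, identity, b"correct horse", b"template-A", device)
    return {
        "correct": ok == first_identity,
        "wrong_password": card_login(card, identity, b"guess", b"template-A", device) is None,
        "wrong_fingerprint": card_login(card, identity, b"correct horse", b"template-B", device) is None,
        "card_in_other_device": card_login(card, identity, b"correct horse", b"template-A", other_device) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The last case is the one the PUF adds: a card used with the right password and fingerprint still fails on a different device, because the first terminal parameter cannot be reproduced there.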
Through the steps, the method is divided into a system initialization stage, a registration stage, a login verification stage and a password updating stage; each stage is described below separately:
System initialization phase
At this stage, the server first selects two groups G1 and G2 of prime order, satisfying
Figure 429003DEST_PATH_IMAGE001
Selecting a random number
Figure 193609DEST_PATH_IMAGE023
Computing the public key
Figure 976757DEST_PATH_IMAGE002
Two secure hash functions are selected:
Figure 955208DEST_PATH_IMAGE003
Figure 832903DEST_PATH_IMAGE004
The server publishes the system parameters {q, G1, G2, Ppub, u, e, P, H1, H2} and keeps the long-term private key S.
Registration phase
Before the notebook terminal equipment can access the server, it must first register with the server. The server first generates the identity information
Figure 931309DEST_PATH_IMAGE008
Figure 901671DEST_PATH_IMAGE009
and stores it in a database, while the server selects the pseudonym information
Figure 351106DEST_PATH_IMAGE009
then randomly selects
Figure 032492DEST_PATH_IMAGE024
as the response parameter, and calculates
Figure 250984DEST_PATH_IMAGE006
Figure 861088DEST_PATH_IMAGE007
It stores the message
Figure 532241DEST_PATH_IMAGE025
in a new smart card (SC) and finally sends the message
Figure 017318DEST_PATH_IMAGE026
to the notebook terminal equipment
Figure 106628DEST_PATH_IMAGE008
. After the notebook terminal equipment
Figure 402480DEST_PATH_IMAGE027
receives the message,
Figure 358933DEST_PATH_IMAGE027
first uses its own PUF to calculate
Figure 883586DEST_PATH_IMAGE028
then inputs the password
Figure 342249DEST_PATH_IMAGE029
and the fingerprint
Figure 058270DEST_PATH_IMAGE030
into the smart card, and the smart card then calculates
Figure 704015DEST_PATH_IMAGE011
where GEN(·) is the biometric key extraction algorithm and REP(·) is the biometric key duplication algorithm.
Figure 297939DEST_PATH_IMAGE014
Figure 860376DEST_PATH_IMAGE015
Figure 498031DEST_PATH_IMAGE017
Figure 912963DEST_PATH_IMAGE017
Lastly, the message
Figure 543533DEST_PATH_IMAGE031
Figure 711209DEST_PATH_IMAGE032
is stored in the smart card
Figure 322362DEST_PATH_IMAGE033
Finally, through a secure channel, the message
Figure 926388DEST_PATH_IMAGE034
is sent to the server. After receiving the message, the server stores
Figure 127693DEST_PATH_IMAGE035
}.
Login authentication phase
(1) The notebook terminal equipment
Figure 884297DEST_PATH_IMAGE027
first inputs the user name
Figure 847442DEST_PATH_IMAGE036
Figure 955076DEST_PATH_IMAGE037
and the fingerprint
Figure 163334DEST_PATH_IMAGE038
into the smart card. The smart card
Figure 040023DEST_PATH_IMAGE039
computes
Figure 439649DEST_PATH_IMAGE040
where REP(·) is the biometric key duplication algorithm,
Figure 769000DEST_PATH_IMAGE041
the first generation authentication information
Figure 780949DEST_PATH_IMAGE042
Figure 512145DEST_PATH_IMAGE043
and the fourth generation authentication information
Figure 607971DEST_PATH_IMAGE044
If the computed
Figure 175350DEST_PATH_IMAGE045
and the stored
Figure 240258DEST_PATH_IMAGE046
are equal, authentication continues; otherwise login is denied. The device
Figure 075228DEST_PATH_IMAGE027
randomly selects a timestamp
Figure 301810DEST_PATH_IMAGE047
computes
Figure 622064DEST_PATH_IMAGE048
then randomly selects
Figure 225083DEST_PATH_IMAGE049
and calculates the value
Figure 914560DEST_PATH_IMAGE050
the fifth authentication information
Figure 843201DEST_PATH_IMAGE051
the sixth authentication information
Figure 854014DEST_PATH_IMAGE052
and the seventh authentication information
Figure 526304DEST_PATH_IMAGE053
. The device
Figure 335865DEST_PATH_IMAGE027
sends the message
Figure 904250DEST_PATH_IMAGE054
to the server
Figure 933517DEST_PATH_IMAGE055
(2) When the server
Figure 878339DEST_PATH_IMAGE055
receives the message,
Figure 548267DEST_PATH_IMAGE055
first verifies whether the timestamp
Figure 303865DEST_PATH_IMAGE056
is within the legal range. If it is not, authentication is refused; otherwise, according to
Figure 804116DEST_PATH_IMAGE057
it looks up in the database the values
Figure 067476DEST_PATH_IMAGE058
. If the lookup fails, authentication is rejected; otherwise it computes the fifth generation authentication information
Figure 602363DEST_PATH_IMAGE059
Figure 794441DEST_PATH_IMAGE060
Figure 296835DEST_PATH_IMAGE061
The server
Figure 583460DEST_PATH_IMAGE055
queries the database to verify the identity information
Figure 723585DEST_PATH_IMAGE062
If it is not in the database, authentication is terminated; otherwise authentication continues. The server
Figure 070253DEST_PATH_IMAGE055
calculates the seventh generation authentication information
Figure 528785DEST_PATH_IMAGE063
and verifies whether the calculated
Figure 619101DEST_PATH_IMAGE064
and the received
Figure 879312DEST_PATH_IMAGE065
are equal. If they are equal, authentication continues; otherwise authentication is terminated.
Figure 396881DEST_PATH_IMAGE055
randomly selects
Figure 891446DEST_PATH_IMAGE066
and calculates the first server parameter
Figure 519873DEST_PATH_IMAGE067
and the second server parameter
Figure 369012DEST_PATH_IMAGE068
. The server
Figure 057482DEST_PATH_IMAGE055
randomly selects a timestamp
Figure 490606DEST_PATH_IMAGE069
and selects a new pseudonym
Figure 922724DEST_PATH_IMAGE070
and a random value
Figure 157528DEST_PATH_IMAGE071
then calculates
Figure 016899DEST_PATH_IMAGE072
Figure 937320DEST_PATH_IMAGE073
the eighth authentication information
Figure 923862DEST_PATH_IMAGE074
the ninth authentication information
Figure 996860DEST_PATH_IMAGE075
and the tenth authentication information
Figure 276400DEST_PATH_IMAGE076
. Finally, the server
Figure 700428DEST_PATH_IMAGE055
sends the message
Figure 756240DEST_PATH_IMAGE077
to the device
Figure 949324DEST_PATH_IMAGE078
(3) When the device
Figure 671204DEST_PATH_IMAGE078
receives the message
Figure 802103DEST_PATH_IMAGE077
},
Figure 379714DEST_PATH_IMAGE078
first verifies whether the timestamp
Figure 942152DEST_PATH_IMAGE079
is within the legal range. If it is not, authentication is refused; otherwise the device uses its own PUF to calculate
Figure 314227DEST_PATH_IMAGE080
and then calculates the second generation server parameter
Figure 198001DEST_PATH_IMAGE081
Figure 313724DEST_PATH_IMAGE082
Figure 465089DEST_PATH_IMAGE083
Figure 008066DEST_PATH_IMAGE084
. If the calculated
Figure 644714DEST_PATH_IMAGE085
and the received
Figure 298550DEST_PATH_IMAGE086
are equal, this verifies that the computed session key and the session key of the server are equal; otherwise, authentication ends. The smart card
Figure 570000DEST_PATH_IMAGE087
computes
Figure DEST_PATH_IMAGE088
Figure 362507DEST_PATH_IMAGE089
Figure 938981DEST_PATH_IMAGE090
Figure 639916DEST_PATH_IMAGE091
Finally, the smart card
Figure 516605DEST_PATH_IMAGE087
updates the stored message to
Figure 417696DEST_PATH_IMAGE092
. Finally, the notebook terminal equipment
Figure 996314DEST_PATH_IMAGE093
and the server
Figure 257531DEST_PATH_IMAGE094
communicate through the session key.
Password updating phase
The notebook terminal equipment
Figure 739459DEST_PATH_IMAGE093
first inputs the user name
Figure 529560DEST_PATH_IMAGE095
Figure 346206DEST_PATH_IMAGE096
and the fingerprint
Figure 660382DEST_PATH_IMAGE097
into the smart card. The smart card
Figure 246084DEST_PATH_IMAGE098
computes
Figure 223399DEST_PATH_IMAGE099
Figure 527341DEST_PATH_IMAGE100
Figure 379628DEST_PATH_IMAGE101
Figure 819837DEST_PATH_IMAGE102
Figure 233632DEST_PATH_IMAGE103
If the computed
Figure 493712DEST_PATH_IMAGE104
and the stored
Figure 421129DEST_PATH_IMAGE105
are equal, login continues; otherwise, login is denied. Then the notebook terminal equipment
Figure 732155DEST_PATH_IMAGE093
inputs into the smart card
Figure 566119DEST_PATH_IMAGE098
a new password
Figure 828342DEST_PATH_IMAGE106
Figure 773164DEST_PATH_IMAGE107
Figure 938698DEST_PATH_IMAGE108
Figure 677983DEST_PATH_IMAGE109
Figure 178235DEST_PATH_IMAGE110
Finally, the new message
Figure 441595DEST_PATH_IMAGE111
is written to the smart card
Figure 461635DEST_PATH_IMAGE112
. The password update is completed.
The invention provides a security authentication system of notebook terminal equipment, comprising:
the server initialization module is used for initializing the server, determining the system parameters of the server and publishing the system parameters; the system parameters include: a prime order, a first group and a second group determined according to the prime order, the relation between the first group and the second group, a public key, a first hash function, a second hash function, a first parameter and a second parameter; the first parameter is used for multiplying the random number to determine a public key; the second parameter is determined according to the relationship between the first group and the second group, the first parameter and the random number;
the notebook terminal equipment is registered on the server, and the server generates corresponding identity information; and storing the identity information in a database;
the server selects the pseudonym information and the response parameter, and then determines first identity information and second identity information according to the system parameter; determining first information according to the first identity information, the second identity information, the pseudonym information and corresponding parameters and sending the first information to the smart card; the first information and the identity information are sent to the notebook terminal equipment; the notebook terminal equipment determines a first terminal parameter by using a physical unclonable function and a response parameter; determining an input key according to the first terminal parameter and the first parameter; further sending the input key and the fingerprint to the smart card; the smart card determines a biological characteristic key pair according to the fingerprint and a biological characteristic key extraction algorithm; the biological characteristic key pair comprises a biological characteristic private key and a biological characteristic public key;
the registration module is used for the smart card to determine first authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first terminal parameter; determining second authentication information according to the first identity information and the first authentication information; determining third authentication information according to the second authentication information and the second identity information; determining fourth authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first identity information; storing the pseudonym information, the third authentication information, the second authentication information, the fourth authentication information, the biological characteristic private key and the response parameter in the smart card; the first terminal parameter is sent to a server through a secure channel, and the server stores the pseudonym information and the first terminal parameter;
the login authentication module is used for the notebook terminal equipment to log in the intelligent card according to the identity information, the input key and the fingerprint; the smart card determines a biological characteristic private key according to the fingerprint, the biological characteristic public key and a biological characteristic key copying algorithm; determining a first terminal parameter according to the physical unclonable function and the response parameter; determining first generation authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first terminal parameter; determining first identity information according to the first generated authentication information and the second authentication information; determining fourth generation authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first identity information; further judging whether the fourth generated authentication information is equal to the fourth authentication information; if yes, continuing authentication; if not, refusing to log in; randomly selecting a timestamp by a terminal of the equipment; determining second identity information according to the third authentication information, the first generation authentication information and the biological characteristic private key; then, randomly selecting an authentication random number, and determining fifth authentication information according to the authentication random number and system parameters; determining sixth authentication information according to the fifth authentication information, the second identity information and the identity information; determining seventh authentication information according to the first hash function, the pseudonym information, the 
identity information, the second identity information, the fifth authentication information, the first terminal parameter and the timestamp; sending the pseudonym information, the sixth authentication information, the seventh authentication information, the third authentication information and the timestamp to a server; the server verifies the timestamp, and after the timestamp passes verification, corresponding pseudonym information and first terminal parameters are determined according to the pseudonym information; determining fifth generation authentication information according to the system parameters and the third authentication information; determining second identity information according to the system parameters and the pseudonym information; determining identity information according to the sixth authentication information, the fifth generated authentication information and the second identity information; inquiring whether the determined identity information is in a database; when the determined identity information is in the database, continuing authentication; then, determining seventh generation authentication information according to the first hash function, the pseudonym information, the determined identity information, the second identity information, the fifth generation authentication information, the first terminal parameter and the timestamp; further verifying whether the seventh generated authentication information is equal to the stored seventh authentication information; when the seventh generated authentication information is equal to the stored seventh authentication information, continuing authentication; then, the server randomly selects a timestamp and a second parameter, and determines a first server parameter and a second server parameter; the pseudonym information is updated, and then the updated first identity information and the updated second identity information are calculated; determining eighth verification information 
according to the updated first identity information, the updated second identity information, the updated pseudonym information and the updated response parameters; determining ninth authentication information according to the second hash function, the updated pseudonym information, the determined identity information, the second identity information, the updated first identity information, the updated second identity information, the second server parameter, the fifth generation authentication information and the first terminal parameter; determining tenth authentication information according to the first hash function, the updated pseudonym information, the determined identity information, the ninth authentication information, the first terminal parameter and the timestamp randomly selected by the server; sending the first server parameter, the eighth authentication information, the tenth authentication information and the timestamp randomly selected by the server to the notebook terminal equipment; the notebook terminal equipment verifies the timestamp randomly selected by the server, and determines a first terminal parameter according to a physical unclonable function after the verification is passed; further determining a second generation server parameter, ninth generation authentication information and tenth generation authentication information; judging whether the tenth generated authentication information is equal to the tenth authentication information; when the tenth generated authentication information is equal to the tenth authentication information, the session key of the notebook terminal device is equal to the session key of the server; the notebook terminal device and the server communicate through the session key.
The invention provides a security authentication system of notebook terminal equipment, which further comprises:
the password updating module is used for the smart card to update the response parameter, the first authentication information, the second authentication information, the third authentication information and the fourth authentication information; and to store the updated pseudonym information, the second authentication information, the third authentication information, the fourth authentication information and the response parameter.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. For the system disclosed by the embodiment, the description is relatively simple because the system corresponds to the method disclosed by the embodiment, and the relevant points can be referred to the method part for description.
The principles and embodiments of the present invention have been described herein using specific examples, which are provided only to help understand the method and the core concept of the present invention; meanwhile, for a person skilled in the art, according to the idea of the present invention, the specific embodiments and the application range may be changed. In view of the above, the present disclosure should not be construed as limiting the invention.

Claims (8)

1. A security authentication method of a notebook terminal device is characterized by comprising the following steps:
initializing a server, determining system parameters of the server, and publishing them; the system parameters include: a prime order, a first group and a second group determined according to the prime order, the relation between the first group and the second group, a public key, a first hash function, a second hash function, a first parameter and a second parameter; the first parameter is used for multiplying the random number to determine a public key; the second parameter is determined according to the relationship between the first group and the second group, the first parameter and the random number;
the notebook terminal equipment is registered on the server, and the server generates corresponding identity information; and storing the identity information in a database;
the server selects the pseudonym information and the response parameter, and then determines first identity information and second identity information according to the system parameter; sending first information comprising first identity information, second identity information, pseudonym information and response parameters to the smart card; the first information and the identity information are sent to the notebook terminal equipment;
the notebook terminal equipment determines a first terminal parameter by using a physical unclonable function and a response parameter; determining an input key according to the first terminal parameter and the first parameter; further sending the input key and the fingerprint to the smart card;
the smart card determines a biological characteristic key pair according to the fingerprint and a biological characteristic key extraction algorithm; the biological characteristic key pair comprises a biological characteristic private key and a biological characteristic public key;
the smart card determines first authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first terminal parameter; determining second authentication information according to the first identity information and the first authentication information; determining third authentication information according to the second authentication information and the second identity information; determining fourth authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first identity information; storing the pseudonym information, the third authentication information, the second authentication information, the fourth authentication information, the biological characteristic public key and the response parameter in the smart card; the first terminal parameter is sent to a server through a secure channel, and the server stores the pseudonym information and the first terminal parameter;
the notebook terminal equipment logs in to the smart card according to the identity information, the input key and the fingerprint;
the smart card determines a biological characteristic private key according to the fingerprint, the biological characteristic public key and a biological characteristic key copying algorithm; determining a first terminal parameter according to the physical unclonable function and the response parameter; determining first generation authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first terminal parameter; determining first identity information according to the first generated authentication information and the second authentication information; determining fourth generation authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first identity information; further judging whether the fourth generated authentication information is equal to the fourth authentication information; if yes, continuing authentication; if not, refusing to log in;
randomly selecting a timestamp by the notebook equipment terminal; determining second identity information according to the third authentication information, the first generation authentication information and the biological characteristic private key; then, randomly selecting an authentication random number, and determining fifth authentication information according to the authentication random number and system parameters; determining sixth authentication information according to the fifth authentication information, the second identity information and the identity information; determining seventh authentication information according to the first hash function, the pseudonym information, the identity information, the second identity information, the fifth authentication information, the first terminal parameter and the timestamp; the pseudonym information, the sixth authentication information, the seventh authentication information, the third authentication information and the timestamp are sent to a server;
the server verifies the timestamp, and after the timestamp passes verification, corresponding pseudonym information and first terminal parameters are determined according to the pseudonym information; determining fifth generation authentication information according to the system parameters and the third authentication information; determining second identity information according to the system parameters and the pseudonym information; determining identity information according to the sixth authentication information, the fifth generated authentication information and the second identity information; inquiring whether the determined identity information is in a database; when the determined identity information is in the database, continuing authentication; then, determining seventh generation authentication information according to the first hash function, the pseudonym information, the determined identity information, the second identity information, the fifth generation authentication information, the first terminal parameter and the timestamp; further verifying whether the seventh generated authentication information is equal to the stored seventh authentication information; when the seventh generated authentication information is equal to the stored seventh authentication information, continuing authentication; then, the server randomly selects a timestamp and a second parameter, and determines a first server parameter and a second server parameter; the pseudonym information is updated, and then the updated first identity information and the updated second identity information are calculated; determining eighth authentication information according to the updated first identity information, the updated second identity information, the updated pseudonym information and the updated response parameter; determining ninth authentication information according to the second hash function, the updated pseudonym information, the determined identity information, the second identity information, the updated first identity information, the updated second identity information, the second server parameter, the fifth generation authentication information and the first terminal parameter; determining tenth authentication information according to the first hash function, the updated pseudonym information, the determined identity information, the ninth authentication information, the first terminal parameter and the timestamp randomly selected by the server; sending the first server parameter, the eighth authentication information, the tenth authentication information and the timestamp randomly selected by the server to the notebook terminal equipment;
the notebook terminal equipment randomly selects a timestamp for verification on the server, and determines a first terminal parameter according to a physical unclonable function after the verification is passed; determining a second generation server parameter according to the system parameter and the random number of the server, determining a ninth generation authentication information according to a second hash function, the updated pseudonym information, the determined identity information, the second identity information, the updated first identity information, the updated second identity information, the fifth generation authentication information and the first terminal parameter, and determining a tenth generation authentication information according to the first hash function, the updated pseudonym information, the determined identity information, the ninth authentication information, the first terminal parameter and the time stamp; judging whether the tenth generated authentication information is equal to the tenth authentication information; when the tenth generated authentication information is equal to the tenth authentication information, the session key of the notebook terminal device is equal to the session key of the server;
the notebook terminal equipment and the server communicate through the session key;
the smart card calculates the updated first terminal parameter, the updated first authentication information, the updated second authentication information, the updated third authentication information and the updated fourth authentication information; storing the updated pseudonym information, the updated third authentication information, the updated second authentication information, the updated fourth authentication information, the biological characteristic public key and the updated response parameter in the smart card; finally, the notebook terminal equipment and the server communicate through the session key;
the server selects the pseudonym information and the response parameter, and further determines first identity information and second identity information according to the system parameter, and the method specifically comprises the following steps:
using formulas
Figure DEST_PATH_IMAGE001
Determining first identity information;
using formulas
Figure DEST_PATH_IMAGE002
Determining second identity information;
wherein A_i is the first identity information, B_i is the second identity information,
Figure DEST_PATH_IMAGE003
is the identity information,
Figure DEST_PATH_IMAGE004
is the pseudonym information, s is the private key of the server, H_1 is the first hash function,
Figure DEST_PATH_IMAGE005
is the updated pseudonym information,
Figure DEST_PATH_IMAGE006
is a random value,
Figure DEST_PATH_IMAGE007
is a time stamp, W_i is the first terminal parameter, PUF(·) is a physically unclonable function, w_i is the response parameter, and H_2 is the second hash function.
2. The security authentication method of the notebook terminal device according to claim 1, wherein initializing the server, determining system parameters of the server, and publishing the system parameters specifically comprises:
Figure DEST_PATH_IMAGE008
Figure DEST_PATH_IMAGE009
Figure DEST_PATH_IMAGE010
Figure DEST_PATH_IMAGE011
wherein e is the relationship between the first group and the second group, G_1 is the first group, G_2 is the second group, P_pub is the public key, H_1 is the first hash function, H_2 is the second hash function, P is the first parameter, u is the second parameter, s is a random number,
Figure DEST_PATH_IMAGE012
is a prime number set, and q is a prime number.
3. The security authentication method of the notebook terminal device according to claim 1, wherein the notebook terminal device determines the first terminal parameter by using a physical unclonable function and a response parameter, and specifically comprises:
using formulas
Figure DEST_PATH_IMAGE013
Determining a first terminal parameter;
wherein W_i is the first terminal parameter, PUF(·) is a physically unclonable function, and w_i is the response parameter.
4. The security authentication method of the notebook terminal device according to claim 3, wherein the smart card determines the biometric key pair according to the fingerprint and the biometric key extraction algorithm, and specifically comprises:
using formulas
Figure DEST_PATH_IMAGE014
Determining a biometric key pair;
wherein
Figure DEST_PATH_IMAGE015
is the biometric private key,
Figure DEST_PATH_IMAGE016
is the biometric public key, GEN(·) is the biometric key extraction algorithm, and FP_i is the fingerprint.
5. The security authentication method of the notebook terminal device according to claim 4, wherein the smart card determines the first authentication information according to a first hash function, the input key, the pseudonym information, the biometric private key, the identity information, and the first terminal parameter; determining second authentication information according to the first identity information and the first authentication information; determining third authentication information according to the second authentication information and the second identity information; determining fourth authentication information according to the first hash function, the input key, the pseudonym information, the biological feature private key, the identity information and the first identity information, and specifically comprising:
using formulas
Figure DEST_PATH_IMAGE017
Determining first authentication information;
using formulas
Figure DEST_PATH_IMAGE018
Determining second authentication information;
using formulas
Figure DEST_PATH_IMAGE019
Determining third authentication information;
using formulas
Figure DEST_PATH_IMAGE020
Determining fourth authentication information;
wherein
Figure DEST_PATH_IMAGE021
is the first authentication information,
Figure DEST_PATH_IMAGE022
is the second authentication information,
Figure DEST_PATH_IMAGE023
is the third authentication information,
Figure DEST_PATH_IMAGE024
is the fourth authentication information, and
Figure DEST_PATH_IMAGE025
is the input key.
6. The method of claim 1, wherein the notebook terminal device and the server communicate with each other via a session key, and thereafter further comprising:
the smart card updates the response parameter, the first authentication information, the second authentication information, the third authentication information and the fourth authentication information; and storing the updated pseudonym information, the second authentication information, the third authentication information, the fourth authentication information and the response parameter.
7. A security authentication system of a notebook terminal device, comprising:
the server initialization module is used for initializing the server, determining the system parameters of the server and publishing the system parameters; the system parameters include: a prime order, a first group and a second group determined according to the prime order, the relation between the first group and the second group, a public key, a first hash function, a second hash function, a first parameter and a second parameter; the first parameter is multiplied by the random number to determine the public key; the second parameter is determined according to the relationship between the first group and the second group, the first parameter and the random number;
the notebook terminal equipment is registered on the server, and the server generates corresponding identity information; and storing the identity information in a database;
the server selects the pseudonym information and the response parameter, and then determines first identity information and second identity information according to the system parameter; sending first information comprising first identity information, second identity information, pseudonym information and response parameters to the smart card; the first information and the identity information are sent to the notebook terminal equipment; the notebook terminal equipment determines a first terminal parameter by using a physical unclonable function and a response parameter; determining an input key according to the first terminal parameter and the first parameter; further sending the input key and the fingerprint to the smart card; the smart card determines a biological characteristic key pair according to the fingerprint and a biological characteristic key extraction algorithm; the biological characteristic key pair comprises a biological characteristic private key and a biological characteristic public key;
the registration module is used for the smart card to determine first authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first terminal parameter; determining second authentication information according to the first identity information and the first authentication information; determining third authentication information according to the second authentication information and the second identity information; determining fourth authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first identity information; storing the pseudonym information, the third authentication information, the second authentication information, the fourth authentication information, the biological characteristic public key and the response parameter in the smart card; the first terminal parameter is sent to a server through a secure channel, and the server stores the pseudonym information and the first terminal parameter;
the login authentication module is used for the notebook terminal equipment to log in to the smart card according to the identity information, the input key and the fingerprint; the smart card determines a biological characteristic private key according to the fingerprint, the biological characteristic public key and a biological characteristic key copying algorithm; determining a first terminal parameter according to the physical unclonable function and the response parameter; determining first generation authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first terminal parameter; determining first identity information according to the first generated authentication information and the second authentication information; determining fourth generation authentication information according to the first hash function, the input key, the pseudonym information, the biological characteristic private key, the identity information and the first identity information; further judging whether the fourth generated authentication information is equal to the fourth authentication information; if yes, continuing authentication; if not, refusing to log in; randomly selecting a timestamp by a terminal of the equipment; determining second identity information according to the third authentication information, the first generation authentication information and the biological characteristic private key; then, randomly selecting an authentication random number, and determining fifth authentication information according to the authentication random number and system parameters; determining sixth authentication information according to the fifth authentication information, the second identity information and the identity information; determining seventh authentication information according to the first hash function, the pseudonym information, the identity information, the second identity information, the fifth authentication information, the first terminal parameter and the timestamp; the pseudonym information, the sixth authentication information, the seventh authentication information, the third authentication information and the timestamp are sent to a server; the server verifies the timestamp, and after the timestamp passes verification, corresponding pseudonym information and first terminal parameters are determined according to the pseudonym information; determining fifth generation authentication information according to the system parameters and the third authentication information; determining second identity information according to the system parameters and the pseudonym information; determining identity information according to the sixth authentication information, the fifth generated authentication information and the second identity information; inquiring whether the determined identity information is in a database; when the determined identity information is in the database, continuing authentication; then, determining seventh generation authentication information according to the first hash function, the pseudonym information, the determined identity information, the second identity information, the fifth generation authentication information, the first terminal parameter and the timestamp; further verifying whether the seventh generated authentication information is equal to the stored seventh authentication information; when the seventh generated authentication information is equal to the stored seventh authentication information, continuing authentication; then, the server randomly selects a timestamp and a second parameter, and determines a first server parameter and a second server parameter; the pseudonym information is updated, and then the updated first identity information and the updated second identity information are calculated; determining eighth authentication information according to the updated first identity information, the updated second identity information, the updated pseudonym information and the updated response parameter; determining ninth authentication information according to the second hash function, the updated pseudonym information, the determined identity information, the second identity information, the updated first identity information, the updated second identity information, the second server parameter, the fifth generation authentication information and the first terminal parameter; determining tenth authentication information according to the first hash function, the updated pseudonym information, the determined identity information, the ninth authentication information, the first terminal parameter and the timestamp randomly selected by the server; sending the first server parameter, the eighth authentication information, the tenth authentication information and the timestamp randomly selected by the server to the notebook terminal equipment; the notebook terminal equipment randomly selects a timestamp for verification on the server, and determines a first terminal parameter according to a physical unclonable function after the verification is passed; determining a second generation server parameter according to the system parameter and the random number of the server, determining a ninth generation authentication information according to a second hash function, the updated pseudonym information, the determined identity information, the second identity information, the updated first identity information, the updated second identity information, the fifth generation authentication information and the first terminal parameter, and determining a tenth generation authentication information according to the first hash function, the updated pseudonym information, the determined identity information, the ninth authentication information, the first terminal parameter and the time stamp; judging whether the tenth generated authentication information is equal to the tenth authentication information; when the tenth generated authentication information is equal to the tenth authentication information, the session key of the notebook terminal device is equal to the session key of the server;
the notebook terminal equipment and the server communicate through the session key;
the smart card calculates the updated first terminal parameter, the updated first authentication information, the updated second authentication information, the updated third authentication information and the updated fourth authentication information; storing the updated pseudonym information, the updated third authentication information, the updated second authentication information, the updated fourth authentication information, the biological characteristic public key and the updated response parameter in the smart card; finally, the notebook terminal equipment and the server communicate through the session key;
the server selects the pseudonym information and the response parameter, and further determines first identity information and second identity information according to the system parameter, and the method specifically comprises the following steps:
using formulas
Figure 84164DEST_PATH_IMAGE001
Determining first identity information;
using formulas
Figure 437523DEST_PATH_IMAGE002
Determining second identity information;
wherein A_i is the first identity information, B_i is the second identity information,
Figure 420522DEST_PATH_IMAGE003
is the identity information,
Figure 18994DEST_PATH_IMAGE004
is the pseudonym information, s is the private key of the server, H_1 is the first hash function,
Figure 771049DEST_PATH_IMAGE005
is the updated pseudonym information,
Figure 796774DEST_PATH_IMAGE006
is a random value,
Figure 765605DEST_PATH_IMAGE007
is a time stamp, W_i is the first terminal parameter, PUF(·) is a physically unclonable function, w_i is the response parameter, and H_2 is the second hash function.
8. The system of claim 7, further comprising:
the password updating module is used for updating the response parameter, the first authentication information, the second authentication information, the third authentication information and the fourth authentication information by the smart card; and storing the updated pseudonym information, the second authentication information, the third authentication information, the fourth authentication information and the response parameter.
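The smart-card registration of claim 5 and the local login check of claim 1 (recompute the fourth authentication information and refuse login on mismatch), as an added Python sketch that is not part of the patent text. The claim formulas are not reproduced on this page, so SHA-256 as H_1, XOR masking of A_i, the HMAC-simulated PUF and the exact-match stand-ins for GEN and the key copying algorithm are assumptions, and all names and sample values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


def h1(*fields: bytes) -> bytes:
    """Stand-in for the first hash function H_1 (assumption: SHA-256).
    Each field is length-prefixed so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big"))
        h.update(f)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def make_puf(device_secret: bytes) -> Callable[[bytes], bytes]:
    """Simulated PUF (assumption): the same challenge yields the same
    response on one device and an unrelated response on any other."""
    return lambda challenge: hmac.new(device_secret, challenge, hashlib.sha256).digest()


def gen(fingerprint: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for GEN: returns (biometric private key, biometric public key).
    Exact-match only; a real extractor tolerates sensor noise."""
    tau = secrets.token_bytes(16)
    return h1(b"bio", tau, fingerprint), tau


def rep(fingerprint: bytes, tau: bytes) -> bytes:
    """Stand-in for the key copying algorithm: rebuilds the private key."""
    return h1(b"bio", tau, fingerprint)


@dataclass(frozen=True)
class CardRecord:
    """What the card stores: no identity, input key or A_i in the clear."""
    pid: bytes             # pseudonym information
    c2: bytes              # second authentication information
    c4: bytes              # fourth authentication information
    tau: bytes             # biometric public key
    response_param: bytes  # response parameter w_i


def register(identity, input_key, fingerprint, pid, response_param, a_i, puf) -> CardRecord:
    sigma, tau = gen(fingerprint)
    w_term = puf(response_param)                          # W_i = PUF(w_i)
    c1 = h1(input_key, pid, sigma, identity, w_term)      # first authentication information
    c2 = xor(a_i, c1)                                     # masks A_i (assumed XOR)
    c4 = h1(input_key, pid, sigma, identity, a_i)         # local verifier
    return CardRecord(pid, c2, c4, tau, response_param)


def login(card: CardRecord, identity, input_key, fingerprint, puf) -> Optional[bytes]:
    """Returns the recovered A_i, or None when login is refused."""
    sigma = rep(fingerprint, card.tau)
    w_term = puf(card.response_param)
    c1 = h1(input_key, card.pid, sigma, identity, w_term)
    a_i = xor(card.c2, c1)
    c4 = h1(input_key, card.pid, sigma, identity, a_i)
    return a_i if hmac.compare_digest(c4, card.c4) else None


def demo() -> dict:
    puf_a = make_puf(b"constructed-device-A")
    puf_b = make_puf(b"constructed-device-B")
    a_i = secrets.token_bytes(32)  # placeholder for the server-issued A_i
    ident, key, fp = b"ID-0001", b"input-key", b"fp-template"
    card = register(ident, key, fp, b"PID-7f", b"challenge-w", a_i, puf_a)
    return {
        "accepted": login(card, ident, key, fp, puf_a) == a_i,
        "wrong_key_refused": login(card, ident, b"guess", fp, puf_a) is None,
        "wrong_fingerprint_refused": login(card, ident, key, b"other-fp", puf_a) is None,
        "other_device_refused": login(card, ident, key, fp, puf_b) is None,
        "a_i_not_stored": a_i not in (card.c2, card.c4),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

Because A_i is recovered only when the input key, the fingerprint and the device PUF response all match, a card moved to another device fails the same comparison as a wrong key does.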
CN202111606869.7A 2021-12-27 2021-12-27 Security authentication method and system for notebook terminal equipment Active CN113987451B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111606869.7A CN113987451B (en) 2021-12-27 2021-12-27 Security authentication method and system for notebook terminal equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111606869.7A CN113987451B (en) 2021-12-27 2021-12-27 Security authentication method and system for notebook terminal equipment

Publications (2)

Publication Number Publication Date
CN113987451A CN113987451A (en) 2022-01-28
CN113987451B true CN113987451B (en) 2022-04-08

Family

ID=79734333

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111606869.7A Active CN113987451B (en) 2021-12-27 2021-12-27 Security authentication method and system for notebook terminal equipment

Country Status (1)

Country Link
CN (1) CN113987451B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768660A (en) * 2018-05-28 2018-11-06 北京航空航天大学 Internet of things equipment identity identifying method based on physics unclonable function
CN111818039A (en) * 2020-07-03 2020-10-23 西安电子科技大学 Three-factor anonymous user authentication protocol method based on PUF in Internet of things
EP3770888A1 (en) * 2019-07-23 2021-01-27 Universidad de Sevilla A behavioral and physical unclonable function and a multi-modal cryptographic authentication method using the same
CN113824570A (en) * 2021-11-23 2021-12-21 北京中超伟业信息安全技术股份有限公司 Block chain-based security terminal authentication method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112069493A (en) * 2019-06-10 2020-12-11 联阳半导体股份有限公司 Authentication system and authentication method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Lightweight and Physically Secure Anonymous Mutual Authentication Protocol for Real-Time Data Access in Industrial Wireless Sensor Networks;Prosanta Gope 等;《IEEE transactions on industrial informatics》;20190930;第15卷(第9期);全文 *

Also Published As

Publication number Publication date
CN113987451A (en) 2022-01-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant