CN114417309A

CN114417309A - Bidirectional identity authentication method, device, equipment and storage medium

Info

Publication number: CN114417309A
Application number: CN202210064883.7A
Authority: CN
Inventors: 曹高明; 徐延林; 邓颂清; 杜海华; 梁倚梦; 马创奇; 丘坚; 张赐洲; 高铭瑜; 何舒琴
Original assignee: Digital Guangdong Network Construction Co Ltd
Current assignee: Digital Guangdong Network Construction Co Ltd
Priority date: 2022-01-20
Filing date: 2022-01-20
Publication date: 2022-04-29

Abstract

The embodiment of the invention discloses a bidirectional identity authentication method, a bidirectional identity authentication device, bidirectional identity authentication equipment and a bidirectional identity authentication storage medium. The method comprises the following steps: receiving a sender identification, a sender random number and a sender signature value; generating a sender identification public key according to the pre-acquired public parameters and the sender identification, and verifying the sender random number and the sender signature value by using the sender identification public key; and if the verification result is successful, generating a receiver time stamp signature value according to a pre-acquired receiver private key, and sending the receiver time stamp signature value and a receiver identifier corresponding to the receiver communication entity to the sender communication entity. The technical scheme of the embodiment of the invention improves the efficiency of the identity authentication of both sides of the communication entity, reduces the management cost of the authentication information in the authentication process, and simultaneously improves the safety of the identity authentication of both sides of the communication entity by combining the identification number, the time and the random number during the bidirectional authentication.

Description

Bidirectional identity authentication method, device, equipment and storage medium

Technical Field

The embodiment of the invention relates to the technical field of communication security, in particular to a bidirectional identity authentication method, a bidirectional identity authentication device, bidirectional identity authentication equipment and a bidirectional identity authentication storage medium.

Background

With the continuous development and enrichment of the internet, information systems based on cloud computing infrastructure, such as office applications, secure access, e-mails, video conferences, and the like, are also popularized and applied. Along with the continuous renovation of the attack means, the social engineering information security problem that hackers impersonate users, steal user identity information, steal and snoop user privacy data is increasingly highlighted by means of brute force cracking, automatic proxy and the like, and the verification of the authenticity of the accessed user identity becomes an important implementation means for guaranteeing the information security.

In a typical e-government network application, device-to-device authentication, as well as user-to-device authentication, is common. However, when the user or the device is authenticated in the existing access process, the user name and password authentication is usually used, and certain security risk exists. When the digital certificate authentication technology is used for authenticating the digital certificate and the certificate, the digital certificate issued by a trusted certificate authentication center is required to be authenticated, but the management of the certificate is complicated, the cost is high, and the technical implementation difficulty is high. When most service providers use self-generated certificates for authentication to avoid the complicated problem, the security risk of man-in-the-middle attack is difficult to prevent, and after a hacker establishes a pseudo trust channel between two communication entities needing to communicate through the self-generated certificates, barrier-free snooping and stealing of communication data of the two parties can be realized. The efficiency and the safety of the identity verification of the two communication parties are reduced, the safety and the easy use of the identity authentication in the access process of the two communication parties cannot be guaranteed, and the completeness of the bidirectional identity verification of the communication entity is reduced.

Disclosure of Invention

The invention provides a bidirectional identity authentication method, a device, equipment and a storage medium, which are used for authenticating the identities of two parties of a communication entity before the two parties need to communicate, thereby improving the authentication efficiency and safety of the identity authentication of the two parties of the communication entity, reducing the management difficulty of authentication information in the authentication process, reducing the memory required by the identity authentication in the communication entity and reducing the cost of the bidirectional identity authentication.

In a first aspect, a bidirectional authentication method provided in an embodiment of the present invention is applied to a receiving party communication entity, and includes:

receiving a sender identification, a sender random number and a sender signature value;

generating a sender identification public key according to the pre-acquired public parameters and the sender identification, and verifying the sender random number and the sender signature value by using the sender identification public key;

and if the verification result is successful, generating a receiver time stamp signature value according to a pre-acquired receiver private key, and sending the receiver time stamp signature value and a receiver identifier corresponding to the receiver communication entity to the sender communication entity.

Further, verifying the sender random number and the sender signature value using the sender identification public key comprises:

decrypting the signature value of the sender through the identification public key of the sender to determine a decrypted value;

if the decryption value is the same as the random number of the sender, determining the verification result as successful;

otherwise, the verification result is determined to be a failure.

Further, generating a receiver timestamp signature value according to a pre-acquired receiver private key, including:

acquiring a receiver timestamp by a common clock;

performing field combination on the time stamp of the receiver and the random number of the sender to generate a time stamp random number;

and encrypting the timestamp random number signature through a pre-acquired private key of the receiver to generate a signature value of the timestamp of the receiver.

Further, after determining the verification result as a failure, the method further includes:

communication between the receiver communication entity and the sender communication entity is cancelled.

Further, before receiving the sender identification, the sender random number, and the sender signature value, the method further includes:

and according to the receiver identification corresponding to the receiver communication entity, the key management platform acquires a receiver private key and public parameters corresponding to the receiver communication entity.

In a second aspect, an embodiment of the present invention further provides a bidirectional identity authentication method, applied to a sender communication entity, including:

when the secure communication is needed, a sender random number is generated, and the sender random number is encrypted through a sender private key signature obtained in advance to generate a sender signature value;

sending the sender random number, the sender signature value and a sender identification corresponding to the sender communication entity to a receiver communication entity;

generating a receiver identification public key according to the received receiver identification and a public parameter acquired in advance, and verifying the received receiver timestamp signature value by using the receiver identification public key and a sender random number;

and establishing communication between the communication entity of the sender and the communication entity of the receiver according to the verification result.

Further, verifying the received receiver timestamp signature value by using the receiver identification public key and the sender random number, comprising:

decrypting the receiver timestamp signature value through the receiver identification public key to determine a receiver timestamp and a decryption random value;

obtaining a sender timestamp by a common clock;

and verifying the time stamp of the receiving party and the decryption random number value according to the time stamp of the sending party and the random number of the sending party.

Further, verifying the receiver timestamp and the decrypted random number value according to the sender timestamp and the sender random number comprises:

determining a time difference between a sender timestamp and a receiver timestamp;

if the time difference is smaller than the preset time threshold value and the decryption random number value is the same as the sender random number, determining that the verification result is successful;

otherwise, determining that the verification result is failure.

Further, establishing communication between the sender communication entity and the receiver communication entity according to the verification result comprises:

if the verification result is successful, establishing the communication between the communication entity of the sender and the communication entity of the receiver;

and if the verification result is failure, canceling the communication between the communication entity of the receiver and the communication entity of the sender.

Further, before the secure communication, the method further comprises:

and according to the sender identification corresponding to the sender communication entity, the secret key management platform acquires a sender secret key and public parameters corresponding to the sender communication entity.

In a third aspect, an embodiment of the present invention further provides a bidirectional authentication apparatus, which is applied to a receiving party communication entity, where the bidirectional authentication apparatus includes:

the parameter receiving module is used for receiving the sender identifier, the sender random number and the sender signature value;

the signature value verification module is used for generating a sender identification public key according to the pre-acquired public parameters and the sender identification, and verifying the sender random number and the sender signature value by using the sender identification public key;

and the first parameter sending module is used for generating a receiver time stamp signature value according to a pre-acquired receiver private key and sending the receiver time stamp signature value and a receiver identifier corresponding to the receiver communication entity to the sender communication entity if the verification result is successful.

In a fourth aspect, an embodiment of the present invention further provides a bidirectional authentication apparatus, which is applied to a sender communication entity, where the bidirectional authentication apparatus includes:

the signature value generation module is used for generating a sender random number when the secure communication is required, and encrypting the sender random number through a sender private key signature acquired in advance to generate a sender signature value;

the second parameter sending module is used for sending the sender random number, the sender signature value and the sender identification corresponding to the sender communication entity to the receiver communication entity;

the parameter verification module is used for generating a receiver identification public key according to the received receiver identification and the pre-acquired public parameter, and verifying the received receiver timestamp signature value by using the receiver identification public key and the sender random number;

and the communication establishing module is used for establishing the communication between the communication entity of the sender and the communication entity of the receiver according to the verification result.

In a fifth aspect, an embodiment of the present invention further provides a bidirectional authentication device, including:

a storage device and one or more processors;

storage means for storing one or more programs;

the one or more programs, when executed by the one or more processors, cause the one or more processors to implement a two-way authentication method as described above in the first aspect when the two-way authentication device is a recipient communication entity and to implement a two-way authentication method as described above in the second aspect when the two-way authentication device is a sender communication entity.

In a sixth aspect, embodiments of the present invention also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform the bidirectional authentication method according to the first or second aspect.

The embodiment of the invention provides a bidirectional identity authentication method, a bidirectional identity authentication device, bidirectional identity authentication equipment and a bidirectional identity authentication storage medium, aiming at a communication entity of a receiver, the bidirectional identity authentication method comprises the steps of receiving an identifier of a sender, a random number of the sender and a signature value of the sender; generating a sender identification public key according to the pre-acquired public parameters and the sender identification, and verifying the sender random number and the sender signature value by using the sender identification public key; and if the verification result is successful, generating a receiver time stamp signature value according to a pre-acquired receiver private key, and sending the receiver time stamp signature value and a receiver identifier corresponding to the receiver communication entity to the sender communication entity. By adopting the technical scheme, when the safety communication is required, the receiver communication entity verifies that the sender communication entity is the communication entity which needs to be in communication connection through the received sender random number, the sender signature value and the sender identification of the sender communication entity, further generates the receiver timestamp signature value according to the pre-acquired receiver private key and the time for the receiver communication entity to send information to the sender communication entity, and sends the receiver timestamp signature value and the receiver identification corresponding to the receiver communication entity to the sender communication entity, so that the sender communication entity can verify the identity of the receiver communication entity according to the receiver timestamp signature value and the receiver identification containing the timestamp information. The problem of when traditional two-way authentication, if rely on password authentication technique, then the security is low, if rely on certificate authentication technique, then need rely on third party certificate authentication center, the management is complicated and with high costs is solved. The authentication between the two parties is not needed to be acquired through a third party certificate authentication center and the certificate information is not needed to be stored locally when the two parties perform authentication, so that the authentication efficiency of the two parties of the communication entity is improved, the management cost of the authentication information in the authentication process is reduced, and meanwhile, the security of the authentication between the two parties of the communication entity is improved by adopting a mode of combining the identification number, the time and the random number when the two-way authentication is performed.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.

Fig. 1 is a flowchart of a bidirectional authentication method according to a first embodiment of the present invention;

fig. 2 is a flowchart of a bidirectional authentication method according to a second embodiment of the present invention;

fig. 3 is a flowchart of a bidirectional authentication method according to a third embodiment of the present invention;

fig. 4 is a flowchart of a bidirectional authentication method according to a fourth embodiment of the present invention;

fig. 5 is a schematic flowchart of a fourth embodiment of the present invention, in which a receiver timestamp and a decrypted random number are verified according to a sender timestamp and a sender random number;

fig. 6 is a schematic structural diagram of a bidirectional authentication apparatus according to a fifth embodiment of the present invention;

fig. 7 is a schematic structural diagram of a bidirectional authentication apparatus according to a sixth embodiment of the present invention;

fig. 8 is a schematic structural diagram of a bidirectional authentication device in a seventh embodiment of the present invention;

fig. 9 is a diagram illustrating an example of a bidirectional authentication topology in a seventh embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings. It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the invention, as detailed in the appended claims.

In the description of the present invention, it is to be understood that the terms "first," "second," "third," and the like are used solely to distinguish one from another and are not necessarily used to describe a particular order or sequence, nor are they to be construed as indicating or implying relative importance. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations. In addition, in the description of the present invention, "a plurality" means two or more unless otherwise specified. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.

Example one

Fig. 1 is a flowchart of a bidirectional authentication method according to an embodiment of the present invention, where the present embodiment is applicable to a situation in which a receiving-side communication entity performs authentication on a sending-side communication entity and sends self authentication information to the sending-side communication entity for authentication of the sending-side communication entity, where the method may be executed by a bidirectional authentication apparatus, the bidirectional authentication apparatus may be implemented by software and/or hardware, the bidirectional authentication apparatus may be configured on a bidirectional authentication device, the bidirectional authentication device may be a computer device, and the computer device may be formed by two or more physical entities or may be formed by one physical entity. Generally, the computer device may be a notebook, a desktop computer, a smart tablet, and the like.

As shown in fig. 1, a bidirectional authentication method provided in this embodiment is applied to a receiving-party communication entity, and specifically includes the following steps:

s101, receiving a sender identification, a sender random number and a sender signature value.

In this embodiment, the receiver communication entity may be specifically understood as a communication entity of a communication receiver in two communication entities that need to perform secure communication, and optionally, the communication entity may be a mobile communication device, a notebook, a desktop computer, an intelligent tablet, and other computer devices that can implement interactive communication. The sender id may specifically be understood as a device code corresponding to a communication entity that is used as a communication initiator in secure communication, and it is to be understood that, for all communication entities in the same government network, each communication entity has its own device code, and information such as the location and type of the communication entity can be determined by the device code. A sender random number is understood in particular to be a random number value generated in the communication entity acting as a communication initiator. The sender signature value is understood to be a parameter value obtained by encrypting a sender random number by a signature technology.

Specifically, when secure communication is required between two communication entities, a receiver communication entity as a communication receiver receives a sender identifier, a sender random number, and a sender signature value transmitted by the sender communication entity.

S102, generating a sender identification public key according to the pre-acquired public parameters and the sender identification, and verifying the sender random number and the sender signature value by using the sender identification public key.

In this embodiment, the common parameter is specifically understood as a parameter value that is obtained by a communication entity from a Key Generation Center (KGC) in advance to identify a cryptographic algorithm, and it is required to be clear that, for a plurality of communication entities belonging to the same KGC, the common parameter obtained by the KGC is the same. The sender identification public key may specifically be understood as a non-secret half corresponding to the sender communication entity private key, a key used to correspondingly decrypt information encrypted by the sender private key.

Generally, for a government affair system, communication entities belonging to the same area are managed by the same KGC, the obtained common parameters are the same, bidirectional authentication can be directly performed between the communication entities in the area through the once obtained common parameters, and for other communication entities outside the area, bidirectional authentication cannot be performed due to different common parameters unless the corresponding common parameters are exchanged before authentication. Exemplarily, assuming that the respective communication entities in the Shenzhen city and the Zhuhai city are managed by two KGCs respectively, bidirectional identity authentication can be performed between the respective communication entities in the Shenzhen city based on the corresponding KGC common parameter, and bidirectional identity authentication cannot be performed between the communication entities in one Shenzhen city and one Zhuhai city directly based on the respectively obtained common parameter.

Specifically, according to an identification key algorithm conforming to the national password specification, a sender identification public key corresponding to a sender private key corresponding to a sender communication entity is generated by combining public parameters obtained by a key management platform in advance and a received sender identification, a received sender signature value is decrypted by using the sender identification public key, and the decrypted sender signature value is compared with a sender random number for verification, so that a corresponding verification result is obtained. For example, the identification key algorithm in the embodiment of the present invention may be an SM9 identification key algorithm that conforms to the national standard GM/T0044-2016 SM9 identification cryptographic algorithm, and the embodiment of the present invention does not limit the identification key method specifically adopted by the communication entity.

In the embodiment of the invention, because the device code of the communication entity is used as the secret key, a third-party certificate authentication center does not need to apply for a trusted electronic authentication Certificate (CA), the problems that the CA certificate is not convenient to manage in the aspects of storage consumption and performance, and the efficiency is low when the identity authentication is carried out on massive communication entities are solved, and the problem that in the prior art, the security is low when the communication entities and the two parties generate the trusted CA certificate through a self-generation mode instead of generating the untrusted certificate through the trusted third-party certificate authentication center is solved. The efficiency of key management has been promoted, has reduced the complexity of both sides' authentication of communication, has saved the occupation of network resource, has avoided the multiple interaction with the third party simultaneously, has promoted the security.

And S103, if the verification result is successful, generating a receiver time stamp signature value according to a pre-acquired receiver private key, and sending the receiver time stamp signature value and a receiver identifier corresponding to the receiver communication entity to the sender communication entity.

In this embodiment, the receiving party private key may be specifically understood as a secret half of a key pair used with a public key algorithm in the receiving party communication entity, and may be used to encrypt parameters in the receiving party communication entity, where the encrypted parameters may only be decrypted by the receiving party private key or a corresponding public key. The receiver time stamp signature value can be specifically understood as a parameter value obtained by encrypting a character string which simultaneously contains time stamp information and random number information by a receiver private key through a signature technology. The receiver identification is understood in particular to mean the device coding corresponding to the communication entity which is the communication receiver in the secure communication.

Specifically, if the verification is successful, it is determined that the sender communication entity is a communication entity which is located in the same area as the receiver communication entity and can perform secure communication, at this time, the receiver communication entity needs to obtain a timestamp corresponding to the current time, combine the timestamp with the obtained sender random number, further perform signature encryption on the combination by using a pre-obtained receiver private key to obtain a corresponding receiver timestamp signature value, and send the obtained receiver timestamp signature value and a receiver identifier corresponding to the receiver communication entity to the sender communication entity, so that the sender communication entity can verify the identity of the receiver communication entity according to the receiver timestamp signature value and the receiver identifier.

The embodiment of the invention receives the sender identification, the sender random number and the sender signature value; generating a sender identification public key according to the pre-acquired public parameters and the sender identification, and verifying the sender random number and the sender signature value by using the sender identification public key; and if the verification result is successful, generating a receiver time stamp signature value according to a pre-acquired receiver private key, and sending the receiver time stamp signature value and a receiver identifier corresponding to the receiver communication entity to the sender communication entity. By adopting the technical scheme, when the safety communication is required, the receiver communication entity verifies that the sender communication entity is the communication entity which needs to be in communication connection through the received sender random number, the sender signature value and the sender identification of the sender communication entity, further generates the receiver timestamp signature value according to the pre-acquired receiver private key and the time for the receiver communication entity to send information to the sender communication entity, and sends the receiver timestamp signature value and the receiver identification corresponding to the receiver communication entity to the sender communication entity, so that the sender communication entity can verify the identity of the receiver communication entity according to the receiver timestamp signature value and the receiver identification containing the timestamp information. The problem of when traditional two-way authentication, if rely on password authentication technique, then the security is low, if rely on certificate authentication technique, then need rely on third party certificate authentication center, the management is complicated and with high costs is solved. The authentication between the two parties is not needed to be acquired through a third party certificate authentication center and the certificate information is not needed to be stored locally when the two parties perform authentication, so that the authentication efficiency of the two parties of the communication entity is improved, the management cost of the authentication information in the authentication process is reduced, and meanwhile, the security of the authentication between the two parties of the communication entity is improved by adopting a mode of combining the identification number, the time and the random number when the two-way authentication is performed.

Example two

Fig. 2 is a flowchart of a bidirectional authentication method according to a second embodiment of the present invention, which is further optimized based on the above optional technical solutions, the sender signature value is decrypted by the generated sender identification public key, and whether the decrypted signature value is the same as the sender random number is verified, if the verification is successful, the public clock acquires the receiver timestamp, and the receiver timestamp and the sender random number are combined and encrypted by the receiver private key, so as to generate a receiver timestamp signature value for sending to the sender communication entity, and add the time information to the encrypted information for performing the authentication, thereby improving the accuracy of the bidirectional authentication, and only two parties needing to communicate perform the authentication, reducing the data transmission amount in the authentication process, and improving the authentication efficiency of the two parties of the communication entity, the management cost of the verification information in the verification process is reduced, and the safety of the identity verification is guaranteed.

As shown in fig. 2, a bidirectional authentication method provided in the second embodiment of the present invention specifically includes the following steps:

s201, according to the receiver identification corresponding to the receiver communication entity, the key management platform obtains a receiver private key and public parameters corresponding to the receiver communication entity.

In this embodiment, the key management platform may be specifically understood as a management key infrastructure for managing keys of the communication entities in the area where the key management platform is located, wherein the communication entities managed by the key management platform should perform backup, and when the communication entities have a key requirement, the communication entities can obtain the corresponding generated private keys and public parameters.

Specifically, when a receiver communication entity needs to obtain a receiver private key and a public parameter corresponding to the receiver communication entity, the receiver communication entity sends a receiver identifier corresponding to the receiver communication entity to a key management platform, the key management platform detects whether the receiver identifier exists in the platform, if so, generates a corresponding receiver private key according to the receiver identifier, and sends the receiver private key and the public parameter corresponding to the key management platform to the corresponding receiver communication entity.

S202, receiving a sender identification, a sender random number and a sender signature value.

And S203, generating a sender identification public key according to the public parameter and the sender identification, decrypting the sender signature value through the sender identification public key, and determining a decryption value.

Specifically, the receiver communication entity sends identification public key application information containing a sender identification to the key management platform, so that the key management platform can generate a sender identification public key by combining a public parameter and the sender identification according to an identification key algorithm conforming to the national password specification and feed the sender identification public key back to the receiver communication entity, the receiver communication entity decrypts a sender signature value encrypted by a sender private key through the sender identification public key, and determines a value obtained after decryption as a decrypted value.

S204, judging whether the decryption value is the same as the random number of the sender, if so, executing a step S205; if not, go to step S206.

Specifically, it is determined whether the decryption value is the same as the sender random number through character comparison, and if so, the sender communication entity is determined to be indeed in the same region as the receiver communication entity and belongs to the communication entity managed by the same key management platform, a secure communication relationship can be established between the sender communication entity and the receiver communication entity, and the sender communication entity passes the authentication, at this time, step S205 is executed; if not, it is determined that the sender communication entity and the receiver communication entity are not located in the same area, the sender communication entity and the receiver communication entity cannot establish a secure communication relationship, and the identity authentication of the sender communication entity fails, and then step S206 is performed.

S205, the verification result is determined to be successful, and step S208 is performed.

S206, determining the verification result as failure, and executing the step S207.

And S207, canceling the communication between the communication entity of the receiving party and the communication entity of the sending party.

Specifically, since the receiver communication entity confirms that the sender communication entity is not a communication entity capable of establishing secure communication, the communication between the receiver communication entity and the sender communication entity can be canceled directly by the receiver communication entity.

Further, after the communication between the two communication entities is cancelled, the receiving communication entity sends an alarm, so that a technician can perform exception elimination, the risk of man-in-the-middle attack is reduced, and the necessary communication request of the communication entity in the different area is prevented from being ignored.

And S208, acquiring the time stamp of the receiving party by the common clock.

In this embodiment, the common clock can be specifically understood as a common clock of each communication entity needing to use the clock in the same area, which can be used as a standard to unify relative time between each communication entity.

Specifically, after the verification result is determined to be successful, the receiver communication entity may be considered to have completed the identity verification of the sender communication entity with which the receiver communication entity is to communicate, and corresponding identity verification information needs to be generated for the sender communication entity to verify the identity of the sender communication entity. Because the verification time theory of the public clock and the public clock is relatively small in difference, the time of the current moment can be acquired from the public clock, and the time stamp of the receiver can be constructed by using the time, so that the time factor is considered in the identity verification, and the accuracy of the identity verification is improved.

S209, the time stamp of the receiving party and the random number of the sending party are subjected to field combination to generate a time stamp random number.

Specifically, a field corresponding to the time stamp of the receiver and a field corresponding to the random number of the sender are combined, and for example, the field corresponding to the random number of the sender may be added to the field corresponding to the time stamp of the receiver, and then the combined field is determined as the time stamp random number.

S210, encrypting the timestamp random number signature through a private key of the receiver to generate a signature value of the timestamp of the receiver.

Specifically, the timestamp random number is subjected to overall signature encryption by using a private key of the receiver in cooperation with a signature technology, and the encrypted timestamp random number is determined as a timestamp signature value of the receiver.

And S211, sending the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity to the sender communication entity.

The technical scheme of the embodiment completes decryption of a signature value of a sender through a public key of the sender identifier generated by the sender identifier and public parameters, compares the signature value with a random number of the sender to verify so as to determine the identity of the sender, does not need to participate in a third party, reduces data transmission quantity during verification, improves the efficiency of identity verification of two parties of communication entities, obtains a time stamp of a receiver through a public clock after successful verification, combines the time stamp of the receiver with the random number of the sender and then encrypts the combined time stamp by a private key of the receiver to generate a signature value of the time stamp of the receiver for sending to the communication entity of the sender, adds time information into encryption information for identity verification, enables the communication entity of the sender to simultaneously verify the identity of the communication entity of the receiver according to time and the identity of the receiver, and improves the accuracy of bidirectional identity verification, the safety of the identity authentication is further guaranteed, and meanwhile the management cost of the authentication information in the authentication process is reduced.

EXAMPLE III

Fig. 3 is a flowchart of a bidirectional authentication method provided in the third embodiment of the present invention, where the technical solution of the third embodiment of the present invention is further optimized based on the above optional technical solutions, and this embodiment is applicable to the case of authenticating the identity of the communication entity of the sending party to the communication entity of the receiving party, and the method may be executed by a bidirectional authentication apparatus, where the bidirectional authentication apparatus may be implemented by software and/or hardware, and the bidirectional authentication apparatus may be configured on bidirectional authentication equipment, where the bidirectional authentication equipment may be computer equipment, and the computer equipment may be composed of two or more physical entities, or may be composed of one physical entity. Generally, the computer device may be a notebook, a desktop computer, a smart tablet, and the like.

As shown in fig. 3, the bidirectional authentication method provided in the third embodiment is applied to a sender communication entity, and specifically includes the following steps:

s301, when the secure communication is needed, a sender random number is generated, and the sender random number is encrypted through a sender private key signature acquired in advance to generate a sender signature value.

In this embodiment, the sender communication entity may be specifically understood as a communication entity that is a communication initiator of two communication entities that need to perform secure communication. The sender random number is specifically understood to be a random number randomly generated by the sender communication entity to assist in encryption for authentication. The sender private key may specifically be understood as a secret half of a key pair used with a public key algorithm in a sender communication entity, and may be used to encrypt parameters that need to be sent in the sender communication entity, and the encrypted parameters may only be decrypted by the sender private key or a public key corresponding thereto.

Specifically, when the secure communication is required, the sender communication entity firstly defines a receiver communication entity which needs to perform the communication, generates a sender random number by itself, signs and encrypts the sender random number through a sender private key acquired from a key management platform in advance, and determines the encrypted sender random number as a sender signature value.

S302, sending the sender random number, the sender signature value and the sender identification corresponding to the sender communication entity to the receiver communication entity.

Specifically, because the receiver communication entity does not have a sender random number obtained in advance, and the identity of the sender communication entity cannot be verified only by the sender signature value and the sender identifier, the sender communication entity needs to send the sender random number, the sender signature value, and the sender identifier corresponding to the sender communication entity to the receiver communication entity for identity verification.

S303, generating a receiver identification public key according to the received receiver identification and the pre-acquired public parameter, and verifying the received receiver timestamp signature value by using the receiver identification public key and the sender random number.

In this embodiment, the receiver identification public key may be specifically understood as a non-secret half corresponding to the receiver communication entity private key, and is a key for correspondingly decrypting information encrypted by the receiver private key.

Specifically, according to an identification key algorithm conforming to the national password specification, a public parameter obtained by a key management platform in advance and a received receiver identification are combined to generate a receiver identification public key corresponding to a receiver private key corresponding to a receiver communication entity, the received receiver timestamp signature value is decrypted by using the receiver identification public key, the decrypted receiver timestamp signature value is compared with a sender random number and the time corresponding to the time when the sender communication entity receives the receiver timestamp signature value, and a corresponding verification result is obtained.

S304, establishing communication between the communication entity of the sender and the communication entity of the receiver according to the verification result.

Specifically, when the sender communication entity can receive the receiver identifier and the receiver timestamp signature value sent by the receiver communication entity, the receiver communication entity can be considered to have completed the identity verification of the sender communication entity, so that when the sender communication entity determines that the verification result is successful, the sender communication entity can determine that the sender communication entity and the receiver communication entity are two communication entities capable of performing secure communication, at this time, the sender communication entity can establish communication between the sender communication entity and the receiver communication entity, otherwise, the sender communication entity and the receiver communication entity can be considered to be incapable of performing secure communication, and the establishment of communication between the sender communication entity and the receiver communication entity is cancelled.

The embodiment of the invention generates the random number of the sender when the safe communication is needed, and encrypts the random number of the sender through the pre-acquired private key signature of the sender to generate the signature value of the sender; sending the sender random number, the sender signature value and a sender identification corresponding to the sender communication entity to a receiver communication entity; generating a receiver identification public key according to the received receiver identification and a public parameter acquired in advance, and verifying the received receiver timestamp signature value by using the receiver identification public key and a sender random number; and establishing communication between the communication entity of the sender and the communication entity of the receiver according to the verification result. By adopting the technical scheme, when the safety communication is required, firstly, the random number of the sender generated by the random number of the sender is encrypted by the private key of the sender acquired in advance, and then the random number of the sender, the signature value of the sender obtained after encryption and the identification of the sender corresponding to the communication entity of the sender are sent to the communication entity of the receiver required to communicate correspondingly, so that the corresponding communication entity of the receiver can directly complete the identity verification of the communication entity of the sender according to the received content, and then the identification of the receiver and the time stamp signature value of the receiver sent by the communication entity of the receiver can be received only after the verification is passed, a public key of the identification of the receiver corresponding to the private key of the receiver is generated by the identification of the receiver and public parameters acquired in advance, the time stamp signature value of the receiver is decrypted, and the identity of the communication entity of the receiver is verified according to the time information and the random number information obtained by decryption, and then establishing secure communication between the two according to the verification result. The problem of when traditional two-way authentication, if rely on password authentication technique, then the security is low, if rely on certificate authentication technique, then need rely on third party certificate authentication center, the management is complicated and with high costs is solved. The authentication between the two parties is not needed to be acquired through a third party certificate authentication center and the certificate information is not needed to be stored locally when the two parties perform authentication, so that the authentication efficiency of the two parties of the communication entity is improved, the management cost of the authentication information in the authentication process is reduced, and meanwhile, the security of the authentication between the two parties of the communication entity is improved by adopting a mode of combining the identification number, the time and the random number when the two-way authentication is performed.

Example four

Fig. 4 is a flowchart of a bidirectional authentication method according to a fourth embodiment of the present invention, which is further optimized based on the optional technical solutions, the receiver timestamp signature value is decrypted by the generated receiver identification public key, the receiver timestamp and the decrypted random value are determined according to the decrypted receiver timestamp signature value, the receiver timestamp and the decrypted random value are verified according to the sender timestamp and the sender random value obtained by the public clock during decryption, communication between the sender communication entity and the receiver communication entity is established according to the verification result, and time information is applied to encrypted information for authentication, so that accuracy of bidirectional authentication is improved, and only two parties need to participate in the authentication process, so that data transmission amount in the authentication process is reduced, the efficiency of authentication of both sides of the communication entity is improved, and the management cost of the authentication information in the authentication process is reduced.

As shown in fig. 4, a bidirectional authentication method provided in the fourth embodiment of the present invention specifically includes the following steps:

s401, according to the sender identification corresponding to the sender communication entity, the secret key management platform obtains the sender secret key and the public parameter corresponding to the sender communication entity.

Specifically, when a sender communication entity needs to obtain a sender private key and a public parameter corresponding to the sender communication entity, the sender communication entity sends a sender identifier corresponding to the sender communication entity to a key management platform, the key management platform detects whether the sender identifier exists in the platform, if so, generates a corresponding sender private key according to the sender identifier, and sends the sender private key and the public parameter corresponding to the key management platform to the corresponding sender communication entity.

S402, when the secure communication is needed, a sender random number is generated, and the sender random number is encrypted through a sender private key signature acquired in advance to generate a sender signature value.

And S403, sending the sender random number, the sender signature value and the sender identification corresponding to the sender communication entity to the receiver communication entity.

S404, generating a receiver identification public key according to the received receiver identification and the public parameter.

The specific sender communication entity sends identification public key application information containing the receiver identification to the key management platform, so that the key management platform can generate a receiver identification public key by combining the public parameter and the receiver identification according to an identification key algorithm conforming to the national password specification and feed the receiver identification public key back to the sender communication entity.

S405, decrypting the receiver timestamp signature value through the receiver identification public key, and determining a receiver timestamp and a decryption random value.

Specifically, the sender communication entity decrypts the receiver timestamp signature value encrypted by the receiver private key through the receiver identification public key, and performs field splitting on the decrypted value to determine the receiver timestamp and the decrypted random value.

And S406, acquiring the timestamp of the sender by the common clock.

Specifically, since the theoretical time difference for performing the identity authentication between the sender communication entity and the receiver communication entity should be small, after the received receiver timestamp signature value is decrypted, the time of the current time can be obtained from the common clock, and the sender timestamp can be constructed by using the time to represent the time for performing the identity authentication by the sender communication entity.

And S407, verifying the time stamp of the receiving party and the decryption random number value according to the time stamp of the sending party and the random number of the sending party.

Specifically, whether the authentication is the authentication established in the same safety communication or not is determined according to the sender timestamp and the receiver timestamp, the identity of the communication entity of the receiver is determined through the sender random number and the decryption random number, and the authentication result is determined by combining the sender random number and the decryption random number.

Further, fig. 5 is a schematic flowchart of a process of verifying a timestamp and a decrypted random number of a receiving party according to a timestamp of a sending party and a random number of the sending party according to a fourth embodiment of the present invention, as shown in fig. 5, specifically including the following steps:

s4071, determining a time difference value between the timestamp of the sending party and the timestamp of the receiving party.

Specifically, the time value corresponding to the timestamp of the sender and the time difference corresponding to the timestamp of the receiver are subtracted, and the absolute value of the difference is determined as the time difference.

S4072, judging whether the time difference value is smaller than a preset time threshold value or not, and if so, executing the step S4073; if not, step S4074 is executed.

Specifically, if the time difference is smaller than the preset time threshold, the current authentication may be considered as the authentication when the same secure communication is established, and meanwhile, if the decrypted random number value is the same as the sender random number, the receiver communication entity may be considered as an object to be communicated in the current secure communication, and then step S4073 is executed; otherwise, the current authentication is not the authentication established in the same secure communication, or the receiving party communication entity is not the object to be communicated in the current secure communication, and then step S4074 is executed.

Optionally, the preset time threshold may be 5 minutes, and may also be adaptively set according to actual requirements, which is not limited in the embodiment of the present invention.

S4073, the verification result is determined to be successful.

S4074, determining that the verification result is failure.

S408, judging whether the verification result is successful, if so, executing a step S409; if not, go to step S410.

Specifically, if the verification result is successful, it may be determined that the sending-side communication entity is indeed located in the same area as the receiving-side communication entity and belongs to the communication entity managed by the same key management platform, a secure communication relationship may be established between the sending-side communication entity and the receiving-side communication entity, and the sending-side communication entity passes the identity verification, at this time, step S409 is executed; if the verification result is failure, it may be determined that the sender communication entity and the receiver communication entity are not located in the same area, and the sender communication entity cannot establish a secure communication relationship, and the identity verification of the sender communication entity fails, at this time, step S410 is executed.

And S409, establishing communication between the sender communication entity and the receiver communication entity.

And S410, canceling the communication between the communication entity of the receiving party and the communication entity of the sending party.

Specifically, since the sending-side communication entity confirms that the receiving-side communication entity is not a communication entity capable of establishing secure communication, the sending-side communication entity can cancel communication between the sending-side communication entity and the receiving-side communication entity directly.

Furthermore, after the communication between the two communication entities is cancelled, the communication entity of the sending party sends an alarm, so that a technician can carry out exception elimination, the risk of man-in-the-middle attack is reduced, and meanwhile, the necessary communication request of the communication entity in the different area is prevented from being ignored.

The technical scheme of the embodiment completes the decryption of the receiver timestamp signature value through the receiver identifier and the receiver identifier public key generated by the public parameter, and determines the time stamp of the receiver and the decryption random value according to the decrypted time stamp signature value of the receiver, the receiver timestamp and the decryption random number are verified according to the sender timestamp and the sender random number obtained by the common clock when decryption is carried out, establishing communication between the sender communication entity and the receiver communication entity according to the authentication result, adding the time information to the encrypted information for performing the identity authentication, the sender communication entity can perform identity authentication on the receiver communication entity according to the time and the receiver identification, so that the accuracy of bidirectional identity authentication is improved, the safety of identity authentication is further guaranteed, and the management cost of authentication information in the authentication process is reduced.

EXAMPLE five

Fig. 6 is a schematic structural diagram of a bidirectional authentication apparatus according to a fifth embodiment of the present invention, which is applied to a receiving-party communication entity, and the bidirectional authentication apparatus includes: a parameter receiving module 51, a signature value verifying module 52 and a first parameter transmitting module 53.

The parameter receiving module 51 is configured to receive a sender identifier, a sender random number, and a sender signature value; the signature value verification module 52 is configured to generate a sender identifier public key according to the pre-obtained public parameter and the sender identifier, and verify the sender random number and the sender signature value by using the sender identifier public key; and the first parameter sending module 53 is configured to, if the verification result is successful, generate a receiver timestamp signature value according to a pre-obtained receiver private key, and send the receiver timestamp signature value and a receiver identifier corresponding to the receiver communication entity to the sender communication entity.

The technical scheme of the embodiment solves the problems that the traditional two-way identity authentication is low in safety if the traditional two-way identity authentication depends on a password authentication technology, and needs to depend on a third party certificate authentication center if the traditional two-way identity authentication depends on a certificate authentication technology, so that the management is complicated and the cost is high. The authentication between the two parties is not needed to be acquired through a third party certificate authentication center and the certificate information is not needed to be stored locally when the two parties perform authentication, so that the authentication efficiency of the two parties of the communication entity is improved, the management cost of the authentication information in the authentication process is reduced, and meanwhile, the security of the authentication between the two parties of the communication entity is improved by adopting a mode of combining the identification number, the time and the random number when the two-way authentication is performed.

Optionally, the signature value verification module 52 includes:

and the signature decryption unit is used for decrypting the signature value of the sender through the identification public key of the sender and determining a decrypted value.

The verification result determining unit is used for determining the verification result as successful if the decryption value is the same as the random number of the sender; otherwise, the verification result is determined to be a failure.

Optionally, the first parameter sending module 53 includes:

and the time stamp obtaining unit is used for obtaining the time stamp of the receiving party by the common clock.

And the time stamp random number generating unit is used for carrying out field combination on the time stamp of the receiving party and the random number of the sending party to generate the time stamp random number.

And the time stamp signature value generating unit is used for encrypting the time stamp random number signature through a pre-acquired private key of the receiver to generate a time stamp signature value of the receiver.

And the parameter sending unit is used for sending the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity to the sender communication entity.

Optionally, the bidirectional authentication apparatus further includes:

and the private key acquisition module is used for acquiring a private key and public parameters of a receiver corresponding to the communication entity of the receiver by the key management platform according to the identifier of the receiver corresponding to the communication entity of the receiver before receiving the identifier of the sender, the random number of the sender and the signature value of the sender.

And the communication canceling module is used for canceling the communication between the communication entity of the receiving party and the communication entity of the sending party after the verification result is determined to be failed.

The bidirectional identity authentication device provided by the embodiment of the invention can execute the bidirectional identity authentication method provided by the first embodiment of the invention and the second embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.

EXAMPLE six

Fig. 7 is a schematic structural diagram of a bidirectional authentication apparatus according to a sixth embodiment of the present invention, which is applied to a sender communication entity, and the bidirectional authentication apparatus includes: a signature value generating module 61, a second parameter sending module 62, a parameter verifying module 63 and a communication establishing module 64.

The signature value generating module 61 is configured to generate a sender random number when secure communication is required, and encrypt the sender random number through a sender private key signature obtained in advance to generate a sender signature value; a second parameter sending module 62, configured to send the sender random number, the sender signature value, and a sender identifier corresponding to the sender communication entity to the receiver communication entity; the parameter verification module 63 is configured to generate a receiver identifier public key according to the received receiver identifier and a pre-acquired public parameter, and verify the received receiver timestamp signature value by using the receiver identifier public key and the sender random number; and a communication establishing module 64, configured to establish communication between the sender communication entity and the receiver communication entity according to the verification result.

Optionally, the parameter verification module 63 includes:

and the parameter decryption unit is used for decrypting the timestamp signature value of the receiver through the receiver identification public key and determining the timestamp and the decryption random value of the receiver.

And the time stamp obtaining unit is used for obtaining the time stamp of the sender by the common clock.

And the time stamp value verification unit is used for verifying the time stamp of the receiving party and the decryption random value according to the time stamp of the sending party and the random number of the sending party.

Optionally, the timestamp value verifying unit is specifically configured to:

otherwise, determining that the verification result is failure.

Optionally, the communication establishing module 64 is specifically configured to:

Optionally, the bidirectional authentication apparatus further includes:

and the private key acquisition module is used for acquiring a sender private key and public parameters corresponding to the sender communication entity by the key management platform according to the sender identification corresponding to the sender communication entity before the safety communication.

The bidirectional identity authentication device provided by the embodiment of the invention can execute the bidirectional identity authentication methods provided by the third embodiment of the invention and the fourth embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.

EXAMPLE seven

Fig. 8 is a schematic structural diagram of a bidirectional authentication device according to a seventh embodiment of the present invention, where the bidirectional authentication device includes: a processor 70, a memory device 71, a display 72, an input device 73, and an output device 74. The number of the processors 70 in the data processing device may be one or more, and one processor 70 is taken as an example in fig. 8. The number of the storage devices 71 in the data processing apparatus may be one or more, and one storage device 71 is illustrated in fig. 8 as an example. The processor 70, the storage means 71, the display 72, the input means 73 and the output means 74 of the data processing device may be connected by a bus or other means, as exemplified by the bus connection in fig. 8. In an embodiment, the data processing device may be a computer, a notebook, or a smart tablet, etc.

The storage device 71 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the bidirectional authentication device described in any embodiment of the present application (for example, the parameter receiving module 51, the signature value verifying module 52, and the first parameter sending module 53, or the signature value generating module 61, the second parameter sending module 62, the parameter verifying module 63, and the communication establishing module 64). The storage device 71 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of the device, and the like. Further, the storage 71 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the storage 71 may further include memory located remotely from the processor 70, which may be connected to the device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

The display screen 72 may be a touch-enabled display screen 72, which may be a capacitive screen, an electromagnetic screen, or an infrared screen. Generally, the display screen 72 is used for displaying data according to instructions of the processor 70, and is also used for receiving touch operations applied to the display screen 72 and sending corresponding signals to the processor 70 or other devices.

The input device 73 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function controls of the presentation apparatus, and may also be a camera for acquiring images and a sound pickup apparatus for acquiring audio data. The output device 74 may include an audio device such as a speaker. It should be noted that the specific composition of the input device 73 and the output device 74 may be set according to actual conditions.

The processor 70 executes various functional applications and data processing of the device by executing software programs, instructions and modules stored in the storage 71, that is, implements the above-described bidirectional authentication method.

The bidirectional authentication device provided by the above can be used to execute the bidirectional authentication method provided by any of the above embodiments, and has corresponding functions and advantageous effects.

For example, as shown in fig. 9, before a sender communication entity serving as a communication initiator desires to perform secure communication, a private key is applied to a KGC key management platform through a self identifier, KGC obtains a sender private key generated according to the sender identifier and a public parameter corresponding to the KGC, generates a sender signature value based on a sender random number generated by itself and the sender private key, and sends the sender random number, the sender signature value, and the sender identifier to a receiver communication entity according to an exemplary two-way authentication topology example diagram provided by an embodiment of the present invention. Before receiving the information, the receiver communication entity applies a private key to the KGC key management platform through the self identifier, and the KGC acquires a receiver private key generated according to the receiver identifier and public parameters corresponding to the KGC. Upon receiving the sender random number, the sender signature value and the sender identification, sending an identification public key application to the KGC according to the sender identification, the KGC generating a sender identification public key according to the received sender identification and the public parameter and sending the sender identification public key to the receiver communication entity, such that the receiver communication entity may decrypt the sender signature value based on the sender identification public key, then the identity of the communication entity of the sender is verified through the random number of the sender and the signature value of the sender after decryption, and after the verification is successful, the common public clock acquires the timestamp of the receiver, the timestamp is combined with the random number of the sender and then encrypted by the private key of the receiver to obtain the signature value of the timestamp of the receiver, and sending the receiver identifier and the receiver timestamp signature value to the sender communication entity to complete the identity verification of the sender communication entity on the receiver communication entity. After receiving the receiver identifier and the receiver timestamp signature value, the sender communication entity receives an identifier public key application to KGC according to the receiver identifier, KGC generates a receiver identifier public key according to the received receiver identifier and a public parameter and sends the receiver identifier public key to the sender communication entity, the sender communication entity can decrypt the receiver timestamp signature value according to the receiver identifier public key, obtains a sender timestamp by a common public clock after decryption, verifies the decrypted receiver timestamp signature value through the sender timestamp and a sender random number, and then establishes a secure communication connection between the sender communication entity and the receiver communication entity according to a verification result.

Example eight

An eighth embodiment of the present invention further provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a two-way authentication method, where when applied to a recipient communication entity, the method includes:

When applied to a sender communication entity, the method comprises:

Of course, the storage medium provided by the embodiment of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the operations of the method described above, and may also perform related operations in the bidirectional authentication method provided by any embodiment of the present invention.

From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.

It should be noted that, in the embodiment of the above search apparatus, each included unit and module are merely divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.

It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims

1. A two-way authentication method applied to a recipient communication entity, the method comprising:

generating a sender identification public key according to a pre-acquired public parameter and the sender identification, and verifying the sender random number and the sender signature value by using the sender identification public key;

and if the verification result is successful, generating a receiver time stamp signature value according to a pre-acquired receiver private key, and sending the receiver time stamp signature value and a receiver identifier corresponding to the receiver communication entity to a sender communication entity.

2. The method of claim 1, wherein said verifying the sender random number and the sender signature value using the sender identification public key comprises:

decrypting the sender signature value through the sender identification public key to determine a decrypted value;

if the decryption value is the same as the sender random number, determining the verification result as successful;

otherwise, the verification result is determined to be a failure.

3. The method of claim 1, wherein generating a receiver timestamp signature value according to a pre-obtained receiver private key comprises:

acquiring a receiver timestamp by a common clock;

4. The method of claim 2, further comprising, after determining that the verification result is a failure:

canceling the communication between the receiver communication entity and the sender communication entity.

5. The method of claim 1, wherein prior to receiving the sender identification, sender random number, and sender signature value, further comprising:

and according to the receiver identification corresponding to the receiver communication entity, a key management platform acquires a receiver private key and public parameters corresponding to the receiver communication entity.

6. A two-way authentication method applied to a sender communication entity, the method comprising:

when the secure communication is needed, generating a sender random number, and encrypting the sender random number through a sender private key signature obtained in advance to generate a sender signature value;

generating a receiver identification public key according to the received receiver identification and a public parameter acquired in advance, and verifying the received receiver timestamp signature value by using the receiver identification public key and the sender random number;

and establishing communication between the sender communication entity and the receiver communication entity according to the verification result.

7. The method of claim 6, wherein verifying the received receiver timestamp signature value using the receiver identification public key and the sender nonce comprises:

obtaining a sender timestamp by a common clock;

and verifying the time stamp of the receiver and the decryption random number value according to the time stamp of the sender and the random number of the sender.

8. The method of claim 7, wherein verifying the receiver timestamp and the decryption nonce value based on the sender timestamp and the sender nonce comprises:

determining a time difference between the sender timestamp and the receiver timestamp;

if the time difference is smaller than a preset time threshold value and the decryption random number value is the same as the sender random number, determining that the verification result is successful;

otherwise, determining that the verification result is failure.

9. The method of claim 6, wherein establishing communication between the sender communication entity and the receiver communication entity according to the authentication result comprises:

if the verification result is successful, establishing the communication between the sender communication entity and the receiver communication entity;

10. The method of claim 6, further comprising, prior to said conducting secure communications:

and according to the sender identification corresponding to the sender communication entity, a secret key management platform acquires a sender secret key and public parameters corresponding to the sender communication entity.

11. A two-way authentication apparatus for use with a recipient communication entity, the apparatus comprising:

12. A two-way authentication apparatus for use with a sender-side communication entity, the apparatus comprising:

a second parameter sending module, configured to send the sender random number, the sender signature value, and a sender identifier corresponding to the sender communication entity to a receiver communication entity;

the parameter verification module is used for generating a receiver identification public key according to the received receiver identification and a public parameter acquired in advance, and verifying the received receiver timestamp signature value by using the receiver identification public key and the sender random number;

and the communication establishing module is used for establishing the communication between the sender communication entity and the receiver communication entity according to the verification result.

13. A bidirectional authentication apparatus characterized in that the bidirectional authentication apparatus comprises: a storage device and one or more processors;

the storage device to store one or more programs;

the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the two-way authentication method of any one of claims 1-5 when the two-way authentication device is a recipient communication entity and to implement the two-way authentication method of any one of claims 6-10 when the two-way authentication device is a sender communication entity.

14. A storage medium containing computer-executable instructions for performing the two-way authentication method of any one of claims 1-5 and 6-10 when executed by a computer processor.