CN114513339A - Security authentication method, system and device - Google Patents


Publication number
CN114513339A
Authority
CN
China
Prior art keywords
client
key
server
data
session
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210070012.6A
Other languages
Chinese (zh)
Inventor
崔建业
戴向文
倪旭明
赵凯美
盛辉
厉立锋
卢文达
王焕娟
杨珂
罗开明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xuji Group Co Ltd
State Grid Zhejiang Electric Power Co Ltd
Jinhua Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
State Grid E Commerce Co Ltd
Original Assignee
Xuji Group Co Ltd
State Grid Zhejiang Electric Power Co Ltd
Jinhua Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
State Grid E Commerce Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xuji Group Co Ltd, State Grid Zhejiang Electric Power Co Ltd, Jinhua Power Supply Co of State Grid Zhejiang Electric Power Co Ltd, State Grid E Commerce Co Ltd
Priority to CN202210070012.6A
Publication of CN114513339A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L9/0844 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV-Menezes-Qu-Vanstone protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses a security authentication method, system and device. While the connection between the session layer and the transport layer is being established, bidirectional identity authentication between the client and the server is achieved through asymmetric encryption and a challenge-response mechanism, which prevents a hacker from impersonating either party and keeps the communication process authentic and trustworthy. In the session key agreement stage, a key agreement mechanism with bidirectional identity authentication and cross encryption is executed based on the client and server certificates, which prevents session hijacking and man-in-the-middle attacks. After a client request is received, a resolution result is generated and the result data is signed with the server private key; after obtaining the query result, the client verifies the signature to confirm that the result data has not been tampered with.

Description

Security authentication method, system and device
Technical Field
The present invention relates to the field of information security, and in particular, to a security authentication method, system and device.
Background
Currently, with the rapid development of the industrial internet and information technology, Handle-based identifier resolution has abundant application scenarios in China. Identity authentication and access control are the main strategies for network security and protection; their main task is to ensure that network resources are not used illegally or accessed improperly. They are also an important means of maintaining the security of the network system and protecting network resources. Access control specifies the restrictions on a subject's access to an object and, on the basis of authentication, controls requests for access to resources. It is an important measure for protecting information system resources and is also the most important and basic security mechanism of a computer system. Identity authentication is a prerequisite and basis for implementing access control.
The traditional internet uses the TCP/IP protocol as its basic network protocol. The network was not designed from the outset to face so many threats, so many attack methods exist today. The IP protocol relies on IP addresses and IP routers to transfer data packets from a source device to a destination device. An IP address is a machine-oriented value that is usually long, so although it is unique, it is inconvenient to memorize and use. On this basis DNS (Domain Name System), namely a domain name resolution system, was invented; a domain name is usually short, readable and practical. Because domain names and IP addresses are in one-to-one correspondence, a user only needs to enter the domain name in the address bar, and the system resolves the domain name and translates it into the IP address.
Common attacks against DNS services are mainly of two types. The first is 'domain hijacking'. A domain name server stores domain name records for domain name retrieval, and each record contains the unique correspondence between a domain name and an IP address. If the domain name server is attacked and the real IP address corresponding to the domain name that a user wants to access is tampered with, the attacker can manipulate the address the user finally accesses, and the user cannot judge the authenticity of the IP address resolved by DNS. The second is 'domain name spoofing' or 'domain name pollution'. When a user sends a domain name query to a domain name server, the server resolves the IP address corresponding to the domain name and sends a response back to the user's computer. There is a time difference between sending the request and receiving the response, and an attacker may use a network man-in-the-middle attack to forge a wrong IP response to the computer before the user receives the real response, so that the user accesses the wrong IP address.
Since identifier resolution technology still follows the DNS service principle, identifier resolution requests are vulnerable in the same way as the DNS resolution process, so attacks are frequent. Therefore, a security authentication method is urgently needed to prevent DNS service attacks by hackers.
Disclosure of Invention
Aiming at the problem that the resolution process in the prior art is easily attacked, the invention provides a security authentication method, system and device. It mainly addresses the identity authentication risk in the process of resolving Handle identifiers, strengthens the resolution process with cryptographic technology, and prevents hackers from attacking Handle identifier resolution with methods similar to DNS service attacks.
The technical scheme of the invention is as follows.
A security authentication method comprising the steps of:
the client side obtains a private key and a public key of the server side;
the client generates first key negotiation data according to the private key, encrypts the first key negotiation data through the public key, generates second key negotiation data and sends the second key negotiation data to the server;
the client receives third key negotiation data sent by the server, and calculates a session key by using the first key negotiation data and the third key negotiation data, wherein the third key negotiation data is generated by the server by using a private key of the server;
the client establishes a secure session channel with the server based on the session key, and session communication data between the client and the server is encrypted and decrypted by the session key;
when the client requests to perform sensitive data operation on the server, the client receives challenge inquiry information from the server, generates a response value and replies to the server, and the client obtains sensitive data operation authority after the authentication is passed.
While the connection between the session layer and the transport layer is being established, the invention achieves bidirectional identity authentication between the client and the server based on asymmetric encryption and a challenge-response mechanism, which prevents a hacker from impersonating either party and keeps the communication process authentic and trustworthy. In the session key agreement stage, a key agreement mechanism with bidirectional identity authentication and cross encryption is executed based on the client and server certificates, which prevents session hijacking and man-in-the-middle attacks. After a client request is received, a resolution result is generated and the result data is signed with the server private key; after obtaining the query result, the client verifies the signature to confirm that the result data has not been tampered with.
Preferably, the receiving a challenge message from the server, the client generating a response value and replying to the server, includes:
the client uses a client private key to carry out digital signature on the challenge value in the challenge message to generate a response value, and the response value is sent to the server through the challenge response message;
and if the server verifies the digital signature value of the response value in the challenge response message with the client public key and the verification passes, the security authentication is complete.
Preferably, the obtaining, by the client, the sensitive data operation authority includes:
the client sends an identifier resolution request message to query the data corresponding to the specified Handle identifier;
the client receives an identifier resolution response message generated after the server signs the data retrieval result corresponding to the Handle identifier with the server private key;
and the client verifies the validity of the digital signature in the identifier resolution response message with the server public key, so as to determine the correctness and integrity of the Handle resolution result.
Preferably, the private key and the public key are obtained by the SM2 algorithm.
Preferably, the method further comprises the following steps: when the challenge does not pass, the client and the server perform session key negotiation again, and perform the challenge again while performing the session key negotiation.
The invention also provides a security authentication method, which comprises the following steps:
the server side obtains a private key and a public key of the client side;
the server receives second key negotiation data sent by the client, and decrypts the second key negotiation data by using a private key to obtain first key negotiation data;
the server side generates third key negotiation data according to the private key, encrypts the third key negotiation data through the public key of the client side, generates fourth key negotiation data and sends the fourth key negotiation data to the client side;
the server side calculates a session key by using the first key negotiation data and the third key negotiation data;
the server establishes a secure session channel with the client based on the session key, and session communication data between the client and the server is encrypted and decrypted by the session key;
when receiving a sensitive data operation request of a client, a server sends a challenge inquiry message to the client, and after receiving a response value generated by the client and passing authentication, the server gives a sensitive data operation authority to the client.
Preferably, the receiving and authenticating the response value generated by the client includes: verifying the digital signature value in the response value with the client public key, and completing the security authentication if the verification passes.
Preferably, the server gives the sensitive data operation authority to the client, including:
the server queries the data corresponding to the specified Handle identifier according to the identifier resolution request message sent by the client;
and signs the data retrieval result corresponding to the Handle identifier to generate an identifier resolution response message, and sends the identifier resolution response message to the client.
The invention also provides a security authentication system, which comprises a client and a server:
the client is used for acquiring a private key and a public key of the server; generating first key negotiation data according to the private key, encrypting the first key negotiation data through the public key, generating second key negotiation data and sending the second key negotiation data to the server; receiving third key negotiation data sent by a server, and calculating a session key by using the first key negotiation data and the third key negotiation data, wherein the third key negotiation data is generated by the server by using a private key of the server; establishing a secure session channel with the server based on the session key, and encrypting and decrypting session communication data between the client and the server by the session key; when the sensitive data operation is requested to the server, the challenge inquiry message from the server is received, the client generates a response value and replies to the server, and the client obtains the sensitive data operation authority after the authentication is passed.
The server is used for acquiring a private key and a public key of the client; receiving second key negotiation data sent by the client, and decrypting by using a private key to obtain first key negotiation data; generating third key negotiation data according to the private key, encrypting the third key negotiation data through a public key of the client, generating fourth key negotiation data and sending the fourth key negotiation data to the client; calculating a session key using the first key agreement data and the third key agreement data; establishing a secure session channel with the client based on the session key, and encrypting and decrypting session communication data between the client and the server by the session key; when a sensitive data operation request of the client is received, a challenge inquiry message is sent to the client, and after a response value generated by the client is received and authenticated, the server gives a sensitive data operation authority to the client.
The invention also provides a security authentication device, which comprises a client, and comprises:
the key acquisition module is used for acquiring a private key and a public key of the server;
the key negotiation data generation module is used for generating first key negotiation data according to the private key, encrypting the first key negotiation data through the public key, generating second key negotiation data and sending the second key negotiation data to the server;
the session key calculation module is used for receiving third key negotiation data sent by the server and calculating a session key by using the first key negotiation data and the third key negotiation data, wherein the third key negotiation data is generated by the server by using a private key of the server;
the secure session module is used for establishing a secure session channel with the server based on the session key;
and the challenge response module is used for receiving the challenge message from the server, generating a response value and replying to the server, and the client obtains the sensitive data operation authority after the authentication is passed.
Preferably, the receiving the challenge message from the server, generating a response value and replying to the server includes:
the client uses a client private key to carry out digital signature on the challenge value in the challenge message to generate a response value, and the response value is sent to the server through the challenge response message;
and if the server verifies the digital signature value of the response value in the challenge response message with the client public key and the verification passes, the security authentication is complete.
Preferably, the client requests to perform sensitive data operation to the server, including:
the client sends an identifier resolution request message to query the data corresponding to the specified Handle identifier;
the client receives an identifier resolution response message generated after the server signs the data retrieval result corresponding to the Handle identifier with the server private key;
and the client verifies the validity of the digital signature in the identifier resolution response message with the server public key, so as to determine the correctness and integrity of the Handle resolution result.
The invention also provides a security authentication device, which comprises a server and comprises:
the key acquisition module is used for acquiring a private key and a public key of the client;
the key agreement data generation module is used for receiving second key agreement data sent by the client and decrypting the second key agreement data by using a private key to obtain first key agreement data; generating third key negotiation data according to the private key, encrypting the third key negotiation data through a public key of the client, generating fourth key negotiation data and sending the fourth key negotiation data to the client;
the session key calculation module is used for calculating a session key by utilizing the first key negotiation data and the third key negotiation data;
the secure session module is used for establishing a secure session channel with the client based on the session key, and session communication data between the client and the server is encrypted and decrypted by the session key;
and the challenge inquiry module is used for sending a challenge inquiry message to the client when receiving the sensitive data operation request of the client, and after receiving a response value generated by the client and passing the authentication, the server gives the client the sensitive data operation authority.
Preferably, the receiving and authenticating the response value generated by the client includes: the server verifies the digital signature value in the response value with the client public key, and the security authentication is complete if the verification passes.
Preferably, the server gives the sensitive data operation authority to the client, including:
the server queries the data corresponding to the specified Handle identifier according to the identifier resolution request message sent by the client;
and signs the data retrieval result corresponding to the Handle identifier to generate an identifier resolution response message, and sends the identifier resolution response message to the client.
The substantial effects of the invention include:
(1) the identifier resolution request and response communication session is encrypted throughout, and the server and the client use their respective SM2 public keys to complete session key negotiation; beneficial technical effect: the session is effectively prevented from being hijacked;
(2) in the communication session in which the user side initiates an identifier resolution request and the server side responds, the server side can verify the user's SM2 signature through a challenge-response mechanism, thereby confirming the legitimate identity of the user; beneficial technical effect: man-in-the-middle attacks are effectively prevented;
(3) when the server side responds to the user side's request to retrieve Handle identifier data, the resolution result of the Handle identifier is signed with the server side's SM2 private key, and the user side verifies the signature with the server side's SM2 public key, thereby ensuring the validity of the resolution result; beneficial technical effect: Handle identifier resolution data is effectively prevented from being illegally tampered with.
Drawings
FIG. 1 is a schematic flow diagram of an embodiment of the present invention;
FIG. 2 is a process diagram of the session establishment and key agreement phase according to an embodiment of the present invention;
FIG. 3 is a schematic process diagram of the user authentication phase according to an embodiment of the present invention;
FIG. 4 is a process diagram of the identifier resolution phase according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions will be clearly and completely described below with reference to the embodiments, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be understood that, in various embodiments of the present invention, the sequence numbers of the processes do not mean the execution sequence, and the execution sequence of the processes should be determined by the functions and the internal logic of the processes, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
It should be understood that in the present application, "comprising" and "having" and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
The technical solution of the present invention will be described in detail below with specific examples. Embodiments may be combined with each other and some details of the same or similar concepts or processes may not be repeated in some embodiments.
Example:
A security authentication method and apparatus, wherein the client and the server in this embodiment both include:
the key generation module, used for acquiring a private key and a public key of the other party from the cryptographic infrastructure, generating key agreement data, and calculating a consistent session key from the two sets of key agreement data;
the data encryption module, used for establishing a secure session channel between the client and the server based on the session key, and encrypting and decrypting session communication data between the client and the server with the session key;
and the authentication module, used for sending the challenge message when the client requests a sensitive data operation on the server, generating a response value, and authenticating whether the response value passes.
The method of the present embodiment comprises the following steps, as shown in FIG. 1:
(1) The client and the server each obtain their own trusted and legal SM2 key pair from the trusted cryptographic infrastructure.
(2) To establish a secure session channel with the server, the client first generates client key agreement data, then encrypts it with the server SM2 public key, and sends a session establishment request message (SESSION_SETUP_REQ) containing the encrypted client key agreement data to the server.
(3) After receiving the SESSION_SETUP_REQ message, the server decrypts it with its own private key to obtain the client key agreement data, then generates the server key agreement data and calculates the session key by combining it with the client key agreement data. Finally, it obtains the client SM2 public key, encrypts the generated server key agreement data with it, and sends a session establishment response message (SESSION_SETUP_RESP) containing the encrypted server key agreement data back to the client.
(4) After receiving the SESSION_SETUP_RESP message, the client decrypts it with the client SM2 private key to obtain the server key agreement data, and then calculates the session key by combining it with the client key agreement data. The secure session channel is then established, and subsequent session communication data can be encrypted with the session key for protection in transit.
(5) When the client performs a sensitive data operation on the server, the server sends a challenge message (CHALLENGE) to the client, requiring authentication of the client's identity.
(6) After receiving the CHALLENGE message, the client digitally signs the challenge value with its SM2 private key, generates a response value, and sends the response value to the server in a challenge response message (CHALLENGE_RESPONSE).
(7) After receiving the CHALLENGE_RESPONSE message, the server verifies the digital signature value in it with the client SM2 public key, so as to authenticate the client's identity.
(8) After the client identity authentication passes, the client sends an identifier resolution request message (RESOLUTION_REQ) to query the data corresponding to a specified Handle identifier.
(9) After retrieving the Handle identifier data, the server signs the retrieval result with its SM2 private key, generates an identifier resolution response message (RESOLUTION_RESP), and returns it to the client.
(10) The client verifies the validity of the digital signature in the RESOLUTION_RESP message with the server SM2 public key to determine the correctness and integrity of the Handle resolution result.
The authentication process involves three roles: the Handle user, the Handle server and the cryptographic infrastructure. The authentication process follows the technical specifications of the national cryptography administration and supports two unidirectional identity authentication modes and one bidirectional identity authentication mode.
In the above scheme, when authentication is required, the Handle server sends a challenge value to the client before executing its request. To satisfy the authentication requirement, the client must respond correctly to prove that it is a valid user. Only after the client's identity authentication passes does the Handle server respond to the client's identifier resolution request. The Handle client can use the SM2 algorithm for authentication. Authentication in the Handle system may also be performed by a third-party authentication service. To ensure data integrity, the client may require that the resolution result data obtained from the Handle server be accompanied by a digital signature value. A secure communication session between the Handle client and the Handle server may be established using SM2 keys, so that any exchanged information can be encrypted with the session key, substantially ensuring data confidentiality during the Handle session. If no key agreement has been done, the Handle server may also encrypt the resolution data with the client's SM2 public key to provide confidentiality.
Fig. 2 is a schematic diagram of a process of session establishment and key agreement, and a specific workflow is described as follows:
step A: the user side and the server side are initialized, and each randomly generates its own SM2 key pair;
step B: the user side and the server side each transmit their SM2 public key to the trusted password infrastructure and apply for an SM2 certificate;
step C: the trusted password infrastructure registers and issues the SM2 certificates of the user side and the server side, and distributes the SM2 certificates to the user side and the server side;
step D: the user side randomly generates a key negotiation parameter P1, and encrypts P1 with the SM2 public key in the server side's SM2 certificate to obtain a parameter ciphertext S1;
step E: the user side sends the session establishment request message SESSION_SETUP_REQ and carries the encrypted parameter S1 in the message;
step F: the server side receives the session establishment request of the user side, and decrypts S1 with the server side's SM2 private key to obtain the plaintext of the key negotiation parameter P1;
step G: the server side randomly generates a key negotiation parameter P2, generates a session key SKey by combining P1 and P2, and then encrypts P2 with the SM2 public key in the client's SM2 certificate to obtain a parameter ciphertext S2;
step H: the server side sends the session establishment response message SESSION_SETUP_RESP and carries the encrypted parameter S2 in the message;
step I: the user side receives the session establishment response of the server side, and decrypts S2 with the user side's SM2 private key to obtain the plaintext of the key negotiation parameter P2;
step J: the user side computes the session key SKey by combining P1 and P2.
Fig. 3 is a schematic diagram of a process of the user identity authentication stage, and a specific workflow is described as follows:
step A: the server side randomly generates challenge information CHALLENGS;
step B: the server side sends the CHALLENGS challenge information to the client;
step C: after receiving the challenge inquiry information of the server side, the user side computes a digital signature over CHALLENGS with the user side's SM2 private key, generating a signature value C_Sign;
step D: the user side sends the challenge response message CHALLENGS_RESPONSE to the server side, carrying the signature value C_Sign;
step E: after receiving the challenge response information, the server side applies to the trusted password infrastructure to obtain the client's SM2 certificate;
step F: the password infrastructure retrieves the SM2 certificate of the user side and sends it to the server side;
step G: after verifying the validity of the user side's SM2 certificate, the server side uses the public key in that certificate to verify the user side's challenge signature value C_Sign, and thereby determines the authenticity of the user identity.
Fig. 4 is a schematic process diagram of the identifier resolution phase, and a specific workflow is described as follows:
step A: the user side sends an identification analysis request RESOLUTION_REQ to the server side;
step B: after receiving the identifier analysis request, the server side retrieves the data corresponding to the identifier, computes a digital signature over the identifier analysis result with the server side's SM2 private key, and generates a signature value R_Sign;
step C: the server side sends the identification analysis response message RESOLUTION_RESP to the client, carrying the signature value R_Sign;
step D: after receiving the identification analysis response information, the user side applies to the trusted password infrastructure to obtain the server side's SM2 certificate;
step E: the password infrastructure retrieves the SM2 certificate of the server side and sends it to the user side;
step F: after verifying the validity of the server side's SM2 certificate, the client uses the public key in that certificate to verify the signature value R_Sign of the server side's identification analysis result, and thereby determines the authenticity and integrity of the identification analysis data.
In addition, when the challenge does not pass, the client and the server perform session key agreement again, and perform the challenge again while performing the session key agreement, including:
the client generates key negotiation data, encrypts the client key negotiation data by using a server public key, and sends a session establishment request message containing the encrypted client key negotiation data to the server;
after receiving the session establishment request message, the server decrypts the session establishment request message by using a server private key to obtain client key negotiation data, calculates a session key by combining the server key negotiation data generated by the server, encrypts the generated server key negotiation data and challenge message by using a client public key, and packages the encrypted server key negotiation data and challenge message into a session establishment response message to be sent to the client;
after receiving the session establishment response message, the client decrypts the session establishment response message by using a client private key to obtain server key negotiation data and challenge information, calculates a session key by combining the client key negotiation data, and simultaneously digitally signs the challenge value by using the client private key to generate a response value which is sent to the server in the form of a challenge response message;
and the server side verifies the digital signature value by using the client public key after receiving the challenge response message, and completes the security authentication and starts the session key if the verification is passed.
In the session establishment stage, the client and the server use the SM2 algorithm public key encryption and private key decryption method to implement key agreement and exchange session keys, and establish an encrypted communication session channel, thereby effectively avoiding the session from being hijacked illegally;
in the identity authentication stage, the client and the server use the SM2 algorithm digital signature technology and construct a challenge response mechanism of both communication parties to ensure that the server can verify the true identity of the user initiating the request in the subsequent information exchange process, and since a potential attacker cannot obtain the SM2 private keys of the client and the server, the digital signature of the client or the server cannot be generated, thereby effectively preventing man-in-the-middle attack;
in the embodiment, in the identifier parsing stage, the server generates an identifier parsing result, performs digital signature on the result by using a server private key, and verifies the signature by using a server public key at the user side, thereby confirming the validity of the identifier parsing result. Under the security mechanism, if an attacker tampers with the identification analysis result, the attacker cannot forge the digital signature of the server, so that any form of identification analysis hijacking or cheating can be immediately found by the user side, and the security of the Handle system is ensured.
In addition, the client and the server of this embodiment both include:
the key generation module is used for acquiring a private key and a public key of the other party from the password infrastructure; the key agreement data is generated and a consistent session key is calculated according to the two key agreement data;
the data encryption module is used for establishing a secure session channel between the client and the server based on the session key, and encrypting and decrypting session communication data between the client and the server by using the session key;
and the authentication module is used for sending the challenge message when the client requests to carry out sensitive data operation on the server, generating a response value and authenticating whether the response value passes or not.
Through the description of the above embodiments, those skilled in the art will understand that, for convenience and simplicity of description, only the division of the above functional modules is used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of a specific device is divided into different functional modules to complete all or part of the above described functions.
In the embodiments provided in this application, it should be understood that the disclosed structures and methods may be implemented in other ways. For example, the above-described embodiments with respect to structures are merely illustrative, and for example, a module or a unit may be divided into only one logic function, and may have another division manner in actual implementation, for example, a plurality of units or components may be combined or may be integrated into another structure, or some features may be omitted or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, structures or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed to a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit may be implemented in the form of hardware, or may also be implemented in the form of a software functional unit.
The integrated unit, if implemented as a software functional unit and sold or used as a separate product, may be stored in a readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application, in essence, or the part that contributes over the prior art, or all or part of the technical solutions, may be embodied in the form of a software product, where the software product is stored in a storage medium and includes several instructions to enable a device (which may be a single-chip microcomputer, a chip, or the like) or a processor to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (15)

1. A security authentication method, comprising the steps of:
the client side obtains a private key and a public key of the server side;
the client generates first key negotiation data according to the private key, encrypts the first key negotiation data through the public key, generates second key negotiation data and sends the second key negotiation data to the server;
the client receives third key negotiation data sent by the server, and calculates a session key by using the first key negotiation data and the third key negotiation data, wherein the third key negotiation data is generated by the server by using a private key of the server;
the client establishes a secure session channel with the server based on the session key, and session communication data between the client and the server is encrypted and decrypted by the session key;
when the client requests to perform sensitive data operation on the server, the client receives challenge inquiry information from the server, generates a response value and replies to the server, and the client obtains sensitive data operation authority after the authentication is passed.
2. The method of claim 1, wherein receiving a challenge message from the server, and generating a response value and replying to the server by the client comprises:
the client uses a client private key to carry out digital signature on the challenge value in the challenge message to generate a response value, and the response value is sent to the server through the challenge response message;
and if the digital signature value of the response value in the challenge response message is verified and passed by the server side by using the client public key, the safety authentication is completed.
3. The security authentication method of claim 1, wherein the client obtains the sensitive data operation right, and comprises:
the client sends an identifier analysis request message to inquire data corresponding to the specified Handle identifier;
the client receives an identification analysis response message generated after the server signs a data retrieval result corresponding to the Handle identification by using a server private key;
and the client verifies the validity of the digital signature in the identification analysis response message by using the server public key so as to determine the correctness and the integrity of the Handle analysis result.
4. A security authentication method according to claim 1, wherein said private key and public key are obtained by SM2 algorithm.
5. The method of claim 1, further comprising:
when the challenge does not pass, the client and the server perform session key negotiation again, and perform the challenge again while performing the session key negotiation.
6. A security authentication method, comprising the steps of:
the server side obtains a private key and a public key of the client side;
the server receives second key negotiation data sent by the client, and decrypts the second key negotiation data by using a private key to obtain first key negotiation data;
the server side generates third key negotiation data according to the private key, encrypts the third key negotiation data through the public key of the client side, generates fourth key negotiation data and sends the fourth key negotiation data to the client side;
the server side calculates a session key by using the first key negotiation data and the third key negotiation data;
the server establishes a secure session channel with the client based on the session key, and session communication data between the client and the server is encrypted and decrypted by the session key;
when receiving a sensitive data operation request of a client, a server sends a challenge inquiry message to the client, and after receiving a response value generated by the client and passing authentication, the server gives a sensitive data operation authority to the client.
7. The method of claim 6, wherein receiving and authenticating the response value generated by the client comprises: and verifying the digital signature value in the response value by using the client public key, and finishing the security authentication if the digital signature value passes the verification.
8. The security authentication method of claim 6, wherein the server side gives the client side the operation right of the sensitive data, and the method comprises the following steps:
the server side inquires data corresponding to the appointed Handle identification according to the identification analysis request message sent by the client side;
and generating an identification analysis response message after signing the data retrieval result corresponding to the Handle identification, and sending the identification analysis response message to the client.
9. A security authentication system comprises a client and a server, and is characterized in that,
the client is used for acquiring a private key and a public key of the server; generating first key negotiation data according to the private key, encrypting the first key negotiation data through the public key, generating second key negotiation data and sending the second key negotiation data to the server; receiving third key negotiation data sent by a server, and calculating a session key by using the first key negotiation data and the third key negotiation data, wherein the third key negotiation data is generated by the server by using a private key of the server; establishing a secure session channel with the server based on the session key, and encrypting and decrypting session communication data between the client and the server by the session key; when a request is made for sensitive data operation to a server, a challenge inquiry message from the server is received, the client generates a response value and replies to the server, and the client obtains a sensitive data operation authority after passing authentication;
the server is used for: acquiring a private key and a public key of a client; receiving second key negotiation data sent by the client, and decrypting by using a private key to obtain first key negotiation data; generating third key negotiation data according to the private key, encrypting the third key negotiation data through a public key of the client, generating fourth key negotiation data and sending the fourth key negotiation data to the client; calculating a session key using the first key agreement data and the third key agreement data; establishing a secure session channel with the client based on the session key, and encrypting and decrypting session communication data between the client and the server by the session key; when a sensitive data operation request of the client is received, a challenge inquiry message is sent to the client, and after a response value generated by the client is received and authenticated, the server gives a sensitive data operation authority to the client.
10. A security authentication apparatus comprising a client, comprising:
the key acquisition module is used for acquiring a private key and a public key of the server;
the key negotiation data generation module is used for generating first key negotiation data according to the private key, encrypting the first key negotiation data through the public key, generating second key negotiation data and sending the second key negotiation data to the server;
the session key calculation module is used for receiving third key negotiation data sent by the server and calculating a session key by using the first key negotiation data and the third key negotiation data, wherein the third key negotiation data are generated by the server by using a private key of the server;
the secure session module is used for establishing a secure session channel with the server based on the session key;
and the challenge response module is used for receiving the challenge message from the server, generating a response value and replying to the server, and the client obtains the sensitive data operation authority after the authentication is passed.
11. The security authentication device of claim 10, wherein receiving the challenge message from the server, generating a response value and replying to the server comprises:
the client uses a client private key to carry out digital signature on the challenge value in the challenge message to generate a response value, and the response value is sent to the server through the challenge response message;
and if the digital signature value of the response value in the challenge response message is verified and passed by the server side by using the client public key, the safety authentication is completed.
12. The security authentication device of claim 10, wherein the client requests the server to perform the sensitive data operation, and the method comprises:
the client sends an identifier analysis request message to inquire data corresponding to the specified Handle identifier;
the client receives an identification analysis response message generated after the server signs a data retrieval result corresponding to the Handle identification by using a server private key;
and the client verifies the validity of the digital signature in the identification analysis response message by using the server public key so as to determine the correctness and the integrity of the Handle analysis result.
13. A security authentication device, comprising a server, characterized by comprising:
the key acquisition module is used for acquiring a private key and a public key of the client;
the key agreement data generation module is used for receiving second key agreement data sent by the client and decrypting the second key agreement data by using a private key to obtain first key agreement data; generating third key negotiation data according to the private key, encrypting the third key negotiation data through a public key of the client, generating fourth key negotiation data and sending the fourth key negotiation data to the client;
the session key calculation module is used for calculating a session key by utilizing the first key negotiation data and the third key negotiation data;
the secure session module is used for establishing a secure session channel with the client based on the session key, and session communication data between the client and the server is encrypted and decrypted by the session key;
and the challenge inquiry module is used for sending a challenge inquiry message to the client when receiving the sensitive data operation request of the client, and after receiving a response value generated by the client and passing the authentication, the server gives the client the sensitive data operation authority.
14. The security authentication device of claim 13, wherein receiving and authenticating a response value generated by a client comprises: and verifying the digital signature value in the response value by using the client public key through the server, and finishing safety certification if the digital signature value passes the verification.
15. The security authentication device of claim 13, wherein the server side gives the client side the operation right of the sensitive data, and the method comprises:
the server side inquires data corresponding to the appointed Handle identification according to the identification analysis request message sent by the client side;
and generating an identification analysis response message after signing the data retrieval result corresponding to the Handle identification, and sending the identification analysis response message to the client.
CN202210070012.6A 2022-01-21 2022-01-21 Security authentication method, system and device Pending CN114513339A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210070012.6A CN114513339A (en) 2022-01-21 2022-01-21 Security authentication method, system and device

Publications (1)

Publication Number Publication Date
CN114513339A true CN114513339A (en) 2022-05-17

Family

ID=81549140

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210070012.6A Pending CN114513339A (en) 2022-01-21 2022-01-21 Security authentication method, system and device

Country Status (1)

Country Link
CN (1) CN114513339A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014069985A1 (en) * 2012-11-05 2014-05-08 Mimos Berhad System and method for identity-based entity authentication for client-server communications
CN104023013A (en) * 2014-05-30 2014-09-03 上海帝联信息科技股份有限公司 Data transmission method, server side and client
CN111030814A (en) * 2019-12-25 2020-04-17 杭州迪普科技股份有限公司 Key negotiation method and device
CN111917552A (en) * 2020-06-23 2020-11-10 深圳奥联信息安全技术有限公司 Handle authority control method, device and system based on identification key
CN113612797A (en) * 2021-08-23 2021-11-05 金陵科技学院 Kerberos identity authentication protocol improvement method based on state cryptographic algorithm

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014069985A1 (en) * 2012-11-05 2014-05-08 Mimos Berhad System and method for identity-based entity authentication for client-server communications
CN104023013A (en) * 2014-05-30 2014-09-03 上海帝联信息科技股份有限公司 Data transmission method, server side and client
CN111030814A (en) * 2019-12-25 2020-04-17 杭州迪普科技股份有限公司 Key negotiation method and device
CN111917552A (en) * 2020-06-23 2020-11-10 深圳奥联信息安全技术有限公司 Handle authority control method, device and system based on identification key
CN113612797A (en) * 2021-08-23 2021-11-05 金陵科技学院 Kerberos identity authentication protocol improvement method based on state cryptographic algorithm

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116015679A (en) * 2022-12-20 2023-04-25 浪潮云信息技术股份公司 Multi-cloud management authentication method and system based on SM2 digital signature for government cloud
CN116366252A (en) * 2023-03-17 2023-06-30 北京信源电子信息技术有限公司 DOA-based data protection method for handle identification analysis technology
CN116366252B (en) * 2023-03-17 2024-01-30 北京信源电子信息技术有限公司 DOA-based data protection method for handle identification analysis technology
CN116579774A (en) * 2023-07-14 2023-08-11 深圳明辉智能技术有限公司 Cross encryption-based payment platform system and method
CN116579774B (en) * 2023-07-14 2024-01-12 深圳明辉智能技术有限公司 Cross encryption-based payment platform system and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination