CN116073989A - Authentication data processing method, device, system, equipment and medium - Google Patents
Authentication data processing method, device, system, equipment and medium Download PDFInfo
- Publication number
- CN116073989A CN116073989A CN202111276205.9A CN202111276205A CN116073989A CN 116073989 A CN116073989 A CN 116073989A CN 202111276205 A CN202111276205 A CN 202111276205A CN 116073989 A CN116073989 A CN 116073989A
- Authority
- CN
- China
- Prior art keywords
- random number
- server
- client
- certificate
- encrypted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0852—Quantum cryptography
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Physics & Mathematics (AREA)
- Electromagnetism (AREA)
- Theoretical Computer Science (AREA)
- Computer And Data Communications (AREA)
Abstract
The application discloses an authentication data processing method, an authentication data processing device, an authentication data processing system, authentication data processing equipment and an authentication data processing medium. Receiving authentication data returned by a server, wherein the first true random number is generated by the server through a quantum random number generator; decrypting the first true random number encrypted by the private key in the server certificate according to the public key in the server certificate to obtain a decrypted first true random number; encrypting the first true random number according to a private key and a first quantum key in the client certificate to obtain encrypted first encrypted data; and sending the first encrypted data to the server, wherein the first encrypted data is used for the server to carry out identity authentication on the client. According to the method and the device for authenticating the data, the difficulty that the data are cracked by violence in the authentication process can be increased, and the security of the authentication process is further improved.
Description
Technical Field
The application belongs to the technical field of information security, and particularly relates to an authentication data processing method, an authentication data processing device, an authentication data processing system, authentication data processing equipment and an authentication data processing medium.
Background
For information security, a secure authentication between the server and the client is required before the server and the client can establish an encrypted session.
At present, the most common authentication modes between the mobile client and the server include an authentication mode based on an account number and a password, an authentication mode based on a mobile phone number and a short message verification code and an authentication mode based on a SIM card digital certificate. In the first two authentication modes, data often has risks of being cracked in the authentication process, the authentication process is not safe, and the information security of a user cannot be guaranteed. Based on the authentication mode of the SIM card digital certificate, the risk of cracking data in the authentication process is high, and the authentication process is still unsafe.
Therefore, how to improve the difficulty of data violently cracked in authentication and further improve the security of authentication becomes a technical problem to be solved urgently at present.
Disclosure of Invention
The embodiment of the application provides an authentication data processing method, an authentication data processing device, an authentication data processing system, an authentication data processing device and an authentication data processing medium, which can improve the difficulty of data brute force cracking in authentication and further improve the security of authentication.
In a first aspect, an embodiment of the present application provides an authentication data processing method, including:
Sending an authentication request to a server;
receiving authentication data returned by a server, wherein the authentication data comprises a server certificate and a first true random number encrypted by a private key in the server certificate, and the first true random number is generated by the server through a quantum random number generator;
decrypting the first true random number encrypted by the private key in the server certificate according to the public key in the server certificate to obtain the first true random number;
encrypting the first true random number according to a private key and a first quantum key in a client certificate to obtain first encrypted data, wherein the first quantum key is a quantum key determined from a quantum key pool through a target quantum key selection algorithm;
and sending the first encrypted data to the server, wherein the first encrypted data is used for the server to carry out identity authentication on the client.
In one embodiment, after obtaining the first encrypted data, further comprising:
generating a second random number, wherein the second random number comprises a true random number generated by a quantum random number generator or a pseudo random number generated by a pseudo random number generation algorithm;
Encrypting the second random number according to the public key in the server certificate to obtain an encrypted second random number;
and sending the encrypted second random number and the first encrypted data to the server.
In one embodiment, before sending the authentication request to the server, the method further comprises:
generating a first random number, wherein the first random number comprises a true random number generated by a random number generator or a pseudo random number generated by a pseudo random number generation algorithm;
and generating an authentication request according to the client certificate, the quantum key selection algorithm supported by the client, the session encryption algorithm supported by the client and the first random number.
In one embodiment, after sending the encrypted second random number and the first encrypted data to the server, the method further includes:
and generating a first session key through the target session encryption algorithm according to the first random number, the first true random number and the second random number, wherein the first session key is used for encrypting session data between a client and the server.
In one embodiment, before generating the first random number, further comprising:
And under the condition of no network, receiving a client certificate issued by a certificate server and a quantum key pool, wherein the client certificate comprises a digital certificate generated by the certificate server according to the real information of the client, and the quantum key pool is used for storing a quantum key.
In a second aspect, an embodiment of the present application provides an authentication data processing method, which is applied to a server, and includes:
responding to a client to send an authentication request, and generating a first true random number through a quantum random number generator, wherein the authentication request comprises a quantum key selection algorithm supported by the client and a session encryption algorithm supported by the client;
encrypting the first true random number according to the private key in the server certificate to obtain a first true random number encrypted by the private key in the server certificate;
according to the quantum key selection algorithm supported by the client and the session encryption algorithm supported by the client, respectively determining the quantum key selection algorithm supported by the server and the session encryption algorithm supported by the client to obtain a target quantum key selection algorithm and a target session encryption algorithm;
generating authentication data according to a server certificate, a first true random number encrypted by a private key in the server certificate, the target session encryption algorithm and the target quantum key selection algorithm;
And sending the authentication data to the client.
In one embodiment, after sending the authentication data to the client, the method further comprises:
receiving encrypted second random numbers and first encrypted data sent by a client;
decrypting the first encrypted data according to the public key in the client certificate to obtain the first true random number encrypted by the first quantum key;
decrypting the first true random number encrypted by the first quantum key according to a second quantum key to obtain decrypted data, wherein the second quantum key is a quantum key determined in a client quantum key pool through a target quantum key selection algorithm;
and when the decrypted data is consistent with the first true random number, decrypting the encrypted second random number according to a private key in the server certificate to obtain the second random number.
In one embodiment, after decrypting the encrypted second random number according to the private key in the server certificate, obtaining the second random number, the method further includes:
and establishing a second session key through a target session encryption algorithm according to the first random number, the second random number and the first true random number, wherein the second session key is used for encrypting session data between the server and the client.
In a third aspect, an embodiment of the present application provides an authentication data processing apparatus, including:
the first sending module is used for sending an authentication request to the server;
the first receiving module is used for receiving authentication data returned by the server, wherein the authentication data comprises a server certificate and a first true random number encrypted by a private key in the server certificate;
the first decryption module is used for decrypting the first true random number encrypted by the private key in the server certificate according to the public key in the server certificate to obtain a decrypted first true random number;
the first encryption module is used for encrypting the first true random number according to a private key and a first quantum key in the client certificate to obtain encrypted first encrypted data, wherein the first quantum key is a quantum key determined from a quantum key pool through a target quantum key selection algorithm;
and the second sending module is used for sending the first encrypted data to the server by the first encrypted data, wherein the first encrypted data is used for carrying out identity authentication on the client by the server.
In a fourth aspect, an embodiment of the present application provides an authentication data processing apparatus, applied to a server, where the apparatus includes:
The first generation module is used for responding to the client to send an authentication request, and generating a first true random number through the quantum random number generator, wherein the authentication request comprises a quantum key selection algorithm supported by the client, a session encryption algorithm supported by the client and a client certificate;
the second encryption module is used for encrypting the first true random number according to the private key in the server certificate to obtain the first true random number encrypted by the private key in the server certificate;
the determining module is used for respectively determining the quantum key selection algorithm and the session encryption algorithm supported by the server according to the quantum key selection algorithm and the session encryption algorithm supported by the client to obtain a target session encryption algorithm and a target quantum key selection algorithm;
the second generation module is used for generating authentication data according to the server certificate, the first true random number encrypted by the private key in the server certificate, the target session encryption algorithm and the target quantum key selection algorithm;
and the third sending module is used for sending the authentication data to the client.
In a fifth aspect, embodiments of the present application provide an authentication data processing system, the system comprising:
The system comprises a client and a server, wherein the client comprises a quantum identity identification card and a communication module;
the communication module is used for: sending an authentication request to the server; receiving authentication data returned by a server, wherein the authentication data comprises a server certificate and a first true random number encrypted by a private key in the server certificate; the first encrypted data is sent to the server, wherein the first encrypted data is used for the server to carry out identity authentication on the client;
the quantum identity card is used for: decrypting the first true random number encrypted by the private key in the server certificate according to the public key in the server certificate to obtain a decrypted first true random number; and encrypting the first true random number according to a private key and a first quantum key in the client certificate to obtain encrypted first encrypted data, wherein the first quantum key is a quantum key determined from a quantum key pool through a target quantum key selection algorithm.
In a sixth aspect, an embodiment of the present application provides an authentication data processing apparatus, including:
a processor and a memory storing computer program instructions;
The processor, when executing the computer program instructions, implements the authentication data processing method described in any embodiment of the present application.
In a seventh aspect, embodiments of the present application provide a computer storage medium having stored thereon computer program instructions which, when executed by a processor, implement an authentication data processing method as described in any of the embodiments of the present application.
According to the authentication data processing method, device, system, equipment and medium, the first true random number is generated by the server through the quantum random number generator, the random number generated by the server is more accidental than the pseudo random number generated by the algorithm, the generation of the true random number by the client is avoided while no rule is found, the server equipment is attacked firstly when the client wants to crack the first true random number, and the difficulty of attacking to crack the first true random number is further increased. The received first true random number is data encrypted by the public key of the server certificate, and the difficulty of cracking the data is increased. The first true random number is encrypted through the private key in the server certificate and then decrypted through the public key in the server certificate, then the first true random number is encrypted through the private key and the first quantum key of the client certificate, so that the complexity of data interaction in the authentication process is increased, the security of the data is ensured, meanwhile, the selected quantum key has higher security, the first encrypted data obtained after encryption also has higher security and is not easy to crack, the identity of the client is authenticated through the first encrypted data with higher security and not easy to crack, the information security of the client can be ensured, and the security of authentication is further improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described, and it is possible for a person skilled in the art to obtain other drawings according to these drawings without inventive effort.
Fig. 1 is a schematic diagram of an authentication flow of an access authentication mode based on a SIM card digital certificate in the prior art;
FIG. 2 is an authentication data processing system provided in an embodiment of the present application;
fig. 3 is a schematic flow chart of an authentication data processing method according to an embodiment of the present application;
FIG. 4 is a flowchart of another authentication data processing method according to an embodiment of the present application;
FIG. 5 is a flowchart of another authentication data processing method according to an embodiment of the present application;
FIG. 6 is a flowchart of another authentication data processing method according to an embodiment of the present application;
FIG. 7 is a schematic diagram of an authentication data processing apparatus according to an embodiment of the present application;
fig. 8 is a schematic diagram of another authentication data processing apparatus according to an embodiment of the present application.
Detailed Description
Features and exemplary embodiments of various aspects of the present application are described in detail below to make the objects, technical solutions and advantages of the present application more apparent, and to further describe the present application in conjunction with the accompanying drawings and the detailed embodiments. It should be understood that the specific embodiments described herein are intended to be illustrative of the application and are not intended to be limiting. It will be apparent to one skilled in the art that the present application may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present application by showing examples of the present application.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
First, the technical terms related to the specification of the present application are introduced:
digital certificate: a data structure comprising public key owner information, public keys, issuer information, validity periods, and extension information is issued by a digital certificate authority (Certificate Authority, CA) based on the user's associated materials or information.
Secure Element (SE): the carrier which realizes the functions of data security storage, encryption and decryption operation and the like through the security chip and/or the chip operating system can be packaged into various forms. Common security carriers may include subscriber identity (Subscriber Identification Module, SIM) cards, hardware digital certificate carriers (Universal Serial Bus Key, USBKey), and the like.
The conventional authentication modes include an access authentication mode based on an account number and a password, an access authentication mode based on a mobile phone number and a short message verification code and an access authentication mode based on a SIM card digital certificate. The access authentication mode based on the account password is that a user registers an account in an application system, sets a password corresponding to the account, and inputs the account and the password when logging in, so that the user can log in the system. The access authentication mode based on the mobile phone number and the short message authentication code is that the user logs in the system through the mobile phone number and the short message authentication code obtained dynamically. Both authentication methods often risk data being hacked during the authentication process, which is not secure.
The access authentication mode based on the SIM card digital certificate is mainly used for confirming that a legal user can access the system, and the key point is not to pay attention to the security of the authentication process. Under the authentication method, a user firstly needs to register in a CA organization through legal qualification proving materials to obtain a CA certificate; the application system performs certificate verification on a user needing to log in through an identity authentication gateway; when a user logs in an application system, certificate information is submitted to an identity authentication gateway, the identity authentication gateway performs certificate verification to a CA (certificate authority) in an online or offline mode, and only the authenticated user can further access the application system. The client personal certificate is mainly used for identity verification and electronic signature, is generally stored in a special intelligent password key, and needs to input a protection password when in use, and the storage medium intelligent key of the client personal certificate needs to be physically obtained by using the certificate, and needs to know the protection password of the intelligent password key. The main authentication flow between the server and the client is shown in fig. 1, and mainly comprises the following steps:
S110, the client initiates an establishment request to the server.
S120, the server sends the digital certificate to the client.
And S130, the client verifies the digital certificate, and after the certificate verification is passed, the client sends the certificate to the server to generate a session key.
S140, the server verifies the certificate of the client to generate a session key.
S150, the client and the server start to carry out encryption session.
The inventor considers the two-way authentication mode of the server and the client, although the legal user can be confirmed through the digital certificate issued by the CA mechanism, the interaction of related data in the authentication process is not complex, the digital certificate is often stored in a secure carrier, and under the condition that the time for obtaining a private key by cracking a public key by a quantum computer is shorter, the related data of the digital certificate stored in the secure carrier has the risk of being cracked, so that the data in the authentication process still has the risk of being cracked based on the access authentication mode of the SIM card digital certificate, and the authentication process is still unsafe.
In order to improve the difficulty of violent cracking of data in an authentication process and further improve the safety of the authentication process, the inventor considers an access authentication mode based on a symmetric quantum key, and the authentication mode firstly obtains the quantum key from a quantum communication network, and charges the quantum key to a sub-certificate module through a quantum key charging machine, wherein the quantum certificate module is stored in a safety carrier. During authentication, a client randomly selects a quantum key from quantum keys stored in a quantum certificate module, generates authentication data by using a symmetric encryption algorithm, completes generation of access authentication information, and sends a data packet to a quantum security access authentication gateway; the quantum security access authentication gateway synchronously stores the quantum key, the quantum key number, the corresponding relation of the client and the validity period distributed by the quantum communication network; and finally, the quantum security access authentication gateway extracts authentication data and the number of the quantum key from the received data packet, extracts the corresponding key according to the number, decrypts the authentication data into plaintext data by using a symmetric decryption algorithm, and finally completes authentication.
The inventor finds that the access authentication mode based on the symmetric quantum key seems to improve the authentication security, but the authentication of the client is not involved in the authentication process, that is to say, the authentication mode can present the risk of malicious displacement of the client, is not safe for the client, and has the risk of revealing key information required by the identity recognition of the user of the client. Therefore, the inventor proposes that in the process of two-way authentication of the client and the server, the server generates a true random number, the true random number is transmitted to the server after encryption protection of a server certificate private key, encryption protection of a client quantum key and encryption protection of a client certificate private key, whether the true random number is consistent or not is compared after decryption of the server, the effective identity of the client is authenticated, and meanwhile, a high-safety session key is generated, so that the risk of data being cracked in authentication is avoided, and the security of authentication is enhanced.
In order to solve the problems in the prior art, the embodiment of the application provides an authentication data processing method, an authentication data processing device, an authentication data processing system, an authentication data processing device and an authentication data processing medium. An authentication data processing system according to an embodiment of the present application will be described first.
FIG. 2 illustrates an authentication data processing system provided by an embodiment of the present application, the system including:
a client 210 and a server 220, wherein the client 210 comprises a quantum user identity card 211 and a communication module 212;
the communication module 212 is configured to: sending an authentication request to the server; receiving authentication data returned by a server, wherein the authentication data comprises a server certificate and a first true random number encrypted by a private key in the server certificate; and sending the first encrypted data to the server, wherein the first encrypted data is used for the server to carry out identity authentication on the client.
The quantum user identification card 211 is used for: decrypting the first true random number encrypted by the private key in the server certificate according to the first true random number, and obtaining a decrypted first true random number; and encrypting the first true random number according to a private key and a first quantum key in the client certificate to obtain first encrypted data, wherein the first quantum key is a quantum key determined from a quantum key pool through a target quantum key selection algorithm.
Specifically, at least one client 210 interacts with a server 220 through a communication module 212, and the client 210 interacts with a quantum identification card 211 through the communication module 212.
Specifically, the communication module 212 may include an Open Mobile API (OMA), after the client sends authentication data returned by the server received by the communication module 212 to the quantum user identification card 211 through the OMA, the quantum user identification card 211 decrypts the first true random number encrypted by the private key in the server certificate by using the public key of the server certificate included in the authentication data, and then the quantum user identification card 211 encrypts the first true random number by using the private key in the client certificate and the first quantum key to obtain the first encrypted data. The quantum user identification card 211 transmits the first encrypted data to the client 210 through the communication module 212, or the client 210 accesses the quantum user identification card 211 through the communication module 212 and after reading the first encrypted data, the client 210 transmits the first encrypted data to the server 220 through the communication module 212.
In one embodiment, quantum user identification card 211 may include a processing chip that may include storage of digital certificates and quantum key pools, generation of true random numbers, generation of pseudorandom numbers, quantum key selection algorithms and interface services for quantum key pools, selection of quantum key encrypted data, and private key encryption and public key decryption services for digital certificates.
In one embodiment, the client 210 may comprise a mobile client.
According to the system in the embodiment of the application, the first true random number received by the client 210 through the communication module 212 is generated by the server 220 through the quantum random number generator, so that the generation of the true random number by the client 210 is avoided while the random number is more accidental than the pseudo random number generated by an algorithm and is not regularly found, the server 220 equipment is firstly attacked when the first true random number is required to be cracked, and the difficulty of cracking the first true random number by attack is further increased. The received first true random number is data encrypted by the public key of the server certificate, and the difficulty of cracking the data is increased. The first true random number is encrypted through the private key in the server certificate and then decrypted through the public key in the server certificate, then the first true random number is encrypted through the private key and the first quantum key of the client certificate, so that the complexity of data interaction in the authentication process is increased, the security of the data is ensured, meanwhile, the selected quantum key has higher security, the first encrypted data obtained after encryption also has higher security and is not easy to crack, the identity of the client is authenticated through the first encrypted data with higher security and not easy to crack, the information security of the client can be ensured, and the security of authentication is further improved.
In order to increase the difficulty of cracking the authentication data, in one embodiment, an authentication data processing system provided in the embodiment of the present application as shown in fig. 2, the system may further include:
the server 220 is configured to: responding to a client to send an authentication request, and generating a first true random number through a quantum random number generator, wherein the authentication request comprises a quantum key selection algorithm supported by the client, a session encryption algorithm supported by the client and a client certificate; encrypting the first true random number according to the private key in the server certificate to obtain a first true random number encrypted by the private key in the server certificate; according to the quantum key selection algorithm and the session encryption algorithm supported by the client, respectively determining the quantum key selection algorithm and the session encryption algorithm supported by the server to obtain a target session encryption algorithm and a target quantum key selection algorithm; generating authentication data according to a server certificate, a first true random number encrypted by a private key in the server certificate, the target session encryption algorithm and the target quantum key selection algorithm; and sending the authentication data to the client.
In this embodiment of the present application, the server 220 generates the first true random number, which is more accidental than the pseudo random number generated by the algorithm, and avoids the generation of the true random number by the client while being random and searchable, and the server encrypts the first true random number by using the public key of the server certificate, thereby protecting the random number, and the server device is first attacked when the first true random number is to be cracked, so that the difficulty of attacking to crack the first true random number is further increased. The server 220 can also select a target quantum key selection algorithm and a target session encryption algorithm supported by both the server and the client according to the algorithm supported by the client, and send the selected authentication data to the client, that is, the target quantum key selection algorithm and the target session encryption algorithm used in the authentication process are mutually negotiated by the server and the client, it can be understood that the probability that the target quantum key selection algorithm negotiated by each authentication is the same as the target session encryption algorithm is very small, which further increases the difficulty that the authentication is broken maliciously, and further improves the security information of the authentication.
In order to avoid the risk of the identity of the user of the client being impersonated, in one embodiment, an authentication data processing system provided in an embodiment of the present application as shown in fig. 2, the system may further include:
the server 220 is configured to: receiving encrypted second random numbers and first encrypted data sent by a client; decrypting the first encrypted data according to the public key in the client certificate to obtain the first true random number encrypted by the first quantum key; decrypting the first true random number encrypted by the first quantum key according to a second quantum key to obtain decrypted data, wherein the second quantum key is a quantum key determined in a client quantum key pool through a target quantum key selection algorithm; and when the decrypted data is consistent with the first true random number, decrypting the encrypted second random number according to a private key in the server certificate to obtain the second random number.
In this embodiment, the decrypted data compared with the first true random number is obtained by the server 220 decrypting the first encrypted data using the public key in the client certificate and the second quantum key, and it can be understood that the client certificate is a digital certificate corresponding to the true identity of the client, and then the server 220 also corresponds to the true identity of the client using the public key in the client certificate, and the second quantum key is a quantum key determined in the client quantum key pool by the target quantum key selection algorithm. When the decrypted data is consistent with the first true random number, it means that the public key in the client certificate used by the server 220 corresponds to the private key in the client certificate, is the client certificate of the same client, can prove that the client is not falsified, and the second quantum key is the quantum key pool of the same client where the first quantum key is located, so that the client 210 corresponding to the first encrypted data can be further determined to be a trusted client, and after the client is determined to be the trusted client, the server 220 decrypts the encrypted second random number sent by the customer service side, thereby avoiding the risk of falsification of the client user. In addition, the decryption data is decrypted by the second quantum key in addition to the public key in the client certificate, and compared with an authentication scheme of decrypting by only using the public key in the client certificate, the method has the advantages that one layer of quantum key protection is added, the difficulty in decrypting the authentication data can be increased, and the authentication security is further improved.
Fig. 3 shows a flowchart of an authentication data processing method according to an embodiment of the present application, which is applied to the system shown in fig. 2, where the method includes:
s310, sending an authentication request to a server.
S320, receiving authentication data returned by the server, wherein the authentication data comprises a server certificate and a first true random number encrypted by a private key in the server certificate, and the first true random number is generated by the server through a quantum random number generator.
S330, decrypting the first true random number encrypted by the private key in the server certificate according to the public key in the server certificate to obtain the first true random number.
And S340, encrypting the first true random number according to a private key and a first quantum key in the client certificate to obtain first encrypted data, wherein the first quantum key is a quantum key determined from a quantum key pool through a target quantum key selection algorithm.
And S350, the first encrypted data is sent to the server, wherein the first encrypted data is used for the server to carry out identity authentication on the client.
In the embodiment of the application, the first true random number is generated by the server through the quantum random number generator, so that the server is more accidental than the pseudo random number generated by the algorithm, the generation of the true random number by the client is avoided while no rule is found, the server equipment is firstly attacked when the client wants to crack the first true random number, and the difficulty of attacking and cracking the first true random number is further increased. The received first true random number is data encrypted by the public key of the server certificate, and the difficulty of cracking the data is increased. The first true random number is encrypted through the private key in the server certificate and then decrypted through the public key in the server certificate, then the first true random number is encrypted through the private key and the first quantum key of the client certificate, so that the complexity of data interaction in the authentication process is increased, the security of the data is ensured, meanwhile, the selected quantum key has higher security, the first encrypted data obtained after encryption also has higher security and is not easy to crack, the identity of the client is authenticated through the first encrypted data with higher security and not easy to crack, the information security of the client can be ensured, and the security of authentication is further improved.
The above steps are described in detail below.
In S310, specifically, the client transmits an authentication request to the server through the communication module. It will be appreciated that the communication module supports common communication means such as fourth generation mobile messaging technology (the 4th Generation Mobile Communication Technology,4G), fifth generation mobile messaging technology (the 5th Generation Mobile Communication Technology,5G), wireless local area network technology (Wireless Fidelity, WIFI), and the like.
In order to further improve the security of authentication, in an embodiment, as shown in fig. 4, another flowchart of an authentication data processing method according to an embodiment of the present application may further include S410-S420 before sending the authentication request to the server,
s410, generating a first random number, wherein the first random number comprises a true random number generated by a random number generator or a pseudo random number generated by a pseudo random number generation algorithm.
S420, generating an authentication request according to the client certificate, the quantum key selection algorithm supported by the client, the session encryption algorithm supported by the client and the first random number.
In the embodiment of the application, a first random number is generated before an authentication request is sent to a server, and the authentication request is generated according to the random number, a client certificate, a quantum key selection algorithm supported by a client and a session encryption algorithm supported by the client. It will be appreciated that the first random number is regenerated each time before the authentication request is sent to the server, that is, each time the authentication request received by the server is different because the first random number is included, the unpredictability of each sent authentication request can be increased, so that the security of authentication is improved before the authentication starts.
S410-S420 are described in detail below.
In S410, specifically, the client accesses the quantum user id card through the communication module, reads the first random number generated by the quantum user id card through the pseudo random number generation algorithm preset therein, or accesses the quantum user id card through the communication module, reads the first random number generated by the quantum user id card through the quantum random number generator preset therein.
In order to ensure the security of the authentication data, in an embodiment, as shown in fig. 4, another flowchart of an authentication data processing method according to an embodiment of the present application may further include S401 before the first random number is generated,
s401, under the condition of no network, receiving a client certificate issued by a certificate server and a quantum key pool, wherein the client certificate comprises a digital certificate generated by the certificate server according to the real information of the client, and the quantum key pool is used for storing a quantum key.
Specifically, the client certificate and the quantum key pool received by the client may be injected into the quantum user identity card in the client through the filling machine under the offline condition, or the client certificate and the quantum key pool may be injected into the quantum user identity card in the client through a device such as a usb (universal serial bus) without connecting a network, wherein the size of the quantum key pool does not exceed the storage capacity of the quantum user identity card, and it can be understood that each client certificate is provided with the quantum key pool corresponding to the quantum key pool. The digital certificate generated by the certificate server according to the client's real information is also a digital certificate for the client's identity.
In the embodiment of the application, the client certificate and the quantum key pool issued by the certificate server are received under the condition of no network, so that the problem of data leakage during connection with public networks is avoided, the safety of the client certificate and the quantum key pool is ensured, and the safety of authentication data is further ensured. In addition, the received client certificate is a digital certificate generated for the true identity of the client, that is, the client certificate is capable of characterizing the identity of the client.
The above is a specific implementation of S410, and a specific implementation of S420 is described below.
In S420, specifically, the client accesses the quantum user id card through the communication module, reads the client certificate stored in the quantum user id card, the quantum key selection algorithm supported by the client, the session encryption algorithm supported by the client, and the first random number, and then generates an authentication request including the client certificate, the quantum key selection algorithm supported by the client, the session encryption algorithm supported by the client, and the first random number.
The above is a specific implementation of S310, and a specific implementation of S320 is described below.
In S320, specifically, the client receives authentication data returned from the server through the communication module, and the first true random number is generated by the server through the quantum random number generator.
To confirm the authenticity and legitimacy of the server certificate, further to improve the security of the authentication, in one embodiment, after the client receives the authentication data returned by the server, the method may further include,
and verifying the server certificate to obtain a verification result of the server certificate, wherein the server certificate comprises a certificate public key, enterprise information, domain name expiration time and an algorithm supported by a server.
And decrypting the first true random number encrypted by the private key in the server certificate when the verification result meets a preset condition, wherein the preset condition comprises at least one of that the server certificate is not revoked, that the server certificate is not expired and that the domain name in the server certificate is consistent with the domain name of the server.
The above is a specific implementation of S320, and a specific implementation of S330 is described below.
In S330, specifically, the client sends the authentication data returned by the server to the quantum user id card through the communication module, and the quantum user id card decrypts the first true random number encrypted by the private key in the server certificate by using the public key in the server certificate, to obtain the first true random number.
In S340, specifically, the quantum user id card may encrypt the first true random number using the first quantum key, then encrypt the first encrypted data obtained by encrypting the first true random number using the private key in the client certificate, and then store the first encrypted data obtained in the quantum user id card, or the quantum user id card may encrypt the first true random number using the private key in the client certificate, then encrypt the first true random number using the first quantum key, and then store the first encrypted data obtained in the quantum user id card. The encryption sequence of the first true random number is not limited in the embodiment of the present application.
In order to further improve the security of authentication, in an embodiment, as shown in fig. 4, another flowchart of an authentication data processing method according to an embodiment of the present application may further include S430-S450 after obtaining the first encrypted data,
s430, generating a second random number, wherein the second random number comprises a true random number generated by a quantum random number generator or a pseudo random number generated by a pseudo random number generation algorithm.
Specifically, the client accesses the quantum user identity card through the communication module, reads the second random number generated by the quantum user identity card through the pseudorandom number generation algorithm preset in the quantum user identity card, or accesses the quantum user identity card through the communication module, and reads the second random number generated by the quantum user identity card through the quantum random number generator preset in the quantum user identity card.
S440, encrypting the second random number according to the public key in the server certificate, and obtaining the encrypted second random number.
Specifically, the client sends authentication data returned by the server including the public key in the server certificate to the quantum user identity card through the communication module, the quantum user identity card encrypts the second random number by using the public key in the server certificate, and the encrypted second random number is stored in the quantum user identity card.
S450, the encrypted second random number and the first encrypted data are sent to the server.
Specifically, the client accesses the quantum user identity card through the communication module, reads the encrypted second random number and the first encrypted data stored in the quantum user identity card, and then sends the second random number and the first encrypted data to the server through the communication module.
In the embodiment of the application, the second random number is generated and encrypted by using the public key of the server certificate, and it can be understood that the newly generated second random number is generated after the encrypted data is obtained each time, so that the randomness of the authentication data can be enhanced, the difficulty of cracking the data is increased, the random number is in an encrypted state when being sent to the server, and the actions such as malicious injection or replay attack can be effectively prevented, so that the security of the authentication can be further improved.
The above is a specific implementation of S340, and a specific implementation of S350 is described below.
In S350, specifically, the client accesses the quantum user id card through the communication module, reads the first encrypted data, and then sends the first encrypted data to the server through the communication module.
The above is a specific implementation of S350.
From the foregoing, it can be appreciated that the first nonce, the first true nonce, and the second nonce are not generated by the same device at one time, where the first true nonce is generated by the server, the first nonce is generated before the client sends an authentication request to the server, and the second nonce is generated after the client encrypts the first true nonce to obtain the first encrypted data. This means that each authentication has a different first random number, first true random number and second random number, and that there is no necessary association between the first random number, first true random number and second random number.
Therefore, in order to improve the security of the authentication result, in one embodiment, as shown in fig. 4, another flowchart of the authentication data processing method according to the embodiment of the present application may further include S460 after sending the encrypted second random number and the first encrypted data to the server,
S460, generating a first session key through the target session encryption algorithm according to the first random number, the first true random number and the second random number, wherein the first session key is used for encrypting session data between a client and the server.
Specifically, the quantum user identity card generates a first session key for encrypting session data between the client and the server according to the first random number, the first true random number and the second random number through a target session encryption algorithm, the client accesses the quantum user identity card through the communication module, reads the first session key, and then carries out a session through the first session key and the server.
In this embodiment of the present application, each time the first random number, the first true random number, and the second random number used for generating the first session key by the target session encryption algorithm are different, and the first random number, the first true random number, and the second random number are also different from each other, which means that the first session key generated by using the three random numbers is higher in unpredictability and is more difficult to crack, and at least one of the three random numbers is a true random number, so that the difficulty of cracking the first session key is increased, the security of the first session key is improved, and further when session data between the client and the server is encrypted by using the first session key, the session data is difficult to crack, eavesdropping can be effectively prevented, and the security of the authentication result is improved.
In order to increase the difficulty of cracking the authentication data, in one embodiment, a flowchart of another authentication data processing method provided in the embodiment of the present application as shown in fig. 5 is applied to a server, where the method includes,
s510, responding to a client to send an authentication request, and generating a first true random number through a quantum random number generator, wherein the authentication request comprises a quantum key selection algorithm supported by the client and a session encryption algorithm supported by the client.
Specifically, after receiving an authentication request sent by a client, a server stores data in the authentication request on the server, and generates a first true random number by triggering a quantum random number generator installed on the server.
In one embodiment, the authentication request may include a client-supported quantum key selection algorithm, a client-supported session encryption algorithm, a client certificate, and a quantum key pool, and the server stores the client certificate and the quantum key pool in the server after receiving the authentication request sent by the client.
S520, encrypting the first true random number according to the private key in the server certificate to obtain the first true random number encrypted by the private key in the server certificate.
Specifically, the server encrypts the first true random number using the private key in the server certificate, resulting in a first true random number encrypted by the private key in the server certificate.
S530, according to the quantum key selection algorithm supported by the client and the session encryption algorithm supported by the client, respectively determining the quantum key selection algorithm supported by the server and the session encryption algorithm supported by the client, and obtaining a target quantum key selection algorithm and a target session encryption algorithm.
In one embodiment, the server selects one server-supported algorithm from the client-supported algorithms as a target quantum key selection algorithm of the stored quantum key pool and a target session encryption algorithm for generating a session key after authentication is completed after the server receives the client authentication request.
S540, generating authentication data according to the server certificate, the first true random number encrypted by the private key in the server certificate, the target session encryption algorithm and the target quantum key selection algorithm.
And S550, the authentication data is sent to the client.
Specifically, the authentication data sent to the client by the server may include a server certificate, a first true random number encrypted by a private key in the server certificate, a target session encryption algorithm, and a target quantum key selection algorithm.
In the embodiment of the application, the server generates the first true random number, so that the server is more accidental than the pseudo random number generated by the algorithm, the generation of the true random number by the client is avoided while the random number is irregular and can be found, the server encrypts the first true random number by using the public key of the server certificate, the random number is protected, and the server equipment is attacked firstly when the first true random number is required to be cracked, so that the difficulty of attacking and cracking the first true random number is further increased. The server can also select a target quantum key selection algorithm and a target session encryption algorithm which are supported by the server and the client according to the algorithm supported by the client, and send the selected authentication data to the client, that is, the target quantum key selection algorithm and the target session encryption algorithm which are used in the authentication process are mutually negotiated by the server and the client, and it can be understood that the probability that the target quantum key selection algorithm negotiated by each authentication is the same as the target session encryption algorithm is very small, so that the difficulty of maliciously cracking the authentication is further increased, and the security information of the authentication is further improved.
In order to avoid the risk of the user identity of the client being impersonated, in one embodiment, a flowchart of another authentication data processing method provided in the embodiment of the present application as shown in fig. 6 is applied to the server, and after the authentication data is sent to the client, the method may further include,
S610, the encrypted second random number and the first encrypted data sent by the client are received.
Specifically, the server receives the encrypted second random number and the first encrypted data sent by the client.
To confirm the authenticity and validity of the client certificate, further to improve the security of the authentication, in one embodiment, after receiving the encrypted second random number and the first encrypted data sent by the client, the server may further include,
and verifying the client certificate to obtain a verification result of the client certificate, wherein the client certificate comprises a certificate public key, enterprise information, domain name expiration time and an algorithm supported by the client.
And decrypting the first encrypted data when the verification result meets a preset condition, wherein the preset condition comprises at least one of that the client certificate is not revoked, that the client certificate is not expired and that the domain name in the client certificate is consistent with the domain name of the client.
S620, decrypting the first encrypted data according to the public key in the client certificate to obtain the first true random number encrypted by the first quantum key.
S630, decrypting the first true random number encrypted by the first quantum key according to a second quantum key to obtain decrypted data, wherein the second quantum key is a quantum key determined in a client quantum key pool through a target quantum key selection algorithm.
Specifically, in S620-S630, the order in which the server decrypts the first encrypted data using the public key in the client certificate and the second quantum key is related to the order in which the first truly random number is encrypted in the client using the private key in the client certificate and the first quantum key. When the client encrypts the first true random number by using the first quantum key and then encrypts by using the private key in the client certificate, the server decrypts the first encrypted data by using the public key in the client certificate and then decrypts by using the second quantum key; when the client encrypts the first true random number by using the private key in the client certificate and then encrypts by using the first quantum key, the server decrypts the first encrypted data by using the second quantum key and decrypts by using the public key in the client certificate. In this application, the encryption order of the first true random number is not limited, and only one order is taken as an example in this embodiment.
And S640, decrypting the encrypted second random number according to a private key in the server certificate to obtain the second random number when the decrypted data is consistent with the first true random number.
In this embodiment of the present application, the decrypted data compared with the first true random number is obtained by the server decrypting the first encrypted data using the public key in the client certificate and the second quantum key, and it may be understood that the client certificate is a digital certificate corresponding to the true identity of the client, and then the server uses the public key in the client certificate to also correspond to the true identity of the client, and the second quantum key is a quantum key determined in the client quantum key pool by the target quantum key selection algorithm. When the decrypted data is consistent with the first true random number, the public key in the client certificate used by the server corresponds to the private key in the client certificate, is the client certificate of the same client, can prove that the client is not falsified, and the second quantum key is a quantum key pool of the same client where the first quantum key is located, so that the client corresponding to the first encrypted data can be further determined to be a trusted client, after the client is determined to be the trusted client, the server decrypts the encrypted second random number sent by the customer service side, and the risk that a user of the client is falsified is avoided. In addition, the decryption data is decrypted by the second quantum key in addition to the public key in the client certificate, and compared with an authentication scheme of decrypting by only using the public key in the client certificate, the method has the advantages that one layer of quantum key protection is added, the difficulty in decrypting the authentication data can be increased, and the authentication security is further improved.
In order to improve the security of the authentication result, in one embodiment, the further authentication data processing method provided in the embodiment of the present application as shown in fig. 6 is applied to the server, and after decrypting the encrypted second random number according to the private key in the server certificate to obtain the second random number, S650 may further include,
and S650, establishing a second session key through a target session encryption algorithm according to the first random number, the second random number and the first true random number, wherein the second session key is used for encrypting session data between the server and the client.
Specifically, the server generates a second session key for encrypting session data between the server and the client from the first random number, the first true random number, and the second random number by a target session encryption algorithm, and thereafter performs a session with the client through the second session key.
In the embodiment of the application, the first random number, the first true random number and the second random number used for generating the second session key through the target session encryption algorithm are different each time, and the first random number, the first true random number and the second random number are different from each other, which means that the second session key generated by using the three random numbers is higher in unpredictability and higher in cracking difficulty, at least one of the three random numbers is the true random number, so that the cracking difficulty of the second session key is improved, the security of the second session key is improved, further, when the session data between the server and the client is encrypted by using the second session key, the session data is difficult to crack, eavesdropping can be effectively prevented, and the security of an authentication result is improved.
Based on the authentication data processing method provided by any one of the embodiments, the application also provides an embodiment of an authentication data processing device. See in particular fig. 7.
Fig. 7 shows a schematic diagram of an authentication data processing apparatus according to an embodiment of the present application. As shown in fig. 7, the apparatus may include:
a first sending module 710, configured to send an authentication request to a server.
The first receiving module 720 is configured to receive authentication data returned by the server, where the authentication data includes a server certificate and a first true random number encrypted by a private key in the server certificate, and the first true random number is generated by the server through a quantum random number generator.
And the first decryption module 730 is configured to decrypt the first true random number encrypted by the private key in the server certificate according to the public key in the server certificate, to obtain a decrypted first true random number.
The first encryption module 740 is configured to encrypt the first true random number according to a private key and a first quantum key in the client certificate, to obtain encrypted first encrypted data, where the first quantum key is a quantum key determined from a quantum key pool by a target quantum key selection algorithm.
And the second sending module 750 is configured to send the first encrypted data to the server, where the first encrypted data is used for the server to authenticate the identity of the client.
According to the device provided by the embodiment of the application, the first true random number received by the first receiving module 720 is generated by the server through the quantum random number generator, so that the server is more accidental than the pseudo random number generated by the algorithm, the generation of the true random number by the client is avoided while no rule is found, the server equipment is attacked firstly when the client wants to crack the first true random number, and the difficulty of attacking to crack the first true random number is further increased. The received first true random number is data encrypted by the public key of the server certificate, and the difficulty of cracking the data is increased. The first decryption module 730 encrypts the first true random number through a private key in the server certificate and then decrypts the first true random number through a public key in the server certificate, and then the first encryption module 740 encrypts the first true random number through the private key and the first quantum key of the client certificate, so that the complexity of data interaction in the authentication process is increased, the security of the data is ensured, and meanwhile, the selected quantum key has higher security, so that the first encrypted data obtained after encryption also has higher security and is not easy to crack, the identity of the client is authenticated through the first encrypted data which has higher security and is not easy to crack, the information security of the client can be ensured, and the security of authentication is further improved.
In one embodiment, prior to sending the authentication request to the server, the first sending module 710 may further include,
and a first generation unit for generating a first random number, wherein the first random number comprises a true random number generated by a random number generator or a pseudo random number generated by a pseudo random number generation algorithm.
And the second generation unit is used for generating an authentication request according to the client certificate, the quantum key selection algorithm supported by the client, the session encryption algorithm supported by the client and the first random number.
In the embodiment of the application, the first generation unit generates the first random number before sending the authentication request to the server, and the second generation unit generates the authentication request according to the random number, the client certificate, the quantum key selection algorithm supported by the client and the session encryption algorithm supported by the client. It will be appreciated that the first random number is regenerated each time before the authentication request is sent to the server, that is, each time the authentication request received by the server is different because the first random number is included, the unpredictability of each sent authentication request can be increased, so that the security of authentication is improved before the authentication starts.
In one embodiment, after obtaining the first encrypted data, the first encryption module 740 may further include,
and a third generation unit for generating a second random number, wherein the second random number comprises a true random number generated by a quantum random number generator or a pseudo random number generated by a pseudo random number generation algorithm.
And the first encryption unit is used for encrypting the second random number according to the public key in the server certificate to obtain the encrypted second random number.
And the first sending unit is used for sending the encrypted second random number and the first encrypted data to the server.
In this embodiment of the present application, the first generating unit generates a second random number, and the first encrypting unit encrypts the random number by using the public key of the server certificate, which can be understood that there is a newly generated second random number after each time of obtaining the encrypted data, so that randomness of the authentication data can be enhanced, difficulty in cracking the data is increased, and the random number is in an encrypted state when sent to the server, so that malicious injection or replay attack and other actions can be effectively prevented, and thus security of authentication can be further improved.
In one embodiment, after transmitting the encrypted second random number and the first encrypted data to the server, the first transmitting unit may further include,
and the first generation subunit is used for generating a first session key through the target session encryption algorithm according to the first random number, the first true random number and the second random number, wherein the first session key is used for encrypting session data between the client and the server.
In this embodiment of the present application, each time the first random number, the first true random number, and the second random number used for generating the first session key by using the target session encryption algorithm are different, and the first random number, the first true random number, and the second random number are also different from each other, which means that the first generation subunit uses the first session key generated by using the three random numbers to have higher unpredictability and greater difficulty in hacking, and at least one of the three random numbers is a true random number, so that the hacking difficulty of the first session key is increased by the progress, the security of the first session key is improved, and further, when the session data between the client and the server is encrypted by using the first session key, the session data is difficult to be hacked, which can effectively prevent eavesdropping, and the security of the authentication result is improved.
In one embodiment, the first generation unit may further include,
the first receiving subunit is used for receiving the client certificate issued by the certificate server and the quantum key pool under the condition of no network, wherein the client certificate comprises a digital certificate generated by the certificate server according to the real information of the client, and the quantum key pool is used for storing the quantum key.
Based on the authentication data processing method provided by any one of the above embodiments, another embodiment of an authentication data processing apparatus is provided, and in particular, see fig. 8.
Fig. 8 shows a schematic diagram of another authentication data processing apparatus according to an embodiment of the present application. As shown in fig. 8, the apparatus, applied to a server, may include:
a first generation module 810 is configured to generate, by means of a quantum random number generator, a first true random number in response to a client sending an authentication request, where the authentication request includes a quantum key selection algorithm supported by the client, a session encryption algorithm supported by the client, and a client certificate.
The second encryption module 820 is configured to encrypt the first true random number according to the private key in the server certificate, to obtain the first true random number encrypted by the private key in the server certificate.
And the determining module 830 is configured to determine the quantum key selection algorithm and the session encryption algorithm supported by the server according to the quantum key selection algorithm and the session encryption algorithm supported by the client, so as to obtain a target session encryption algorithm and a target quantum key selection algorithm.
The second generating module 840 is configured to generate authentication data according to the server certificate, the first true random number encrypted by the private key in the server certificate, the target session encryption algorithm, and the target quantum key selection algorithm.
And a third sending module 850, configured to send the authentication data to the client.
In this embodiment of the present application, the first generating module 810 generates the first true random number, while ensuring that the first true random number is more accidental than the pseudo random number generated by the algorithm, and is not regularly and searchable, the generation of the true random number by the client is avoided, the server encrypts the first true random number by using the public key of the server certificate, so that the random number is protected, and the server device is first attacked when the first true random number is to be cracked, so that the difficulty of attacking to crack the first true random number is further increased. The determining module 830 can also select a target quantum key selection algorithm and a target session encryption algorithm supported by the server and the client according to the algorithm supported by the client, the second generating module 840 and the third sending module 850 send the selected algorithm to the client for authentication data, that is, the target quantum key selection algorithm and the target session encryption algorithm used in the authentication process are mutually negotiated by the server and the client, it can be understood that the probability that the target quantum key selection algorithm negotiated by each authentication is the same as the target session encryption algorithm is very small, which further increases the difficulty that the authentication is broken maliciously, and further improves the security information of the authentication.
In one embodiment, after transmitting the authentication data to the client, the third transmitting module 850 may further include,
the first receiving unit is used for receiving the encrypted second random number and the first encrypted data sent by the client;
the first decryption unit is used for decrypting the first encrypted data according to the public key in the client certificate to obtain the first true random number encrypted by the first quantum key;
the second decryption unit is used for decrypting the first true random number encrypted by the first quantum key according to a second quantum key to obtain decrypted data, wherein the second quantum key is a quantum key determined in a client quantum key pool through a target quantum key selection algorithm;
and the third decryption unit is used for decrypting the encrypted second random number according to the private key in the server certificate to obtain the second random number when the decrypted data is consistent with the first true random number.
In this embodiment of the present application, the decrypted data compared with the first true random number is obtained by decrypting the first encrypted data by the first decryption unit and the second decryption unit using the public key in the client certificate and the second quantum key, and it can be understood that the client certificate is a digital certificate corresponding to the true identity of the client, and then the server uses the public key in the client certificate to also correspond to the true identity of the client, and the second quantum key is a quantum key determined in the client quantum key pool by the target quantum key selection algorithm. When the decrypted data is consistent with the first true random number, the fact that the public key in the client certificate used by the first decryption unit corresponds to the private key in the client certificate and is the client certificate of the same client can prove that the client is not falsified, the second quantum key is also a quantum key pool of the same client where the first quantum key is located, therefore the client corresponding to the first encrypted data can be further determined to be a trusted client, after the client is determined to be the trusted client, the third decryption unit decrypts the encrypted second random number sent by the customer service side, and the risk that a user of the client is falsified is avoided. In addition, the decryption data is decrypted by the second quantum key in addition to the public key in the client certificate, and compared with an authentication scheme of decrypting by only using the public key in the client certificate, the method has the advantages that one layer of quantum key protection is added, the difficulty in decrypting the authentication data can be increased, and the authentication security is further improved.
In one embodiment, after decrypting the encrypted second random number based on the private key in the server certificate, the third decryption unit may further comprise,
and the second generation subunit is used for establishing a second session key through a target session encryption algorithm according to the first random number, the second random number and the first true random number, wherein the second session key is used for encrypting session data between the server and the client.
In this embodiment of the present application, each time the first random number, the first true random number, and the second random number used for generating the second session key by using the target session encryption algorithm are different, and the first random number, the first true random number, and the second random number are also different from each other, which means that the second generation subunit uses the unpredictability of the second session key generated by using the three random numbers to be higher, the difficulty of cracking is greater, and at least one of the three random numbers is a true random number, so that the difficulty of cracking the second session key is increased, the security of the second session key is improved, and further, when the session data between the server and the client is encrypted by using the second session key, the session data is difficult to crack, eavesdropping can be effectively prevented, and the security of the authentication result is improved.
In addition, in combination with the authentication data processing method in the above embodiment, the embodiment of the present application may provide an authentication data processing apparatus, which may include a processor and a memory storing computer program instructions, where the processor implements the authentication data processing method described above when executing the computer program instructions.
In addition, in combination with the authentication data processing method described above, the embodiments of the present application may provide a computer storage medium having stored thereon computer program instructions that, when executed by a processor, implement the authentication data processing method described above.
The processor may comprise a Central Processing Unit (CPU), or an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), or may be configured as one or more integrated circuits that implement embodiments of the present invention.
The memory may include Read Only Memory (ROM), random Access Memory (RAM), magnetic disk storage media devices, optical storage media devices, flash memory devices, electrical, optical, or other physical/tangible memory storage devices. Thus, in general, the memory includes one or more tangible (non-transitory) computer-readable storage media (e.g., memory devices) encoded with software comprising computer-executable instructions and when the software is executed (e.g., by one or more processors) it is operable to perform the operations described with reference to methods in accordance with aspects of the present disclosure.
It should be clear that the present application is not limited to the particular arrangements and processes described above and illustrated in the drawings. For the sake of brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present application are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications, and additions, or change the order between steps, after appreciating the spirit of the present application.
The functional blocks shown in the above-described structural block diagrams may be implemented in hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the present application are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine readable medium or transmitted over transmission media or communication links by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium that can store or transfer information. Examples of machine-readable media include electronic circuitry, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, radio Frequency (RF) links, and the like. The code segments may be downloaded via computer networks such as the internet, intranets, etc.
It should also be noted that the exemplary embodiments mentioned in this application describe some methods or systems based on a series of steps or devices. However, the present application is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be different from the order in the embodiments, or several steps may be performed simultaneously.
Aspects of the present disclosure are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, enable the implementation of the functions/acts specified in the flowchart and/or block diagram block or blocks. Such a processor may be, but is not limited to being, a general purpose processor, a special purpose processor, an application specific processor, or a field programmable logic circuit. It will also be understood that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware which performs the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the foregoing, only the specific embodiments of the present application are described, and it will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above may refer to the corresponding processes in the foregoing method embodiments, which are not repeated herein. It should be understood that the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the present application, which are intended to be included in the scope of the present application.
Claims (13)
1. An authentication data processing method, comprising:
sending an authentication request to a server;
receiving authentication data returned by a server, wherein the authentication data comprises a server certificate and a first true random number encrypted by a private key in the server certificate, and the first true random number is generated by the server through a quantum random number generator;
decrypting the first true random number encrypted by the private key in the server certificate according to the public key in the server certificate to obtain the first true random number;
encrypting the first true random number according to a private key and a first quantum key in a client certificate to obtain first encrypted data, wherein the first quantum key is a quantum key determined from a quantum key pool through a target quantum key selection algorithm;
And sending the first encrypted data to the server, wherein the first encrypted data is used for the server to carry out identity authentication on the client.
2. The method of claim 1, further comprising, after obtaining the first encrypted data:
generating a second random number, wherein the second random number comprises a true random number generated by a quantum random number generator or a pseudo random number generated by a pseudo random number generation algorithm;
encrypting the second random number according to the public key in the server certificate to obtain an encrypted second random number;
and sending the encrypted second random number and the first encrypted data to the server.
3. The method of claim 1, further comprising, prior to sending the authentication request to the server:
generating a first random number, wherein the first random number comprises a true random number generated by a random number generator or a pseudo random number generated by a pseudo random number generation algorithm;
and generating an authentication request according to the client certificate, the quantum key selection algorithm supported by the client, the session encryption algorithm supported by the client and the first random number.
4. A method according to any one of claims 1-3, further comprising, after sending the encrypted second random number and the first encrypted data to the server:
and generating a first session key through the target session encryption algorithm according to the first random number, the first true random number and the second random number, wherein the first session key is used for encrypting session data between a client and the server.
5. A method according to claim 3, further comprising, prior to generating the first random number:
and under the condition of no network, receiving a client certificate issued by a certificate server and a quantum key pool, wherein the client certificate comprises a digital certificate generated by the certificate server according to the real information of the client, and the quantum key pool is used for storing a quantum key.
6. An authentication data processing method, applied to a server, comprising:
responding to a client to send an authentication request, and generating a first true random number through a quantum random number generator, wherein the authentication request comprises a quantum key selection algorithm supported by the client and a session encryption algorithm supported by the client;
Encrypting the first true random number according to the private key in the server certificate to obtain a first true random number encrypted by the private key in the server certificate;
according to the quantum key selection algorithm supported by the client and the session encryption algorithm supported by the client, respectively determining the quantum key selection algorithm supported by the server and the session encryption algorithm supported by the client to obtain a target quantum key selection algorithm and a target session encryption algorithm;
generating authentication data according to a server certificate, a first true random number encrypted by a private key in the server certificate, the target session encryption algorithm and the target quantum key selection algorithm;
and sending the authentication data to the client.
7. The method of claim 6, further comprising, after transmitting the authentication data to the client:
receiving encrypted second random numbers and first encrypted data sent by a client;
decrypting the first encrypted data according to the public key in the client certificate to obtain the first true random number encrypted by the first quantum key;
decrypting the first true random number encrypted by the first quantum key according to a second quantum key to obtain decrypted data, wherein the second quantum key is a quantum key determined in a client quantum key pool through a target quantum key selection algorithm;
And when the decrypted data is consistent with the first true random number, decrypting the encrypted second random number according to a private key in the server certificate to obtain the second random number.
8. The method of claim 7, further comprising, after decrypting the encrypted second random number based on a private key in a server certificate to obtain a second random number:
and establishing a second session key through a target session encryption algorithm according to the first random number, the second random number and the first true random number, wherein the second session key is used for encrypting session data between the server and the client.
9. An authentication data processing apparatus, the apparatus comprising:
the first sending module is used for sending an authentication request to the server;
the first receiving module is used for receiving authentication data returned by the server, wherein the authentication data comprises a server certificate and a first true random number encrypted by a private key in the server certificate, and the first true random number is generated by the server through a quantum random number generator;
the first decryption module is used for decrypting the first true random number encrypted by the private key in the server certificate according to the public key in the server certificate to obtain a decrypted first true random number;
The first encryption module is used for encrypting the first true random number according to a private key and a first quantum key in the client certificate to obtain encrypted first encrypted data, wherein the first quantum key is a quantum key determined from a quantum key pool through a target quantum key selection algorithm;
and the second sending module is used for sending the first encrypted data to the server by the first encrypted data, wherein the first encrypted data is used for carrying out identity authentication on the client by the server.
10. An authentication data processing apparatus for application to a server, the apparatus comprising:
the first generation module is used for responding to the client to send an authentication request, and generating a first true random number through the quantum random number generator, wherein the authentication request comprises a quantum key selection algorithm supported by the client, a session encryption algorithm supported by the client and a client certificate;
the second encryption module is used for encrypting the first true random number according to the private key in the server certificate to obtain the first true random number encrypted by the private key in the server certificate;
the determining module is used for respectively determining the quantum key selection algorithm and the session encryption algorithm supported by the server according to the quantum key selection algorithm and the session encryption algorithm supported by the client to obtain a target session encryption algorithm and a target quantum key selection algorithm;
The second generation module is used for generating authentication data according to the server certificate, the first true random number encrypted by the private key in the server certificate, the target session encryption algorithm and the target quantum key selection algorithm;
and the third sending module is used for sending the authentication data to the client.
11. An authentication data processing system, comprising:
the system comprises a client and a server, wherein the client comprises a quantum user identity identification card and a communication module;
the communication module is used for: sending an authentication request to the server; receiving authentication data returned by a server, wherein the authentication data comprises a server certificate and a first true random number encrypted by a private key in the server certificate; the first encrypted data is sent to the server, wherein the first encrypted data is used for the server to carry out identity authentication on the client;
the quantum user identity card is used for: decrypting the first true random number encrypted by the private key in the server certificate according to the public key in the server certificate to obtain a decrypted first true random number; and encrypting the first true random number according to a private key and a first quantum key in the client certificate to obtain first encrypted data, wherein the first quantum key is a quantum key determined from a quantum key pool through a target quantum key selection algorithm.
12. An authentication data processing apparatus, the apparatus comprising: a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements the authentication data processing method according to any one of claims 1-8.
13. A computer storage medium having stored thereon computer program instructions which, when executed by a processor, implement the authentication data processing method according to any of claims 1-8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111276205.9A CN116073989A (en) | 2021-10-29 | 2021-10-29 | Authentication data processing method, device, system, equipment and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111276205.9A CN116073989A (en) | 2021-10-29 | 2021-10-29 | Authentication data processing method, device, system, equipment and medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116073989A true CN116073989A (en) | 2023-05-05 |
Family
ID=86177296
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111276205.9A Pending CN116073989A (en) | 2021-10-29 | 2021-10-29 | Authentication data processing method, device, system, equipment and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116073989A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116319073A (en) * | 2023-05-12 | 2023-06-23 | 国开启科量子技术(北京)有限公司 | API (application program interface) replay attack prevention method and system based on quantum random numbers |
-
2021
- 2021-10-29 CN CN202111276205.9A patent/CN116073989A/en active Pending
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116319073A (en) * | 2023-05-12 | 2023-06-23 | 国开启科量子技术(北京)有限公司 | API (application program interface) replay attack prevention method and system based on quantum random numbers |
| CN116319073B (en) * | 2023-05-12 | 2024-03-26 | 国开启科量子技术(北京)有限公司 | API (application program interface) replay attack prevention method and system based on quantum random numbers |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6586446B2 (en) | Method for confirming identification information of user of communication terminal and related system | |
| CN103166958B (en) | A kind of guard method of file and system | |
| WO2018025991A1 (en) | Communication system, communication client, communication server, communication method, and program | |
| US20170208049A1 (en) | Key agreement method and device for verification information | |
| US10594479B2 (en) | Method for managing smart home environment, method for joining smart home environment and method for connecting communication session with smart device | |
| CN112751821B (en) | Data transmission method, electronic equipment and storage medium | |
| CN108243176B (en) | Data transmission method and device | |
| CN110868291B (en) | Data encryption transmission method, device, system and storage medium | |
| CN111404664B (en) | Quantum secret communication identity authentication system and method based on secret sharing and multiple mobile devices | |
| CN107920052B (en) | Encryption method and intelligent device | |
| CN109716725B (en) | Data security system, method of operating the same, and computer-readable storage medium | |
| KR100315387B1 (en) | Private Key, Certificate Administration System and Method Thereof | |
| CN109684129B (en) | Data backup recovery method, storage medium, encryption machine, client and server | |
| EP2414983B1 (en) | Secure Data System | |
| Lee et al. | Two factor authentication for cloud computing | |
| CN113612852A (en) | Communication method, device, equipment and storage medium based on vehicle-mounted terminal | |
| CN116073989A (en) | Authentication data processing method, device, system, equipment and medium | |
| CN105873043B (en) | Method and system for generating and applying network private key for mobile terminal | |
| CN117040857A (en) | User identity verification method for enhancing authorization code security | |
| CN114389793B (en) | Method, device, equipment and computer storage medium for verifying session key | |
| CN110061895B (en) | Close-range energy-saving communication method and system for quantum computing resisting application system based on key fob | |
| CN116033415A (en) | Reference station data transmission method and device, reference station, server and medium | |
| Nishimura et al. | Secure authentication key sharing between personal mobile devices based on owner identity | |
| Lee et al. | An interactive mobile SMS confirmation method using secret sharing technique | |
| KR101490638B1 (en) | Method of authenticating smart card, server performing the same and system performint the same |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |