CN117375840A - Short authentication data realization method, system, electronic equipment and program product - Google Patents
Short authentication data realization method, system, electronic equipment and program product Download PDFInfo
- Publication number
- CN117375840A CN117375840A CN202311305693.0A CN202311305693A CN117375840A CN 117375840 A CN117375840 A CN 117375840A CN 202311305693 A CN202311305693 A CN 202311305693A CN 117375840 A CN117375840 A CN 117375840A
- Authority
- CN
- China
- Prior art keywords
- key
- authentication
- control center
- identity
- equipment
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 25
- 238000012795 verification Methods 0.000 claims description 21
- 238000004422 calculation algorithm Methods 0.000 claims description 12
- 238000004590 computer program Methods 0.000 claims description 8
- 238000004891 communication Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 3
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000005336 cracking Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
Abstract
The invention provides a short authentication data implementation method, which is characterized by comprising the following steps: the control center receives a public key, and the public key is uploaded by the equipment; the control center generates a symmetric key based on equipment for uploading the public key as an identity authentication key; the device constructs authentication information based on its own authentication key and verifies based on the same authentication key.
Description
Technical Field
The invention belongs to the technical field of network communication security, and particularly relates to a short authentication data realization method, a system, electronic equipment and a program product.
Background
Network access control is generally performed according to an IP address, which represents the identity of an access terminal, and an attacker can easily misappropriate the IP address. Even with other identification information, it is difficult to prevent theft by an attacker.
To prevent data spoofing, digital signatures are typically implemented using public/private key asymmetric encryption algorithms to perform authentication, such as RSA, elliptic curves, etc. And carrying out signature calculation by using the private key, and then carrying out calculation and comparison by using the public key and the digital signature by the opposite side to finish identity verification.
The digital signature generated by the asymmetric algorithm is generally equal to the public key in length, resulting in a longer signature data length. For example, with the RSA algorithm, it is generally necessary to select a public key with a length of 2048 bits, and the length of the signature data is 256 bytes.
The authentication data obtained in this way is relatively long, and cannot be transmitted in the IP protocol layer, and authentication is usually implemented in the application protocol layer.
Disclosure of Invention
The invention solves the problem that a section of short authentication data is transmitted at an IP layer or a TCP layer to prevent the IP address or the identification information from being stolen. The invention controls the authentication data in shorter bytes, can be transmitted in IP options or TCP options, and transmits the authentication data in IP protocol layer without affecting application protocol.
In order to solve the problems, the invention adopts the following technical scheme:
the invention provides a short authentication data realization method, which comprises the following steps:
the control center receives a public key, and the public key is uploaded by the equipment;
the control center generates a symmetric key based on equipment for uploading the public key as an identity authentication key;
the equipment for uploading the public key requests identity verification from the control center;
acquiring all identity authentication keys passing through identity verification equipment in the control center by the identity verification equipment;
the device constructs authentication information based on its own authentication key and verifies based on the same authentication key.
Preferably, the request identity verification method includes:
the equipment uses the public and private key pair private key and the random number to generate a digital signature and sends the digital signature to the control center;
the control center verifies the digital signature based on the public key of the sending requesting device.
Preferably, the control center generates the identity authentication key according to a preset period.
Preferably, the device for uploading the public key requests authentication from the control center according to a preset period.
Preferably, the identity authentication key is a random number generated by the control center.
Preferably, the method for acquiring all the authentication keys passing through the identity verification device in the control center by the identity verification device comprises the following steps:
the control center encrypts the stored identity authentication key by using the public key of the equipment and sends the stored identity authentication key to the equipment corresponding to the public key, and the equipment corresponding to the public key obtains all the identity authentication keys by decrypting the encrypted identity authentication key by using the private key.
Preferably, the authentication information is constructed by a device that transmits an authentication request;
the verification information comprises ciphertext to be verified;
the ciphertext to be verified is calculated and generated through a HASH algorithm or a symmetric encryption algorithm based on the symmetric key of the device.
The invention also provides a system for realizing the short authentication data, which comprises:
and the control center: the device is used for receiving the public key uploaded by the device and generating a symmetric key for the device based on the uploaded public key;
the device comprises: for periodically requesting identity verification from the control center and obtaining all symmetric keys passing through the authentication device.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the above method when executing the computer program.
The invention also provides a computer program product comprising a computer program/instruction which, when executed by a processor, implements the method described above.
The beneficial effects of the invention are as follows:
1. and a short authentication data is transmitted at the IP layer or the TCP layer, so that the IP address or the identification information is prevented from being stolen by an attacker.
2. The symmetric key is used as an authentication key to replace a public key/private key to calculate authentication data, and the obtained authentication data is short and can be transmitted in an IP option or a TCP option. Thereby realizing the identity authentication of the access source at the IP protocol layer without affecting the application layer protocol.
3. The identity authentication key is encrypted and exchanged through the public key/private key, so that the authenticity of the identities of the two communication parties is ensured.
4. The identity authentication key has timeliness, and is updated regularly to prevent violent cracking.
5. The symmetric key is used for replacing the public key/private key to calculate authentication data, so that the public key is prevented from being exchanged between communication parties, and the operation of adding and deleting the access public key is prevented when the access rule is changed.
Drawings
FIG. 1 is a schematic diagram of authentication information according to one embodiment of the present invention.
FIG. 2 is a schematic diagram of a process for obtaining an authentication key according to the present invention.
Fig. 3 is a schematic diagram of a flow of authentication data calculation by a supplicant.
Fig. 4 is a schematic diagram of a receiver verification data flow.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments.
A preferred embodiment of the present invention will be described in detail below with reference to the accompanying drawings. As shown in fig. 1-4:
in one embodiment of the invention, a number of devices send registration requests to a trusted control center for registration. The registration method can adopt modes such as user name, password, manual verification and the like.
Multiple devices may be registered with the control center, defining device a, device B as devices that complete the registration.
The step of the equipment obtaining the identity authentication key is as follows:
taking the device a as an example,
the device A generates a public-private key pair A and sends the public key A to the control center, and the device A stores the private key A.
The control center generates a symmetric key a for the device a, and in this implementation, the symmetric key a is random data generated by the control center, and the random data is an identity authentication key a of the device a.
All the devices which finish registration generate a symmetric key corresponding to the device by a control center, and the symmetric key of the device is used as an identity authentication key when the device constructs authentication information.
All devices that complete registration request identity authentication from the control center periodically or on demand.
The identity authentication steps of the equipment are as follows:
taking the device a as an example,
the equipment A generates a digital signature A by using the private key A and the random number, and the control center verifies the digital signature of the equipment A by using the received public key A of the equipment A, so that the identity authentication of the equipment A can be completed.
For clarity of presentation, devices that are verified by the control center are referred to as trusted devices.
When the equipment A passes the identity verification, the control center encrypts the symmetric keys of all the trusted equipment by using the public key A of the equipment A and sends the symmetric keys to the equipment A, and the equipment A decrypts the symmetric keys by using the private key A to obtain the symmetric keys of all the trusted equipment stored in the control center, namely the identity authentication keys of all the trusted equipment.
In order to prevent the "authentication key" from being hacked, the authentication keys of the devices will fail within a period of time, and the control center updates the authentication keys of all the devices at regular intervals. The registered device periodically sends an identity authentication request to the control center.
Through the steps, all the trusted devices acquire all the symmetric keys stored in the control center at fixed time, namely all the identity authentication keys.
The identity authentication between devices comprises the following specific steps:
taking as an example device a and device B,
when the equipment B needs to carry out identity verification on the equipment A, the equipment A calculates a 'ciphertext' by using a random number, an own identity ID and an 'identity authentication key A' through a HASH algorithm or a symmetric encryption algorithm. And filling the random number, the identity ID and the ciphertext in the option field of the TCP header and sending the random number, the identity ID and the ciphertext to the device B. The device B can determine the identity of the device A by comparing the ciphertext obtained by calculating the random number, the identity ID and the identity authentication key A through the same algorithm with the received ciphertext because the identity authentication key A is obtained in advance.
In other embodiments of the invention, random numbers, identity IDs, ciphertext may also be padded in the IP options for transmission.
The steps are the same when device a needs to authenticate device B. Similarly, the method of the invention can support mutual authentication of a plurality of devices.
The identity ID of the device, in this embodiment, is assigned and an index is established by the control center from the identity ID to the authentication key. That is, the identity ID of the device may be matched to the corresponding authentication key of the device. The identity ID may be generated by the control center and assigned to the corresponding device, such as by the control center generating a random number as the identity ID of the device.
In this embodiment, to enhance the TCP protocol, a "digital signature" is added to the option field of the TCP header to identify the identity of the client that initiated the TCP communication.
But at most only 40 bytes of data can be accommodated in the option field of the TCP header, requiring that the length of the "digital signature" cannot exceed 20 bytes, considering that some space would also need to be reserved for other situations.
In the scenario of the above example, the related algorithm using public and private keys cannot perform digital signature, and through the method of the present invention, as shown in fig. 1, the device ID occupies 4 bytes, the random number occupies 4 bytes, the authentication ciphertext occupies 4 bytes, and the total length of the authentication data is reduced to less than 20 bytes, so that the identity authentication identifier is transferred in the option field of the TCP header.
By the method of the invention, the symmetric encryption or the hash algorithm can be adopted to replace the traditional digital signature adopting the asymmetric encryption mode, and the length of the digital signature can be greatly shortened.
The foregoing description is only a preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art, who is within the scope of the present invention, should make equivalent substitutions or modifications according to the technical solution of the present invention and the inventive concept thereof, and should be covered by the scope of the present invention.
Claims (10)
1. A short authentication data implementation method, comprising:
the control center receives a public key, and the public key is uploaded by the equipment;
the control center generates a symmetric key based on equipment for uploading the public key as an identity authentication key;
the equipment for uploading the public key requests identity verification from the control center;
acquiring all identity authentication keys passing through identity verification equipment in the control center by the identity verification equipment;
the device constructs authentication information based on its own authentication key and verifies based on the same authentication key.
2. The method for implementing short authentication data according to claim 1, wherein the request identity verification method comprises:
the equipment uses the public and private key pair private key and the random number to generate a digital signature and sends the digital signature to the control center;
the control center verifies the digital signature based on the public key of the sending requesting device.
3. The method for implementing short authentication data according to claim 1, wherein,
and the control center generates an identity authentication key according to a preset period.
4. The method according to claim 1, wherein the device for uploading the public key requests authentication from the control center according to a preset period.
5. The method according to claim 1, wherein the authentication key is a random number generated by the control center.
6. The method for implementing short authentication data according to claim 1, wherein the method for obtaining all authentication keys passing through the identity verification device in the control center by the identity verification device comprises:
the control center encrypts the stored identity authentication key by using the public key of the equipment and sends the stored identity authentication key to the equipment corresponding to the public key, and the equipment corresponding to the public key obtains all the identity authentication keys by decrypting the encrypted identity authentication key by using the private key.
7. A short authentication data implementing method according to claim 1, characterized in that the authentication information is constructed by a device that transmits an authentication request;
the verification information comprises ciphertext to be verified;
the ciphertext to be verified is calculated and generated through a HASH algorithm or a symmetric encryption algorithm based on the symmetric key of the device.
8. A short authentication data implementing system, comprising:
and the control center: the device is used for receiving the public key uploaded by the device and generating a symmetric key for the device based on the uploaded public key;
the device comprises: for periodically requesting identity verification from the control center and obtaining all symmetric keys passing through the authentication device.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1 to 7 when executing the computer program.
10. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311305693.0A CN117375840A (en) | 2023-10-10 | 2023-10-10 | Short authentication data realization method, system, electronic equipment and program product |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311305693.0A CN117375840A (en) | 2023-10-10 | 2023-10-10 | Short authentication data realization method, system, electronic equipment and program product |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117375840A true CN117375840A (en) | 2024-01-09 |
Family
ID=89406988
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311305693.0A Pending CN117375840A (en) | 2023-10-10 | 2023-10-10 | Short authentication data realization method, system, electronic equipment and program product |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117375840A (en) |
-
2023
- 2023-10-10 CN CN202311305693.0A patent/CN117375840A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10903991B1 (en) | Systems and methods for generating signatures | |
US10951423B2 (en) | System and method for distribution of identity based key material and certificate | |
JP4617763B2 (en) | Device authentication system, device authentication server, terminal device, device authentication method, and device authentication program | |
JP6976949B2 (en) | Methods and systems for key distribution between servers and medical devices | |
JP6168415B2 (en) | Terminal authentication system, server device, and terminal authentication method | |
CN108599925B (en) | Improved AKA identity authentication system and method based on quantum communication network | |
CN108366063B (en) | Data communication method and device of intelligent equipment and equipment thereof | |
CN113553574A (en) | Internet of things trusted data management method based on block chain technology | |
KR20150080061A (en) | System and method for identity based key management | |
Zhang et al. | Efficient and privacy-preserving blockchain-based multifactor device authentication protocol for cross-domain IIoT | |
WO2020206014A1 (en) | Digital rights management authorization token pairing | |
WO2009143766A1 (en) | Method, system for distributing key and method, system for online updating public key | |
JP2017163612A (en) | Terminal authentication system, server device, and terminal authentication method | |
US20220141004A1 (en) | Efficient Internet-Of-Things (IoT) Data Encryption/Decryption | |
KR20120072032A (en) | The system and method for performing mutual authentication of mobile terminal | |
CN113098681B (en) | Port order enhanced and updatable blinded key management method in cloud storage | |
CN111656728B (en) | Device, system and method for secure data communication | |
KR101241864B1 (en) | System for User-Centric Identity management and method thereof | |
KR20080005344A (en) | System for authenticating user's terminal based on authentication server | |
KR20070035342A (en) | Method for mutual authentication based on the user's password | |
CN116055136A (en) | Secret sharing-based multi-target authentication method | |
KR101256114B1 (en) | Message authentication code test method and system of many mac testserver | |
KR100921153B1 (en) | Method for authentication in network system | |
CN113918971A (en) | Block chain based message transmission method, device, equipment and readable storage medium | |
CN117375840A (en) | Short authentication data realization method, system, electronic equipment and program product |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination |