CN117692138A - Backward secure anonymous authentication and key negotiation method - Google Patents

Publication number: CN117692138A
Authority: CN (China)
Application number: CN202311684236.7A
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 李闯, 魏子豪, 赵鑫, 高红敏, 刘海英, 王勇慧
Assignees: Beijing Tonghe Shiyi Telecommunication Science And Technology Research Institute Co ltd; Data Communication Science & Technology Research Institute; Xingtang Telecommunication Technology Co ltd
Priority to: CN202311684236.7A
Classification area: Mobile Radio Communication Systems

Abstract

The invention relates to a backward secure anonymous authentication and key negotiation method in the technical field of cryptography. It solves the problem that anonymous authenticated key negotiation schemes in the prior art cannot achieve both forward security and backward security for the communicating parties. The method comprises the following steps: the key generation center takes a security parameter as input, outputs the system parameters and secretly stores a master key, where the system parameters include a hash function for generating random state values of fixed bit length and are the parameters of a communication system formed by a plurality of user terminals; the key generation center and each user terminal generate the public and private key pair of that user terminal from the system parameters, the user identity of the user terminal and the master key; and the user terminals that are to hold a session anonymously authenticate each other using their public and private key pairs and the system parameters, generate a session key and a common state value between them, and update the common state value from the session key and the previous common state value.

Description

Backward secure anonymous authentication and key negotiation method
Technical Field
The invention relates to the technical field of cryptography, and in particular to a backward secure anonymous authentication and key negotiation method.
Background
An authenticated key negotiation scheme lets any two networked nodes authenticate each other over a public network and negotiate a secure session key. In an identity-based cryptosystem, a trusted center derives a user's long-term public-private key pair from the user's identity information, so the center does not need to generate or manage user certificates. An identity-based authenticated key negotiation scheme applies authenticated key negotiation within such an identity-based cryptosystem, realizing authentication and key negotiation under that system.
An identity-based anonymous authenticated key negotiation scheme hides the identity information of the communicating parties inside the encrypted data, so that no entity other than the communicating parties can learn who is communicating. Existing identity-based anonymous authenticated key negotiation schemes can also provide forward security for a single communicating party (even if that party's long-term private key is revealed, the data it sent before the disclosure still cannot be broken by an adversary). However, current anonymous authenticated key agreement schemes do not provide forward security for all communicating parties.
In addition, current schemes do not consider backward security (even if a communicating party's long-term private key is revealed, an adversary still cannot impersonate that party in authenticated key negotiation).
Disclosure of Invention
In view of the above analysis, the embodiment of the present invention aims to provide a backward secure anonymous authentication and key agreement method, which is used to solve the problem that the existing anonymous authentication key agreement scheme cannot realize forward security and backward security of a communication party.
An embodiment of the invention provides a backward secure anonymous authentication and key negotiation method comprising the following steps:
the key generation center outputs system parameters and secretly stores a master key according to the input security parameters, wherein the system parameters comprise hash functions for generating random state values with fixed bit lengths, and the system parameters are system parameters of a communication system formed by a plurality of user terminals;
the key generation center and each user terminal generate respective public and private key pairs of the user terminal according to the system parameters, the user identity of the user terminal and the master key; and
the user terminals that are to hold a session anonymously authenticate each other using the public and private key pairs and the system parameters, generate a session key and a common state value between them, and update the common state value according to the session key and the common state value.
Based on a further improvement of the above method, when the user terminals to be in session communicate for the first time, anonymously authenticating them with the system parameters according to their respective public and private key pairs, generating a session key and a common state value between them, and updating the common state value according to the session key and the common state value comprises:
each user terminal to be in session generates a random challenge value according to the system parameters;
the user terminals generate a common session key and a common state value according to the random challenge value of the other party and the system parameters; and
the user terminals anonymously authenticate each other according to the common session key, determine the validity of the common session key, and update the common state value between them according to the session key and the common state value.
Based on a further improvement of the above method, in the n-th communication between the user terminals to be in session (n an integer greater than 1), anonymously authenticating them with the system parameters according to their respective public and private key pairs, generating a session key and a common state value between them, and updating the common state value according to the session key and the common state value includes:
each user terminal to be in session generates a random challenge value according to the system parameters;
the user terminals generate a common session key according to the random challenge value of the other party, the system parameters and the common state value; and
the user terminals anonymously authenticate each other according to the common session key, determine the validity of the common session key, and update the common state value between them according to the session key and the common state value.
Based on a further improvement of the above method, the key generation center and each user terminal generate a public-private key pair of each user terminal according to the system parameter, the user identity of the user terminal and the master key, including:
step S10: the user terminal performs the steps of:
registering a user identity of the user terminal to the key generation center;
step S20: the key generation center performs the steps of:
generating a first private key according to the system parameters;
generating a first public key and a second private key according to the first private key, the user identity and the system parameter;
transmitting the second private key and the first public key to the user terminal;
step S30: the user terminal performs the steps of:
determining the public key of the user terminal from the user identity and the first public key, and setting the second private key as the private key of the user terminal.
Based on a further improvement of the above method, the key generation center outputting the system parameters and secretly storing the master key according to the input security parameter includes the key generation center performing the following operations:
selecting a large prime p and elliptic curve coefficients a and b, and constructing the elliptic curve E: y^2 = x^3 + ax + b (mod p);
selecting an additive cyclic group G_1 of prime order q on the elliptic curve E, with generator G;
selecting a symmetric encryption algorithm Enc(·) and a symmetric decryption algorithm Dec(·), where {0,1}* is the set of bit strings of 0s and 1s of arbitrary length and the value space of the symmetric encryption key is determined by the security parameter;
selecting hash functions H_1: {0,1}* → Z_q^*, H_2: {0,1}* → {0,1}^ls and H_3 from {0,1}* to the value space of the symmetric encryption key, where {0,1}* is the set of bit strings of arbitrary length, Z_q^* is the set of positive integers less than q and coprime with q, and {0,1}^ls is the set of bit strings of fixed length ls;
randomly selecting the master key s from Z_q^* and computing the master public key P_pub = sG; and
outputting the parameters G_1, a, b, p, q, G, Enc(·), Dec(·), H_1, H_2, H_3, P_pub as the system parameters and secretly storing the master key s; H_2 is the hash function used to generate random state values of fixed bit length.
Based on a further improvement of the above method, the key generation center and each user terminal generate a public-private key pair of each user terminal according to the system parameter, the user identity of the user terminal and the master key, including:
step S100: the user terminal performs the steps of:
registering a user identity id of the user terminal to the key generation center;
step S200: the key generation center performs the steps of:
selecting a random number r from Z_q^*;
computing the second private key d and the first public key R as follows:
R = rG, h = H_1(id, R, P_pub), d = r + hs;
transmitting the second private key d and the first public key R to the user terminal;
step S300: the user terminal performs the steps of:
setting the public and private key pair of the user identity id as ((id, R), d), wherein the second private key d is the private key of the user identity id, and (id, R) is the public key of the user identity id.
Based on a further improvement of the above method, generating, by each of the user terminals to be session, a respective random challenge value according to the system parameter includes:
selecting a random challenge value k from Z_q^* and computing the random challenge intermediate value T = (k + d)G;
and sending the random challenge intermediate value T to another user terminal to be session.
Based on a further improvement of the above method, generating a common session key and a common state value between the user terminals according to the random challenge value of the counterpart and the system parameters comprises:
the user terminal generates a shared secret value from its private key, its random challenge value and the random challenge intermediate value of the other user terminal in the session;
the user terminal generates a common symmetric key and a common state value from its random challenge intermediate value, the shared secret value, the random challenge intermediate value of the other user terminal and the system parameters; and
the user terminal encrypts the plaintext information with the common symmetric key and sends the resulting ciphertext to the other user terminal.
Based on a further improvement of the above method, generating a common session key between the user terminals according to the random challenge value of the counterpart, the system parameters and the common state value includes:
the user terminal generates a shared secret value from its private key, its random challenge value and the random challenge intermediate value of the other user terminal in the session;
the user terminal generates a first symmetric key from its random challenge intermediate value, the shared secret value, the random challenge intermediate value of the other user terminal and the system parameters;
the user terminal generates a second symmetric key from the first symmetric key, the common state value and the system parameters; and
the user terminal encrypts the plaintext information with the second symmetric key and sends the resulting ciphertext to the other user terminal.
Based on a further improvement of the above method, the anonymous authentication between the user terminals according to the common session key, determining validity of the common session key and updating a common state value between the user terminals according to the session key and the common state value comprises:
the user terminal decrypts the ciphertext sent by the other user terminal using the symmetric decryption algorithm Dec(·) and the second symmetric key;
verifying the identity information of the other user terminal according to the decryption result; and
if the verification is passed, updating the common state value among the user terminals according to the identity information of the user terminals, the identity information of the other user terminals, the common state value and the system parameter, and setting the session key with the other user terminals as the second symmetric key.
Compared with the prior art, the invention has at least one of the following beneficial effects:
1. the invention does not need a center to manage a large number of certificates under an identity-based cryptosystem.
2. The invention realizes forward security for both communicating parties: even if the long-term keys of both parties are leaked, the confidentiality of the communication data exchanged before the leak is still guaranteed.
3. The invention realizes backward identity security for both communicating parties: even if the long-term keys of both parties are leaked, an adversary still cannot impersonate either party to communicate.
4. The scheme of the invention does not need bilinear pairing operation, and can realize lower calculation and communication expenditure.
In the invention, the technical schemes can be mutually combined to realize more preferable combination schemes. Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and drawings.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, like reference numerals being used to designate like parts throughout the drawings;
fig. 1 is a flow diagram of a backward secured anonymous authentication and key agreement method according to an embodiment of the present invention.
Detailed Description
Preferred embodiments of the present invention will now be described in detail with reference to the accompanying drawings, which form a part hereof, and together with the description serve to explain the principles of the invention, and are not intended to limit the scope of the invention.
Fig. 1 is a flow diagram of a backward secure anonymous authentication and key agreement method according to an embodiment of the present invention.
An embodiment of the present invention is described below with reference to fig. 1.
As shown in fig. 1, the backward secure anonymous authentication and key negotiation method includes:
step 101: the key generation center outputs system parameters according to the input security parameters and secretly stores the master key, wherein the system parameters comprise hash functions for generating random state values with fixed bit lengths, and the system parameters are system parameters of a communication system formed by a plurality of user terminals.
In this embodiment, the key generation center (Key Generating Centre, KGC) outputs the system parameters and its master key by running an initialization algorithm. The initialization algorithm takes a security parameter as input and outputs the system parameters of the communication system, composed of the key generation center and a plurality of user terminals, together with the master key of the key generation center. Because the key generation center outputs the system parameters and the master key, this embodiment realizes a certificate-free cryptosystem: the key generation center does not need to manage a large number of certificates, and the security problem caused by a single point of failure at the key generation center is avoided.
In some embodiments, initializing the algorithm includes performing the following:
The algorithm takes the security parameter κ as input and performs the following operations:
1. Select a large prime p and elliptic curve coefficients a and b, and construct the elliptic curve E: y^2 = x^3 + ax + b (mod p).
2. Select an additive cyclic group G_1 of prime order q on the elliptic curve E, with generator G.
3. Select a symmetric encryption algorithm Enc(·) and a symmetric decryption algorithm Dec(·), where {0,1}* is the set of bit strings of 0s and 1s of arbitrary length and the value space of the symmetric encryption key is determined by the security parameter κ. The security parameter κ may be the security level of the communication system: for example, if the security level is high, the number of possible values of the symmetric encryption key is M, and if the security level is medium it is N, where M is greater than N.
4. Select hash functions H_1: {0,1}* → Z_q^*, H_2: {0,1}* → {0,1}^ls and H_3 from {0,1}* to the value space of the symmetric encryption key, where {0,1}* is the set of bit strings of arbitrary length, Z_q^* is the set of positive integers less than q and coprime with q, and {0,1}^ls is the set of bit strings of fixed length ls.
5. Randomly select the master key s from Z_q^* and compute the master public key P_pub = sG.
6. Output the parameters G_1, a, b, p, q, G, Enc(·), Dec(·), H_1, H_2, H_3, P_pub as the system parameters and keep the master key s secret.
Step 102: and the key generation center and each user terminal generate respective public and private key pairs of the user terminal according to the system parameters, the user identity of the user terminal and the master key.
In this embodiment, the user key generation algorithm generates a private key for each user terminal, or otherwise returns a failure symbol indicating that the algorithm failed to execute. The algorithm is executed jointly by each user terminal and the key generation center, and takes the system parameters, the user identity and the master key of the key generation center as inputs.
In some embodiments, the user key generation algorithm includes the steps of:
step S10: the user terminal performs the steps of:
registering a user identity of the user terminal to the key generation center;
step S20: the key generation center performs the steps of:
generating a first private key according to the system parameters;
generating a first public key and a second private key according to the first private key, the user identity and the system parameter;
transmitting the second private key and the first public key to the user terminal;
step S30: the user terminal performs the steps of:
determining the public key of the user terminal from the user identity and the first public key, and setting the second private key as the private key of the user terminal.
Step S10 to step S30 will be described below with reference to a specific embodiment by taking a user terminal as an example.
Let id denote the user identity of the user terminal, in step S10 the user terminal performs the following operations:
registering the user identity id of the user terminal to the key generation center.
In step S20, KGC performs the following operations:
1. Select a random number r from Z_q^*;
2. Compute the second private key d and the first public key R as follows:
R = rG, h = H_1(id, R, P_pub), d = r + hs;
3. Send the second private key d and the first public key R to the user terminal;
in step S30, the user terminal performs the following operations:
setting the public and private key pair of the user identity id as ((id, R), d), wherein the second private key d is the private key of the user identity id, and (id, R) is the public key of the user identity id.
Step 103: and anonymously authenticating the user terminals to be in conversation with the system parameters according to the public and private keys, generating a conversation key and a common state value between the user terminals, and updating the common state value between the user terminals according to the conversation key and the common state value.
In this embodiment, the user terminals may perform anonymous authentication through a key negotiation algorithm. The key agreement algorithm may be a probabilistic algorithm that may take as input the identity and public-private key pairs of the sender and receiver of the user terminal, enabling anonymous authentication through multi-stage interactions.
In some embodiments, the key agreement algorithm comprises the following steps when the sender and the receiver of the user terminal are in first communication:
Step S40: each user terminal to be in session generates a random challenge value according to the system parameters.
Step S50: and generating a common session key and a common state value between the user terminals according to the random challenge value and the system parameter of the opposite party.
Step S60: and carrying out anonymous authentication between the user terminals according to the common session key, determining the validity of the common session key and updating the common state value between the user terminals according to the session key and the common state value.
The following describes step S40 to step S60 in connection with a specific embodiment.
Let the user identity of user terminal A be id_A with public-private key pair ((id_A, R_A), d_A), and the user identity of user terminal B be id_B with public-private key pair ((id_B, R_B), d_B). User terminals A and B obtain the session key through the following three phases, where the first phase corresponds to step S40, the second phase to step S50 and the third phase to step S60.
First phase: user terminal A performs the following procedure:
1. Select a random challenge value k_A ← Z_q^* and compute the random challenge intermediate value T_A = (k_A + d_A)G.
2. Send the random challenge intermediate value T_A to user terminal B.
User terminal B performs the following procedure:
1. Select a random challenge value k_B ← Z_q^* and compute the random challenge intermediate value T_B = (k_B + d_B)G.
2. Send the random challenge intermediate value T_B to user terminal A.
Second phase: after receiving T_B, user terminal A performs the following procedure:
1. Compute the shared secret value V = (k_A + d_A)T_B.
2. Compute the symmetric encryption key K = H_3(V, T_A, T_B).
3. Compute the state value state = H_2(V, T_A, T_B).
4. Compute the ciphertext C_A = Enc_K(id_A, R_A, k_A) and send C_A to user terminal B, where Enc_K(id_A, R_A, k_A) denotes encrypting the plaintext message (id_A, R_A, k_A) with the symmetric encryption algorithm Enc(·) under the symmetric key K.
After receiving T_A, user terminal B performs the following procedure:
1. Compute the shared secret value V = (k_B + d_B)T_A.
2. Compute the symmetric encryption key K = H_3(V, T_A, T_B).
3. Compute the state value state = H_2(V, T_A, T_B).
4. Compute the ciphertext C_B = Enc_K(id_B, R_B, k_B) and send C_B to user terminal A, where Enc_K(id_B, R_B, k_B) denotes encrypting the plaintext message (id_B, R_B, k_B) with the symmetric encryption algorithm Enc(·) under the symmetric key K.
Third phase: after receiving C_B, user terminal A performs the following procedure:
1. Decrypt (id_B, R_B, k_B) = Dec_K(C_B), where Dec_K(C_B) denotes decrypting the ciphertext C_B with the symmetric decryption algorithm Dec(·) under the symmetric key K to obtain the plaintext (id_B, R_B, k_B). If id_B is judged not to be a valid user, terminate execution.
2. Compute h_B = H_1(id_B, R_B, P_pub) and P_B = R_B + h_B P_pub.
3. Verify that the equation T_B = P_B + k_B G holds; if it does not, terminate execution.
4. Update the state value state = H_3(state, K, id_A, id_B) and set the session key to K.
After receiving C_A, user terminal B performs the following procedure:
1. Decrypt (id_A, R_A, k_A) = Dec_K(C_A), where Dec_K(C_A) denotes decrypting the ciphertext C_A with the symmetric decryption algorithm Dec(·) under the symmetric key K to obtain the plaintext (id_A, R_A, k_A). If id_A is judged not to be a valid user, terminate execution.
2. Compute h_A = H_1(id_A, R_A, P_pub) and P_A = R_A + h_A P_pub.
3. Verify that the equation T_A = P_A + k_A G holds; if it does not, terminate execution.
4. Update the state value state = H_3(state, K, id_A, id_B) and set the session key to K.
In some embodiments, the key agreement algorithm comprises the following steps when the sender and the receiver of the user terminal communicate n-th time (n is an integer greater than 1):
Step S70: each user terminal to be in session generates a random challenge value according to the system parameters.
Step S80: and generating a common session key among the user terminals according to the random challenge value, the system parameter and the common state value of the opposite party.
Step S90: and carrying out anonymous authentication between the user terminals according to the common session key, determining the validity of the common session key and updating the common state value between the user terminals according to the session key and the common state value.
Step S70 to step S90 will be described with reference to a specific embodiment.
Let the user identity of user terminal A be id_A with public-private key pair ((id_A, R_A), d_A), and the user identity of user terminal B be id_B with public-private key pair ((id_B, R_B), d_B). User terminals A and B obtain the session key through the following three phases, where the first phase corresponds to step S70, the second phase to step S80 and the third phase to step S90.
First phase: user terminal A performs the following procedure:
1. Select a random challenge value k_A ← Z_q^* and compute the random challenge intermediate value T_A = (k_A + d_A)G.
2. Send the random challenge intermediate value T_A to user terminal B.
User terminal B performs the following procedure:
1. Select a random challenge value k_B ← Z_q^* and compute the random challenge intermediate value T_B = (k_B + d_B)G.
2. Send the random challenge intermediate value T_B to user terminal A.
Second phase: after receiving T_B, user terminal A performs the following procedure:
1. Compute the shared secret value V = (k_A + d_A)T_B.
2. Compute the symmetric encryption key K_1 = H_3(V, T_A, T_B).
3. Compute the symmetric encryption key K_2 = H_3(K_1, state).
4. Compute the ciphertext C_A = Enc_{K_2}(id_A, R_A, k_A) and send C_A to user terminal B, where Enc_{K_2}(id_A, R_A, k_A) denotes encrypting the plaintext message (id_A, R_A, k_A) with the symmetric encryption algorithm Enc(·) under the symmetric key K_2.
After receiving T_A, user terminal B performs the following procedure:
1. Compute the shared secret value V = (k_B + d_B)T_A.
2. Compute the symmetric encryption key K_1 = H_3(V, T_A, T_B).
3. Compute the symmetric encryption key K_2 = H_3(K_1, state).
4. Compute the ciphertext C_B = Enc_{K_2}(id_B, R_B, k_B) and send C_B to user terminal A, where Enc_{K_2}(id_B, R_B, k_B) denotes encrypting the plaintext message (id_B, R_B, k_B) with the symmetric encryption algorithm Enc(·) under the symmetric key K_2.
Third phase: after receiving C_B, user terminal A performs the following procedure:
1. Decrypt (id_B, R_B, k_B) = Dec_{K_2}(C_B), where Dec_{K_2}(C_B) denotes decrypting the ciphertext C_B with the symmetric decryption algorithm Dec(·) under the symmetric key K_2 to obtain the plaintext (id_B, R_B, k_B). If id_B is judged not to be a valid user, terminate execution.
2. Compute h_B = H_1(id_B, R_B, P_pub) and P_B = R_B + h_B P_pub.
3. Verify that the equation T_B = P_B + k_B G holds; if it does not, terminate execution.
4. Update the state value state = H_3(state, K_2, id_A, id_B) and set the session key to K_2.
After receiving C_A, user terminal B performs the following procedure:
1. Decrypt (id_A, R_A, k_A) = Dec_{K_2}(C_A), where Dec_{K_2}(C_A) denotes decrypting the ciphertext C_A with the symmetric decryption algorithm Dec(·) under the symmetric key K_2 to obtain the plaintext (id_A, R_A, k_A). If id_A is judged not to be a valid user, terminate execution.
2. Compute h_A = H_1(id_A, R_A, P_pub) and P_A = R_A + h_A P_pub.
3. Verify that the equation T_A = P_A + k_A G holds; if it does not, terminate execution.
4. Update the state value state = H_3(state, K_2, id_A, id_B) and set the session key to K_2.
In this embodiment, anonymity of the communicating parties is achieved by hiding the user identity in the transmitted messages. For example, in the first stage, when user terminal A sends the random challenge intermediate value T_A to user terminal B, the identity information id_A of user terminal A is hidden in T_A, so that the anonymity of user A is achieved. Since the user identity is hidden in the transmitted messages, an adversary cannot learn the identity of the communicating user, which ensures anonymity.
In this embodiment, the challenge-response mechanism ensures that even if an adversary obtains the private key of a user, it cannot decrypt messages sent earlier, which realizes the forward security and forward identity security of both communicating parties. For example, in the first stage, user terminal A generates the random challenge value k_A, which starts the challenge-response mechanism and thereby ensures the forward security and forward identity security of both communicating parties.
In this embodiment, the two communicating parties maintain a common state value, which ensures that even if a user's private key is revealed, the adversary cannot impersonate that user to generate the session keys of subsequent communications. This realizes the backward identity security of both communicating parties: even if the long-term keys of both parties are revealed, the adversary cannot impersonate a party in order to communicate.
Another embodiment of a backward secure anonymous authentication and key agreement method according to the present invention comprises the following steps:
First, the key generation center executes an initialization algorithm, which takes the security parameter κ as input and performs the following operations:
1. Select a large prime p and elliptic curve coefficients a and b, and construct the elliptic curve E: y^2 = x^3 + ax + b mod p.
2. Select an additive cyclic group G_1 of prime order q on the elliptic curve E, with generator G.
3. Select a symmetric encryption algorithm Enc(·) and a symmetric decryption algorithm Dec(·), where {0,1}* denotes bit strings of 0s and 1s of arbitrary length and the value space of the symmetric encryption key is determined by the security parameter κ. The security parameter κ may correspond to the security level of the communication system: for example, if the security level is high, the number of possible values of the symmetric encryption key is M, and if the security level is medium, it is N, where M is greater than N.
4. Select hash functions H_1: {0,1}* → Z_q*, H_2: {0,1}* → {0,1}^ls, and H_3 mapping {0,1}* to the value space of the symmetric encryption key, where {0,1}* denotes bit strings of 0s and 1s of arbitrary length, Z_q* is the set of integers less than q and coprime with q, and {0,1}^ls denotes bit strings of 0s and 1s of fixed bit length ls.
5. Randomly select the master key s from Z_q* and compute the master public key P_pub = sG.
6. Output the parameters G_1, a, b, p, q, G, Enc(·), Dec(·), H_1, H_2, H_3, P_pub as the system parameters, and keep the master key s secret.
Second, the key generation center and the user terminal jointly execute a user key generation algorithm, which comprises the following steps:
Let id denote the user identity of the user terminal. First, the user terminal performs the following operation:
Register the user identity id of the user terminal with the key generation center.
Second, the KGC performs the following operations:
1. Select a random number r from Z_q*;
2. Compute the second private key d and the first public key R according to the following formula:
R = rG, h = H_1(id, R, P_pub), d = r + hs;
3. Send the second private key d and the first public key R to the user terminal.
Finally, the user terminal performs the following operation:
Set the public-private key pair of the user identity id to ((id, R), d), where the second private key d is the private key of the user identity id and (id, R) is its public key.
Finally, a key agreement algorithm is executed between the user terminals, which comprises the following:
Communication between user terminal A and user terminal B requires maintaining a state value state. When user terminal A and user terminal B communicate for the first time, the communication process is as follows:
Let the user identity of user terminal A be id_A with public-private key pair ((id_A, R_A), d_A), and the user identity of user terminal B be id_B with public-private key pair ((id_B, R_B), d_B). The session key is obtained by user terminals A and B in the following three stages.
Stage 1: user terminal A performs the following procedure:
1. Select a random challenge value k_A ← Z_q* and compute the random challenge intermediate value T_A = (k_A + d_A)G.
2. Send the random challenge intermediate value T_A to user terminal B.
User terminal B performs the following procedure:
1. Select a random challenge value k_B ← Z_q* and compute the random challenge intermediate value T_B = (k_B + d_B)G.
2. Send the random challenge intermediate value T_B to user terminal A.
Stage 2: after receiving T_B, user terminal A performs the following procedure:
1. Compute the shared secret value V = (k_A + d_A)T_B.
2. Compute the symmetric encryption key K = H_3(V, T_A, T_B).
3. Compute the state value state = H_2(V, T_A, T_B).
4. Compute the ciphertext C_A = Enc_K(id_A, R_A, k_A) and send C_A to user terminal B, where Enc_K(id_A, R_A, k_A) denotes encrypting the plaintext message (id_A, R_A, k_A) with the symmetric encryption algorithm Enc(·) under the symmetric key K.
After receiving T_A, user terminal B performs the following procedure:
1. Compute the shared secret value V = (k_B + d_B)T_A.
2. Compute the symmetric encryption key K = H_3(V, T_A, T_B).
3. Compute the state value state = H_2(V, T_A, T_B).
4. Compute the ciphertext C_B = Enc_K(id_B, R_B, k_B) and send C_B to user terminal A, where Enc_K(id_B, R_B, k_B) denotes encrypting the plaintext message (id_B, R_B, k_B) with the symmetric encryption algorithm Enc(·) under the symmetric key K.
Stage 3: after receiving C_B, user terminal A performs the following procedure:
1. Decrypt (id_B, R_B, k_B) = Dec_K(C_B), where Dec_K(C_B) denotes decrypting the ciphertext C_B with the symmetric decryption algorithm Dec(·) under the symmetric key K to obtain the plaintext (id_B, R_B, k_B). If id_B is not a valid user, execution is terminated.
2. Compute h_B = H_1(id_B, R_B, P_pub) and P_B = R_B + h_B P_pub.
3. Verify that the equation T_B = P_B + k_B G holds; if it does not, execution is terminated.
4. Update the state value state = H_3(state, K, id_A, id_B) and set the session key to K.
After receiving C_A, user terminal B performs the following procedure:
1. Decrypt (id_A, R_A, k_A) = Dec_K(C_A), where Dec_K(C_A) denotes decrypting the ciphertext C_A with the symmetric decryption algorithm Dec(·) under the symmetric key K to obtain the plaintext (id_A, R_A, k_A). If id_A is not a valid user, execution is terminated.
2. Compute h_A = H_1(id_A, R_A, P_pub) and P_A = R_A + h_A P_pub.
3. Verify that the equation T_A = P_A + k_A G holds; if it does not, execution is terminated.
4. Update the state value state = H_3(state, K, id_A, id_B) and set the session key to K.
When user terminal A and user terminal B communicate for the n-th time (n an integer greater than 1), the communication process is as follows:
Stage 1: user terminal A performs the following procedure:
1. Select a random challenge value k_A ← Z_q* and compute the random challenge intermediate value T_A = (k_A + d_A)G.
2. Send the random challenge intermediate value T_A to user terminal B.
User terminal B performs the following procedure:
1. Select a random challenge value k_B ← Z_q* and compute the random challenge intermediate value T_B = (k_B + d_B)G.
2. Send the random challenge intermediate value T_B to user terminal A.
Stage 2: after receiving T_B, user terminal A performs the following procedure:
1. Compute the shared secret value V = (k_A + d_A)T_B.
2. Compute the symmetric encryption key K_1 = H_3(V, T_A, T_B).
3. Compute the symmetric encryption key K_2 = H_3(K_1, state).
4. Compute the ciphertext C_A = Enc_{K_2}(id_A, R_A, k_A) and send C_A to user terminal B, where Enc_{K_2}(id_A, R_A, k_A) denotes encrypting the plaintext message (id_A, R_A, k_A) with the symmetric encryption algorithm Enc(·) under the symmetric key K_2.
After receiving T_A, user terminal B performs the following procedure:
1. Compute the shared secret value V = (k_B + d_B)T_A.
2. Compute the symmetric encryption key K_1 = H_3(V, T_A, T_B).
3. Compute the symmetric encryption key K_2 = H_3(K_1, state).
4. Compute the ciphertext C_B = Enc_{K_2}(id_B, R_B, k_B) and send C_B to user terminal A, where Enc_{K_2}(id_B, R_B, k_B) denotes encrypting the plaintext message (id_B, R_B, k_B) with the symmetric encryption algorithm Enc(·) under the symmetric key K_2.
Stage 3: after receiving C_B, user terminal A performs the following procedure:
1. Decrypt (id_B, R_B, k_B) = Dec_{K_2}(C_B), where Dec_{K_2}(C_B) denotes decrypting the ciphertext C_B with the symmetric decryption algorithm Dec(·) under the symmetric key K_2 to obtain the plaintext (id_B, R_B, k_B). If id_B is not a valid user, execution is terminated.
2. Compute h_B = H_1(id_B, R_B, P_pub) and P_B = R_B + h_B P_pub.
3. Verify that the equation T_B = P_B + k_B G holds; if it does not, execution is terminated.
4. Update the state value state = H_3(state, K_2, id_A, id_B) and set the session key to K_2.
After receiving C_A, user terminal B performs the following procedure:
1. Decrypt (id_A, R_A, k_A) = Dec_{K_2}(C_A), where Dec_{K_2}(C_A) denotes decrypting the ciphertext C_A with the symmetric decryption algorithm Dec(·) under the symmetric key K_2 to obtain the plaintext (id_A, R_A, k_A). If id_A is not a valid user, execution is terminated.
2. Compute h_A = H_1(id_A, R_A, P_pub) and P_A = R_A + h_A P_pub.
3. Verify that the equation T_A = P_A + k_A G holds; if it does not, execution is terminated.
4. Update the state value state = H_3(state, K_2, id_A, id_B) and set the session key to K_2.
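The whole procedure described above (system initialization, user key generation, and the three-stage first and n-th sessions of both embodiments), as an added example that is not part of the patent: it assumes secp256k1 as the curve and SHA-256 with domain tags for H_1, H_2 and H_3, since the page fixes neither, and uses a constructed HMAC-based stand-in for the unspecified Enc(·)/Dec(·). It also checks the backward identity property the text claims: a party holding a user's long-term key (R, d) but not the chained state cannot complete a later session.

```python
# Added example (not the patent's own code): the state-chained certificateless key agreement
# above, on secp256k1 with SHA-256 as H1/H2/H3; Enc/Dec are a constructed HMAC-based stand-in.
import hashlib, hmac, secrets

# secp256k1 (real public constants; the page fixes no concrete curve). Q is the group order q.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2 else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def ec_mul(k, pt):  # double-and-add scalar multiplication k*pt
    acc = None
    while k:
        acc, pt, k = (ec_add(acc, pt) if k & 1 else acc), ec_add(pt, pt), k >> 1
    return acc
def pt_bytes(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def H(tag, *parts): return hashlib.sha256(tag + b"".join(parts)).digest()  # H2 (state) / H3 (key)
def H1(idb, R, Ppub): return int.from_bytes(H(b"H1", idb, pt_bytes(R), pt_bytes(Ppub)), "big") % (Q - 1) + 1
def enc(key, pt, nonce=None):  # stand-in Enc: HMAC keystream XOR, then HMAC tag (encrypt-then-MAC)
    nonce = nonce or secrets.token_bytes(16)
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range(len(pt) // 32 + 1))
    body = nonce + bytes(a ^ b for a, b in zip(pt, ks))
    return body + hmac.new(key, body, "sha256").digest()
def dec(key, ct):  # stand-in Dec: None when the tag does not verify
    body, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()): return None
    return enc(key, body[16:], body[:16])[16:-32]  # XOR with the same keystream inverts it

class KGC:  # key generation center: master key s (secret) and master public key Ppub = sG
    def __init__(self): self.s = secrets.randbelow(Q - 1) + 1; self.Ppub = ec_mul(self.s, G)
    def register(self, idb):  # R = rG, h = H1(id, R, Ppub), d = r + h*s
        r = secrets.randbelow(Q - 1) + 1; R = ec_mul(r, G)
        return R, (r + H1(idb, R, self.Ppub) * self.s) % Q

class User:
    def __init__(self, idb, kgc, valid_ids):  # valid_ids: constructed registry of known users
        self.idb, self.Ppub, self.valid, self.state = idb, kgc.Ppub, valid_ids, None
        self.R, self.d = kgc.register(idb)
    def challenge(self):  # stage 1: T = (k + d)G carries no identity in the clear
        self.k = secrets.randbelow(Q - 1) + 1
        self.T = ec_mul((self.k + self.d) % Q, G)
        return self.T
    def respond(self, T_peer, is_a):  # stage 2: shared secret V, then K (n = 1) or K1/K2 (n > 1)
        self.T_peer, mine, peer = T_peer, pt_bytes(self.T), pt_bytes(T_peer)
        V = pt_bytes(ec_mul((self.k + self.d) % Q, T_peer))
        TA, TB = (mine, peer) if is_a else (peer, mine)
        K1 = H(b"H3", V, TA, TB)
        if self.state is None: self.state, self.K = H(b"H2", V, TA, TB), K1  # K = K1, state = H2(...)
        else: self.K = H(b"H3", K1, self.state)                              # K2 = H3(K1, state)
        return enc(self.K, pt_bytes(self.R) + self.k.to_bytes(32, "big") + self.idb)
    def finish(self, C_peer, is_a):  # stage 3: decrypt, check id, verify T_peer = P_peer + k_peer*G
        pt = dec(self.K, C_peer)
        if pt is None: return None
        Rp = (int.from_bytes(pt[:32], "big"), int.from_bytes(pt[32:64], "big"))
        kp, idp = int.from_bytes(pt[64:96], "big"), pt[96:]
        Pp = ec_add(Rp, ec_mul(H1(idp, Rp, self.Ppub), self.Ppub))  # P = R + h*Ppub = dG
        if idp not in self.valid or ec_add(Pp, ec_mul(kp, G)) != self.T_peer: return None
        idA, idB = (self.idb, idp) if is_a else (idp, self.idb)
        self.state = H(b"H3", self.state, self.K, idA, idB)  # chain the common state forward
        return self.K

def run_session(a, b):  # one three-stage run; returns both sides' session keys (None on abort)
    TA, TB = a.challenge(), b.challenge()
    CA, CB = a.respond(TB, True), b.respond(TA, False)
    return a.finish(CB, True), b.finish(CA, False)

def demo():
    kgc, ids = KGC(), {b"alice", b"bob"}  # constructed sample users
    alice, bob = User(b"alice", kgc, ids), User(b"bob", kgc, ids)
    k1a, k1b = run_session(alice, bob)  # n = 1
    k2a, k2b = run_session(alice, bob)  # n = 2, keyed through the shared state
    clone = User.__new__(User); clone.__dict__.update(alice.__dict__); clone.state = None
    k3c, k3b = run_session(clone, bob)  # alice's long-term (R, d) without the state: both sides abort
    return {"first_match": k1a is not None and k1a == k1b, "second_match": k2a is not None and k2a == k2b,
            "keys_rotate": k1a != k2a, "states_match": alice.state == bob.state,
            "clone_rejected": k3c is None and k3b is None}
```

Running `demo()` returns a dictionary whose every entry is True when the two sessions agree and the state-less clone is rejected by both sides.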
The embodiments described above have at least the following advantageous technical effects:
1. Under the identity-based cryptosystem, the invention does not need a center to manage a large number of certificates.
2. The invention realizes the forward security of both communicating parties: even if the long-term keys of both parties are leaked, the confidentiality of the communication data exchanged before the leak is ensured.
3. The invention realizes the backward identity security of both communicating parties: even if the long-term keys of both parties are leaked, the adversary still cannot impersonate a communicating party in order to communicate.
4. The scheme of the invention does not require bilinear pairing operations and achieves lower computation and communication overhead.
The present invention is not limited to the above-mentioned embodiments, and any changes or substitutions that can be easily understood by those skilled in the art within the technical scope of the present invention are intended to be included in the scope of the present invention.

Claims (10)

1. A backward secure anonymous authentication and key agreement method, comprising the steps of:
the key generation center outputs system parameters and secretly stores a master key according to the input security parameter, wherein the system parameters comprise a hash function for generating random state values of fixed bit length, and the system parameters are those of a communication system formed by a plurality of user terminals;
the key generation center and each user terminal generate the respective public-private key pair of the user terminal according to the system parameters, the user identity of the user terminal and the master key; and
anonymously authenticating the user terminals to be in session according to the respective public-private key pairs and the system parameters, generating a session key and a common state value between the user terminals, and updating the common state value between the user terminals according to the session key and the common state value.
2. The backward secure anonymous authentication and key agreement method as recited in claim 1, wherein, upon the first communication between the user terminals to be in session, anonymously authenticating the user terminals to be in session according to the respective public-private key pairs and the system parameters, generating a session key and a common state value between the user terminals, and updating the common state value between the user terminals according to the session key and the common state value comprises:
each user terminal to be in session generating a random challenge value according to the system parameters;
the user terminals generating a common session key and a common state value according to the random challenge value of the other party and the system parameters; and
performing anonymous authentication between the user terminals according to the common session key, determining the validity of the common session key, and updating the common state value between the user terminals according to the session key and the common state value.
3. The backward secure anonymous authentication and key agreement method as recited in claim 2, wherein, at the n-th communication between the user terminals to be in session, n being an integer greater than 1, anonymously authenticating the user terminals to be in session according to the respective public-private key pairs and the system parameters, generating a session key and a common state value between the user terminals, and updating the common state value between the user terminals according to the session key and the common state value comprises:
each user terminal to be in session generating a random challenge value according to the system parameters;
the user terminals generating a common session key according to the random challenge value of the other party, the system parameters and the common state value; and
performing anonymous authentication between the user terminals according to the common session key, determining the validity of the common session key, and updating the common state value between the user terminals according to the session key and the common state value.
4. A backward secure anonymous authentication and key agreement method as recited in claim 3, wherein said key generation center and each user terminal generating respective public-private key pairs of said user terminal based on said system parameters, user identities of said user terminal, and said master key comprises:
step S10: the user terminal performs the steps of:
registering a user identity of the user terminal to the key generation center;
step S20: the key generation center performs the steps of:
generating a first private key according to the system parameters;
generating a first public key and a second private key according to the first private key, the user identity and the system parameter;
transmitting the second private key and the first public key to the user terminal;
step S30: the user terminal performs the steps of:
and determining the public key of the user terminal according to the user identity and the first public key, and setting the second private key as the private key of the user terminal.
5. The backward secure anonymous authentication and key agreement method as recited in claim 4, wherein the key generation center outputting system parameters and secretly storing master keys according to the inputted security parameters comprises the key generation center performing the operations of:
selecting a large prime number p and coefficients a and b of an elliptic curve, and constructing an elliptic curve E: y^2 = x^3 + ax + b mod p;
selecting an additive cyclic group G_1 of prime order q on the elliptic curve E, with generator G;
selecting a symmetric encryption algorithm Enc(·) and a symmetric decryption algorithm Dec(·), wherein {0,1}* is a bit string consisting of 0s and 1s of arbitrary length and the value space of the symmetric encryption key is determined by the security parameter;
selecting a hash function H_1: {0,1}* → Z_q*, a hash function H_2: {0,1}* → {0,1}^ls and a hash function H_3 mapping {0,1}* to the value space of the symmetric encryption key, wherein {0,1}* is a bit string consisting of 0s and 1s of arbitrary length, Z_q* is the set of integers less than q and coprime with q, and {0,1}^ls is a bit string consisting of 0s and 1s of fixed bit length ls;
randomly selecting the master key s from Z_q* and computing the master public key P_pub = sG; and
outputting the parameters G_1, a, b, p, q, G, Enc(·), Dec(·), H_1, H_2, H_3, P_pub as the system parameters and secretly storing the master key s, wherein H_2 is the hash function used to generate random state values of fixed bit length.
6. The backward secure anonymous authentication and key agreement method as recited in claim 5, wherein said key generation center and each user terminal generating respective public-private key pairs of said user terminal based on said system parameters, user identities of said user terminal and said master key comprises:
step S100: the user terminal performs the steps of:
registering a user identity id of the user terminal to the key generation center;
step S200: the key generation center performs the steps of:
selecting a random number r from Z_q*;
computing the second private key d and the first public key R according to the following formula:
R = rG, h = H_1(id, R, P_pub), d = r + hs;
transmitting the second private key d and the first public key R to the user terminal;
step S300: the user terminal performs the steps of:
setting the public and private key pair of the user identity id as ((id, R), d), wherein the second private key d is the private key of the user identity id, and (id, R) is the public key of the user identity id.
7. The backward secure anonymous authentication and key agreement method as recited in claim 6, wherein each of said user terminals to be in session generating a respective random challenge value based on said system parameters comprises:
selecting a random challenge value k from Z_q* and computing a random challenge intermediate value T according to the formula T = (k + d)G; and
sending the random challenge intermediate value T to the other user terminal to be in session.
8. The backward secure anonymous authentication and key agreement method as recited in claim 7, wherein generating a common session key and a common state value between the user terminals based on the random challenge value of the other party and the system parameters comprises:
the user terminal generating a shared secret value according to its private key, its random challenge value and the random challenge intermediate value of the other user terminal to be in session;
the user terminal generating a common symmetric key and a common state value according to its random challenge intermediate value, the shared secret value, the random challenge intermediate value of the other user terminal to be in session and the system parameters; and
the user terminal encrypting the plaintext information with the common symmetric key and sending the resulting ciphertext to the other user terminal to be in session.
9. The backward secure anonymous authentication and key agreement method as recited in claim 7, wherein generating a common session key between the user terminals based on the random challenge value of the other party, the system parameters and the common state value comprises:
the user terminal generating a shared secret value according to its private key, its random challenge value and the random challenge intermediate value of the other user terminal to be in session;
the user terminal generating a first symmetric key according to its random challenge intermediate value, the shared secret value, the random challenge intermediate value of the other user terminal to be in session and the system parameters;
the user terminal generating a second symmetric key according to the first symmetric key, the common state value and the system parameters; and
the user terminal encrypting the plaintext information with the second symmetric key and sending the resulting ciphertext to the other user terminal to be in session.
10. The backward secure anonymous authentication and key agreement method as recited in claim 9, wherein anonymously authenticating between the user terminals based on the common session key, determining the validity of the common session key and updating the common state value between the user terminals based on the session key and the common state value comprises:
the user terminal decrypting the ciphertext sent by the other user terminal with the symmetric decryption algorithm Dec(·) and the second symmetric key;
verifying the identity information of the other user terminal according to the decryption result; and
if the verification is passed, updating the common state value among the user terminals according to the identity information of the user terminals, the identity information of the other user terminals, the common state value and the system parameter, and setting the session key with the other user terminals as the second symmetric key.
CN202311684236.7A 2023-12-08 2023-12-08 Backward secure anonymous authentication and key negotiation method Pending CN117692138A (en)

Publications (1)

Publication Number Publication Date
CN117692138A true CN117692138A (en) 2024-03-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination