CN1889434A - Method for safety efficient network user identity discrimination - Google Patents

Method for secure and efficient network user identity authentication

Info

Publication number: CN1889434A
Authority: CN (China)
Prior art keywords: user, password, key, network, authentication server
Legal status: Granted (Google notes that the listed legal status is an assumption, not a legal conclusion)
Application number: CN 200610103357
Other languages: Chinese (zh)
Other versions: CN100539500C (en)
Inventor: 胡祥义
Current assignee: Individual (Google notes that the listed assignees may be inaccurate)
Original assignee: Individual
Priority application: CNB2006101033578A, filed by Individual
Publication: CN1889434A
Granted as: CN100539500C
Current legal status: Active


Abstract

This invention relates to a method for authenticating the identity of network users. The client first sends an authentication request. The network authentication server generates a timestamp and a random number, sends them to the client, and starts the lifetime T of this authentication run. The client and the server each compute a symmetric key and an authentication password from these values, and the client transmits its password to the server. The server first checks whether T has expired: if it has, the user is treated as illegitimate; if not, it compares the two passwords. If they are identical, the user is legitimate and the login succeeds; otherwise the user is illegitimate and the login fails.

Description

A method for secure and efficient authentication of network user identity
Technical field:
The present invention belongs to the field of information security. It uses cryptographic techniques to authenticate the identity of network users, and the method can prevent illegal or unauthorized network access. It is applicable to e-government, e-commerce, Internet banking, online games, electronic national defence and the like.
Background art:
At present, the network identity authentication products based on cryptographic algorithms offered by manufacturers at home and abroad all adopt public-key technology such as PKI and IBE. PKI requires a CA digital certification centre, and building one is costly: 10,000 CA centres (including their sub-CA systems) means building 10,000 databases, and the user population that can be managed is only 10^7 to 10^8, so the scale of user management is very limited. In addition, PKI and IBE must build huge certificate or parameter databases and provide online lookup for every authentication, which is inefficient; key renewal needs manual intervention and an annual key-renewal service fee, so operating costs are very high. As a result, the application and adoption of PKI and IBE technology are difficult.
Summary of the invention:
The secure and efficient network user identity authentication method builds a network identity authentication system from computer, cryptographic and chip technology. The client and the network authentication server are each provided with the same symmetric algorithm: on the client side it resides in a smart card, i.e. a USB-interface hardware device with a CPU chip; on the server side it resides in an encryption card, i.e. an API-interface hardware device with a CPU chip.

The authentication procedure, i.e. the network user identity authentication protocol, runs as follows. The client sends an authentication request, namely its user number or other unique user ID, to the network authentication server. The server generates a timestamp and a random number and sends them to the client; at the same time it starts the lifetime T of the authentication process. From the timestamp and the first 16 hex digits of the random number, the client and the server each compute one symmetric key by selecting and combining key "seeds", and every key generated in this way is different. The last 32 hex digits of the random number serve as the plaintext; each end encrypts it with the symmetric algorithm under the key it generated, yielding the client-side password 1 and the server-side password 2, i.e. authentication password 1 and authentication password 2. The client then sends its user number, authentication password 1 and other parameters to the server. The server first checks whether T has expired: if it has, the user is illegitimate; if not, it compares authentication password 1 with authentication password 2. If they are identical the user is legitimate, otherwise illegitimate. This completes the authentication of the network user's identity: a legitimate user is logged in, otherwise the login fails. The whole process is realized by a combination of software and hardware; the concrete method is as follows:
1. The client-side symmetric cryptographic algorithm and one set of user key "seeds", N groups holding M seeds in total, are stored in the USB-interface smart card, where N = 16 and M = 912 to 1744. Each seed has length K = 1 to 2 bytes, i.e. 8 to 16 bits, so the total amount of seed material stored in the smart card is about 0.9 KB to 3.4 KB.
2. The seeds are produced with a random number generator, which guarantees that they are random. Every user has a different set of seeds, issued to that user on a USB-interface smart card; this solves both the secure storage and the distribution of the seeds. The smart card also holds the other authentication protocols and parameters, namely: the user number or other user ID, the user's set of seeds, the cryptographic algorithm, the key generation protocol, the authentication password generation protocol, etc.
3. The server-side symmetric algorithm and one fixed key K1 are stored in the API-interface encryption card, where K1 is 128 to 256 bits long, so K1 has 2^128 to 2^256 possible values; K1 is different in each authentication system. The encryption card also holds other protocols and parameters, namely: the symmetric algorithm, the fixed symmetric key K1, the authentication password generation protocol, etc.
4. The USB-interface smart card is a hardware device with a built-in CPU chip that guarantees the protocols and data written into the chip cannot be read out illegally. The API-interface encryption card is a hardware device with a fast built-in CPU chip that likewise guarantees the protocols and data written into it cannot be read out illegally. Both devices also guarantee that the protocol software written into them runs inside the CPU chip.
5. The user number or other user ID consists of letters or digits and is 4 to 20 characters long; the user's identity card number may be used instead. The user number uniquely identifies the user within the whole authenticated user population.
6. Under the joint control of the algorithm formed from the timestamp and the random number, seeds are selected and combined into one symmetric key. This transiently generated key changes every time and does not repeat. Its length after combination is K = 128 to 256 bits, so the number of network users that can be managed is 2^K. Such a large manageable population means the scale of the authentication system is unrestricted; as of April 2005, US PKI technology could only handle network management for a user population of about 1 billion.
7. The random number is generated by the network authentication server's system and is new for every authentication. It consists of 48 hexadecimal digits. The first 16 digits, together with the timestamp, form the algorithm that selects seeds and generates the symmetric key; the last 32 digits (128 bits) serve as the plaintext, which is encrypted with the symmetric algorithm under the transient symmetric key to yield the authentication password. The authentication password is 16 bytes, i.e. 128 bits, long.
8. The timestamp is derived from the network authentication server's system time and consists of 8 or 10 digits representing year-month-day or year-month-day-hour. L years are covered, where L = 1 to 30; a year has 12 months, a month at most 31 days and a day 24 hours. For example, 28 July 2006 is written "20060728", and 18:00 on 28 July 2006 is written "2006072818". The number of digits in the timestamp is chosen according to the required security level.
9. The seed groups are laid out according to the timestamp. With a 10-digit timestamp, a "year" group, a "month" group, a "day" group and an "hour" group are defined; each of the remaining groups holds 16 seeds. When L > 1, the year group contains L "sub-year" groups; the month group contains 12 "sub-month" groups; the day group contains 31 "sub-day" groups; the hour group contains 24 "sub-hour" groups; and each sub-group holds 16 seeds.
10. Setting up the seeds, by example: if L = 30, each year has 16 seeds, so the year group with its 30 sub-year groups holds 30 × 16 = 480 seeds; the month group with 12 sub-month groups holds 12 × 16 = 192; the day group with 31 sub-day groups holds 31 × 16 = 496; the hour group with 24 sub-hour groups holds 24 × 16 = 384; and the remaining 12 groups, each with 16 seeds, hold 12 × 16 = 192. These 16 groups contain 480 + 192 + 496 + 384 + 192 = 1744 seeds in total, occupying 1744 × 2 = 3488 bytes of storage.
11. A correspondence is established between the first 16 hex digits of the random number, the timestamp and the seeds: each of the 16 random digits is mapped to the 16 seeds of one of the N groups. Groups 1 to 3 or 1 to 4 correspond to the timestamp: with a 10-digit timestamp, the "year", "month", "day" and "hour" groups are used, and when L > 1 the year group contains L sub-year groups. The 1st hex digit of the random number (0 to F, i.e. decimal 0 to 15) indexes the 16 seeds of each of the L sub-year groups; the 2nd digit indexes the 16 seeds of each of the 12 sub-month groups; the 3rd digit indexes the 16 seeds of each of the 31 sub-day groups; the 4th digit indexes the 16 seeds of each of the 24 sub-hour groups; and the 5th to 16th digits (0 to F, decimal 0 to 15) each index the 16 seeds of the corresponding group among groups 5 to 16. This establishes the correspondence between the timestamp, the 16 random digits and the N groups / M seeds.
12. The symmetric key generation protocol: the algorithm formed from the timestamp and the first 16 hex digits of the random number selects seeds from the N groups / M seeds and combines them into a symmetric key. For example, with timestamp "2008072818" and the 16 random hex digits DE60A9F728B13BC5: in group 1, the "year" group, take seed 13 of the 16 seeds corresponding to 2008; in group 2, the "month" group, take seed 14 of the 16 seeds for July; in group 3, the "day" group, take seed 6 of the 16 seeds for the 28th; in group 4, the "hour" group, take seed 0 of the 16 seeds for 18:00; in group 5 take seed 10 of its 16 seeds; and so on up to group 16, where seed 5 of its 16 seeds is taken. The 16 seeds taken out are then concatenated into one symmetric key, which totals 16 to 32 bytes, i.e. 128 to 256 bits.
13. According to the algorithm formed from the timestamp and the random number, one seed is chosen from each of 16 groups of 16 seeds, 16 seeds in all, and these are combined into one symmetric key. With an 8-digit timestamp, i.e. when year, month and day are selected, the number of possible symmetric keys is 16^16 = 2^64 per day; with a 10-digit timestamp, i.e. when year, month, day and hour are selected, it is 16^16 = 2^64 per hour. A key space this large is sufficient to guarantee that every authentication uses a different symmetric key.
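The seed layout and key synthesis of items 9 to 13, written out as an added Python example; this is not code from the patent. It assumes a base calendar year for the first sub-year group (the patent does not say which year maps to it) and that a card issued for 8-digit timestamps simply has no hour group and 13 plain groups instead of 12, which is what makes M = 912 at L = 1. Seeds are random bytes; the `rng` argument exists only so the selection can be checked deterministically.

```python
"""Seed-table layout and symmetric-key synthesis of items 9-13 (added example)."""
import secrets

N_GROUPS = 16          # N: one seed group per leading hex digit of the random number
SEEDS_PER_GROUP = 16   # one seed per hex value 0-F
SEED_LEN = 2           # K: bytes per seed (patent: 1-2 bytes)


def build_seed_table(L: int, base_year: int, with_hour: bool = True,
                     rng=secrets.token_bytes) -> dict:
    """Lay out one user's seed store as items 9-10 describe.

    The year, month, day (and, for 10-digit timestamps, hour) groups are split
    into L, 12, 31 and 24 sub-groups; the remaining groups are plain. Every
    (sub)group holds SEEDS_PER_GROUP random seeds of SEED_LEN bytes each.
    base_year is an assumption: the patent does not say which calendar year
    maps to the first sub-year group.
    """
    def group():
        return [rng(SEED_LEN) for _ in range(SEEDS_PER_GROUP)]

    n_stamp_groups = 4 if with_hour else 3
    return {
        "base_year": base_year,
        "year": [group() for _ in range(L)],
        "month": [group() for _ in range(12)],
        "day": [group() for _ in range(31)],
        "hour": [group() for _ in range(24)] if with_hour else [],
        "plain": [group() for _ in range(N_GROUPS - n_stamp_groups)],
    }


def seed_count(table: dict) -> int:
    """M: total seeds in the store (912 for L=1 without hour, 1744 for L=30 with hour)."""
    return SEEDS_PER_GROUP * sum(len(table[k]) for k in ("year", "month", "day", "hour", "plain"))


def seed_bytes(table: dict) -> int:
    """Storage the seeds occupy in the smart card (3488 bytes for L=30 and 2-byte seeds)."""
    return seed_count(table) * SEED_LEN


def select_indices(r16: str) -> list:
    """Hex digit i of the random number picks seed number i inside its group (item 11)."""
    if len(r16) != 16:
        raise ValueError("the selector is the first 16 hex digits of the random number")
    return [int(h, 16) for h in r16]


def synthesize_key(table: dict, timestamp: str, r16: str) -> bytes:
    """Combine timestamp and first 16 hex digits into one 16-seed symmetric key (items 12-13)."""
    if len(timestamp) not in (8, 10):
        raise ValueError("timestamp must be YYYYMMDD or YYYYMMDDHH")
    year, month, day = int(timestamp[:4]), int(timestamp[4:6]), int(timestamp[6:8])
    if not 0 <= year - table["base_year"] < len(table["year"]):
        raise ValueError("year outside the L sub-year groups the card was issued for")
    # Groups 1-3 (or 1-4) are the timestamp's sub-groups; the rest are the plain groups.
    groups = [table["year"][year - table["base_year"]],
              table["month"][month - 1],
              table["day"][day - 1]]
    if len(timestamp) == 10:
        groups.append(table["hour"][int(timestamp[8:10])])
    groups += table["plain"]
    if len(groups) != N_GROUPS:
        raise ValueError("timestamp length does not match the card's seed layout")
    return b"".join(grp[i] for grp, i in zip(groups, select_indices(r16)))
```

With the item 12 inputs ("2008072818", DE60A9F728B13BC5) the selection is seed 13 of the 2008 sub-year group, seed 14 of the July group, seed 6 of the day-28 group, seed 0 of the 18:00 group, then seeds 10, 9, 15, 7, 2, 8, 11, 1, 3, 11, 12 and 5 of the plain groups; with 2-byte seeds the key is 32 bytes. Changing one random digit changes exactly one of the 16 seeds, which is why the patent counts 16^16 keys per timestamp period.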
14. The symmetric key and the authentication password generated in the USB-interface smart card are both transient: once used they are erased from the smart card at once and not retained. The lifetime TM of the transiently generated symmetric key is less than 0.3 seconds, where TM covers the three phases of generating, using and erasing the key. By contrast, the key lifetime in PKI is at least one year. This both benefits the security of the network user identity authentication protocol and saves system storage.
15. On the network authentication server side, each seed is encrypted, group by group, into ciphertext (the so-called "decryption-key seed") with the symmetric algorithm in the encryption card and the fixed symmetric key K1, and is stored in advance in a hard-disk area indexed by the user number. Server-side seeds are thus kept only in ciphertext form, which protects them and greatly reduces the cost of secure storage.
16. The server-side symmetric key generation protocol is kept on the server's hard disk. It selects and combines 16 seed ciphertexts (decryption-key seeds) from those stored there and transfers them into the encryption card, where the symmetric algorithm with the fixed key K1 decrypts the 16 seed ciphertexts into plaintext, combines them into one transient symmetric key, and encrypts the last 32 hex digits of the random number under it to produce authentication password 2.
17. The network authentication server's hard disk holds, for each user: the user number or other user ID, the seed ciphertexts (decryption-key seeds), the symmetric key generation protocol, etc.
18. The network user identity authentication protocol is realized in challenge/response mode and is also a procedural authentication mode:
(1) The client sends the authentication request with its user number to the network authentication server; the server generates a timestamp and a random number and transmits them to the client; from the same timestamp and random number the two ends each compute the symmetric key and the authentication password, and they do so simultaneously, which speeds up the challenge/response authentication;
(2) The client sends its authentication password and user number to the server; the server compares the authentication passwords of the two ends and completes the procedural authentication. The client does not send the timestamp and random number back, which makes it harder for a hacker to capture the timestamp, random number and authentication password all at once.
19. Immediately after sending the timestamp and random number to the client, the network authentication server starts the lifetime T of the authentication process and confines each authentication run to T, i.e. it bounds the time within which the client must return its authentication password. This prevents a hacker from intercepting the authentication password sent by the user into his own mailbox and then presenting that password to the authentication system to impersonate the user.
20. The authentication password generation protocol at the client and server ends: at both ends the password is generated inside the chip of that end's hardware device,
(1) on the client side, inside the smart-card chip, 16 seeds are selected according to the first 16 hex digits of the random number and the timestamp and combined into one symmetric key; the last 32 hex digits of the random number, used as plaintext, are then encrypted under that key into the password, i.e. authentication password 1;
(2) on the server side, according to the user number, the first 16 hex digits of the random number and the timestamp, the 16 seed ciphertexts belonging to that user number are selected and fed into the chip together with the last 32 hex digits of the random number; inside the chip the fixed symmetric key K1 decrypts the 16 seed ciphertexts into plaintext, which is combined into one symmetric key, and that key encrypts the last 32 hex digits of the random number, the plaintext, into ciphertext, i.e. authentication password 2.
21. In the network user identity authentication protocol, the symmetric key and the random number change for every authentication, so the authentication password also changes every time. A hacker who steals an authentication password therefore cannot use it in a "replay" attack.
22. Network user identity is authenticated by comparing the authentication passwords of the network authentication server and the client. Only the last 32 hex digits of a freshly generated random number are encrypted, and nothing has to be decrypted; the passwords generated by the two ends are held in two memory variables of the server, and authentication is completed by comparing these two variables for equality. This is a procedural authentication: no user certificate is used in the protocol, so there is no need to encrypt and decrypt a user certificate and then compare it, and efficiency is high, whereas PKI must provide online lookup in a huge certificate database and its authentication efficiency is low.
23. In the network user identity authentication protocol, the user number or user ID is sent in the clear. It serves only to guide the selection of the seeds and, at the same time, for rights management in the system. Even if different users happen to obtain identical symmetric keys or authentication passwords, the authentication system does not collapse. This guarantees that the protocol of the present invention is simple, complete and easy to deploy in application systems, whereas in an identity authentication system built on a public-key system, identical keys for different users cause the system to collapse.
Description of drawings:
Fig. 1: flow chart of the method for secure and efficient network user identity authentication
Fig. 2: flow chart of the generation, storage and distribution of the user key "seeds"
Embodiment:
The implementation steps of the authentication method are described below with reference to the drawings:
Fig. 1 illustrates the authentication process, i.e. the network user identity authentication protocol. The client first sends an authentication request carrying its user number to the network authentication server. On receiving the user number, the server immediately generates a timestamp and a random number and sends them to the client; the two ends then generate their authentication passwords in parallel, as follows:
(1) The network authentication server starts the authentication lifetime T. Using the algorithm formed from the received user number, the timestamp it generated itself and the first 16 hex digits of the random number, it picks one set of 16 seed ciphertexts (decryption-key seeds) from the N groups / M seed ciphertexts belonging to that user number and passes them, together with the last 32 hex digits of the random number, into the encryption card. Inside the card, the set of seed ciphertexts is decrypted with the symmetric algorithm under the fixed symmetric key K1, the decrypted seeds are combined into one symmetric key, and the last 32 hex digits of the random number, the plaintext, are encrypted under that key into ciphertext, i.e. authentication password 2, which the card returns to the server;
(2) The client passes the received timestamp and random number into the smart card. Inside the card, the algorithm formed from the timestamp and the first 16 hex digits of the random number selects 16 seeds from the N groups / M seeds and combines them into one symmetric key; the last 32 hex digits of the random number, the plaintext, are encrypted under that key into ciphertext, i.e. authentication password 1, which the card returns to the client;
The client sends authentication password 1 to the network authentication server. On receiving it, the server first checks whether the lifetime T has expired. If it has, the client user is illegitimate and the login fails. If not, it compares authentication passwords 1 and 2: if they differ, the client user is illegitimate and the login fails; if they are identical, the client user is legitimate and the login succeeds.
Fig. 2 illustrates the initialization of the hardware devices, the smart card and the encryption card. The same symmetric algorithm is stored in both the smart card and the encryption card; a random number generator is stored in the smart card; and the fixed symmetric key K1 is stored in the encryption card. Next, the user number is written into the smart card, the smart card's random number generator produces the N groups / M random numbers, and these are written into the smart card as the user's seeds; the smart card carrying the seeds is then issued to the user. At the same time, the seeds are entered into the encryption card, where the symmetric algorithm with the fixed symmetric key K1 encrypts them, group by group, into ciphertext (decryption-key seeds). Finally, these seed ciphertexts are stored together with the corresponding user number in the hard-disk area of the network authentication server.
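The exchange of items 14 to 22 and Fig. 1, with the enrolment of Fig. 2, as an added example that is not part of the patent. HMAC-SHA256 stands in for the unspecified hardware symmetric algorithm, both for producing the 128-bit authentication password and, as an XOR mask, for keeping the seed rows on the server's disk encrypted under K1. The seed table is flattened to 16 groups indexed by the random digits alone, dropping the year/month/day/hour sub-groups, so the block stays focused on the protocol; the clock is passed in as `now` so the lifetime T check can be exercised. The names `SmartCard`, `AuthServer`, `enrol`, `begin` and `finish` are this example's own.

```python
"""Challenge/response exchange of items 14-22 and Fig. 1 (added example)."""
import hashlib
import hmac
import secrets
import time

SEED_LEN = 2          # bytes per seed
GROUPS = 16           # one group per leading hex digit of the random number
SEEDS_PER_GROUP = 16  # one seed per hex value 0-F


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in for the hardware symmetric algorithm (assumption: HMAC-SHA256, 32 bytes)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def make_seed_table(rng=secrets.token_bytes) -> list:
    """Fresh random seeds for one user: GROUPS rows of SEEDS_PER_GROUP seeds (Fig. 2)."""
    return [[rng(SEED_LEN) for _ in range(SEEDS_PER_GROUP)] for _ in range(GROUPS)]


def auth_password(table: list, rnd48: str) -> bytes:
    """Key from the first 16 hex digits, then 'encrypt' the last 32 (128 bits) under it."""
    if len(rnd48) != 48:
        raise ValueError("random number must be 48 hex digits")
    key = b"".join(table[g][int(h, 16)] for g, h in enumerate(rnd48[:16]))
    return prf(key, bytes.fromhex(rnd48[16:]))[:16]   # 16-byte authentication password


class SmartCard:
    """Client-side USB smart card: the seeds never leave it, only the password does."""

    def __init__(self, user_id: str, table: list):
        self.user_id = user_id
        self._table = table

    def respond(self, timestamp: str, rnd48: str) -> bytes:
        # The full scheme also uses the timestamp to pick year/month/day/hour
        # sub-groups; this flat table is indexed by the random digits alone.
        return auth_password(self._table, rnd48)


class AuthServer:
    def __init__(self, lifetime_t: float, k1: bytes = None):
        self.k1 = k1 or secrets.token_bytes(32)  # fixed K1, lives in the encryption card
        self.lifetime_t = lifetime_t
        self._seed_store = {}  # user_id -> encrypted seed rows (the hard-disk area)
        self._pending = {}     # user_id -> (deadline, password 2)

    def _row_mask(self, user_id: str, g: int) -> bytes:
        return prf(self.k1, user_id.encode() + bytes([g]))

    def enrol(self, user_id: str, table: list) -> None:
        """Store the user's seeds only as ciphertext under K1, one row per group (item 15)."""
        self._seed_store[user_id] = [
            bytes(a ^ b for a, b in zip(b"".join(row), self._row_mask(user_id, g)))
            for g, row in enumerate(table)]

    def _decrypt_table(self, user_id: str) -> list:
        """What the encryption card does with the selected seed ciphertexts (item 16)."""
        rows = []
        for g, ct in enumerate(self._seed_store[user_id]):
            pt = bytes(a ^ b for a, b in zip(ct, self._row_mask(user_id, g)))
            rows.append([pt[i:i + SEED_LEN] for i in range(0, len(pt), SEED_LEN)])
        return rows

    def begin(self, user_id: str, now: float):
        """Step 1: issue timestamp + random number, start lifetime T, precompute password 2."""
        if user_id not in self._seed_store:
            return None
        timestamp = time.strftime("%Y%m%d%H", time.gmtime(now))
        rnd48 = secrets.token_hex(24).upper()
        pw2 = auth_password(self._decrypt_table(user_id), rnd48)
        self._pending[user_id] = (now + self.lifetime_t, pw2)
        return timestamp, rnd48

    def finish(self, user_id: str, password1: bytes, now: float) -> bool:
        """Step 2: expiry check first, then constant-time comparison of the two passwords."""
        entry = self._pending.pop(user_id, None)  # single use: a replayed password finds nothing
        if entry is None:
            return False
        deadline, pw2 = entry
        if now > deadline:
            return False                           # lifetime T has elapsed: illegitimate
        return hmac.compare_digest(password1, pw2)
```

The order of the checks follows the description: the pending challenge is consumed on first use, then T is tested, then the two passwords are compared. A replayed password, an answer that arrives after T, and a card holding the wrong seeds all fail, while the client never sends the timestamp or random number back.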

Claims (10)

1. A method for secure and efficient network user identity authentication, realized with computer, cryptographic and chip technology, whose implementation steps are as follows:
The client and the network authentication server are each provided with the same symmetric algorithm: on the client side it resides in a smart card, i.e. a USB-interface hardware device with a CPU chip; on the server side it resides in an encryption card, i.e. an API-interface hardware device with a CPU chip. The authentication procedure, i.e. the network user identity authentication protocol, is as follows: the client sends an authentication request, namely its user number or other unique user ID, to the network authentication server; the server generates a timestamp and a random number and sends them to the client, and at the same time starts the lifetime T of the authentication process; from the timestamp and the first 16 hex digits of the random number, the client and the server each compute one symmetric key by selecting and combining key "seeds", and every key so generated is different; the last 32 hex digits of the random number serve as the plaintext, which each end encrypts with the symmetric algorithm under the key it generated, yielding the client-side password 1 and the server-side password 2, i.e. authentication password 1 and authentication password 2; the client then sends its user number, authentication password 1 and other parameters to the server; the server first checks whether T has expired, and if it has, the user is illegitimate; if not, it compares authentication password 1 with authentication password 2;
if they are identical the user is legitimate, otherwise illegitimate; this completes the authentication of the network user's identity, and a legitimate user is logged in, otherwise the login fails.
2. The method according to claim 1, characterized in that:
(1) each user is provided with a different set of key "seeds", N groups holding M seeds in total; under the control of a timestamp and a random number, seeds are selected and combined to generate the symmetric key; key renewal is performed by the algorithm without manual intervention and without charging a key-renewal service fee, which saves the operating cost of the invention;
(2) the number of different symmetric keys that the timestamp and random number can generate for each user is, over L years where L = 1 to 30, 2^64 per day or 2^64 per hour, which guarantees that every authentication uses a different symmetric key;
(3) the network user identity authentication system stores only about 0.9 KB to 3.4 KB of key "seeds" in the smart-card chip, can generate 2^K different symmetric keys and can therefore manage an extremely large user population of 2^K, where K = 128 to 256; it adapts to network management at any user scale, whereas PKI technology can at present only handle network management for a user population of about 1 billion.
3. The method according to claims 1 and 2, characterized in that:
the symmetric key obtained by selection and combination changes every time and does not repeat; a used symmetric key is erased at once and not retained, and the current network user identity authentication run is concluded at the same time; the lifetime TM of the symmetric key is less than 0.3 seconds, whereas the key lifetime in PKI technology is at least one year; the present invention thus both secures the network user identity authentication protocol and saves system storage.
4. The method according to claims 1 and 3, characterized in that:
the authentication password is generated by encrypting the last 32 hex digits of the random number with the symmetric algorithm and the symmetric key; since the symmetric key and the random number change for every authentication, the authentication password also changes every time, which prevents a hacker from stealing an authentication password and mounting a "replay" attack.
5. The method according to claim 1, characterized in that:
the client and the network authentication server compute the symmetric key and the authentication password simultaneously from the same timestamp and random number, which speeds up the challenge/response authentication.
6. The method according to claim 1, characterized in that:
the timestamp and random number are generated at the network authentication server end and sent to the client end; what the client end sends back to the server end is the user number and the authentication password, without returning the timestamp and random number, which makes it harder for a hacker to capture the timestamp, random number and authentication password all at once.
7. The method according to claims 1, 4 and 6, characterized in that:
the symmetric key and authentication password generated on the client side are strictly controlled by the network authentication server side through the timestamp, random number and other parameters it supplies; a given timestamp and random number can be used only once; if the client's key "seeds" are wrong, the correct authentication password cannot be generated; this guarantees that the network user identity authentication protocol is secure and reliable.
8. The method according to claim 1, characterized in that:
The network authentication server sets a lifetime T for the authentication process, which bounds the time within which the client must return the authentication password; this stops a hacker from intercepting the authentication password sent by the user into his own mailbox and later submitting that authentication password to attack the authentication system by "impersonation".
9. The method according to claims 1, 4 and 5, characterized in that:
(1) Network user identity authentication is performed by comparing the authentication passwords computed at the client and at the network authentication server. Only the last 32 bits of a temporarily generated random number are encrypted, and nothing needs to be decrypted; the authentication passwords generated at the two ends are stored in two memory variables of the network authentication server, and identity authentication is completed by comparing whether these two memory variables are identical. The network user identity authentication protocol uses no user certificate, so the authentication process does not need to encrypt and decrypt a user certificate and then authenticate by comparing certificates, nor does it need the online comparison against a huge certificate database used in PKI technology, whose authentication efficiency is low; the present invention uses a procedural form of authentication with high efficiency;
(2) The network user identity authentication protocol uses the user number or user ID to select the corresponding user key "seed" from which the symmetric key and authentication password are generated; the user number or user ID is not encrypted and serves only to guide the selection of the user key "seed". Even if the symmetric keys or authentication passwords of different users happen to coincide, this cannot cause the collapse of the authentication system as it would in a public key system, which guarantees that the network user identity authentication protocol of the present invention is simple, complete and easy to deploy in application systems.
10. The method according to claim 1, characterized in that:
(1) Each user key "seed" at the network authentication server is encrypted into ciphertext, group by group, with the symmetric algorithm and one fixed set of symmetric keys K1 inside the encryption card at that end, and stored in advance in the hard disk storage area corresponding to the user number; that is, the user key "seeds" at the network authentication server are stored in ciphertext form, which both guarantees the security of the user key "seeds" at the network authentication server and greatly reduces the cost of secure storage;
(2) At the client, critical data such as the user key "seed" are stored in the chip of a smart card, and the chip guarantees that the data inside it cannot be read illegally, which both prevents the client's user key "seed" from leaking and facilitates the distribution and management of user key "seeds";
(3) At both the network authentication server and the client, the symmetric algorithm, the symmetric key generation protocol and the authentication password generation protocol are all stored in the chip of the encryption card or smart card; the symmetric key and authentication password are computed entirely inside the chip and only then passed to the server or computer, which prevents the symmetric key and authentication password generation protocols from being analyzed by others.
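The flow claimed in claims 3 to 9 (server-issued timestamp and random number, one-time symmetric key derived from the user key "seed", a password computed from only the last 32 bits of the random number, a lifetime T checked before the two stored passwords are compared, and single use of every challenge) is simulated below as an added example; it is not the patent's own code. The patent names neither its symmetric algorithm nor its key-derivation rule, so HMAC-SHA256 stands in for both (an assumption); the 32-bit password length, the value T = 2 seconds, the user number "u001" and the clock values are constructed for the example. The constant-time comparison is a practitioner's addition, since the patent only says the two memory variables are compared.

```python
import hashlib
import hmac
import secrets

PASSWORD_LEN = 4  # assumption: a 32-bit authentication password


def derive_key(seed: bytes, timestamp_ms: int, nonce: bytes) -> bytes:
    # One-time symmetric key from the user key "seed" plus the server's
    # timestamp and random number. HMAC-SHA256 stands in for the patent's
    # unnamed symmetric algorithm (assumption).
    msg = timestamp_ms.to_bytes(8, "big") + nonce
    return hmac.new(seed, msg, hashlib.sha256).digest()


def auth_password(key: bytes, nonce: bytes) -> bytes:
    # Authentication password: keyed transform of only the last 32 bits of
    # the random number; nothing is ever decrypted (claims 4 and 9).
    return hmac.new(key, nonce[-4:], hashlib.sha256).digest()[:PASSWORD_LEN]


class Client:
    def __init__(self, user_id: str, seed: bytes):
        self.user_id = user_id
        self.seed = seed  # would live inside the smart-card chip (claim 10)

    def respond(self, timestamp_ms: int, nonce: bytes) -> tuple:
        key = derive_key(self.seed, timestamp_ms, nonce)
        password = auth_password(key, nonce)
        del key  # claim 3: the used key is discarded, not stored
        # Claim 6: only the user number and password go back; the timestamp
        # and random number are not retransmitted.
        return self.user_id, password


class AuthServer:
    def __init__(self, seeds: dict, lifetime_t: float):
        self.seeds = seeds          # user number -> key "seed"
        self.lifetime_t = lifetime_t
        self.pending = {}           # user number -> (expected password, deadline)

    def challenge(self, user_id: str, now: float) -> tuple:
        timestamp_ms = int(now * 1000)
        nonce = secrets.token_bytes(16)
        key = derive_key(self.seeds[user_id], timestamp_ms, nonce)
        # Claim 5: the server computes its own copy of the password at once.
        expected = auth_password(key, nonce)
        del key
        # Claim 8: lifetime T starts when the challenge is issued.
        self.pending[user_id] = (expected, now + self.lifetime_t)
        return timestamp_ms, nonce

    def verify(self, user_id: str, password: bytes, now: float) -> bool:
        # Claim 7: a timestamp/nonce pair is consumed on first use, whether
        # or not the attempt succeeds, so a captured password cannot be replayed.
        entry = self.pending.pop(user_id, None)
        if entry is None:
            return False
        expected, deadline = entry
        if now > deadline:
            return False  # lifetime T elapsed: treated as an illegal user
        return hmac.compare_digest(expected, password)


def run_scenarios() -> dict:
    # Constructed users, seeds and clock values.
    seed = secrets.token_bytes(32)
    server = AuthServer({"u001": seed}, lifetime_t=2.0)
    alice = Client("u001", seed)
    mallory = Client("u001", secrets.token_bytes(32))  # wrong seed
    t0 = 1_700_000_000.0

    # 1. legitimate login, answered within T
    ts, nonce = server.challenge("u001", now=t0)
    uid, pw = alice.respond(ts, nonce)
    login = server.verify(uid, pw, now=t0 + 0.5)

    # 2. replay of the captured password against the consumed challenge
    replay = server.verify(uid, pw, now=t0 + 0.6)

    # 3. correct password, but returned after T has elapsed
    ts, nonce = server.challenge("u001", now=t0 + 10)
    uid, pw = alice.respond(ts, nonce)
    late = server.verify(uid, pw, now=t0 + 10 + 2.5)

    # 4. attacker holding the right user number but the wrong seed
    ts, nonce = server.challenge("u001", now=t0 + 20)
    uid, pw = mallory.respond(ts, nonce)
    wrong_seed = server.verify(uid, pw, now=t0 + 20.5)

    return {"login": login, "replay": replay, "late": late, "wrong_seed": wrong_seed}


if __name__ == "__main__":
    print(run_scenarios())
```

Only the first scenario authenticates; the replay fails because the challenge was consumed on first use, the late answer fails on the lifetime check before any comparison, and the wrong seed yields a different password for the same timestamp and random number.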

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006101033578A CN100539500C (en) 2006-07-21 2006-07-21 Method for safety efficient network user identity discrimination

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2006101033578A CN100539500C (en) 2006-07-21 2006-07-21 Method for safety efficient network user identity discrimination

Publications (2)

Publication Number Publication Date
CN1889434A true CN1889434A (en) 2007-01-03
CN100539500C CN100539500C (en) 2009-09-09

Family

ID=37578695

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006101033578A Active CN100539500C (en) 2006-07-21 2006-07-21 Method for safety efficient network user identity discrimination

Country Status (1)

Country Link
CN (1) CN100539500C (en)

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101018131B (en) * 2007-02-16 2010-11-03 北京飞天诚信科技有限公司 Information security device with the function selection device and its control method
CN101641976B (en) * 2007-03-27 2012-07-25 英国电讯有限公司 An authentication method
CN101291224B (en) * 2007-04-17 2012-09-05 美国博通公司 Method and system for processing data in communication system
US9767319B2 (en) 2007-04-17 2017-09-19 Avago Technologies General Ip (Singapore) Pte. Ltd. Method and apparatus of secure authentication for system on chip (SoC)
CN100579007C (en) * 2007-08-07 2010-01-06 上海交通大学 Method for generating cipher key, communication system, communication apparatus and server
US8887307B2 (en) 2007-10-12 2014-11-11 Broadcom Corporation Method and system for using location information acquired from GPS for secure authentication
CN101478407B (en) * 2008-01-03 2011-05-25 联想(北京)有限公司 Method and apparatus for on-line safe login
CN101772025B (en) * 2008-12-29 2012-06-06 中国移动通信集团公司 User identification method, device and system
WO2011150650A1 (en) * 2010-06-01 2011-12-08 华为技术有限公司 Method and device for key authorization information management
CN103259768A (en) * 2012-02-17 2013-08-21 中兴通讯股份有限公司 Method, system and device of message authentication
CN104184580A (en) * 2013-05-21 2014-12-03 北京神州泰岳软件股份有限公司 Network operating method and network operating system
CN104935431A (en) * 2014-03-17 2015-09-23 株式会社理光 Authentication device, authentication system, and authentication method
CN104935431B (en) * 2014-03-17 2018-08-14 株式会社理光 Authentication device, authentication system, and authentication method
CN104158807B (en) * 2014-08-14 2017-07-28 福州环亚众志计算机有限公司 A kind of safe cloud computing method and system based on PaaS
CN104158807A (en) * 2014-08-14 2014-11-19 四川九成信息技术有限公司 PaaS-based secure cloud computing method and PaaS-based secure cloud computing system
CN104539609A (en) * 2014-12-25 2015-04-22 深圳联友科技有限公司 Method for solving problem that illegal client end occupies server resources
CN104978144A (en) * 2015-06-26 2015-10-14 中国工商银行股份有限公司 Gesture password input device and system and method for transaction based on system
CN105959110A (en) * 2016-06-30 2016-09-21 苏州众天力信息科技有限公司 Multi-combination dynamic encryption communication authentication method and system
CN106789076B (en) * 2016-12-28 2020-01-14 Tcl集团股份有限公司 Interaction method and device for server and intelligent equipment
WO2019052027A1 (en) * 2017-09-14 2019-03-21 深圳光峰科技股份有限公司 Authentication method, control device, and central control service device
CN109510798A (en) * 2017-09-14 2019-03-22 深圳光峰科技股份有限公司 Method for authenticating and control equipment, middle control service equipment
CN109150891A (en) * 2018-09-05 2019-01-04 北京深思数盾科技股份有限公司 A kind of verification method, device and information safety devices
CN109150891B (en) * 2018-09-05 2020-03-17 北京深思数盾科技股份有限公司 Verification method and device and information security equipment
CN111432405A (en) * 2020-03-31 2020-07-17 中电四川数据服务有限公司 Authorization authentication method and system for electronic medical record
CN112769569A (en) * 2021-03-04 2021-05-07 北京德风新征程科技有限公司 Internet of things equipment secure communication method and equipment
CN112769569B (en) * 2021-03-04 2023-02-07 北京德风新征程科技有限公司 Internet of things equipment secure communication method and equipment

Also Published As

Publication number Publication date
CN100539500C (en) 2009-09-09

Similar Documents

Publication Publication Date Title
CN100539500C (en) Method for safety efficient network user identity discrimination
CN101282222B (en) Digital signature method based on CSK
CN104104517B (en) The method and system of disposal password checking
US9069940B2 (en) Secure host authentication using symmetric key cryptography
CN1270471C (en) Administration and utilization of secret fresh random numbers in networked environment
CN1234081C (en) Method and device for realizing computer safety and enciphering based on identity confirmation
EP3596680A1 (en) Methods and systems for universal storage and access to user-owned credentials for trans-institutional digital authentication
RU2351978C2 (en) Method for provision of data records set integrity
CN109040067A (en) A kind of user authentication device and authentication method based on the unclonable technology PUF of physics
CN102664739A (en) PKI (Public Key Infrastructure) implementation method based on safety certificate
CN101022337A (en) Network identification card realizing method
CN1516388A (en) Network accreditation method based no symmetric cryptosystem
CN110750541A (en) Data storage indexing system and method based on block chain
CN111541542A (en) Request sending and verifying method, device and equipment
CN114357492A (en) Medical data privacy fusion method and device based on block chain
CN111242611A (en) Method and system for recovering digital wallet key
CN106778292A (en) A kind of quick restoring method of Word encrypted documents
CN112699352B (en) Trusted data acquisition terminal identity verification method, computer storage medium and electronic equipment
CN110837634A (en) Electronic signature method based on hardware encryption machine
CN107733936B (en) Encryption method for mobile data
CN1703003A (en) Black box technique based network safety platform implementing method
Sevis et al. Survey on data integrity in cloud
CN1329418A (en) Method for authenticating network user identity and method for overcoming user password loophole in Kerberous authentication system
CN113468596B (en) Multi-element identity authentication method and system for outsourcing calculation of power grid data
CN108833379A (en) A kind of data encryption and transmission method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant