RU2184390C1 - Method for authenticating objects - Google Patents

Abstract

FIELD: computer engineering. SUBSTANCE: method involves creating authenticating center source data including electronic digital subscript parameters and its authentication information in advance. Traffic centers source data including identification messages, certificates and traffic center authentication data. Data exchange is maintained that any encoded session key is excluded from being sent via open communication channel of restricted carrying capacity and its formation is provided on the traffic stations in independent way. EFFECT: enhanced effectiveness in preventing unauthorized access under conditions of real time object authentication in low capacity channels. 5 cl, 66 dwg

Description

 The invention relates to the field of cryptography, namely to authentication of objects, and can be used as a separate element in the construction of authentication systems intended for authentication (recognition) of objects (correspondents) in communication networks.

 The proposed authentication method can be used in authentication systems in the case of establishing a connection between legitimate (legal) correspondents (legitimate (legal) correspondents - correspondents of a network or direction of communication who have a legal right to conduct information exchange) in the conditions of interception by the violator of information transmitted via communication channels .

 A known authentication method is described, for example, in the book Romanets Yu. V., Timofeev P.A., Shangin V.F. Information Security in Computer Systems and Networks / Ed. V.F. Shangina. - M.: Radio and Communications, 1999, pp. 150-152. The known method consists in the preliminary formation at the first corresponding point of the source data: the module of the final group n, secret s and public v keys, and subsequent transmission via a secure channel (safe channel is a channel for transmitting information in which the adversary is not able to intercept information) to the second corresponding point copies of the public key v. If authentication is necessary, a random number r is selected at the first corresponding item, and then the number x is calculated based on r and n. The calculated x is transmitted over an open channel to the second corresponding point, at which a random binary sequence b is generated, which is transmitted to the first corresponding point. At the first corresponding point, based on the secret key s, random number r, module n and random binary sequence b, the number y is calculated, which is transmitted to the second corresponding point. In the second paragraph, the correctness of the calculation of the number y is checked. If the test fails, the connection is disconnected. The indicated steps (except for the preliminary formation of the initial data) are repeated t times until the second corresponding item is convinced that the first corresponding item really knows the secret key s. The method allows authentication of objects with zero knowledge transfer regarding the secret key.

 However, the known method provides only one-way authentication, in addition, with an increase in the probability of error in the open communication channel through which the message is exchanged, the execution time of the protocol increases dramatically.

 An authentication method is also known, as described, for example, in the book of A. Menezes, P. van Oorschot. S. Vanstone. Handbook of Applied Cryptography. CRC Press, N. Y., 1996, p. 508. The known method consists in the preliminary formation of secret and public encryption keys, identification messages of the respective parties on both corresponding points, and the subsequent mutual exchange of copies of the public keys through a secure channel. If authentication is necessary, the first symmetric session key is formed at the first correspondent point, which is combined by concatenation (concatenation is a sequential connection of sequences to the right from each other) with the identification message of the first corresponding point. The received message is encrypted using the public encryption key of the second corresponding item. The encrypted message is transmitted to the second corresponding point, at which it is decrypted using its secret encryption key. After that, the correctness of the identification message is checked, and then a second symmetric session key is formed, which is combined by concatenation with the received first symmetric session key. The received message is encrypted using the public encryption key of the first corresponding item and is transmitted to the first corresponding item. At the first corresponding point, the received message is decrypted using its secret encryption key. After that, the correct transmission of the first symmetric session key is checked. If the verification is successful, the second symmetric session key is encrypted using the public encryption key of the second corresponding item. The received encrypted message is transmitted to the second corresponding point, where it is decrypted using its secret encryption key. After that, the second symmetric session key is checked for correctness. If the test succeeds at both corresponding points using the first and second symmetric session keys, a common session key is generated. The method provides mutual authentication of correspondents with high durability.

 However, with a large number of correspondents of the communication network, the known method requires large amounts of storage devices for storing public encryption keys of all correspondents.

 The closest in technical essence to the claimed method of authentication of objects is the Beller-Jacobi authentication method, described, for example, in the book A. Menezes, P. van Oorschot, S. Vanstone. Handbook of Applied Cryptography. CRC Press, N.Y., 1996, pp. 512-514.

 The prototype method includes preliminary generation of the initial data of the authentication center (authentication center (certification center, third party) - a telecommunication network object not participating in the information exchange between the corresponding points and performing the functions of generating certificates of the corresponding points and (or) the source data for them) and identification messages of the first and second correspondent points, transmission from the authentication center to the first and second corresponding points of the source data authentication center and identification messages, generating the initial data of the first corresponding item, generating the initial data of the second corresponding item, and then authentication with the first corresponding item of the second corresponding item and authentication with the second corresponding item of the first.

The formation of the initial data of the authentication center and the identification messages of the first and second corresponding points consists in the formation of a large prime number n _{s of the} primitive element of the multiplicative group in the Galois field GF (n _s ), parameters of the electronic digital signature (EDS) of the authentication center, and the public key of the EDS is the authentication center is selected equal to 2 or 3, as well as the formation of identification messages of the first and second corresponding items by assigning each of them a unique name.

The transfer from the authentication center to the first and second corresponding points of the original data of the authentication center and identification messages consists in transferring to each of them a large prime number n _s , a primitive element of the multiplicative group in the Galois field GF (n _s ), the module and the public key of the digital signature of the authentication center as well as their corresponding identification messages.

 The formation of the initial data of the first offsetting point consists in generating the EDS secret key of the first offsetting point by generating a random number, calculating the EDS public key of the first offsetting point, transmitting the first electronic offsetting point's public key authentication center to the authentication center, forming the information part of the first certificate on the authentication center corresponding item by concatenating the corresponding identification message and the public key of the EDS of the first corresponding point, calculating the EDS of the authentication center for the information part of the certificate, generating the certificate of the first corresponding point by concatenating the corresponding information part and its EDS, transferring the certificate to the first corresponding point.

 The formation of the initial data of the second corresponding point consists in the formation of encryption parameters with the public key of the second corresponding point, with the public encryption key being selected equal to 2 or 3, transmission to the authentication center via the secure channel of the public key encryption module, the formation of the information part of the second corresponding certificate on the authentication center clause by concatenating the corresponding identification message and the received encryption module with open to yuchom, calculating the authentication center for electronic signature of the information certificate, certificate of formation of the second corresponding points by concatenating corresponding thereto) of the information part and its digital signature, the transfer to the second corresponding points of his certificate, the transfer from the second to the first corresponding points of the second public key encryption corresponding points.

 Authentication by the first corresponding point of the second corresponding point consists in transferring the certificate from the second corresponding point to the first, checking the accepted certificate and, if positive, dividing it into the information part and its digital signature, dividing the information part of the certificate of the second corresponding point into an identification message and encryption module with open key and their memorization, the formation of the session key by generating the first random number of the first correspondence the encryption item using the public key and the encryption module of the second corresponding item of the session key, transferring the encrypted session key from the first corresponding item to the second encrypted item, decrypting the received encrypted session key with its module and secret key and remembering it, generating the first random number of the second corresponding item and its memorization, the formation of a ringing message by concatenating the first random number and the second corresponding item and the sequence of t zeros, encrypting the call message with the session key and transmitting it to the first corresponding item, decrypting the received call message with the session key on it and dividing it into the first random number of the second corresponding item and the sequence of t zeros , remembering the first random number of the second corresponding item and checking the integrity of the sequence of t zeros. In case of a positive check, the second offsetting point is considered authenticated by the first offsetting point.

 Authentication by the second correspondent point of the first consists in the formation of the first correspondent point of the message M by concatenation of the first random number of the second corresponding point and its identification message, the formation of the E-message with the help of its secret key, the formation of the response message by concatenation of the digital signature of the message M and the certificate of the first correspondent encrypting with the session key the response message, transmitting the encrypted response message to the second offsetting point, decrypting with the session key the second offsetting point of the received encrypted response message, dividing it into EDS of message M and the certificate of the first offsetting point, checking the certificate of the first offsetting point and, if it is checking positive, dividing it into the information part and EDS, dividing the information part certificate for an identification message and an EDS public key of the first corresponding item, forming message M by concatenating of the first random number and the identification message of the second corresponding item, checking with the public key of the EDS the first corresponding item of the received EDS message M. If the check is positive, the first corresponding item is considered authenticated as the second corresponding item.

 In the case of a negative result of any of the above checks, the connection between the corresponding points is broken.

 The prototype method provides mutual authentication of correspondents in the conditions of imbalance in their computing power.

 The disadvantage of the prototype of the claimed method is its relatively low resistance to possible effects of the enemy (possible effects of the enemy - a set of actions aimed at opening the content of the transmitted information by the enemy and (or) its modification, as well as entering false information) in real-time authentication of objects at work on channels with low bandwidth, due to transmission over an open communication channel (open communication channel - a communication channel between two correspondents clauses in which the information transmitted through it is available to the adversary for intercepting and modifying the encrypted session key. (Under the conditions of limiting the authentication time of objects, it becomes necessary to limit the order of a numerical field (the order of a numerical field is the number of its elements) in which encryption is performed, as a result of which the adversary has the option of opening a session key).

 The purpose of the claimed technical solution is to develop a method of authentication of objects, which provides increased resistance to possible enemy attacks in real-time authentication of objects when working on channels with low bandwidth.

ненулевых случайных чисел, где l= 1, 2, 3... - требуемая стойкость к компрометациям аутентификационной информации, r=n/d, d - разрядность вычислителя в битах, n - требуемая длина ключа аутентификации в битах, а аутентификациониую информацию центра аутентификации формируют путем конкатенации ненулевых случайных чисел. Для формирования аутентификационной информации первого и второго корреспондирующих пунктов вычисляют для каждого из них коэффициенты полиномов {g_i ^[N](x)} вида

где

N - номер корреспондирующего пункта, b_i,kh=b_i,hk≠0 - элементы аутентификационной информации центра аутентификации, а аутентификационную информацию корреспондирующего пункта формируют путем конкатенации соответствующих его номеру коэффициентов полиномов { g_i ^[N](x)}. После передачи на каждый корреспондирующий пункт соответствующего ему сертификата на них передают по безопасному каналу соответствующую им аутентификационную информацию. Затем при положительной проверке принятого на первом корреспондирующем пункте сертификата второго корреспондирующего пункта разделяют его на идентификационное сообщение и электронную цифровую подпись идентификационного сообщения. После чего разделяют идентификационное сообщение второго корреспондирующего пункта на номер и опознавательный признак. Проверяют правильность опознавательного признака и при положительной проверке запоминают номер второго корреспондирующего пункта. На втором корреспондирующем пункте генерируют второе случайное число второго корреспондирующего пункта и передают его на первый корреспондирующий пункт, где его запоминают. После чего передают сертификат первого корреспондирующего пункта на второй корреспондирующий пункт, где его проверяют и при положительной проверке разделяют на идентификационное сообщение и электронную цифровую подпись идентификационного сообщения. Затем разделяют идентификационное сообщение первого корреспондирующего пункта на номер и опознавательный признак. Проверяют правильность опознавательного признака (проверка правильности опознавательного признака - проверка того факта, что объект действительно может (или должен) обладать данным признаком), и при положительной проверке запоминают номер первого корреспондирующего пункта. После чего на первом корреспондирующем пункте генерируют первое случайное число первого корреспондирующего пункта и передают его на второй корреспондирующий пункт, где принятое первое случайное число первого корреспондирующего пункта запоминают. Затем на обоих корреспондирующих пунктах формируют сеансовый ключ. Причем для формирования на первом корреспондирующем пункте сеансового ключа вычисляют базовые ключи аутентификации K_i ^l путем подстановки хранящегося номера второго корреспондирующего пункта в полиномы g_i ^[l](x) вместо аргумента x, где I - номер первого корреспондирующего пункта, а

Затем формируют ключ аутентификации путем конкатенации r базовых ключей аутентификации K_i ^l, а сеансовый ключ формируют с помощью ключа аутентификации, первого случайного числа первого корреспондирующего пункта и второго случайного числа второго корреспондирующего пункта. Для формирования на втором корреспондирующем пункте сеансового ключа вычисляют базовые ключи аутентификации K_i ^ll путем подстановки хранящегося номера первого корреспондирующего пункта в полиномы g_i ^[ll](x) вместо аргумента x, где II - номер второго корреспондирующего пункта, а

После чего формируют ключ аутентификации путем конкатенации r базовых ключей аутентификации K_i ^ll, а сеансовый ключ формируют с помощью ключа аутентификации, первого случайного числа первого корреспондирующего пункта и второго случайного числа второго корреспондирующего пункта. На втором корреспондирующем пункте в качестве вызывного сообщения используют первое случайное число второго корреспондирующего пункта. На первом корреспондирующем пункте после запоминания первого случайного числа второго корреспондирующего пункта генерируют второе случайное число первого корреспондирующего пункта, а ответное сообщение формируют путем конкатенации второго случайного числа первого корреспондирующего пункта и первого случайного числа второго корреспондирующего пункта. На втором корреспондирующем пункте после дешифрования принятого ответного сообщения его разделяют на второе случайное число первого корреспондирующего пункта и первое случайное число второго корреспондирующего пункта. Проверяют правильность первого случайного числа второго корреспондирующего пункта. При положительной проверке запоминают второе случайное число первого корреспондирующего пункта и шифруют его с помощью сеансового ключа. Передают зашифрованное второе случайное число первого корреспондирующего пункта на первый корреспондирующий пункт, где его дешифруют с помощью сеансового ключа, проверяют его правильность, а затем на обоих корреспондирующих пунктах формируют сеансовый ключ конфиденциальной связи. Причем сеансовый ключ конфиденциальной связи формируют с помощью сеансового ключа, второго случайного числа первого корреспондирующего пункта и первого случайного числа второго корреспондирующего пункта.This goal is achieved by the fact that in the known method of authentication of objects, namely, that first certificates and identification messages are generated on the authentication center for the first and second corresponding points, as well as the parameters of the electronic digital signature of the authentication center, the corresponding points are transmitted on the first and second identification messages and certificates to them and, in addition, the module and the public key of the electronic digital signature of the authentication center, then from the WTO The certificate of the second correspondent point is transmitted to the first correspondent point, the certificate accepted at the first correspondent point is checked and, if the check is positive, the first random number of the first corresponding point is generated, the first random number of the second corresponding point is generated, and the call message containing the first random number is encrypted using the session key the second offsetting point, and transmit the encrypted ringing message to the first offsetting point, where it is decrypted using the session key, the first random number of the second offsetting point is stored, a response message is generated, it is encrypted with the session key, and the encrypted response message is transmitted to the second offsetting point; where it is decrypted using the session key, the identification message of each of the corresponding points on the authentication center is formed by concatenating the number and the identification sign corresponding to the corresponding point (an identification sign is a sequence that carries information about some characteristic features of this corresponding point (for example, about its functions in telecommunication network). Then on the authentication center using the secret key of electronic digital signature for and The identification messages of the first and second corresponding points are formed by their electronic digital signatures. Then, the certificates of the first and second corresponding points are generated by concatenating the corresponding identification messages and their electronic digital signatures. After that, the authentication center authentication information and authentication information for the first and second are generated corresponding points. Moreover, for the formation of authentication information center ay identifications generate

nonzero random numbers, where l = 1, 2, 3 ... is the required resistance to compromise of authentication information, r = n / d, d is the bit depth of the computer, n is the required length of the authentication key in bits, and authentication information of the authentication center form by concatenating nonzero random numbers. To generate authentication information of the first and second corresponding points, the coefficients of the polynomials {g _i ^[N] (x)} of the form are calculated

Where

N is the number of the corresponding item, b _{i, kh} = b _{i, hk} ≠ 0 are the authentication information elements of the authentication center, and the authentication information of the corresponding item is formed by concatenating the coefficients of the polynomials {g _i ^[N] (x)} corresponding to its number. After the corresponding certificate is transferred to each corresponding point, the authentication information corresponding to them is transmitted to them via a secure channel. Then, upon a positive verification of the certificate of the second corresponding paragraph adopted at the first corresponding point, they divide it into an identification message and an electronic digital signature of the identification message. After that, the identification message of the second corresponding item is divided into a number and an identification sign. Check the correctness of the identification sign and with a positive check, remember the number of the second corresponding item. At the second offsetting point, a second random number of the second offsetting point is generated and transmitted to the first offsetting point, where it is stored. After that, the certificate of the first correspondent point is transferred to the second corresponding point, where it is checked and, if positive, it is divided into an identification message and an electronic digital signature of the identification message. Then, the identification message of the first corresponding item is divided into a number and an identification feature. Check the correctness of the identification sign (verification of the accuracy of the identification sign - verification of the fact that the object really can (or should) possess this sign), and with a positive check, remember the number of the first corresponding item. Then, at the first correspondent point, the first random number of the first corresponding point is generated and transmitted to the second corresponding point, where the received first random number of the first corresponding point is stored. Then, a session key is formed on both corresponding points. Moreover, to generate a session key on the first corresponding item, the basic authentication keys K _i ^l are calculated by substituting the stored number of the second corresponding item in the polynomials g _i ^[l] (x) instead of the argument x, where I is the number of the first corresponding item, and

Then, an authentication key is generated by concatenating r basic authentication keys K _i ^l , and a session key is generated using the authentication key, the first random number of the first corresponding item and the second random number of the second corresponding item. To generate a session key on the second corresponding item, the basic authentication keys K _i ^ll are calculated by substituting the stored number of the first corresponding item in the polynomials g _i ^[ll] (x) instead of the argument x, where II is the number of the second corresponding item, and

After that, the authentication key is generated by concatenating r basic authentication keys K _i ^ll , and the session key is generated using the authentication key, the first random number of the first corresponding item and the second random number of the second corresponding item. At the second corresponding point, the first random number of the second corresponding point is used as the ringing message. At the first corresponding point, after storing the first random number of the second corresponding point, a second random number of the first corresponding point is generated, and a response message is generated by concatenating the second random number of the first corresponding point and the first random number of the second corresponding point. At the second offsetting point, after deciphering the received response message, it is divided into a second random number of the first offsetting point and the first random number of the second offsetting point. Check the correctness of the first random number of the second corresponding item. A positive check remembers the second random number of the first corresponding item and encrypts it using a session key. The encrypted second random number of the first correspondent item is transmitted to the first corresponding item, where it is decrypted using the session key, it is checked for correctness, and then a confidential communication session key is generated at both of the corresponding points. Moreover, the confidential communication session key is formed using the session key, the second random number of the first corresponding item and the first random number of the second corresponding item.

 The specified new set of essential features due to the exclusion of transmission over an open communication channel with limited bandwidth of the encrypted session key and its formation at corresponding points independently of each other will increase the resistance to possible enemy attacks.

 The analysis of the prior art made it possible to establish that analogues that are characterized by a combination of features that are identical to all the features of the claimed solution are absent, which indicates the compliance of the claimed method with the condition of patentability "novelty". Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the prototype of the claimed method showed that they do not follow explicitly from the prior art. The prior art also did not reveal the popularity of the impact provided by the essential features of the claimed invention transformations to achieve the specified technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The claimed method is illustrated by figures, which show:
figure 1 - the General structure of the proposed method of authentication of objects;
figure 2 is a timing diagram of the formation of the parameters of the digital signature of the authentication center (CA);
figure 3 is a timing chart of the formation of the number of the first corresponding item (I KP);
figure 4 is a timing chart of the formation of the number of the second corresponding item (II KP);
figure 5 is a timing diagram of the formation of the identification sign I KP;
figure 6 is a timing diagram of the formation of the identification sign II KP;
figure 7 is a timing diagram of the formation of the identification message I KP;
figure 8 is a timing diagram of the formation of the identification message II KP;
figure 9 is a drawing explaining the procedure for the formation of the digital signature of the digital signature of the identification message I CP;
figure 10 is a figure explaining the procedure for the formation of the digital signature of the digital signature of the identification message of II KP;
figure 11 is a timing diagram of the formation of certificate I KP;
figure 12 is a timing diagram of the formation of certificate II KP;
figure 13 is a timing diagram of the generation of nonzero random numbers;
figure 14 is a timing diagram of the formation of authentication information (AI) CA;
figure 15 is a drawing explaining the procedure for calculating the coefficients of the polynomials {g _i ^[l] (x)} for the I CP;
figure 16 is a timing diagram of the formation of AI I KP;
figure 17 is a timing chart for calculating the coefficients of the polynomials {g _i ^[ll] (x)} for II KP;
figure 18 is a timing diagram of the formation of AI II KP;
figure 19 is a timing chart of the transfer of certificate II KP to I KP;
in figure 20 is a timing chart of the receipt at I KP certificate of II KP;
figure 21 is a drawing explaining the verification procedure for I KP certificate of II KP;
figure 22 is a timing chart explaining the procedure for dividing the certificate of II KP into I KP;
figure 23 is a timing diagram of the identification message II KP;
figure 24 is a timing chart of the digital signature of the identification message II KP;
figure 25 is a timing diagram of the number II KP;
figure 26 is a timing diagram of an identifying attribute II KP;
in figure 27 is a drawing explaining the procedure for checking the identification sign of II KP;
figure 28 is a timing diagram of the generation of a second random number II KP;
in figure 29 - timing diagrams of the transmission from the II KP and reception on the I KP of the second random number II KP;
in figure 30 is a timing chart of the transfer to II KP certificate I KP;
in figure 31 is a timing chart for receiving certificate I KP for II KP;
figure 32 is a drawing explaining the verification procedure for II KP certificate I KP;
figure 33 is a timing chart explaining the procedure for dividing the certificate I KP into II KP;
figure 34 is a timing diagram of the identification message I KP;
figure 35 is a timing chart of the digital signature of the identification message I KP;
figure 36 is a timing diagram of the number I KP;
figure 37 is a timing chart of an identifying attribute I KP;
figure 38 is a drawing explaining the verification procedure for the II CP identification mark I CP;
figure 39 is a timing chart for generating a first random number I KP;
in figure 40 - timing diagrams of the transmission from the I CP and reception on the II CP of the first random number I KP;
figure 41 is a drawing explaining the procedure for the formation of basic authentication keys I KP;
in figure 42 is a timing diagram of the formation of the authentication key I KP;
figure 43 is a drawing explaining the formation of the session key I KP;
figure 44 is a drawing explaining the procedure for the formation of basic authentication keys II KP;
figure 45 is a timing diagram of the formation of the authentication key II KP;
figure 46 is a drawing explaining the formation of the session key II KP;
figure 47 is a timing diagram of the generation of the first random number II KP;
figure 48 is a figure explaining the encryption of the ringing message on the II CP;
in figure 49 is a timing diagram of the transmission from II KP encrypted ringing message;
figure 50 is a timing chart of the reception on I KP encrypted ringing message;
figure 51 is a drawing explaining the decryption of the ringing message;
in figure 52 is a timing diagram of a second random number I KP received at II KP as part of a ringing message;
figure 53 is a timing chart of a response message;
figure 54 is a drawing explaining the encryption order on the II CP response message;
figure 55 is a timing diagram of the transmission of an encrypted response message;
in figure 56 is a timing diagram of an encrypted response message received at I KP;
figure 57 is a drawing explaining the decryption procedure for the I KP response message;
figure 58 is a timing chart of a second random number I KP, received as part of the response message;
figure 59 is a timing diagram of a first random number II KP received as part of a response message;
figure 60 is a drawing explaining the verification of the first random number II KP;
figure 61 is a drawing explaining the encryption order on the second CP of the second random number I CP;
figure 62 is a timing diagram of the transmission of an encrypted second random number I KP;
figure 63 is a timing diagram of the reception of an encrypted second random number on I CP;
figure 64 is a drawing explaining a decryption order for an IK received encrypted message;
figure 65 is a drawing explaining the verification procedure of the second random number I KP;
figure 66 is a drawing explaining the procedure for generating a confidential communication session key.

 In the presented figures, the number "I" denotes binary sequences belonging to the corresponding item, the number "II" - belonging to the second corresponding item. In the figures, the hatched pulse represents the binary symbol "I", and unshaded pulse represents the binary pulse "0". The abbreviations "prd" and "prm" mean the transmission and reception of a message, respectively.

 The implementation of the claimed method is as follows. The resistance of the authentication method of objects to possible enemy influences is determined by the resistance of the cryptographic information protection mechanisms (encryption and electronic digital signature) implemented in it. In public key cryptographic systems, the achievement of high strength is associated with an increase in the order of the numerical field in which the cryptographic conversion is performed, which, in turn, leads to an increase in the time of generation and transmission of converted messages and, therefore, requires an increase in the authentication time of objects. However, the amount of permissible authentication time for objects is determined by the requirements for a telecommunication system.

 One of the ways to increase resistance to possible adversary influences in conditions of limited authentication time is to eliminate or reduce the number of messages protected by public key cryptographic systems.

 The formation and mutual exchange of certificates containing EDS of identification messages is not advisable to exclude from the method, since they help to prevent “invading the middle” (“Invading the middle” impacts, in which the adversary connects to the communication path between legitimate correspondents and modifies messages transmitted by them in such a way that in the future they remain “transparent” for legitimate parties to control and modify the content of the information transmitted between them). Therefore, in order to increase resistance to possible influences, it is advisable to exclude encryption of the session key and its transmission in encrypted form via an open communication channel, and generate the session key independently on the corresponding points based on their numbers and pre-generated authentication information. The method that implements this principle can be represented in the form of the following steps (see FIG. 1): the preliminary step, the step of generating the session key, the step of authenticating the corresponding items, and the step of generating the session key of the confidential communication.

 The preliminary stage is the formation at the authentication center (CA) of its initial data, including the parameters of the digital signature of the CA and its authentication information (AI), the formation of the initial data of the corresponding points (KP), including identification messages, certificates and authentication information of the KP, the transfer to the KP of the corresponding source data.

 The stage of generating a session key consists in the mutual exchange of certificates, their verification and generation of a session key based on the numbers and authentication information of the KP.

 The authentication step of the correspondent points consists in forming, on the basis of the initial data, and sending messages, by analyzing which it is possible to make sure that the corresponding points are really who they say they are.

ненулевых случайных чисел (см. фиг.13), где l=1, 2, 3... - требуемая стойкость к компрометациям аутентификационной информации, r=n/d, d - разрядность вычислителя в битах, n - требуемая длина ключа аутентификации в битах. Формируют аутентификационную информацию ЦА путем конкатенации ненулевых случайных чисел (см. фиг.14). Вычисляют для каждого из КП коэффициенты полиномов {g_i ^[N](x)} (см. фиг.15а, 17а) вида

где

N - номер корреспондирующего пункта, b_i,kh=b_i,hk≠0 - элементы аутентификационной информации центра аутентификации. Формируют аутентификационную информацию первого и второго КП путем конкатенации соответствующих их номерам коэффициентов полиномов {g_i ^[N](x)} (см. фиг.16, 18). Затем передают на первый и второй КП соответствующие им идентификационные сообщения, сертификаты, а также модуль и открытый ключ ЭЦП ЦА. Причем их передача может производиться как по безопасному, так и по открытому каналу связи. Далее по безопасному каналу на каждый КП передают соответствующую ему аутентификационную информацию. Известные способы передачи последовательностей по каналам связи описаны, например, в книге Д. Зюко, Д. Кловский. М. Назаров, Л. Финк. Теория передачи сигналов. М.: Радио и связь, 1986, стр.11. На этом предварительный этап заканчивается.In the claimed method of authenticating objects to increase resistance to possible enemy influences, the following sequence of actions is implemented. Preliminarily, on the authentication center, the parameters of the digital signature of the digital signature are generated, including the module (see Fig. 2a), secret (see Fig. 2b) and public (see Fig. 2c) EDS keys. Known methods for forming the parameters of EDS are described, for example, in the book Romanets Yu.V., Timofeev P.A., Shangin V.F. Information Security in Computer Systems and Networks / Ed. V.F.Shangina. - M.: Radio and communications, 1999, pp. 162-171. Then form for each KP its number and identification sign (see Fig. 3-6). The number of the corresponding item is unique and can correspond to the registration number of KP in the network or assigned based on the generation of random numbers. Known methods for generating random numbers are described, for example, in the book of D. Knut. The art of computer programming. - M .: Mir, 1977, v. 2, p. 22. An identifying attribute is a sequence that carries information about some of the characteristic features of a given corresponding item (for example, about its functions in a telecommunication network). Features about which it is necessary to have information are selected based on the principles of building a telecommunication network. The formation of an identifying attribute is performed by presenting this information in binary code. Then, by concatenating the corresponding number and identification item, identification messages are generated for the first and second corresponding items (see Figs. 7, 8). Then, using the secret key of the digital signature of the CA (see Fig. 2b), the digital signature of the identification message I CP (see Fig. 9a) and II CP (see Fig. 10a) is formed. Known methods for forming EDS are described, for example, in the book Romanets Yu. V., Timofeev P.A., Shangin V.F. Information Security in Computer Systems and Networks / Ed. V.F. Shangina. - M .: Radio and communications. 1999, pp. 162-171. After that, the certificates of the first and second corresponding points are formed by concatenating the corresponding identification messages and their electronic digital signatures (see Figs. 11, 12). Generate

nonzero random numbers (see Fig. 13), where l = 1, 2, 3 ... is the required resistance to compromise of authentication information, r = n / d, d is the bit depth of the computer, n is the required length of the authentication key in bits. Authentication information of the CA is generated by concatenation of nonzero random numbers (see Fig. 14). The coefficients of the polynomials {g _i ^[N] (x)} (see Fig. 15a, 17a) of the form are calculated

Where

N is the number of the corresponding item, b _{i, kh} = b _{i, hk} ≠ 0 are the authentication information elements of the authentication center. The authentication information of the first and second CP is generated by concatenating the coefficients of the polynomials {g _i ^[N] (x)} corresponding to their numbers (see Figs. 16, 18). Then, the corresponding identification messages, certificates, as well as the module and the public key of the digital signature of the digital signature are transmitted to the first and second KP. Moreover, their transmission can be carried out both through a secure and open communication channel. Then, through the secure channel, authentication information corresponding to it is transmitted to each control unit. Known methods for transmitting sequences over communication channels are described, for example, in the book of D. Zyuko, D. Klovsky. M. Nazarov, L. Fink. Theory of signal transmission. M .: Radio and communications, 1986, p. 11. At this preliminary stage ends.

 If authentication is necessary (for example, at the beginning of a communication session), a certificate of II CP is transferred from the second to the first CP (see Fig. 19). At the first CP, the accepted certificate of II CP (see Fig. 20) is checked (see Fig. 21). Known methods for verifying a certificate are described, for example, in A. Menezes, P. van Oorschot, S. Vanstone. Handbook of Applied Cryptography. CRC Press, N.Y., 1996, p. 560. Then, with a positive verification of the received certificate, it is divided (see Fig. 22) into the identification message II of the CP (see Fig. 23) and an electronic digital signature of the identification message (see Fig. 24). Separate the identification message II KP (see Fig.23) on the number (see Fig.25) and the identification sign (see Fig.26). Check the correctness of the identification sign II KP (see Fig.27). At the same time, by checking the correctness of an identifying attribute is meant the verification of the fact that an object can indeed (or should) possess this attribute. For example, in communication networks with mobile objects, the object's functions (base station, mobile subscriber, etc.) can be selected as an identification feature. Then, when the mobile subscriber checks the identification of the correspondent who has contacted him, he makes sure that this correspondent is indeed a base station. Then, with a positive verification of the identification sign, the number of the second corresponding item is stored. Known methods for storing sequences are described, for example, in the book of L. Maltsev, E. Flomberg, V. Yampolsky. Basics of digital technology. M .: Radio and communications, 1986, p. 79.

 At the second CP, a second random number of the second corresponding item is generated (see FIG. 28). The second random number of the second gearbox is transmitted to the first gearbox (see Fig. 29), where it is stored. Then pass the certificate of the first KP to the second corresponding point (see Fig. 30).

 On II KP, the accepted certificate (see Fig. 31) is checked (see Fig. 32). In case of a positive check, the certificate I KP (see Fig. 33) is divided into the identification message I KP (see Fig. 34) and the electronic digital signature of the identification message (see Fig. 35). Then, the identification message I KP (see Fig. 34) is divided into a number (see Fig. 36) and the identification sign of I KP (see Fig. 37). Check the correctness of the identification sign (see Fig. 38) and with a positive check, remember the number of the first corresponding item.

 At I CP, the first random number of the first corresponding item is generated (see FIG. 39) and transmitted to II corresponding item (see FIG. 40), where it is stored. Further, a session key is formed on both corresponding points.

Формируют ключ аутентификации (см. фиг. 42) путем конкатенации r базовых ключей аутентификации K_i ^l (см. фиг. 41б, в). Далее сеансовый ключ формируют (см. фиг.43а) с помощью ключа аутентификации (см. фиг. 42), первого случайного чиста первого корреспондирующего пункта (см. фиг.39) и второго случайного числа второго корреспондирующего пункта (см. фиг.29б). Например, формирование сеансового ключа может быть выполнено путем побитного сложения по модулю два последовательности ключа аутентификации с последовательностями первого случайного числа I КП и второго случайного числа II КП.To generate a session key on the first KP, the basic authentication keys K _i ^l are calculated (see Fig. 41a) by substituting the stored number of the second KP (see Fig. 25) into the polynomials {g _i ^[l] (x)} instead of the argument x, where I is the number of the first corresponding item, and

An authentication key is generated (see Fig. 42) by concatenating r basic authentication keys K _i ^l (see Fig. 41b, c). Next, the session key is generated (see Fig. 43a) using the authentication key (see Fig. 42), the first random clean of the first corresponding item (see Fig. 39) and the second random number of the second corresponding item (see Fig. 29b) . For example, the formation of a session key can be performed by bitwise addition modulo two sequences of the authentication key with sequences of the first random number I KP and the second random number II KP.

Формируют ключ аутентификации (см. фиг.45) путем конкатенации r базовых ключей аутентификации K_i ^ll (см. фиг.44б, в). Далее сеансовый ключ формируют (см. фиг.46а) с помощью ключа аутентификации (см. фиг.45), первого случайного числа I КП (см. фиг.40а) и второго случайного числа II КП (см. фиг.28). На этом этап формирования сеансового ключа заканчивается.To generate a session key on the second KP, the basic authentication keys K _i ^ll are calculated by substituting the stored number of the first KP (see Fig. 36) into polynomials g _i ^[ll] (x) instead of the argument x (see Fig. 44a), where II - number of the second gearbox,

An authentication key is generated (see Fig. 45) by concatenating r basic authentication keys K _i ^ll (see Fig. 44b, c). Next, the session key is generated (see Fig. 46a) using the authentication key (see Fig. 45), the first random number I KP (see Fig. 40a) and the second random number II KP (see Fig. 28). At this stage, the formation of the session key ends.

 At the authentication step of the correspondent points, the first random number is generated in the second CP (see Fig. 47). The first random number II KP is used as a ringing message, which is encrypted using a session key (see Fig. 48a). Known encryption methods with a symmetric key are described, for example, in the book Romanets Yu.V., Timofeev P.A., Shangin V.F. Information Security in Computer Systems and Networks / Ed. V.F.Shangina. - M.: Radio and Communications, 1999, pp. 106-120. The encrypted ringing message (see Fig. 48b) is transmitted (see Fig. 49) to the first corresponding point, at which the received message (see Fig. 50) is decrypted using the session key (see Fig. 51a) and stored. Known decryption methods with a symmetric key are described, for example, in the book Romanets Yu.V., Timofeev P.A., Shangin V.F. Information Security in Computer Systems and Networks / Ed. V.F. Shangina. - M.: Radio and Communications, 1999, pp. 106-120. Then, a second random number I KP is generated at the I CP (see FIG. 52). A response message is generated (see FIG. 53) by concatenating the first random number II of the CP (see FIG. 51 b) and the second random number I of the CP (see FIG. 52). The response message is encrypted using a session key (see Fig. 54a). An encrypted response message is transmitted to II CP (see FIG. 55).

 At II KP, the received message (see Fig. 56) is decrypted using a session key (see Fig. 57a). The decrypted response message (see Fig. 57b) is divided into a second random number I KP (see Fig. 58) and the first random number II KP (see Fig. 59). Then check the correctness of the first random number II KP (see Fig. 60). Moreover, under the verification of correctness in this case we mean the bitwise equality of the sequences of the generated random number (see Fig. 47) and received as part of the response message (see Fig. 59). Known bitwise comparison methods are described, for example, in the book of P. Horovets, W. Hill. The art of circuitry. M.: Mir, t. 1, 1983, p. 212. With a positive check, the second random number I KP is stored (see Fig. 58) and encrypted with a session key (see Fig. 61). Next, the encrypted second random number is transmitted to I KP (see Fig.62).

 At the first CP, the received encrypted message (see Fig. 63) is decrypted using a session key (see Fig. 64a). Then check the correctness (see Fig. 65) of the decrypted second random number I KP. At this point, the authentication step for the corresponding items ends.

 If the second random number is checked positively at I KP, a confidential communication session key is generated at both corresponding points (see Fig. 66a) using a session key (see Fig. 43b, 46b), a second random number of the first corresponding item (see Fig. .52, 64b) and the first random number of the second corresponding item (see Fig. 47, 59). For example, the formation of a confidential communication session key can be performed by bitwise modulo-adding two sequences of a session key with sequences of a second random number I KP and a first random number II KP.

 In the case of a negative result of any of the above checks, the connection between the corresponding points is broken.

 Thus, by eliminating the transmission of an encrypted session key through an open communication channel with limited bandwidth and generating it at corresponding points, independently of each other, it will increase the resistance of the authentication method of objects to possible enemy influences.

Claims (5)

 1. The method of authentication of correspondents, which consists of first generating certificates and identification messages for the first and second corresponding points on the authentication center, as well as parameters for the electronic digital signature of the authentication center, transmitting the corresponding identification messages and certificates to the first and second corresponding points and in addition, the module and the public key of the electronic digital signature of the authentication center, then from the second to the first corresponding point the certificate of the second corresponding point is checked, the certificate accepted at the first corresponding point is checked and, if the check is positive, the first random number of the first corresponding point is generated, the first random number of the second corresponding point is generated, the call message containing the first random number of the second corresponding point is encrypted using the session key and transmitted the encrypted call message to the first corresponding point, where it is decrypted using the session key, the first random number of the second correspondent point is remembered, a response message is generated, it is encrypted using a session key and an encrypted response message is transmitted to the second offset point, where it is decrypted using a session key, characterized in that the identification message of each of the corresponding points on the authentication center is formed by concatenating the number corresponding to the corresponding item and the identification sign, after which, at the authentication center, using the secret The electronic digital signature key for the identification messages of the first and second corresponding points is formed by their electronic digital signatures, then the certificates of the first and second corresponding points are generated by concatenating the corresponding identification messages and their electronic digital signatures, after which authentication information of the authentication center is generated on the authentication center and authentication information for the first and second corresponding points, after being transferred to Each correspondent clause of the corresponding certificate is transmitted to them via a secure channel the authentication information corresponding to them, then, upon a positive verification of the certificate of the second corresponding clause received at the first correspondent clause, they are divided into an identification message and an electronic digital signature of the identification message, the identification message of the second corresponding clause is divided into a number and identification tag, verify the identity of the sign and with a positive check remember the number of the second correspondent point, at the second corresponding point generate the second random number of the second corresponding point and transfer it to the first correspondent point, where it is remembered, then transfer the certificate of the first corresponding point to the second correspondent point, where it is checked and in case of a positive check, they are divided into an identification message and an electronic digital signature of the identification message, then a typification message of the first corresponding item to the number and the identification sign, check the correctness of the identification sign, and if the check is positive, remember the number of the first corresponding item, after which the first random number of the first corresponding item is generated and transmitted to the second corresponding item, where the first a random number of the first corresponding item is remembered, and then session sessions are formed on both of the corresponding items the first key, moreover, at the second offsetting point, the first random number of the second offsetting point is used as a ringing message, at the first offsetting point, after storing the first random number of the second offsetting point, the second random number of the first offsetting point is generated, and the response message is generated by concatenating the second random number of the first corresponding item and the first random number of the second corresponding item, at the second corresponding item After deciphering the received response message, it is divided into the second random number of the first corresponding item and the first random number of the second corresponding item, the correctness of the first random number of the second corresponding item, and in case of a positive check, the second random number of the first corresponding item is stored and encrypted using the session key transmit the encrypted second random number of the first corresponding item to the first corresponding item, where it they are decrypted using the session key, verify its correctness, and then a confidential communication session key is formed on both corresponding points. 2. The method according to p. 1, characterized in that to generate authentication information of the authentication center generate

nonzero random numbers, where l = 1, 2, 3.. . is the required resistance to compromise of authentication information, r = n / d, d is the bit depth of the computer in bits, n is the required length of the authentication key in bits, and authentication information of the authentication center is formed by concatenating nonzero random numbers. 3. The method according to any one of paragraphs. 1 and 2, characterized in that in order to generate authentication information of the first and second corresponding points, the coefficients of the polynomials {g _i ^[N] (x)} of the form are calculated

Where

N is the number of the corresponding item, b _{i, kh} = b _{i, hk} ≠ 0 are the authentication information elements of the authentication center, and the authentication information of the corresponding item is formed by concatenating the coefficients of the polynomials {g _i ^[N] (x)} corresponding to its number. 4. The method according to p. 3, characterized in that for the formation of the first corresponding item of the session key, the basic authentication keys K _i ^I are calculated by substituting the stored number of the second corresponding item in the polynomials g _i ^[I] (x) instead of the argument x, where I - number of the first corresponding item, and

the authentication key is generated by concatenating r basic authentication keys K _i ^I , the session key being generated using the authentication key, the first random number of the first corresponding item and the second random number of the second corresponding item, and the basic authentication keys K are calculated on the second corresponding item of the session key _i ^II by substituting the stored number of first corresponding points in the polynomials g _i ^[II] (x) instead of the argument x, where II - a second number korrespondiruyuscheg points and

generating an authentication key by concatenating r basic authentication keys K _i ^II , wherein the session key is generated using the authentication key, a first random number of the first corresponding item and a second random number of the second corresponding item.  5. The method according to any one of paragraphs. 1-4 characterized in that the confidential communication session key is generated using the session key, a second random number of the first corresponding item and the first random number of the second corresponding item.

Images