TWI381696B - Authentication based on asymmetric cryptography utilizing rsa with personalized secret - Google Patents

Info

Publication number: TWI381696B
Authority: TW (Taiwan)
Prior art keywords: user, key, public, workstation, digital signature
Application number: TW95143961A
Other languages: Chinese (zh)
Other versions: TW200818835A (en)
Inventor: Jing Jang Hwang
Original Assignee: Univ Chang Gung
Priority claimed from: US 11/543,875 (US7958362B2)
Application filed by Univ Chang Gung
Publication of TW200818835A
Application granted
Publication of TWI381696B

Description

User authentication based on RSA asymmetric cryptography utilizing a personalized secret

The technical field of this patent application is "user authentication" within information security, in particular user-authentication methods and systems for all kinds of digital devices, systems and networks.

A cryptosystem uses cryptographic keys (crypto keys) in its cryptographic computations. In a cryptosystem based on asymmetric cryptography, such as the RSA (Rivest, Shamir, Adleman) system, keys are generated as a pair consisting of a public key and a private key. The use of a "public/private key pair" gives rise to two applications. In one, the private key serves as a signing key that produces a digital signature on a digital message, and the public key serves as a verification key that checks whether a given value is a correct signature; in the other, the public key serves as an encryption key that transforms plaintext into ciphertext, and the private key serves as the decryption key that transforms the ciphertext back into plaintext.

A user who produces digital signatures must keep the signing key confidential, and a recipient of ciphertext must keep the decryption key confidential. The private key is therefore a secret. Although the private key is a value related to the public key, disclosing the public key must not reveal the secret of the corresponding private key. Because of this confidentiality requirement, the computational infeasibility of deriving the private key from the public key is a necessary condition for the security of an asymmetric cryptosystem.

In the RSA method the computations use modular arithmetic, and the modulus is the product of two primes. The computational difficulty of deriving the private key from the public key stems in part from the absence of an efficient algorithm for factoring the product of two primes back into those primes. In RSA, a public/private key pair has a specific relationship with the two secret primes from which it was generated; this relationship prevents the user from choosing the private key freely, and it further restricts changes to the private key, since changing the private key requires going back through the key-pair generation process.

The background of RSA is described below.

The RSA cryptosystem is described in U.S. Patent No. 4,405,823 and in the paper by Rivest, Shamir and Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, vol. 21 (1978), pp. 120-126. Several international standards now teach this asymmetric cryptography, including PKCS #1: RSA Cryptography Standard, Nov. 1993 (v1.5) and June 2002 (v2.1), and IEEE Std 1363-2000: IEEE Standard Specification for Public-Key Cryptography; the documents are available from the RSA Laboratories and IEEE websites respectively. They cover key generation, encryption, decryption, signature generation, signature verification and related techniques.

RSA computations involve modular arithmetic, which is defined as follows: if x and y are two integers and a positive integer z divides (x-y), then x and y are said to be congruent modulo z, written x ≡ y (mod z); the positive integer z is called the modulus of the congruence.

The RSA key generation process given in PKCS #1 v1.5 is summarized as follows:

(1) Choose a positive integer e as the encryption exponent, also called the public exponent.

(2) Randomly choose two distinct odd primes p and q such that both p-1 and q-1 are coprime to e.

(3) Take the public modulus to be the product of p and q, that is, n = p × q.

(4) Choose a private exponent, denoted d, such that both p-1 and q-1 divide d × e - 1.

The RSA public exponent e and modulus n are used to encrypt a plaintext integer m: the ciphertext integer c is obtained by computing c ≡ m^e (mod n), where m is assumed to be less than n. The private exponent d and modulus n decrypt the ciphertext c back to the plaintext m by computing m ≡ c^d (mod n).

Some cryptosystems, for example the encryption systems built on the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols, combine symmetric and asymmetric cryptography. In such a hybrid system, one party encrypts a randomly generated secret with an RSA public key, and the other party decrypts it with the corresponding RSA private key to recover that random secret; both parties then use the same random secret as a symmetric cryptographic key and communicate confidentially using symmetric cryptography. The symmetric crypto key shared in this process is called the session key and is a randomly generated number. The procedure is known as secret-key exchange; for details see RFC 2246 and related documents on the Internet Engineering Task Force website.

The RSA private exponent d and modulus n can be used to produce a digital signature. First, a digital message M is passed through a collision-resistant hash function to produce a message digest of M, written hash(M); the digital signature on M is then obtained by computing hash(M)^d (mod n), written signature(M).

The RSA public exponent e and modulus n are used to verify whether a value is a correct digital signature. Suppose a verifier receives M ∥ SGN, where M is a digital message, ∥ denotes the concatenation of two messages, and SGN is a digital signature value appended to M. The verifier first computes hash(M) with the chosen collision-resistant hash function, then uses the public key (n, e) to compute SGN^e mod n and compares the result with hash(M); if the two are equal, SGN is a correct signature.

The collision-resistant hash function used to verify a signature must be the same one used to generate it, namely the function denoted by the symbol hash.

Generating a digital signature uses a hash function. A hash function is deterministic (not probabilistic): its output is completely determined by its input. A hash function used for digital signatures must be collision-resistant, meaning that it is very hard to find two different inputs that produce the same output. A collision-resistant hash function also has the necessary property of being one-way: given an output value, it is very hard to find an input that hashes to that value. In addition, the hash function should be usable as a mask generation function producing pseudorandom output, meaning that given only part of the output and not the input, predicting the remaining part of the output is infeasible. The PKCS #1 v2.1 standard recommends six hash functions with these properties for different implementation needs: MD2, MD5, SHA-1, SHA-256, SHA-384 and SHA-512.

The output of a hash function is called the hash value; it is also called the hash digest or the message digest.

The use of asymmetric cryptography raises an important question. How can a user of a public key, such as the verifier of a digital signature or the sender of a confidential message, know that the public key is authentic? An impostor might trick a verifier into accepting an incorrect digital signature as correct, or trick a sender into encrypting a confidential message under a forged public key so that the impostor can obtain the message. Public-key certificates, also known as digital certificates, provide a solution.

Abstractly, a public-key certificate contains three main parts: a public key, the distinguished name of an entity, and the digital signature of a certification authority. The certificate thus binds the public key to the entity's distinguished name, asserting that the public key belongs to the named entity and that the entity holds the matching private key. By verifying the certification authority's digital signature on the certificate, a user of the public key can confirm this binding. A Certification Authority (CA) is a trusted institution whose main function is to sign and issue public-key certificates; revoking certificates and publishing the revoked ones is also part of its responsibility.

Asymmetric cryptosystems have existed for some time but have not been adopted as widely as expected. For example, users still commonly log in to systems with passwords, which involves no public/private key pair at all. One reason is that the infrastructure for determining whether a certificate is valid is difficult to build and operate, and the inflexibility of changing private keys makes this work more complicated still. There is therefore a need to reduce the complexity of public-key infrastructure.

In certain settings a digital message may need to be signed by several signers and verified by a single verifier; multisignature techniques were created to meet this need. See Colin Boyd, "Digital Multisignatures," in Cryptography and Coding (H. J. Becker and F. C. Piper, Eds.), Oxford University Press, 1989, pp. 241-246. U.S. Patent No. 6,209,091 describes two multisignature systems: (1) a multiplicative multisignature system in which the partial signatures are performed in sequence, and (2) an additive multisignature system in which the partial signatures need not be performed in any order. These and other related results share one advantage: the signing operation no longer uses the private key, because the digital signature is computed from several partial signatures, each of which is computed from the digital message and a signing subkey. Once the signing subkeys have been derived from the private key, the private key no longer exists, so its confidentiality is well protected.

Building on multisignature techniques, Ravi Ganesan et al. created split-private-key cryptosystems; see U.S. Patent Nos. 5,535,276, 5,557,678, 5,905,799 and others, in which the private key is split into a first partial private key and a second partial private key. With the private key in two parts, an asymmetric cryptosystem gains at least two advantages: first, splitting the secret into two separately protected parts strengthens the confidentiality of the private key; second, the user can use a short secret key while the underlying cryptosystem actually uses a longer, secure private key. The first benefit follows from the traditional wisdom of secret protection. The second has particular significance, partly because a short RSA secret exponent can be broken by special cryptanalytic methods; see M. J. Wiener, "Cryptanalysis of Short RSA Secret Exponents," IEEE Trans. on Information Theory, May 1990, vol. 36, no. 3, pp. 553-558. More recently there has been further progress in the cryptanalysis of short RSA private exponents; see Dan Boneh and Glenn Durfee, "Cryptanalysis of RSA with Private Key d Less Than N^0.292," IEEE Trans. on Information Theory, July 2000, vol. 46, no. 4, pp. 1339-1349.

Multisignature and private-key-splitting techniques increase the value of RSA in both security and user convenience. The inflexibility of changing the private key, however, has not been overcome. To change the parts of a private key, the user must still rely on one of two methods: first, obtain the two partial private subkeys, restore the original private key and split it again; or second, generate a new public/private key pair and split the new private key.

Restoring the original private key is undesirable, because it violates the principle of secret splitting and requires special protective measures to prevent the restored secret from leaking during the restoration process. Generating a new public/private key pair should also be avoided: it is more complicated than generating the initial pair, because revoking the superseded public-key certificate adds extra cost.

In private-key-splitting techniques, therefore, a more efficient and more flexible method is needed for updating the parts of the private key.

Digital signatures can be applied to user authentication. Suppose a user on the user side requests a login from the system side. The system side sends a random message to the user side as a challenge; the user side computes a digital signature on the challenge and returns it as the response; when the system side verifies the response and finds it to be a correct digital signature, it allows the user to log in. For a detailed description see "ISO/IEC 9798-3:1998, Information technology - Security techniques - Entity authentication - Part 3: Mechanisms using digital signature techniques."
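The following Python program is added here as an illustration; it is not part of the patent, nor code from any of the standards it cites. It carries the PKCS #1 v1.5 key-generation steps listed above (choose e, choose odd primes p and q coprime to e, n = p × q, d with d × e - 1 divisible by p-1 and q-1) through to encryption, decryption, signing with hash(M)^d mod n, verification with SGN^e mod n, and the ISO/IEC 9798-3 style challenge-and-response login just described. Everything labelled as an assumption in the comments is mine: the primes P and Q are constructed toy values (real keys use primes of at least 1024 bits), SHA-256 serves as the collision-resistant hash, and the digest is reduced modulo n so that the toy modulus can sign it, whereas real implementations apply PKCS #1 encoding to the digest and never reduce it.

```python
import hashlib
import math
import secrets

# Constructed toy parameters (assumption): two distinct odd primes and the
# common public exponent 65537. Real RSA keys use primes of 1024 bits or more.
P = 1000003
Q = 1000033
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Steps (1)-(4) of the PKCS #1 v1.5 key generation outlined in the text.

    Returns ((n, e), d): the public key and the private exponent.
    """
    # Step (2): p-1 and q-1 must both be coprime to e, otherwise no d exists.
    if math.gcd(p - 1, e) != 1 or math.gcd(q - 1, e) != 1:
        raise ValueError("e must be coprime to p-1 and q-1")
    # Step (3): the public modulus.
    n = p * q
    # Step (4): d*e - 1 divisible by both p-1 and q-1, i.e. d*e = 1 mod lcm(p-1, q-1).
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    d = pow(e, -1, lam)
    assert (d * e - 1) % (p - 1) == 0 and (d * e - 1) % (q - 1) == 0
    return (n, e), d


def encrypt(public_key, m):
    """c = m^e mod n; the text assumes the plaintext integer m is below n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer below n")
    return pow(m, e, n)


def decrypt(public_key, d, c):
    """m = c^d mod n."""
    n, _ = public_key
    return pow(c, d, n)


def digest_int(public_key, message):
    """hash(M) as an integer. Reducing modulo n is a toy-key simplification
    (assumption); real implementations use PKCS #1 encoding of the digest."""
    n, _ = public_key
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(public_key, d, message):
    """signature(M) = hash(M)^d mod n."""
    n, _ = public_key
    return pow(digest_int(public_key, message), d, n)


def verify(public_key, message, sgn):
    """SGN^e mod n must equal hash(M), computed with the same hash function."""
    n, e = public_key
    return pow(sgn, e, n) == digest_int(public_key, message)


def system_login(public_key, respond):
    """System side of the signature-based login: send a fresh random challenge
    and accept only if the returned value is a correct signature on it under
    the registered public key. `respond` plays the user workstation."""
    challenge = secrets.token_bytes(32)
    response = respond(challenge)
    return verify(public_key, challenge, response)


if __name__ == "__main__":
    public_key, d = generate_keypair()
    c = encrypt(public_key, 123456789)
    print("decrypts correctly:", decrypt(public_key, d, c) == 123456789)
    print("login with the registered private exponent:",
          system_login(public_key, lambda ch: sign(public_key, d, ch)))
    print("login with a wrong private exponent:",
          system_login(public_key, lambda ch: sign(public_key, d + 1, ch)))
```

The system side never sees d: it generates the challenge, receives only the signature, and decides with (n, e). A wrong private exponent yields a value whose e-th power does not match hash(challenge), so the login is refused without any secret being compared.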

This kind of login has an advantage. Provided the public/private key pair was generated to meet the security requirements, the public key lets the system side verify the response from the user side, while its disclosure does not compromise the confidentiality of the user's private key. As noted earlier, the private key is a computer-generated secret rather than one chosen by the user. It is therefore usually stored on a physical token such as an IC card and accessed with the user's personal identification number (PIN). Such applications typically require additional hardware cost, including the user's IC card and card reader and the equipment needed to manufacture the cards. Moreover, newer cryptanalytic techniques such as timing analysis and fault analysis attacks have been developed that can be used to extract private keys from IC cards.

By contrast, today's prevalent login procedures, including those implemented in the Windows NT and UNIX families of systems, use passwords and symmetric cryptography. The process can be described as follows. On the system side, an authentication database holds the identification data of registered, legitimate users together with the hash digest of each user-chosen password. On the user side, a user requests a login and enters an identity and a password; the entered password is passed through the same hash function to produce a new hash digest, but neither this digest nor the entered password is sent to the system being logged in to. Instead, the system generates a random message as a challenge to test whether the user side's new hash digest was produced from the correct password. The challenge is sent to the user side, which uses the new hash digest as an encryption key to encrypt the received challenge, producing a response. The system then takes the claimed user's password hash digest from the authentication database and uses it as the decryption key to decrypt the received response. If the decrypted result equals the original challenge, the login is deemed successful.
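The password-digest login described above, written out as an added Python example that is not part of the patent and not the code of any Windows NT or UNIX implementation. Two assumptions are mine and marked in the comments: the authentication database is a constructed in-memory dictionary, and HMAC-SHA256 keyed with the password digest stands in for the symmetric cipher, so the system side recomputes the expected response from the stored digest rather than decrypting the received one; the decision rule is the same.

```python
import hashlib
import hmac
import secrets

# Constructed authentication database (assumption): user id -> hash digest of
# the user-chosen password. The system side stores only the digest.
AUTH_DB = {}


def password_digest(password):
    """The hash digest computed from a password on either side."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def register(user_id, password):
    """Registration: the system records the user's identification data and
    the digest of the chosen password, never the password itself."""
    AUTH_DB[user_id] = password_digest(password)


def system_challenge():
    """System side: a fresh random message for each login request."""
    return secrets.token_bytes(16)


def user_response(entered_password, challenge):
    """User side: the digest of the entered password keys the transform of
    the challenge. HMAC-SHA256 stands in for the symmetric cipher (assumption).
    Note that only the digest is needed here, not the password itself."""
    key = password_digest(entered_password)
    return hmac.new(key, challenge, hashlib.sha256).digest()


def system_verify(user_id, challenge, response):
    """System side: recompute the expected response from the stored digest
    and compare in constant time; unknown users are rejected the same way."""
    stored = AUTH_DB.get(user_id)
    if stored is None:
        return False
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def login(user_id, entered_password):
    """The whole exchange: challenge out, response back, verdict."""
    challenge = system_challenge()
    response = user_response(entered_password, challenge)
    return system_verify(user_id, challenge, response)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("right password:", login("alice", "correct horse battery staple"))
    print("wrong password:", login("alice", "wrong password"))
    print("unknown user:", login("mallory", "anything"))
```

The structure makes the weaknesses the text goes on to discuss visible: `user_response` needs only the digest, so whoever holds the stored digest can log in without the password, and because the challenge travels in the clear, a captured challenge/response pair is enough to test password guesses offline against `user_response`. Defences belong on the system side (rate limiting and lockout on `system_verify`, protecting the database that holds `AUTH_DB`), which is the gap the patent's signature-based approach aims to close.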

Although password-based user authentication as described above is widely used, several security weaknesses remain to be overcome. One threat to password security is theft of passwords by Trojan horse programs. A Trojan is intrusive code planted in a computer by an attacker: the compromised computer appears to operate normally, while the hidden Trojan performs unauthorized actions such as logging keystrokes and sending the log to an external computer. Attackers can use Trojan intrusion techniques to steal confidential information.

Dictionary attacks also expose the weakness of passwords. Among the known dictionary attacks, the exhaustive dictionary attack is one of the hardest to defend against: the attacker takes a single password guess and tries it against every user account. If the attacker obtains the authentication database, the exhaustive dictionary attack can be carried out offline and is likely to succeed, because ordinary users usually choose weak, easily remembered passwords, which can be placed at high priority in the attacker's dictionary. The online exhaustive dictionary attack is another form, in which the exhaustive guessing is performed online. If the system being logged in to includes a lockout mechanism that limits the number of attempts, online attacks against a single user account are usually less likely to succeed, but an online exhaustive dictionary attack has a chance of evading that lockout defense, because each guess is tried once against every account rather than repeatedly against a single account. In addition, an online exhaustive dictionary attack can also bring down the system's service.

Another dictionary attack, called the encryption dictionary attack, is described as follows. An eavesdropper may capture a challenge/response pair; by definition, the response is computed by encrypting the challenge with the hash digest of the entered password as the key. The attacker can therefore guess the password offline: taking PWD as a guess, the attacker encrypts the challenge using the hash value of PWD as the key and compares the resulting ciphertext with the captured response to determine whether PWD is correct. This dictionary attack is very threatening.

Furthermore, a determined attacker can develop custom login software that accepts a hash digest value directly as input instead of a password. With such software, an attacker who obtains the correct hash digest can log in easily without ever needing to recover the password.

Because password-based user authentication systems remain prevalent in ordinary information systems, there is a real need to defend them against known attacks so that users can continue to use the familiar password systems conveniently and with confidence.

Based on asymmetric-key cryptography and two published patent applications, this application describes example methods, techniques, devices and systems for digital user authentication. The first is U.S. Patent Application Publication No. 20060083370, entitled "RSA with personalized secret"; the second is U.S. Patent Application Publication No. 20060036857, entitled "User authentication by linking randomly-generated secret with personalized secret".

This application refers to the two published applications "RSA with personalized secret" and "User authentication by linking randomly-generated secret with personalized secret" as the first and second publications respectively. The first publication was also published by the Intellectual Property Office of the Republic of China under the title "RSA Cryptography Method and System Using a Personalized Secret", publication number 200629856.

The methods and techniques described in this application may be designed into an authentication system that uses a challenge-and-response procedure to achieve secure communication between the user side and the system side.

This application assumes that a user at a user workstation requests a login to a system workstation. The system workstation is a computer system, often referred to simply as a system or a system station; the user workstation is a personal computer, or any device with cryptographic computing capability that can communicate with other computing devices. The terms "system side" and "user side" are also used in this text.

One example method uses two authenticators to verify a user requesting a login to a computer system. One authenticator is a personalized secret, such as a password chosen by the user; the other is a crypto-key authenticator generated by a cryptographic key generation procedure described in the first publication. The two authenticators are linked: the key generation procedure takes the personalized secret and two primes as input and produces a trio consisting of a public modulus, a public exponent and a private-key-dependent exponent, which serves as the crypto-key authenticator. The user must supply both authenticators to be granted a login to the computer system.

In one embodiment, a user requesting a login to a computer system uses a first input and a second input to produce a digital signature in response to a challenge from the computer system. The digital signature is valid when the first and second inputs respectively match the first and second authenticators held by the user; consequently, the validity of the digital signature determines whether the inputs match the authenticators, and thereby whether the login request is granted or denied.

In this embodiment, the computer system uses a public key to verify a received digital signature. In another embodiment, the digital signature is also verified on the user side before it is placed into a response message. The public key used for verification on the user side consists of the public modulus and the public exponent from the crypto-key trio, and the same public key must be used on the system side.

In one embodiment, the user workstation obtains the crypto-key authenticator automatically; that is, the workstation is programmed to retrieve the crypto-key trio from persistent memory without an explicit instruction from the user. In this embodiment the workstation is further programmed to accept a password input from the user as a request to log in to a computer system and to use that password input to produce a digital signature; the computer system is programmed to use verification data to decide whether the digital signature is valid and, if it is, to conclude that the entered password matches a previously chosen password and to grant the login accordingly. Here the verification data is a public key, and the user chooses the password independently, that is, the choice of password does not depend on any information about the public key. Both the password and the public key are determined during a registration phase.

The user must be assured that the system end uses the correct public key to verify digital signatures. This application further proposes a business method that replaces the conventional approach of assuring the authenticity of a public key with a digital public-key certificate. Under this business method the user registers a public key at the system end and receives a registration confirmation. The registration confirmation states which public key was registered and assures the user that the system end is obliged to use that public key when verifying digital signatures; should a dispute arise, the user can point to the registered public key under this agreement and on that basis repudiate any incorrect digital signature that the system end wrongly accepted.

This application further extends the registration confirmation to include an assurance for the system end: if the validity of a digital signature can be established with the public key recorded in the registration confirmation, the user cannot repudiate that signature. In this extended method the registration confirmation becomes a legal agreement between the user and the system end.

One embodiment supplements the business method above with a procedure that checks the public key online. This procedure assures the user that the public key used by the computer system it is communicating with is the same one used at the user end.

This application further describes user authentication in a network with multiple computer systems, including example methods, techniques, apparatus and systems.

In one example method, a user chooses a passcode and uses it together with an aggregate authenticator to log in to every system on the network. The aggregate authenticator contains multiple individual user authenticators, each corresponding to an individual system on the network. In one embodiment, each record in the aggregate authenticator contains a crypto-key trio, an identifier of the user, and an identifier of the system to which that record corresponds. Each crypto-key trio is related to the passcode chosen by the user; the key-generation procedure that establishes this relation is described in what is referred to as the first publication: the passcode and a separate pair of primes are used to produce three outputs that form the crypto-key trio of an individual record in the aggregate authenticator.

In the example method above, the chosen passcode and the aggregate authenticator are the user's two authentication factors. At the system end, the user is allowed to register a different public key with each computer system; the user can therefore log in to different computer systems with one and the same passcode, while each computer system verifies the digital signature with its own public key to decide whether that single passcode was used.

This application also describes an article comprising a machine-readable medium storing machine-executable instructions for user authentication based on asymmetric cryptography, the instructions directing a machine to: send a login request to a computer system; receive a challenge message from the computer system; use a first input, a second input and the challenge message received from the computer system as inputs to a transformation that produces a digital signature; send the digital signature together with a user identifier to the computer system; and receive from the computer system its decision on whether to permit the login, that decision being the result of verifying the digital signature on the computer system with a registered public key that corresponds to the user identifier.

In one embodiment, the machine that executes the instructions above is a personal computer. It may also be another user-end system or device, such as a personal digital assistant (PDA) or a mobile phone with computing and communication capability.

From the user's point of view, some embodiments behave just like a conventional passcode system, but there is a technical difference: in a conventional system a hash value of the passcode is stored and used to verify passcode input, whereas in the method of this application, verifying the correctness of the digital signature generated from the passcode input verifies the correctness of the passcode input itself.

The objectives described in this application will be better understood by those skilled in the art after reading the detailed description of the preferred embodiments that follows.

The general description above and the detailed description below are examples of the subject matter of this invention, given to further explain the scope of the claims.

The examples, embodiments and variations above, and others, are explained in more detail in the drawings, detailed description and claims that follow. The purposes, technical content, features and effects of this application are more readily understood from the detailed description of specific embodiments below, read together with the accompanying drawings.

This specification gives a detailed description of the preferred embodiments of this application, with the accompanying figures illustrating the example embodiments. Reference numerals used in the text match those in the figures wherever possible.

The user authentication described in this application is built on a challenge and response process, according to which the user end and the system end communicate. This process is a communication protocol: it defines the communication between the two ends as a sequence of steps. In it, the user end uses two authenticators belonging to a user to produce a digital signature in response to a challenge from the system end, and the system end uses a registered public key associated with the user as its verification data to check the validity of that signature.

The various embodiments of user authentication described in this application have at least the following properties: first, the public key and the two authenticators are related in a definite way, yet disclosing the public key does not leak the secret information in the two authenticators; second, the user can autonomously choose a personal secret, such as a self-chosen passcode, as the first authenticator; third, the user is allowed to change the two authenticators without changing the registered public key; fourth, the user is allowed to use one and the same secret, such as a single passcode, as the first authenticator while registering different public keys with different systems.

Refer to Figure 1, which illustrates the basic idea of the challenge and response process. In step 110, a user workstation sends a request to log in to the system to a system workstation; in step 120, the system workstation sends a challenge message to the user workstation, requiring it to prepare a response message with the two correct authenticators; in step 130, the user workstation receives a first input value representing the first authenticator and a second input value representing the second authenticator, and uses the two input values to produce a digital signature on the challenge message; in step 140, the user workstation uses the second input value to check whether the digital signature is valid; steps 130 and 140 may be repeated until a valid digital signature is produced; in step 150, the user workstation places the digital signature verified as valid and a user identifier into a response message; in step 160, the user workstation sends the response message to the system workstation; in step 170, the system workstation uses a registered public key, looked up by the user identifier, as its verification data to check the validity of the digital signature; in step 180, the system workstation grants or denies the login request according to the result of step 170 and notifies the user workstation of its decision.

The first authenticator is a personal secret chosen autonomously by the user, such as a self-chosen passcode. The second authenticator, also called the crypto-key authenticator, is a trio consisting of a public modulus, a public exponent and a private-key-dependent exponent.

Refer to Figure 2, which illustrates the conceptual architecture of the method described in this application. It resembles an architecture presented in the aforementioned second publication, "User authentication method by linking a randomly generated authentication secret with a personal secret". The main difference is that the method described in that publication is not based on asymmetric cryptography.

Figure 2 presents, in architectural form, two basic ideas that guide the designs and embodiments described in this application.

First, a public/private key pair acts as a link between the two authenticators at the user end and the verification data at the system end. The link is established by the relationship between the public key and the private key of the pair. At the system end the verification data is the public key; at the user end the two authenticators have a further relationship with the key pair and stand in for it in the procedures that generate and verify digital signatures. In Figure 2, element 210, placed between the user end and the system end, is a public/private key pair ((n,e),d) that establishes the link just described. Element 220 at the system end is the public key (n,e), serving as verification data. The two lines 230 and 240 indicate that the two authenticators 250 and 260 take the place of the key pair. In the user authentication system described in this application, the private key d is destroyed once the two authenticators have been generated and does not appear in any later computation.

Second, the user is allowed to update the two authenticators in their possession while the verification data at the system end stays unchanged. In Figure 2, the update procedure 270 receives a new first authenticator 280, denoted s', and uses it to update the two authenticators 250 and 260.

The properties described above are explained in more detail below. These and other properties allow a passcode system for user authentication to be built whose security is equivalent to that of the RSA system, yet which overcomes the inflexibility of conventional RSA cryptography by letting the user choose and update the passcode autonomously.

Refer to Figure 3, which depicts an example procedure for creating the two authenticators defined above. Procedure 300 includes a crypto-key generation procedure, described in the first publication, that can be executed on a user workstation such as a personal computer or another personal device with enough computing power to run an RSA public/private key pair generation procedure. The user workstation includes a machine-readable medium storing machine-executable instructions that direct it to perform the following. Step 310: receive a personal secret 305, denoted s, which is treated as the first authenticator. Step 330: convert the personal secret 305 into a temporary value 332, denoted u, by a first transformation. Step 340: use the RSA public/private key generation procedure to produce, from two odd primes p (312) and q (314), a public modulus n (344), a public exponent e (346) and a private key d (342). Step 350: apply a second transformation to the temporary value u (332) from step 330, the two odd primes p (312) and q (314) and the private key d (342) from step 340, producing a private-key-dependent exponent v (355). Step 360: erase the private key d (342), the two primes p (312) and q (314) and the temporary value u (332) from the memory used for these computations. Step 370: combine the public modulus n (344) and public exponent e (346) from step 340 with the private-key-dependent exponent v (355) from step 350 into the crypto-key trio (n,e,v) (375), which is treated as the second authenticator. Step 380: store the second authenticator in a persistent memory 385.

As Figure 3 shows, the first authenticator need not be stored in persistent memory; the user can memorize it and enter it by hand when needed. Neither does a hash value or similar derivative of that authenticator need to be stored in persistent memory as verification data. In the user authentication method of this application, verifying the validity of a digital signature produced from the input of the first authenticator confirms the correctness of that input indirectly. This property strengthens the security of the system, especially when the first authenticator is a passcode chosen by the user.

The public modulus n and public exponent e in the crypto-key trio (n,e,v) of Figure 3 form a public key. The user registers this public key with a computer system as verification data; it can also serve as verification data at the user end, as in the procedure of Figure 1.

In Figure 3, step 330 uses a first transformation and step 350 a second transformation; the two can be viewed as a pair of transformations, denoted f1 and f2. Following the first publication, one such pair is given by: f1(x) = H(x); f2(y,h,k,z) = c × LCM(h-1, k-1) + z + ((-y) mod LCM(h-1, k-1)).

In these expressions, x, y, h, k and z stand for the values of the first authenticator s (305), the temporary value u (332), the first prime p (312), the second prime q (314) and the private key d (342) respectively. The pair of transformations are two mathematical functions; to avoid confusion, the input variables of f1 and f2 are written with fresh variable symbols.

In this expression for f2, the parameter c is a non-negative integer, LCM stands for least common multiple, and H denotes a collision-resistant hash function. Again following the first publication, a second form of the pair f1 and f2 is: f1(x) = H(x), with H and x as defined above; f2(y,h,k,z) = c × Φ(h × k) + z + ((-y) mod Φ(h × k)), where c is a non-negative integer, Φ is Euler's totient function, and y, h, k and z are as in the first form of f2.

Let f1, s, v, e and n be as defined above and let M be a digital message. The digital signature on M is computed as signature(M) ≡ hash(M)^f1(s) × hash(M)^v (mod n), which equals ((hash(M)^f1(s) mod n) × (hash(M)^v mod n)) mod n; here the two modular exponentiations modulo n, hash(M)^f1(s) mod n and hash(M)^v mod n, are used to compute two partial digital signatures on M. The computation of the two partial signatures can be carried out on a single processor or jointly on two cooperating processors.

To verify whether a given value SGN is a correct digital signature on M, it suffices to check that the congruence hash(M) ≡ SGN^e (mod n) holds.

The hash function used to compute hash(M) above is no different from the one used in conventional RSA digital signatures. The same hash function can also be used for the first transformation f1, but this is not a requirement on f1.

In the embodiment of the procedure of Figure 1, the digital signature is computed on the user workstation, which may use a single processor or two processors.

The first transformation must also be used on the user workstation, whereas the second transformation is not used again after the two authenticators have been created.

As described above, the second authenticator is a crypto-key trio comprising a public modulus, a public exponent and a private-key-dependent exponent. The public modulus and the private-key-dependent exponent are used in computing the digital signature, while the public exponent is not needed for that computation. The public exponent is included in the authenticator so that the validity of the digital signature can be verified at the user end. This user-end verification lets the system end detect a guessing attack at its very beginning, because a digital signature received from an authorized user end is necessarily correct.

Refer now to Figure 4, which illustrates the procedure for updating the first and second authenticators. It is executed at the user end and comprises the following. Step 410: receive an old personal secret 402, denoted s, as the first authenticator, and fetch a crypto-key trio (n (404), e (406), v (408)) from a persistent memory 409 as the second authenticator. Step 420: check the correctness of the received and fetched authenticators by verifying the validity of a digital signature on a test message, which may be generated at random. Step 430: if the result of step 420 is "correct", continue to the next step; otherwise return to step 410 to repeat with different input as needed. Step 440: receive a new personal secret 445, denoted s', as the new first authenticator, and ask the user to confirm it. Step 450: compute the two temporary values u = f1(s) and u' = f1(s') with the same first transformation as in step 330 of Figure 3. Step 460: compute v' = v - (u' - u). Step 470: replace the second authenticator (n,e,v) with (n,e,v') and store it in the same persistent memory 409.

Note that the update procedure above leaves the public modulus and the public exponent unchanged and is executed at the user end alone.

One shortcoming of the update procedure above must be overcome: the v' obtained in step 460 must be guaranteed to be a positive integer. The term c × LCM(h-1, k-1) in the first form of f2 and the term c × Φ(h × k) in the second form are designed to overcome it. With a suitable choice of the positive integer c, the private-key-dependent exponent v can be guaranteed to be larger than the absolute value of the difference between f1(s') and f1(s). This is shown as follows: with f1(x) = H(x), the absolute value of the difference between f1(s') and f1(s) is necessarily no larger than the absolute value of H(s') - H(s), and when H is known its maximum is a known constant; we can therefore choose the parameter c as a positive integer such that c × LCM(p-1, q-1) or c × Φ(h × k) exceeds this maximum, and with c so chosen, subtracting the difference from the old private-key-dependent exponent v always yields a positive result.

Refer to Figures 5-1 and 5-2, which illustrate a variation of the embodiment of Figure 4. In this variation the user workstation executes the update procedure with an active processor 501 and a passive processor 502; it assumes that the crypto-key trio (n,e,v) is stored in a persistent memory built into the passive processor, the design aim being to confine knowledge of the private-key-dependent exponent v and its updated value v' to the passive processor.

As in Figure 4, part of the update procedure is to confirm that the input of the old first authenticator is correct; in the procedure of Figure 5-1, performing this confirmation with an active processor and a passive processor is more involved. The two processors cooperate to compute a digital signature on a test message, and the active processor then verifies the correctness of the resulting signature to confirm that the input is correct.

The details of Figure 5-1 are as follows. Step 510: the active processor receives an input s (503) from the user as the old personal secret and sends the passive processor a request to cooperate in producing a digital signature. Steps 512, 514 and 516: the passive processor receives the request, fetches the trio (n (504), e (506), v (508)) from persistent memory 509, and sends (n,e) to the active processor. Steps 520, 525, 528 and 530: the active processor in turn generates a test message M, computes hash(M), sends hash(M) to the passive processor, and computes DS1 ≡ hash(M)^f1(s) (mod n), producing a first partial digital signature DS1 on M. Step 535: the passive processor receives hash(M) from the active processor and takes the public modulus n (504) and the private-key-dependent exponent v (508) obtained in step 514. Step 540: the passive processor computes DS2 ≡ hash(M)^v (mod n), producing a second partial digital signature DS2. Step 542: the passive processor sends DS2 to the active processor. Step 545: the active processor receives the first partial signature DS1 and the second partial signature DS2 and computes a digital signature on M: SGN(M) ≡ DS1 × DS2 (mod n). Step 550: the active processor checks the correctness of the digital signature by verifying the congruence hash(M) ≡ (SGN(M))^e (mod n). Step 560: if the result of step 550 is "correct", the active processor continues with the work of Figure 5-2 starting at step 570; if it is incorrect, it returns to step 510 as the situation requires.

Figure 5-2 illustrates the updating of the crypto-key trio (n (504), e (506), v (508)). Step 570: the active processor receives a new personal secret s' (565) and asks the user to confirm it. Step 575: the active processor computes the two temporary values u = f1(s) and u' = f1(s') with the same first transformation f1 as in step 330 of Figure 3. Step 580: the active processor computes the difference of the two temporary values, denoted D, that is, D = u' - u, and sends it to the passive processor. Step 585: the passive processor computes v' = v - D. Step 590: the passive processor replaces the original (n,e,v) with (n,e,v'), updating the second authenticator. Step 595: the active processor receives a notification from the passive processor and informs the user that the update succeeded.
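The following is an added worked example, not code from the patent or its applicant. It carries the formulas on this page through end to end in Python: the pair of transformations f1 and f2 (first form, with LCM) and the crypto-key trio of Figure 3, the two partial signatures and the verification congruence, the update v' = v - (u' - u) of Figure 4 with the bound on c that keeps v' positive, and the split between the processor that holds the personal secret and the one that holds v as in Figures 5-1 and 5-2. The primes, the public exponent, the choice of SHA-256 as H and the function names are all assumptions of this example; the primes are constructed 16-bit values so that the numbers stay readable, and a real deployment would use RSA-sized primes.

```python
import hashlib
import math
import secrets

# Assumptions of this example (not from the patent): two constructed 16-bit odd
# primes, the customary public exponent, and SHA-256 as the hash function H.
P, Q = 65521, 65519
E = 65537
HASH_BITS = 256          # H outputs 256 bits, so |f1(s') - f1(s)| < 2**256


def lcm(a: int, b: int) -> int:
    return a * b // math.gcd(a, b)


def f1(s: str) -> int:
    """First transformation f1(x) = H(x), H collision-resistant (step 330)."""
    return int.from_bytes(hashlib.sha256(s.encode()).digest(), "big")


def f2(y: int, h: int, k: int, z: int, c: int) -> int:
    """Second transformation, first form on the page (step 350):
    f2(y,h,k,z) = c*LCM(h-1,k-1) + z + ((-y) mod LCM(h-1,k-1)).
    Because y + ((-y) mod L) is a multiple of L, y + f2(...) == z (mod L)."""
    lam = lcm(h - 1, k - 1)
    return c * lam + z + ((-y) % lam)


def min_c(p: int, q: int, hash_bits: int = HASH_BITS) -> int:
    """Smallest positive c with c*LCM(p-1,q-1) > 2**hash_bits, the bound on
    |f1(s') - f1(s)| that the page requires so the updated v' stays positive."""
    return 2 ** hash_bits // lcm(p - 1, q - 1) + 1


def generate_authenticators(s: str, p: int = P, q: int = Q, e: int = E) -> tuple:
    """Figure 3: build the crypto-key trio (n, e, v) from personal secret s.
    d, p, q and u are local and discarded (step 360); only the trio is returned."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    d = pow(e, -1, lam)                  # ordinary RSA private exponent (step 340)
    u = f1(s)                            # step 330
    v = f2(u, p, q, d, min_c(p, q))      # step 350: u + v == d (mod lam)
    return n, e, v


def hash_msg(m: bytes) -> int:
    """hash(M) used for signing; the same hash as in plain RSA signatures."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def partial_sig_active(m: bytes, s: str, n: int) -> int:
    """DS1 = hash(M)^f1(s) mod n, computed where the secret is typed (step 530)."""
    return pow(hash_msg(m), f1(s), n)


def partial_sig_passive(m: bytes, v: int, n: int) -> int:
    """DS2 = hash(M)^v mod n, computed where v is stored (step 540)."""
    return pow(hash_msg(m), v, n)


def sign(m: bytes, s: str, trio: tuple) -> int:
    """signature(M) = DS1 * DS2 mod n (step 545 and the formula on the page)."""
    n, _, v = trio
    return (partial_sig_active(m, s, n) * partial_sig_passive(m, v, n)) % n


def verify(m: bytes, sgn: int, public_key: tuple) -> bool:
    """hash(M) == SGN^e (mod n): the same check at the user end and the system end."""
    n, e = public_key
    return pow(sgn, e, n) == hash_msg(m) % n


def update_secret(old_s: str, new_s: str, trio: tuple) -> tuple:
    """Figure 4 / 5-2: change the personal secret, keeping (n, e) and therefore the
    registered public key unchanged. Steps 420/430 first confirm the old input by
    signing a random test message; only D = u' - u would cross to the passive side."""
    n, e, v = trio
    test = secrets.token_bytes(16)
    if not verify(test, sign(test, old_s, trio), (n, e)):
        raise ValueError("old secret or crypto-key trio is wrong")
    diff = f1(new_s) - f1(old_s)         # D = u' - u (step 580)
    v_new = v - diff                     # step 460 / 585
    if v_new <= 0:                       # cannot happen with c >= min_c(p, q)
        raise ArithmeticError("c too small: updated exponent is not positive")
    return n, e, v_new


if __name__ == "__main__":
    trio = generate_authenticators("correct horse battery")
    challenge = b"server challenge C"
    print("valid:", verify(challenge, sign(challenge, "correct horse battery", trio), trio[:2]))
    new_trio = update_secret("correct horse battery", "new passcode", trio)
    print("public key unchanged:", new_trio[:2] == trio[:2])
```

The point worth noticing when running it is that `verify` never sees the passcode, v or d: the system end holds only (n, e), a wrong passcode produces a signature that fails the same congruence a forged one would, and after `update_secret` the old trio no longer signs for the new passcode while (n, e) is unchanged, which is exactly what lets the registered public key survive a passcode change.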

This patent application uses the term "private-key-related exponent" to emphasize that this part of the crypto key is related to the private key, whereas the personalized secret is independent of the private key. The "personalized secret" and the "private-key-related exponent" together replace the "private key", and the private key becomes a "hidden" secret.

In the procedure for generating and updating the authenticators, the choice of the personalized secret is quite flexible, and this flexibility comes from f1 being designed as a collision-resistant hash function. In what follows, the personalized secret is assumed to be a passcode chosen by the user.

In the registration procedure, the user follows the procedure of Figure 3 to choose a passcode as the first authenticator and to generate a crypto-key triple (n, e, v) as the second authenticator. The user registers his identifier, the modulus n and the public exponent e at the system workstation.

Refer to Figure 6-1, a detailed flow description of an implementation of the procedure of Figure 1. Element 601 is a user workstation, used by a user to issue a login request to a system workstation; element 602 is the system workstation. In a network environment, a system identifier must be used to identify the system workstation, and likewise a user identifier must be used to identify the user. In step 610, the user workstation receives from the user a user identifier (605), a system identifier (607) and a passcode input PWD (603), and obtains a crypto-key triple (n, e, v) (608) from a persistent memory supplied by the user; in step 615, the user workstation sends a login request to the system workstation identified by the system identifier; in step 620, the system workstation generates a challenge message C, which may be generated randomly; in step 625, the system workstation sends the challenge message C to the user workstation; in step 630, the user workstation receives C; in step 640, the user workstation computes a digital signature on the received challenge C: SGN(C) ≡ hash(C)^f1(PWD) × hash(C)^v mod n; in step 660, the user workstation confirms that the digital signature is correct by checking the congruence hash(C) ≡ (SGN(C))^e mod n; in step 662, if the verification result is correct the procedure continues with step 665, otherwise the input of step 610 is repeated as needed; in step 665, the user workstation places the correct digital signature and the user identifier (605) in a response message; in step 670, the user workstation sends the response message to the system workstation; in step 680, the system workstation uses the user identifier in the received response message as an index to retrieve the corresponding registered public key from an authentication database 675; in step 685, the system workstation verifies that the digital signature in the response message is correct by checking the congruence hash(C) ≡ (SGN(C))^e mod n, where (n, e) is the registered public key, namely the public modulus n and the public exponent e of the crypto-key triple (n, e, v) (608); in step 690, the system workstation grants or denies the login request according to the verification result and notifies the user workstation; in step 695, the user workstation receives the decision on the login request and proceeds with subsequent work accordingly.

In one embodiment according to the flowchart of Figure 6-1, the user workstation receives the crypto-key authenticator automatically; in other words, the user workstation is programmed to read the crypto-key triple from persistent memory without any instruction from the user. This embodiment creates a passcode system resembling a conventional passcode system; from the user's point of view, this passcode method is derived from the two-authenticator method described above. The passcode method comprises the following steps: when a login to the system is requested, receiving an input as a passcode; generating a digital signature using that input; verifying the correctness of the digital signature with a public key; and, if the digital signature is verified as correct, confirming that the input matches the passcode and granting the login request on that basis.

Figure 6-2 illustrates a variation of step 640 of Figure 6-1. In this variation, the user workstation 601 uses an active processor 651 and a passive processor 652 to carry out step 640; all the steps described in Figure 6-2 together replace step 640, and it is assumed here that the triple (n, e, v) (608) is stored in persistent memory inside the passive processor. In step 641, the active processor computes hash(C), where C is the challenge message received in step 630, and then sends hash(C) to the passive processor; in step 642, the passive processor receives hash(C); in step 643, the passive processor retrieves the triple (n, e, v) from persistent memory and sends the public key (n, e) to the active processor; in step 644, the active processor receives (n, e) and produces a first partial digital signature DS1 by computing DS1 ≡ hash(C)^f1(PWD) mod n; in step 645, the passive processor produces a second partial digital signature DS2 by computing DS2 ≡ hash(C)^v mod n and sends the result to the active processor; in step 646, the active processor computes SGN(C) ≡ DS1 × DS2 mod n to produce the digital signature on C and continues with the work from step 660 of Figure 6-1. All steps of Figure 6-1 other than step 640 are executed on the active processor, while the two processors execute step 640 cooperatively as described above.

In the embodiments of Figures 6-1 and 6-2, a passcode input, for example a passcode typed by the user on the keyboard, is not checked against a derived value of the passcode such as its hash value. In these embodiments, whether a passcode input matches the pre-selected passcode is confirmed only by the result of step 662. If the result of step 662 is an error, either the passcode input or the supplied crypto-key authenticator is wrong; since the crypto-key authenticator is not entered by hand, an erroneous passcode input is the more likely cause.

In the example procedure of Figure 6-1, the crypto-key authenticator can be stored on a low-cost storage device such as a memory card, a USB (Universal Serial Bus) flash drive or an RFID (radio frequency identification) tag.

The passive processor 652 of Figure 6-2 contains built-in persistent memory for storing n, e and v and is able to compute a partial digital signature with v, while the active processor directs the execution of all steps. The passive processor of Figure 6-2 may be built into an IC crypto card, and such a card has an advantage over a conventional IC crypto card: a conventional IC crypto card stores a public/private key pair, and the secret stored in it is the private key, which must be kept strictly confidential, so losing such a card poses a serious security threat; by contrast, the passive-processor crypto card of Figure 6-2 stores the public key and the private-key-related exponent v, and v is only half of the secret, so losing this half of the secret is a comparatively low threat to security.

The private-key-related exponent v is related to the public key; however, it is hard to derive the "hidden private key d" from the public key (n, e). Under this premise, disclosing the public key (n, e), whether on the system side or on the user side, does not help to derive v successfully; this is a consequence of the second transformation f2 defined above.

We now discuss the security of the other half of the secret, namely the security of the passcode. The public key (n, e) on the system side is information used for verification, and disclosing it reveals no information about the passcode, because the passcode is chosen freely and independently by the user. The update procedure designed in this patent application allows the user to change the passcode he has chosen while the public key stays unchanged, and at the same time the private-key-related exponent changes. During a passcode change the system workstation does not need to be contacted by the user workstation, so the system workstation obtains no information that would help in guessing the passcode.

The system workstation and the user workstation communicate by a challenge-and-response method. The response to a challenge message contains a digital signature computed on that challenge, and as long as the "hidden private key" is secure, this communication is secure as well.

On the user side, a passcode input is not verified directly against a derived value of the passcode; instead, the correctness of each passcode input is confirmed indirectly by verifying the correctness of the digital signature produced from that input. Consequently, neither the passcode nor any derived value of it, such as its hash value or an encrypted value, is stored for the purpose of checking the correctness of passcode inputs. In this patent application, a derived value of the passcode means the output of a transformation that takes the passcode as its single input.

In a broad sense, the private-key-related exponent v is a derived value of the passcode. But v is the output of the transformation f2, which, besides the passcode, takes three further inputs p, q and d: v = f2(f1(passcode), p, q, d) = c × LCM(p-1, q-1) + d + ((-f1(passcode)) mod LCM(p-1, q-1)), or v = f2(f1(passcode), p, q, d) = c × Φ(n) + d + ((-f1(passcode)) mod Φ(n)). It follows from this derivation that, without knowing the values of p, q and d, disclosing v does not reveal the passcode.
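The key generation of Figure 3 with the f2 formula just given, the cooperative signing of Figures 6-1 and 6-2, and the passcode update of Figure 5-2, carried through as an added example that is not the patent's own code. SHA-256 as f1 and as hash(M), the choice of the free constant c, and the two Mersenne toy primes are this example's assumptions; the primes are far too small for real use.

```python
"""Added worked example (not the patent's own code): RSA with a split private
key.  The active side holds the passcode s, the passive side (crypto card)
holds (n, e, v); neither side sees d after key generation.
Toy parameters only: two Mersenne primes, far too small for real use."""
import hashlib
from math import gcd

P = 2**127 - 1      # constructed toy primes (both are Mersenne primes)
Q = 2**89 - 1
E = 65537


def f1(passcode: str) -> int:
    """First transformation f1: collision-resistant hash of the passcode
    read as an integer (SHA-256 is this example's choice of hash)."""
    return int.from_bytes(hashlib.sha256(passcode.encode("utf-8")).digest(), "big")


def msg_hash(message: bytes, n: int) -> int:
    """hash(M), reduced into Z_n so it can be exponentiated modulo n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def carmichael(p: int, q: int) -> int:
    """LCM(p-1, q-1), the modulus of the exponent arithmetic used by f2."""
    return (p - 1) // gcd(p - 1, q - 1) * (q - 1)


def generate_authenticators(passcode: str, p: int = P, q: int = Q, e: int = E):
    """Figure 3: derive the crypto-key triple (n, e, v) from the passcode.
    d is computed, consumed by f2 and then dropped (the hidden private key)."""
    n = p * q
    lam = carmichael(p, q)
    if gcd(e, lam) != 1:
        raise ValueError("e must be invertible modulo LCM(p-1, q-1)")
    d = pow(e, -1, lam)
    # Second transformation f2: v = c*LCM + d + ((-f1(s)) mod LCM).
    # c is a free constant in the text; here (assumption) it is chosen so that
    # v exceeds any 256-bit f1 output, which keeps v' positive after updates.
    c = (1 << 256) // lam + 2
    v = c * lam + d + ((-f1(passcode)) % lam)
    return n, e, v


class PassiveProcessor:
    """Crypto card side: keeps (n, e, v), computes DS2, applies updates."""

    def __init__(self, n: int, e: int, v: int):
        self.n, self.e, self.v = n, e, v

    def public_key(self):                        # step 643
        return self.n, self.e

    def partial_signature(self, h: int) -> int:  # step 645: DS2 = hash^v mod n
        return pow(h, self.v, self.n)

    def apply_update(self, d_diff: int) -> None:  # steps 585/590: v' = v - D
        self.v -= d_diff


def sign(passcode: str, message: bytes, card: PassiveProcessor) -> int:
    """Steps 641-646: active and passive halves combine into one RSA signature."""
    n, _e = card.public_key()
    h = msg_hash(message, n)
    ds1 = pow(h, f1(passcode), n)      # active: DS1 = hash(C)^f1(PWD) mod n
    ds2 = card.partial_signature(h)    # passive: DS2 = hash(C)^v mod n
    return ds1 * ds2 % n               # SGN(C) = DS1 * DS2 mod n


def verify(message: bytes, signature: int, n: int, e: int) -> bool:
    """Steps 660/685: check hash(C) == SGN(C)^e mod n using only (n, e)."""
    return pow(signature, e, n) == msg_hash(message, n)


def update_passcode(old: str, new: str, card: PassiveProcessor) -> None:
    """Figure 5-2: D = f1(s') - f1(s) goes to the card, which sets v' = v - D.
    (n, e), and hence the registered public key, stay unchanged."""
    card.apply_update(f1(new) - f1(old))        # steps 575-590


if __name__ == "__main__":
    n, e, v = generate_authenticators("correct horse")
    card = PassiveProcessor(n, e, v)
    sig = sign("correct horse", b"challenge-1", card)
    print("right passcode verifies:", verify(b"challenge-1", sig, n, e))
    print("wrong passcode verifies:",
          verify(b"challenge-1", sign("wrong", b"challenge-1", card), n, e))
    update_passcode("correct horse", "battery staple", card)
    print("new passcode after update verifies:",
          verify(b"challenge-2", sign("battery staple", b"challenge-2", card), n, e))
```

Note that a wrong passcode is detected only through the failed signature check, exactly as the text describes for step 662; no hash of the passcode exists anywhere to compare against.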

One way of cracking a passcode is exhaustive search or a dictionary attack, that is, attacking by guessing. To decide whether a guess is correct, the attacker is forced to compute a digital signature and verify it, so every guess requires a modular exponentiation modulo n, and such guessing is computationally more expensive than guessing in a conventional passcode system.

Information security experts have kept searching for new user authentication methods, partly because the commonly used passcode authentication methods seem insufficiently secure to prevent unauthorized logins. Two-factor authentication offers a new direction. The method proposed in this patent application can be regarded as a form of two-factor authentication, but with new characteristics. Two-factor authentication methods usually use a user-chosen passcode as one factor and a biometric feature such as a fingerprint as the other; some consider this type of two-factor authentication to violate personal privacy. Other two-factor methods use a physical token and a Personal Identification Number (PIN) as the two factors; in methods of this type, the PIN is not half of the authentication secret but a complete secret used to gain access to the "real authentication secret", and the real authentication secret, such as a cryptographic private key, is stored in the physical token. The method described in this patent application splits the private key into two parts that serve as the two authentication factors; as in the procedure of Figure 3, the secret private key is destroyed after the crypto-key authenticator has been generated and never appears again in later computations.

According to the embodiments described above, the crypto-key authenticator is stored in a device. The first authenticator, the passcode, need not be stored in any device, as long as the user can remember it. As stated above, neither the hash value of the passcode nor an encrypted value of it needs to be kept in persistent memory for confirming the correctness of an input; instead, the passcode input is verified by confirming the correctness of the digital signature produced from it. This unique way of combining two authenticators differs from other two-factor authentication mechanisms.

Returning to the challenge-and-response procedure of Figures 1 and 6-1: in this procedure the digital signature is verified twice. At the user workstation, the signature is verified once before being included in the response message, and at the other end the system workstation verifies the signature in the response message it receives once more. Thanks to this design, the system workstation is able to distinguish authorized users from unauthorized intruders, because an authorized user always answers the challenge with a valid digital signature. To make this design more effective, the following modification of the challenge-and-response procedure is helpful: the user identifier included in the response message is checked as well. There are several feasible ways to do this, for example adding a check bit or a check code as part of the user identifier, or using a hash value as verification information. With this design, the system workstation is able to detect any online guessing attack as soon as it begins.

The public key (n, e) is registered at the system workstation, which uses it to verify whether the responses sent by the user workstation are correct. The system side is responsible for ensuring the authenticity of the public key, and a public key certificate is the conventional way of meeting this need: under this approach the registered public key is part of a certificate issued by a Certification Authority (CA). In other words, the system side relies on the certification authority to guarantee the authenticity of the registered public key.

Because the system side and the certification authority share the responsibility for the authenticity of the public key, the conventional CA approach benefits the user. Unless the system side colludes with the CA, a wrong digital signature accepted by the system side can be detected; the CA approach therefore protects the user from misbehaviour on the system side.

Owing to a lack of security controls on the system side, system-side misbehaviour can occur, and in fact it is one of the main causes of the information security incidents that have happened. As described in the background section above, current passcode authentication systems have several technical weaknesses: for example, a system administrator or other insider can steal a user identifier and its corresponding hash value from the system's authentication database and log in to that user's account without authorization. Techniques available for such unauthorized logins include offline dictionary attacks, as well as specially crafted software that accepts the hash value of the passcode as input instead of the passcode itself.

The user authentication method described in this patent application is therefore a passcode-based authentication method in which system security is strengthened by the authenticity of a CA-certified public key.

Using the conventional certification-authority approach to protect the authenticity of public keys adds considerable complexity. Information security experts are aware of this drawback, and the passcode authentication method proposed in this patent application can reduce this complexity, thanks to the security benefit brought by secret splitting: losing either half of a protected secret raises fewer security concerns than losing the whole secret. If one half is lost, the other half still provides a considerable degree of protection, so the user does not need to request revocation of his public key certificate immediately. The need to report the loss to a certification authority and to request revocation of the public key certificate is removed; instead, the user can register a new public key at the system workstation and ask the system workstation to reject digital signatures that verify under the old public key. In this way, the complexity caused by revoking public key certificates can be greatly reduced.

This patent application also proposes a business method to replace the role of the certification authority; it is described in detail below.

A user registering a public key at a system workstation is in fact an agreement between the system side and the user side. Once the system workstation accepts the registration of the public key, it is obliged to accept correct digital signatures and to reject incorrect ones; on the other hand, if the validity of a digital signature is proven using the registered public key as verification data, the user cannot deny its validity.

Accordingly, a registration contract for the public key can serve as a means for both parties to resolve disputes. Figure 7 is an example of a contract for a public key registered by a user with a system side. Under the terms carried by the contract, if a digital signature accepted by the system side is shown to be incorrect under the public key in the contract, the user has the right to repudiate the incorrect digital signature wrongly accepted by the system side; likewise, under the terms of the contract, if a digital signature accepted by the system side is proven correct under the public key in the contract, the user is obliged to acknowledge its validity.

The registration contract provides a way to resolve disputes about the validity of digital signatures. With the guarantee in the contract, the user can trust that the system side uses the correct public key, so checking the correctness of the public key by means of a certificate is no longer needed.

The registration contract method gives a new direction for guaranteeing the authenticity of public keys, replacing a technical means with a business one. It also fits conventional business practice, in which day-to-day business transactions usually need no third-party involvement: the user can trust the system side to protect the authenticity of the registered public key while keeping the registration contract as a guarantee that can be used to settle any dispute that arises.

The business method of using a registration contract applies to asymmetric cryptosystems in general and is not limited to the RSA system.

Refer to Figure 8, which illustrates a procedure that allows a user to check whether a correct public key can be retrieved at a system workstation. This check can be run at the same time as the user issues a login request to the system workstation; it can therefore further convince the user to trust the system side, and it can be regarded as an auxiliary method of the public key registration contract.

The public key link check described above is a challenge-and-response procedure based on symmetric cryptography. In step 810, a user workstation (801) receives a system identifier (803) and a user identifier (804) from a user; in step 815, the user workstation randomly generates a message and places this random message together with the user identifier in a challenge message; in step 820, the user workstation sends the challenge message to the system workstation (802) corresponding to the system identifier; in step 830, the system workstation uses the user identifier in the received challenge message as an index to retrieve from the system-side authentication database (825) the public key used on the system side; in step 835, the system workstation derives from that public key a symmetric crypto key used on the system side; in step 840, the system workstation uses this symmetric key as an encryption key to encrypt the random message in the challenge into ciphertext; in step 845, the system workstation places the ciphertext in a response message; in step 850, the system workstation sends the response message to the user workstation; in step 852, the user workstation receives the response message and retrieves the public key used on the user side from a persistent memory; in step 855, the user workstation derives from the user-side public key a symmetric crypto key used on the user side; in step 860, the user workstation uses the user-side symmetric key as a decryption key to decrypt the ciphertext in the received response message; in step 865, if the decryption result matches the random message of step 815, the user workstation concludes that the public key used on the system side matches the public key used on the user side and regards it as correct.

In the flowchart of Figure 8, step 835 uses a first transformation to derive the system-side symmetric crypto key, and step 855 uses a second transformation to derive the user-side symmetric crypto key; these two transformations must be identical. A function that truncates a suitable length from the bit string formed by concatenating the public modulus n and the public exponent e can serve as this common transformation; other kinds of function are also possible.
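The Figure 8 link check, both sides' messages included, as an added example that is not the patent's own code. The symmetric cipher (a keystream built from HMAC-SHA256 so the example runs offline), the nonce, hashing n||e before truncation, and the handling of an unknown user are this example's assumptions; the patent leaves all of them unspecified.

```python
"""Added worked example (not the patent's own code): the public key link
check of Figure 8, a symmetric challenge-and-response run alongside login.
Both sides derive the same symmetric key from the public key (n, e)."""
import hashlib
import hmac
import secrets


def derive_symmetric_key(n: int, e: int, length: int = 32) -> bytes:
    """Steps 835 and 855: the common transformation.  The text suggests
    truncating the bit string n||e; this example (assumption) hashes n||e
    first and then truncates, so the key is not simply leading bytes of n."""
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return hashlib.sha256(n_bytes + e_bytes).digest()[:length]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (assumption: the patent names no cipher):
    HMAC-SHA256 in counter mode as a keystream.  Encryption and decryption
    are the same XOR, so both sides call this one function."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SystemWorkstation:
    """Element 802: holds the authentication database user_id -> (n, e)."""

    def __init__(self, auth_db: dict):
        self.auth_db = auth_db

    def respond(self, challenge: dict):
        """Steps 830-850: look up the registered key, encrypt the random message."""
        key_pair = self.auth_db.get(challenge["user_id"])   # step 830
        if key_pair is None:
            return None                  # unknown user: no key to encrypt with (assumption)
        key = derive_symmetric_key(*key_pair)                 # step 835
        nonce = secrets.token_bytes(16)                       # fresh per response (assumption)
        ciphertext = keystream_xor(key, nonce, challenge["random"])  # step 840
        return {"nonce": nonce, "ciphertext": ciphertext}     # steps 845/850


def check_public_key_link(user_id: str, user_pubkey: tuple,
                          system: SystemWorkstation) -> bool:
    """Steps 810-865 as seen from the user workstation (element 801)."""
    random_msg = secrets.token_bytes(32)                      # step 815
    challenge = {"user_id": user_id, "random": random_msg}    # step 815
    response = system.respond(challenge)                      # steps 820/850
    if response is None:
        return False
    key = derive_symmetric_key(*user_pubkey)                  # step 855, user's own copy
    recovered = keystream_xor(key, response["nonce"], response["ciphertext"])  # step 860
    return hmac.compare_digest(recovered, random_msg)         # step 865


if __name__ == "__main__":
    # Constructed toy database entry; the textbook-sized key is for illustration only.
    system = SystemWorkstation({"alice@example.test": (3233, 17)})
    print("matching key on file:", check_public_key_link("alice@example.test", (3233, 17), system))
    print("different key on file:", check_public_key_link("alice@example.test", (3233, 65537), system))
```

A successful check shows only that the key on file equals the user's copy; because (n, e) is public, the check does not by itself authenticate the system side, and the login still rests on the signature verification of Figure 6-1.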

The procedure of Figure 3 for generating the two authenticators allows the user to choose the passcode freely and autonomously. Even if the user keeps using the same passcode, he can still change the registered public key.

The procedure for changing a registered public key differs from the update procedure described in Figures 4 and 5, in which the public key always stays the same. Changing a registered public key requires running the key generation procedure of Figure 3 again. If a CA is used to protect the authenticity of the public key, changing the public key requires issuing a new public key certificate and revoking the certificate of the abandoned public key. As described above, the registration contract method removes the role of the CA entirely.

The following assumes that the user needs to log in to a number of system workstations in a network environment. In this situation, a common information security rule requires the user to choose different passcodes for logging in to different system workstations, which places a burden on the memory of ordinary users. With the method of this patent application this rule is unnecessary, because what the user registers at a system workstation is a public key, and the public key leaks no information about the passcode.

As described above, the registration contract method removes the need for a CA and greatly simplifies the management of public keys, which allows a user to register different public keys at different system workstations, or the same public key at several system workstations. This flexibility rests on two reasons: (1) the computational difficulty of deriving the private key from the corresponding public key; and (2) the simplification of public key management.

The passcode-based user authentication method of this patent application uses two authentication factors: (1) the passcode; and (2) a crypto-key authenticator consisting of the public modulus, the public exponent and the private-key-related exponent. When a user registers different public keys at many system workstations, the number of his crypto-key authenticators grows accordingly; at first sight this is a drawback of using different public keys, but registering different public keys at different system workstations has an advantage: if one "hidden private key" is compromised, the resulting risk is confined to the system at which the corresponding public key was registered. Moreover, the solution given below lets the user hold many public keys while overcoming this drawback.

In a network environment with many system workstations, when the user requests to log in to a system he must enter on the user workstation the identifier of the system he wishes to log in to; that system identifier serves as an index for retrieving the corresponding crypto-key authenticator. In other words, a crypto-key authenticator can be linked to a system identifier, and these links can be collected in a single file, so that this file and the passcode together are the inputs to the user authentication process. This file, which gathers the system identifiers, the crypto-key authenticators and the links between them, simplifies the input procedure of the login process; it is called a "collective authenticator".

The collective authenticator is a digital file owned by its user and can be stored on a portable device such as a USB storage device, a memory card, an IC crypto card or a cell phone. Carrying such a device and remembering the passcode, the user can roam the network and log in to any system with which he has registered.

Refer to Figure 9, which shows all the components of a collective authenticator.

As shown in Figure 9, a collective authenticator is a collection of individual authenticator records. Each record consists of three items: (1) the system identifier of a system workstation to be logged in to; (2) a crypto-key triple (the combination of the three crypto-key elements); (3) an identifier of this user. Each crypto-key triple in turn contains three elements: (1) a public modulus; (2) a public exponent; (3) a private-key-related exponent. Each record in the collection states that this user has registered one of his user identifiers and one public key with a particular system workstation. Within the collection a user identifier may be unique or repeated, and so may a public key. In the illustrated example, the owner of this collective file has registered an e-mail account, a bank account number, a student number and a national ID number as his personal user identifiers with different systems; the system identifier in each record identifies a unique system workstation and also serves as the index for retrieving the crypto-key triple and the corresponding user identifier from the collective file.

In Figure 9, reference numerals 910, 920 and 930 denote a system identifier, a crypto-key triple and a user identifier respectively; 940 denotes one individual authenticator record; and 922, 924 and 926 denote a public modulus, a public exponent and a private-key-related exponent respectively.

The collective authenticator is equivalent to a personal data folder for managing identity information and login data. Under the registration contract method no public key certificate is needed, so a user identifier and the corresponding public key registered with a system are not bound together by a CA-signed certificate and can be changed independently of each other.

These properties let the user manage his own collective authenticator flexibly and simply, allow him to register with many system workstations in a network environment, and let him log in to those systems securely and conveniently.

Figure 10 shows an embodiment of user authentication in a network environment with many system workstations. Its workflow is almost identical to that of Figure 6-1; the difference is that Figure 10 uses a collective authenticator (1008) whereas Figure 6-1 uses a single crypto-key authenticator (608). The details of Figure 10 are described below.

Element 1001 is the user workstation a user uses to log in; element 1002 is the system workstation the user wishes to log in to.
Step 1010: the user workstation receives from the user a user identifier (1005), a system identifier (1007) and a passcode input PWD (1003), and additionally reads a collective authenticator (1008) from a storage device supplied by the user.
Step 1012: using the system identifier as an index, the user workstation retrieves the corresponding crypto-key triple from the collective authenticator.
Step 1015: the user workstation sends a login request to the system workstation designated by the system identifier.
Step 1020: the system workstation generates a challenge message C, which can be generated at random.
Step 1025: the system workstation sends the challenge message C to the user workstation.
Step 1040: the user workstation receives C and computes a digital signature on it: SGN(C) ≡ hash(C)^{f1(PWD)} · hash(C)^{v} (mod n).
Step 1060: the user workstation checks the digital signature by verifying the congruence hash(C) ≡ (SGN(C))^{e} (mod n).
Step 1062: if the signature is valid, continue with step 1065; otherwise return to step 1010 as needed.
Step 1065: the user workstation places the valid digital signature and the user identifier (1005) in a response message.
Step 1070: the user workstation sends the response message to the system workstation.
Step 1080: the system workstation uses the user identifier in the received response as an index to retrieve a registered public key from an authentication database (1075).
Step 1085: the system workstation checks the digital signature in the response by verifying the congruence hash(C) ≡ (SGN(C))^{e} (mod n), where (n, e) is the registered public key.
Step 1090: the system workstation grants or denies the login request according to the verification result and notifies the user workstation of the decision.
Step 1095: the user workstation receives the result of the login request and proceeds accordingly.
In this embodiment, the registered public key obtained by the system workstation in step 1080 is the same public key (n, e) formed by the public modulus n and the public exponent e of the crypto-key triple (n, e, v) retrieved by the user workstation in step 1012.
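The Figure 10 flow run end to end, as an added example that is not the patent's own code: a collective authenticator holding two records, a user workstation that signs the challenge with f1(PWD) and v and checks its own signature before sending it, and a system workstation that verifies against its authentication database. The mapping f1 (SHA-256 of the passcode read as an integer), the key set-up (v chosen so that f1(PWD) + v ≡ d mod φ(n), which is what the verification congruence requires) and the toy primes are assumptions of this example, not the patent's Figure 3.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


def f1(pwd: str) -> int:
    """Assumed mapping of the passcode to an exponent share (the text does not fix one)."""
    return int.from_bytes(hashlib.sha256(pwd.encode()).digest(), "big")


def hash_mod_n(msg: bytes, n: int) -> int:
    """hash(C) reduced into Z_n so it can serve as the RSA base."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


@dataclass(frozen=True)
class Record:
    """One record (940) of the collective authenticator (900)."""
    system_id: str   # 910: the index used in step 1012
    n: int           # 922: public modulus
    e: int           # 924: public exponent
    v: int           # 926: private-key-related exponent
    user_id: str     # 930: identifier registered with this system


def enroll(pwd: str, p: int, q: int, e: int = 65537) -> tuple[int, int, int]:
    """Illustrative key set-up (assumption): pick v with f1(pwd) + v ≡ d (mod φ(n)), so that
    hash(C)^(f1(pwd)+v) ≡ hash(C)^d (mod n), which is exactly what steps 1060/1085 check."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # RSA private exponent; never stored anywhere
    v = (d - f1(pwd)) % phi        # the private-key-related exponent kept in the record
    return n, e, v


def sign(c: bytes, pwd: str, n: int, v: int) -> int:
    """Step 1040: SGN(C) = hash(C)^f1(PWD) * hash(C)^v mod n."""
    hc = hash_mod_n(c, n)
    return pow(hc, f1(pwd), n) * pow(hc, v, n) % n


def verify(c: bytes, sgn: int, n: int, e: int) -> bool:
    """Steps 1060 and 1085: hash(C) ≡ SGN(C)^e (mod n)."""
    return pow(sgn, e, n) == hash_mod_n(c, n)


class SystemWorkstation:
    """Element 1002: its authentication database (1075) holds public keys only."""

    def __init__(self) -> None:
        self.db: dict[str, tuple[int, int]] = {}   # user_id -> (n, e)

    def register(self, user_id: str, n: int, e: int) -> None:
        self.db[user_id] = (n, e)

    def challenge(self) -> bytes:
        """Step 1020: a fresh random challenge for every login attempt."""
        return secrets.token_bytes(32)

    def login(self, c: bytes, user_id: str, sgn: int) -> bool:
        """Steps 1080-1090: look up the registered key by user_id and verify the response."""
        key = self.db.get(user_id)
        if key is None:
            return False
        n, e = key
        return verify(c, sgn, n, e)


def user_login(collective: list[Record], pwd: str, system_id: str,
               system: SystemWorkstation) -> bool:
    """Element 1001, steps 1010-1095; the record's user_id stands in for input 1005."""
    rec = next((r for r in collective if r.system_id == system_id), None)   # step 1012
    if rec is None:
        return False
    c = system.challenge()                      # steps 1015-1025
    sgn = sign(c, pwd, rec.n, rec.v)            # step 1040
    if not verify(c, sgn, rec.n, rec.e):        # steps 1060-1062: a mistyped passcode is
        return False                            # caught locally, before anything is sent
    return system.login(c, rec.user_id, sgn)    # steps 1065-1090


def demo() -> dict[str, bool]:
    """Constructed scenario: one passcode, two systems, two different key pairs."""
    pwd = "correct horse battery staple"        # constructed passcode (1003)
    bank, campus = SystemWorkstation(), SystemWorkstation()
    n1, e1, v1 = enroll(pwd, 1000003, 1000033)  # toy primes, far too small for real use
    n2, e2, v2 = enroll(pwd, 1000037, 1000039)
    collective = [Record("bank.example", n1, e1, v1, "ACCT-0001"),
                  Record("campus.example", n2, e2, v2, "student-42")]
    bank.register("ACCT-0001", n1, e1)
    campus.register("student-42", n2, e2)
    c = campus.challenge()
    return {
        "bank_ok": user_login(collective, pwd, "bank.example", bank),
        "campus_ok": user_login(collective, pwd, "campus.example", campus),
        "wrong_passcode_rejected": not user_login(collective, "wrong", "bank.example", bank),
        # the bank record's key is unknown to campus: a record authenticates to one system only
        "bank_record_useless_at_campus": not campus.login(c, "student-42", sign(c, pwd, n1, v1)),
    }
```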

In another embodiment derived from the flow of Figure 10, the collective authenticator can be accessed by the user workstation automatically; that is, the user workstation retrieves the individual authenticator record without an explicit instruction from the user. An ordinary user may not be able to tell this embodiment apart from a conventional passcode system; technically, however, as explained in detail above, the two differ considerably.

Those skilled in the art may make modifications or variations that do not depart from the scope or spirit of the design of this patent application; such modifications or variations are considered part of this patent application, provided they are equivalent to the description herein.

The embodiments described above are merely preferred embodiments of the methods and techniques described in this patent application and do not limit the scope within which it can be practised. Accordingly, all equivalent changes or modifications of the shape, structure, features and spirit described in the claims of this application fall within the scope of the claims of this application.

110 ... step
120 ... step
130 ... step
140 ... step
150 ... step
160 ... step
170 ... step
180 ... step
210 ... public/private key pair
220 ... public key
230 ... connecting line expressing the relationship between elements
240 ... connecting line expressing the relationship between elements
250 ... first authenticator, i.e. the personalized secret, denoted s
260 ... second authenticator, i.e. the crypto-key authenticator
270 ... update procedure
280 ... new first authenticator, denoted s'
300 ... second authenticator generation procedure
305 ... personalized secret, denoted s
310 ... step
312 ... prime p
314 ... prime q
330 ... step
332 ... temporary value, denoted u
340 ... computation procedure generating an RSA public/private key pair
342 ... private key, denoted d
344 ... public modulus, denoted n
346 ... public exponent, denoted e
350 ... step
355 ... private-key-related exponent, denoted v
360 ... step
370 ... step
375 ... crypto-key triple, regarded as the second authenticator
380 ... step
385 ... persistent memory
402 ... personalized secret, denoted s
404 ... public modulus, denoted n
406 ... public exponent, denoted e
408 ... private-key-related exponent, denoted v
409 ... persistent memory
410 ... step
420 ... step
430 ... check whether the verified digital signature is valid
440 ... step
445 ... new personalized secret, denoted s'
450 ... step
460 ... step
470 ... step
501 ... work performed by a processor
502 ... work performed by a processor
503 ... personalized secret, denoted s
504 ... public modulus, denoted n
506 ... public exponent, denoted e
508 ... private-key-related exponent, denoted v
509 ... persistent memory holding the crypto-key triple
510 ... step
512 ... step
514 ... step
516 ... step
520 ... step
525 ... step
528 ... step
530 ... step
535 ... step
540 ... step
542 ... step
545 ... step
550 ... step
560 ... check whether the verified digital signature is valid
565 ... new personalized secret, denoted s'
570 ... step
575 ... step
580 ... step
585 ... step
590 ... step
595 ... step
601 ... work performed by the user workstation
602 ... work performed by the system workstation
603 ... passcode input, denoted PWD
605 ... user identifier
607 ... system identifier
608 ... persistent memory holding the crypto-key triple
610 ... step
615 ... step
620 ... step
625 ... step
630 ... step
640 ... step
641 ... step
642 ... step
643 ... step
644 ... step
645 ... step
646 ... step
651 ... work performed by a processor
652 ... work performed by a processor
660 ... step
662 ... check whether the verified digital signature is valid
665 ... step
670 ... step
675 ... user authentication database
680 ... step
685 ... step
690 ... step
695 ... step
801 ... work performed by the user workstation
802 ... work performed by the system workstation
803 ... system identifier
804 ... user identifier
810 ... step
815 ... step
820 ... step
825 ... user authentication database
830 ... step
835 ... step
840 ... step
845 ... step
850 ... step
852 ... step
855 ... step
860 ... step
865 ... step
900 ... collective authenticator
910 ... system identifier
920 ... crypto-key triple
922 ... public modulus, denoted n
924 ... public exponent, denoted e
926 ... private-key-related exponent, denoted v
930 ... user identifier
940 ... one record in the collective authenticator, containing a system identifier, a crypto-key triple and a user identifier
1001 ... work performed by the user workstation
1002 ... work performed by the system workstation
1003 ... passcode input, denoted PWD
1005 ... user identifier
1007 ... system identifier
1008 ... storage device holding the collective authenticator
1010 ... step
1012 ... step
1015 ... step
1020 ... step
1025 ... step
1040 ... step
1060 ... step
1062 ... check whether the verified digital signature is valid
1065 ... step
1070 ... step
1075 ... user authentication database
1080 ... step
1085 ... step
1090 ... step
1095 ... step

The drawings in this document are provided for a further understanding of this patent application and are incorporated in it as a part of it. In the drawings:
Figure 1 depicts the challenge-and-response procedure used in this patent application as the communication architecture between the user side and the system side: a user on the user side presents two authentication factors to request login to the system side, and the system side verifies them with a public key.
Figure 2 is a conceptual diagram showing the linking role of a public/private key pair, which links the two authentication factors on the user side with one piece of verification data on the system side; it further shows an update procedure that lets the user update the two authentication factors he holds while the system side's verification data remain unchanged.
Figure 3 depicts the procedure for generating the two authentication factors described in Figures 1 and 2; this procedure comes from the so-called first disclosure mentioned above.
Figure 4 depicts an update procedure for the two authentication factors produced by the procedure of Figure 3; it likewise comes from the first disclosure.
Figures 5-1 and 5-2 depict a variation of the update procedure of Figure 4.
Figure 6-1 is a flow chart of an example embodiment of the challenge-and-response procedure of Figure 1.
Figure 6-2 is a flow chart of a variation of one specific step of Figure 6-1 for the case where the user workstation uses an active processor and a passive processor.
Figure 7 depicts an example user public key contract, expressing the agreement between a user and a system side on the use of a public key; its purpose is to implement a business method that replaces the traditionally used public-key certificate.
Figure 8 depicts a public key connection check procedure, a reinforcing method for the business method of the public key contract of Figure 7.
Figure 9 depicts an example collective authenticator and its component elements, used for user authentication in a network environment with several systems.
Figure 10 depicts an example embodiment that uses the collective authenticator of Figure 9.


Claims (10)

1. A user authentication method based on asymmetric cryptography, comprising: when a user requests to log in to a computer system, providing a first input and a second input; when the provided first input matches a personalized secret and the provided second input matches a crypto-key authenticator, authorizing the user to log in to the computer system, where the crypto-key authenticator comprises a public modulus, a public exponent and a private-key-related exponent and is generated from the first input and two prime numbers; and changing the original personalized secret to a new secret and updating the private-key-related exponent without changing the public modulus or the public exponent.
2. The method of claim 1, wherein the personalized secret comprises a passcode chosen by the user.
3. The method of claim 1, further comprising: generating the public modulus, the public exponent and the private-key-related exponent in a crypto-key generation procedure using the personalized secret and two odd primes.
4. The method of claim 1, further using a challenge-and-response procedure to authorize login to the system.
5. The method of claim 4, wherein the challenge-and-response procedure comprises responding to a challenge sent from the computer system side with a digital signature produced using the first and second inputs.
6. The method of claim 5, further comprising verifying the digital signature on both the user side and the computer system side.
7. A user authentication method based on asymmetric cryptography, comprising: granting a login request by verifying a digital signature; and using a public key on a registration contract to overturn a digital signature that was wrongly verified as valid.
8. The method of claim 7, further comprising using the public key on the registration contract to resolve disputes about the validity of a digital signature.
9. The method of claim 7, further comprising a procedure for checking whether a correct public key is accessible on a computer system workstation.
10. The method of claim 9, wherein the public key checking procedure comprises: at a user workstation, sending a random message to the computer system workstation; at the computer system workstation, deriving a system-side symmetric cryptographic key from a system-side public key; at the computer system workstation, encrypting the random message with the system-side symmetric key as an encryption key to obtain a ciphertext; at the computer system workstation, sending the ciphertext to the user workstation; at the user workstation, deriving a user-side symmetric cryptographic key from a user-side public key; at the user workstation, decrypting the ciphertext with the user-side symmetric key as a decryption key; and at the user workstation, when the decryption result matches the original random message, determining that the system-side public key matches the user-side public key and is therefore correct.
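The public key check of claim 10 run end to end, as an added example that is not part of the patent: the system workstation derives a symmetric key from its copy of the public key and encrypts the user's random message, and the user workstation derives a key from its own copy, decrypts and compares. The key derivation (SHA-256 over a length-prefixed encoding of (n, e)) and the toy HMAC-counter stream cipher are assumptions of this example; the claim fixes neither, and the (n, e) values are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def symmetric_key_from_public_key(n: int, e: int) -> bytes:
    """Assumed derivation (claim 10 does not fix one): SHA-256 over a length-prefixed
    encoding of (n, e), so identical public keys give identical keys on both sides."""
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    blob = (len(n_bytes).to_bytes(4, "big") + n_bytes
            + len(e_bytes).to_bytes(4, "big") + e_bytes)
    return hashlib.sha256(blob).digest()


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher for this example only: an HMAC-SHA256 counter keystream XORed
    with the data, so one call both encrypts and decrypts. A real cipher belongs here."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        stream = hmac.new(key, block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], stream))
    return bytes(out)


def system_side(system_pubkey: tuple[int, int], random_message: bytes) -> bytes:
    """Computer system workstation: key from its copy of the public key, then the
    ciphertext of the user's random message, which is sent back."""
    k_sys = symmetric_key_from_public_key(*system_pubkey)
    return xor_keystream(k_sys, random_message)


def user_side_check(user_pubkey: tuple[int, int], random_message: bytes,
                    ciphertext: bytes) -> bool:
    """User workstation: key from its own copy of the public key, decrypt, compare."""
    k_user = symmetric_key_from_public_key(*user_pubkey)
    return xor_keystream(k_user, ciphertext) == random_message


def public_key_check(user_pubkey: tuple[int, int], system_pubkey: tuple[int, int]) -> bool:
    """The whole claim 10 exchange; True iff the two copies of the public key agree."""
    r = secrets.token_bytes(32)                  # user workstation: random message
    ct = system_side(system_pubkey, r)           # system workstation: ciphertext back
    return user_side_check(user_pubkey, r, ct)   # user workstation: decrypt and compare
```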
TW95143961A 2006-10-06 2006-11-28 Authentication based on asymmetric cryptography utilizing rsa with personalized secret TWI381696B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/543,875 US7958362B2 (en) 2005-10-11 2006-10-06 User authentication based on asymmetric cryptography utilizing RSA with personalized secret

Publications (2)

Publication Number Publication Date
TW200818835A TW200818835A (en) 2008-04-16
TWI381696B true TWI381696B (en) 2013-01-01


Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees