WO2011075906A1 - Method for implementing public key acquisition, certificate verification and authentication of an entity - Google Patents

Method for implementing public key acquisition, certificate verification and authentication of an entity

Info

Publication number
WO2011075906A1
Authority
WO
WIPO (PCT)
Prior art keywords
entity
public key
message
authentication
certificate
Prior art date
Application number
PCT/CN2009/076044
Other languages
English (en)
Chinese (zh)
Inventor
铁满霞
曹军
赖晓龙
黄振海
Original Assignee
西安西电捷通无线网络通信股份有限公司
Priority date
Filing date
Publication date
Application filed by 西安西电捷通无线网络通信股份有限公司
Priority to PCT/CN2009/076044
Publication of WO2011075906A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]

Definitions

  • The present invention relates to the field of network security technologies, and in particular to a method for implementing public key acquisition, certificate verification, and authentication of an entity.
  • Entity authentication, either one-way or two-way, between the user and the network must be completed before the user logs into the network for secure communication.
  • The authentication mechanisms used generally fall into two categories: those based on symmetric key algorithms and those based on public key (asymmetric key) algorithms.
  • An authentication mechanism based on public key algorithms and technology requires each participating entity to have a key pair, namely a public key and a private key, where the public key needs to be made known to the other participating entities.
  • The available notification methods are the out-of-band notification method and the certificate method.
  • The out-of-band notification method is rarely used because it is difficult to update, while the certificate method is widely used.
  • Entity authentication using public key certificates generally needs to be based on a public key infrastructure.
  • The public key infrastructure is a universal security infrastructure that implements and provides security services, such as authentication, integrity and confidentiality, by using the concepts and technologies of public keys.
  • Two important concepts in public key infrastructure are public key certificates and certificate authorities.
  • Public key certificates are usually issued by the certificate authority.
  • The signature in the public key certificate is provided by the certificate authority.
  • By providing a signature, the certificate authority attests to the binding relationship between the holder of the public key certificate and the holder's public key.
  • A public key certificate that has been attested by a certificate authority usually has a lifetime, and the certificate becomes invalid after the end of the lifetime. If the private key corresponding to the public key certificate is leaked, the public key certificate also becomes invalid. There are also other cases where the public key certificate is invalidated, such as a job change.
  • Entities participating in authentication in network communications typically refuse to establish secure communications with entities holding expired public key certificates, so public key acquisition and certificate verification typically surround and provide services for the entity authentication process.
  • The existing authentication mechanisms require a valid public key of the claimant, or knowledge of the claimant's public key certificate status, before or during operation. Otherwise, the authentication process may be compromised or cannot be completed successfully.
  • Entity A and entity B need to complete the authentication between them by performing an authentication protocol.
  • The trusted third party (TP) is a third-party entity trusted by entity A and entity B, and before authentication entity A and entity B must each obtain, through the trusted third party TP, the valid public key or the public key certificate status of the opposite entity.
  • CRL download: the certificate revocation list (CRL) is downloaded to obtain the status of the public key certificate, either as a full list download or as an incremental list download.
  • When an entity needs to verify the status of a public key certificate, it downloads the latest certificate revocation list from the server and then checks whether the public key certificate to be verified is in the latest CRL.
  • Online Certificate Status Protocol (OCSP)
  • OCSP involves a client and a server and is a typical client/server architecture. The client sends a request to the server and the server returns a response. The request contains a series of certificates that need to be verified. The response contains the status of the series of certificates and the full certificate interval.
  • The network structure of the access network is the ternary structure of user, access point, and server.
  • The entity authentication mechanism is usually used to implement the user access control function. Before the authentication mechanism completes successfully, the user is prohibited from accessing the network. Therefore, before authentication the user cannot use methods such as the certificate revocation list (CRL) or the Online Certificate Status Protocol (OCSP) to verify the validity of the access point certificate or to obtain a valid public key for the access point. The user can therefore only obtain the valid public key or public key certificate status of the access point afterwards, that is, after completing authentication and establishing network communication, as in IEEE 802.11i and the IEEE 802.16 Privacy Key Management (PKM) protocol. Whether the valid public key or public key certificate status of the opposite entity is obtained in advance or afterwards, obtaining it and performing authentication are split into two separate processes, which is not conducive to improving the efficiency of protocol execution and, in some application environments, even introduces insecure factors that affect the authenticity of the authentication.
  • It is also difficult for the user to use the certificate revocation list (CRL), the Online Certificate Status Protocol (OCSP), etc. during authentication.
  • The user equipment may have limited storage resources, or the user may be unwilling to store the certificate revocation list, which makes periodic CRL downloads impossible.
  • The access network may be subject to policy restrictions and similar problems.
  • If the user uses an online query mechanism such as the Online Certificate Status Protocol (OCSP), the user needs to execute OCSP or other separate protocols through a back-end server. These protocols often run over HTTP and are application-layer protocols, so using them directly before authentication of the access network has completed is very complicated. Even if they can be used, this has to be done through the user-server and access point-server structures, which does not conform to the user - access point - server structure and cannot be applied directly and conveniently.
  • The present invention solves the above technical problems in the background art and proposes a method for implementing public key acquisition, certificate verification and authentication of an entity.
  • The technical solution of the present invention is:
  • The present invention is a method for implementing public key acquisition, certificate verification and authentication of an entity, including:
  • Entity B sends message 2 to entity A; message 2 includes the random number R_B, the request ReqB and optional text
  • After receiving message 2, entity A sends message 3 to the trusted third party TP; message 3 includes the identity ID_A, the request ReqAT, and the optional text Text4;
  • The trusted third party determines the response RepTA and returns message 4 to entity A, which includes the response RepTA and the optional text Text5;
  • After receiving message 4 from the trusted third party TP, entity A returns message 5 to entity B; message 5 includes the token TokenAB and the response RepB;
  • After receiving message 5 from entity A, entity B processes it to obtain the authentication result for entity A.
  • After receiving message 3, the trusted third party TP determines the response RepTA by checking the validity of the public key certificate Cert_A according to the identity ID_A of entity A, or by searching for the valid public key of entity A through the entity identifier A.
  • The processing of message 5 by entity B includes:
  • Entity A sends message 1 to entity B; message 1 includes the random number R_A, the identity ID_A and the optional text Text1; entity B receives message 1.
  • Message 2 includes a token TokenBA, an identity ID_B, a request ReqB, and an optional text Text3.
  • The method by which the trusted third party TP determines the response RepTA includes: checking the validity of the public key certificates Cert_A and Cert_B according to the identities ID_A and ID_B of entity A and entity B;
  • The processing of message 4 by entity A includes the following steps:
  • The processing of message 5 by entity B includes the following steps:
  • The response RepB is verified according to the public key authentication protocol or distribution protocol used, and if the verification passes, the public key or public key certificate status of entity A is obtained and the signature of entity A included in the token TokenAB is verified. Then it is checked whether the identity ID_B included in the signed data of the token TokenAB is consistent with the identity of entity B, and whether the random number R_B sent to entity A in step 1) is identical to the random number R_B included in the token TokenAB, which yields the authentication result for entity A.
  • ReqB and ReqAT are requests generated by entity B and entity A respectively, requesting the valid public key or the public key certificate status of the opposite entity; RepTA and RepB are the responses generated for the requests ReqAT and ReqB respectively.
  • The form and definition of ReqB, ReqAT, RepTA, and RepB are determined according to the public key authentication protocol or distribution protocol specifically used, which is a certificate status protocol or a server-based certificate verification protocol.
  • ReqAT is equal to ReqB, and RepTA is equal to RepB.
  • ReqAT contains the content of ReqB.
  • RepTA contains the content of RepB.
  • The present invention employs a three-entity framework.
  • Before authentication, entity A and entity B need to obtain the public key or certificate of the trusted third party, and either obtain a user certificate issued to them by the trusted third party or hand their public keys to the trusted third party for safekeeping, without needing to know in advance the valid public key or public key certificate status of the opposite entity.
  • The invention integrates the entity's public key acquisition, certificate verification and authentication functions in one protocol, which helps improve the efficiency and effect of protocol execution and makes it easy to combine with various public key acquisition and public key certificate status query protocols.
  • The method suits the user - access point - server network structure of the access network and meets the authentication requirements of the access network.
  • FIG. 1 is a schematic diagram of the operation of the authentication mechanism in the prior art.
  • FIG. 2 is a schematic diagram of a method according to Embodiment 1 of the present invention.
  • FIG. 3 is a schematic diagram of a method according to Embodiment 2 of the present invention.
  • FIG. 4 is a schematic diagram of a method according to Embodiment 3 of the present invention.
  • The method of the invention involves three security elements, namely two entities A and B and a trusted third party TP. Through the online trusted third party TP, entities A and B complete authentication and obtain the valid public key or public key certificate status of the peer entity.
  • Entity A or B is represented by entity X. R_X denotes a random number generated by entity X; Cert_X is the public key certificate of entity X; ID_X is the identity of entity X, represented by the certificate Cert_X or the entity identifier X; ReqX denotes the request generated by entity X, requesting the valid public key or public key certificate status of the opposite entity; ReqXT denotes the request generated by entity X or forwarded to the trusted third party TP; RepX denotes the response sent to entity X for ReqX, that is, information such as the valid public key or public key certificate status of the entity requested by entity X; RepTX denotes the response generated by the trusted third party TP for ReqXT; Token is the token field; Text is the optional text field.
  • ID_A = A or Cert_A
  • ID_B = B or Cert_B
  • ReqB, ReqAT, RepTA, and RepB are determined according to the specific public key authentication protocol or distribution protocol.
  • These online public key authentication protocols or distribution protocols include certificate status protocols (see GB/T 19713), server-based certificate verification protocols (see IETF RFC 5055), and other public key distribution or verification protocols.
  • Entity A sends message 1 to entity B; message 1 includes the random number R_A, the identity ID_A and the optional text Text1;
  • After receiving message 2, entity A sends message 3 to the trusted third party TP.
  • Message 3 includes the request ReqAT and the optional text Text4, where ReqAT needs to contain the content of ReqB; the request ReqAT indicates that entity B requests information such as the valid public key or public key certificate status of entity A, and that entity A requests information such as the valid public key or public key certificate status of entity B;
  • After receiving message 3, the trusted third party TP checks the validity of the public key certificates Cert_A and Cert_B according to the identities ID_A and ID_B of entity A and entity B, or searches for the valid public keys of entity A and entity B through the entity identifiers A and B, and determines the response RepTA, where RepTA needs to include the content of RepB and indicates information such as the valid public key or public key certificate status of entity A and of entity B as determined by the trusted third party TP; then step 5) is performed;
  • After entity A receives message 4 from the trusted third party TP, the following steps are completed: 6.1) verify the response RepTA according to the public key authentication protocol or distribution protocol used, and if the verification passes, proceed to step 6.2);
  • Verify the response RepB according to the public key authentication protocol or distribution protocol used; if the verification passes, proceed to step 8.2);
  • Steps 7) and 8) may be omitted on the basis of the two-way authentication process, and some fields in messages 1 through 5 may also be omitted.
  • Step 1) may be omitted on the basis of the two-way authentication process, and some fields in message 2 to message 5 may also be omitted; the specific working process is as follows:
  • Entity B sends message 2 to entity A; message 2 includes the random number R_B, the request ReqB and the optional text Text3, where the request ReqB indicates that entity B requests information such as the valid public key or public key certificate status of the peer entity, that is, entity A.
  • After receiving message 2, entity A sends message 3 to the trusted third party TP; message 3 includes the identity ID_A, the request ReqAT, and the optional text Text4, where ReqAT is equal to ReqB and indicates that entity B requests information such as the valid public key or public key certificate status of entity A;
  • After receiving message 3, the trusted third party TP checks the validity of the public key certificate Cert_A according to the identity ID_A of entity A, or searches for the valid public key of entity A through the entity identifier A, and determines the response RepTA, where RepTA is equal to RepB, and RepB is information indicating the valid public key or public key certificate status of entity A as determined by the trusted third party TP; then step 5) is performed;
  • Verify the response RepB according to the public key authentication protocol or distribution protocol used; if the verification passes, proceed to step 8.2);
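
The one-way authentication flow described above (messages 2 to 5, with entity B's checks on RepB, A's signature, ID_B and R_B), as an added Go example that is not part of the patent text. Ed25519 stands in for the unspecified signature scheme, and the type and function names, the signed byte layouts, the constructed identities "A" and "B", and the echo of R_B inside RepTA are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Rep models RepTA (= RepB here); echoing R_B in it is an assumption for freshness.
type Rep struct {
	ID      string
	Key     ed25519.PublicKey
	Valid   bool
	RB, Sig []byte
}

// Token models TokenAB: entity A's signature over R_B and ID_B.
type Token struct {
	IDB     string
	RB, Sig []byte
}

// TP is the online trusted third party holding each entity's key and status.
type TP struct {
	priv    ed25519.PrivateKey
	keys    map[string]ed25519.PublicKey
	revoked map[string]bool
}

// Byte layouts that get signed; illustrative, not taken from the patent.
func repData(r Rep) []byte {
	return []byte(fmt.Sprintf("rep|%q|%x|%t|%x", r.ID, r.Key, r.Valid, r.RB))
}
func tokData(rb []byte, idB string) []byte { return []byte(fmt.Sprintf("tok|%x|%q", rb, idB)) }

// Respond handles message 3 (ID_A, ReqAT) and returns RepTA for message 4.
func (tp *TP) Respond(idA string, rb []byte) Rep {
	key, known := tp.keys[idA]
	r := Rep{ID: idA, Key: key, Valid: known && !tp.revoked[idA], RB: rb}
	r.Sig = ed25519.Sign(tp.priv, repData(r))
	return r
}

// MakeToken is entity A building TokenAB for message 5.
func MakeToken(privA ed25519.PrivateKey, rb []byte, idB string) Token {
	return Token{RB: rb, IDB: idB, Sig: ed25519.Sign(privA, tokData(rb, idB))}
}

// VerifyMsg5 is entity B's processing of message 5: RepB, A's signature, ID_B, R_B.
func VerifyMsg5(tpPub ed25519.PublicKey, idB string, rb []byte, rep Rep, tok Token) error {
	if !ed25519.Verify(tpPub, repData(rep), rep.Sig) {
		return errors.New("RepB: bad TP signature")
	}
	if !rep.Valid || !bytes.Equal(rep.RB, rb) {
		return errors.New("RepB: key not valid or response not fresh")
	}
	if !ed25519.Verify(rep.Key, tokData(tok.RB, tok.IDB), tok.Sig) {
		return errors.New("TokenAB: bad signature")
	}
	if tok.IDB != idB || !bytes.Equal(tok.RB, rb) {
		return errors.New("TokenAB: wrong ID_B or stale R_B")
	}
	return nil
}

// NewNonce returns a fresh random number R_B.
func NewNonce() []byte { b := make([]byte, 16); rand.Read(b); return b }

// Setup builds a TP that knows entity "A" (constructed identity and keys).
func Setup() (*TP, ed25519.PublicKey, ed25519.PrivateKey) {
	tpPub, tpPriv, _ := ed25519.GenerateKey(rand.Reader)
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	return &TP{tpPriv, map[string]ed25519.PublicKey{"A": aPub}, map[string]bool{}}, tpPub, aPriv
}

func main() {
	tp, tpPub, aPriv := Setup()
	rb := NewNonce()                                           // message 2: B -> A
	rep, tok := tp.Respond("A", rb), MakeToken(aPriv, rb, "B") // messages 3 to 5
	fmt.Println("honest run:", VerifyMsg5(tpPub, "B", rb, rep, tok))
	fmt.Println("replay under a new R_B:", VerifyMsg5(tpPub, "B", NewNonce(), rep, tok))
}
```

Because the status check and the token check happen in the same call, entity B never accepts a signature from a key the TP has not vouched for in this run.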

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a method for implementing public key acquisition, certificate verification and authentication of an entity. The method adopts a three-entity structure. Before authentication, entity A and entity B need to obtain the public key or certificate of a trusted third party, and either obtain user certificates issued to them by the trusted third party or hand their public keys to the trusted third party for safekeeping, without knowing in advance the valid public key or the public key certificate status of the opposite entity. The method merges the functions of public key acquisition, certificate verification and entity authentication into a single protocol, which helps improve the execution efficiency and effect of the protocol and makes it easy to combine with various public key acquisition and public key certificate status query protocols. The method suits the "user - access point - server" network structure of the access network and meets the authentication requirements of the access network.
PCT/CN2009/076044 2009-12-25 2009-12-25 Method for implementing public key acquisition, certificate verification and authentication of an entity WO2011075906A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2009/076044 WO2011075906A1 (fr) 2009-12-25 2009-12-25 Method for implementing public key acquisition, certificate verification and authentication of an entity

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2009/076044 WO2011075906A1 (fr) 2009-12-25 2009-12-25 Method for implementing public key acquisition, certificate verification and authentication of an entity

Publications (1)

Publication Number Publication Date
WO2011075906A1 2011-06-30

Family

ID=44194922

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/076044 WO2011075906A1 (fr) 2009-12-25 2009-12-25 Method for implementing public key acquisition, certificate verification and authentication of an entity

Country Status (1)

Country Link
WO (1) WO2011075906A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
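CN101145910A (zh) * 2007-10-23 2008-03-19 西安西电捷通无线网络通信有限公司 Entity bidirectional authentication method based on a trusted third party, and system thereof
CN101364875A (zh) * 2008-09-12 2009-02-11 西安西电捷通无线网络通信有限公司 Method for implementing public key acquisition, certificate verification and bidirectional authentication of entities
CN101364876A (zh) * 2008-09-12 2009-02-11 西安西电捷通无线网络通信有限公司 Method for implementing public key acquisition, certificate verification and authentication of entities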

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09852456

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09852456

Country of ref document: EP

Kind code of ref document: A1