WO2017059743A1 - Multi-ttp-based method and device for verifying validity of identity of entity - Google Patents


Info

Publication number
WO2017059743A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
entity
trusted
ttp
signature
Prior art date
Application number
PCT/CN2016/096341
Other languages
French (fr)
Chinese (zh)
Inventor
杜志强
张变玲
李琴
颜湘
张国强
Original Assignee
西安西电捷通无线网络通信股份有限公司
Priority date
Filing date
Publication date
Application filed by 西安西电捷通无线网络通信股份有限公司
Publication of WO2017059743A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H04L9/3213 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Definitions

  • the invention relates to an entity identity validity verification method and device, in particular to an entity identity validity verification method and device with multiple trusted third parties participating.
  • the specific identity validity verification environment is an environment that authenticates each other's identity validity between entities that trust different trusted third-party TTPs, and at the same time requires a trusted third party to participate and provide authentication. In this way, an entity identity validity verification method is needed to solve the above problem.
  • the present invention provides a method for verifying the validity of an entity identity including two TTPs, and provides a service for entity B to verify the identity validity of entity A.
  • a multi-TTP participation entity identity validity verification method involves entity A, entity B, trusted third party TTP A and trusted third party TTP B; the identity validity of entity A can be verified by TTP A, the identity validity of entity B can be verified by TTP B, entity A trusts TTP A, and entity B trusts TTP B; the method is characterized in that it comprises the following steps:
  • 1) entity B sends message 1 to entity A; message 1 includes the random number R B generated by entity B;
  • 2) after receiving message 1, entity A sends message 2 to the trusted third party TTP A; message 2 includes the identity information I A of entity A, the random number R A generated by entity A, and the random number R B of entity B;
  • 3) after receiving message 2 from entity A, TTP A verifies the identity of entity A according to I A and sends message 3 to the trusted third party TTP B; message 3 includes Res A, the random number R TPA generated by TTP A, and the token TokenTPAB, where Res A is the verification result of TTP A for entity A, TokenTPAB contains the signature of TTP A, and the signed object of the signature of TTP A includes Res A and R B;
  • 4) after receiving message 3 from TTP A, TTP B verifies the signature of TTP A in TokenTPAB; after the verification passes, TTP B returns message 4 to TTP A; message 4 includes R TPA and the token TokenTPBA, where TokenTPBA contains the signature of TTP B, and the signed object of the signature of TTP B includes Res A and R B;
  • 5) after receiving message 4 from TTP B, TTP A verifies the signature of TTP B contained in TokenTPBA; after the verification passes, TTP A checks whether the R TPA obtained from message 4 is consistent with the random number R TPA that it sent to TTP B in message 3; if they are consistent, TTP A constructs message 5 and sends it to entity A; message 5 includes the token TokenTA, where TokenTA contains the signature of TTP B;
  • 6) after receiving message 5, entity A constructs message 6 and sends it to entity B; message 6 includes TokenTA;
  • 7) after receiving message 6, entity B verifies the signature of TTP B; after the verification passes, entity B checks whether the R B obtained from message 6 is consistent with the random number R B that it sent to entity A in message 1, and determines the validity of the identity of entity A according to the verification result Res A.
  • the first entity identity validity verification device includes a storage unit, a transceiver unit, and a processing unit, wherein:
  • the processing unit is configured to generate a random number R A;
  • the storage unit is configured to store the identity information I A of the first entity identity validity verification device;
  • the transceiver unit is configured to receive message 1 sent by the second entity identity validity verification device and to send message 2 to the first trusted third party device, where message 1 includes the random number R B generated by the second entity identity validity verification device, and message 2 includes I A, R A and R B;
  • the transceiver unit is further configured to receive message 5 sent by the first trusted third party device and to send message 6 to the second entity identity validity verification device, where message 5 includes the token TokenTA, TokenTA contains the signature of the second trusted third party device, the signed object of the signature of the second trusted third party device includes Res A and R B, Res A is the verification result of the first trusted third party device for the first entity identity validity verification device, and message 6 includes TokenTA;
  • the processing unit is further configured to construct message 6.
  • the second entity identity validity verification device comprises a transceiver unit and a processing unit, wherein:
  • the processing unit is configured to generate a random number R B;
  • the transceiver unit is configured to send message 1 and to receive message 6 sent by the first entity identity validity verification device, where message 1 includes R B, message 6 includes the token TokenTA, TokenTA contains the signature of the second trusted third party device, the signed object of the signature of the second trusted third party device includes Res A and R B, and Res A is the verification result of the first trusted third party device for the first entity identity validity verification device;
  • the processing unit is further configured to verify the signature of the second trusted third party device, check whether the R B obtained from message 6 is consistent with the random number R B that it sent to the first entity identity validity verification device in message 1, and determine the validity of the identity of the first entity identity validity verification device according to the verification result Res A.
  • the first trusted third party device comprises a transceiver unit and a processing unit, wherein:
  • the transceiver unit is configured to receive message 2 sent by the first entity identity validity verification device, where message 2 includes the identity information I A of the first entity identity validity verification device, the random number R A generated by the first entity identity validity verification device, and the random number R B generated by the second entity identity validity verification device;
  • the processing unit is configured to verify the identity of the first entity identity validity verification device according to I A;
  • the transceiver unit is further configured to send message 3 to the second trusted third party device, where message 3 includes Res A, the random number R TPA generated by the first trusted third party device, and the token TokenTPAB, Res A is the verification result of the first trusted third party device for the first entity identity validity verification device, TokenTPAB contains the signature of the first trusted third party device, and the signed object of the signature of the first trusted third party device includes Res A and R B;
  • the transceiver unit is further configured to receive message 4 sent by the second trusted third party device, where message 4 includes R TPA and the token TokenTPBA, TokenTPBA contains the signature of the second trusted third party device, and the signed object of the signature of the second trusted third party device includes Res A and R B;
  • the processing unit is further configured to verify the signature of the second trusted third party device contained in TokenTPBA, check whether the R TPA obtained from message 4 is consistent with the random number R TPA sent to the second trusted third party device in message 3, and construct message 5, where message 5 includes the token TokenTA and TokenTA contains the signature of the second trusted third party device;
  • the transceiver unit is further configured to send message 5 to the first entity identity validity verification device.
  • the second trusted third party device comprises a transceiver unit and a processing unit, wherein:
  • the transceiver unit is configured to receive message 3 sent by the first trusted third party device, where message 3 includes Res A, the random number R TPA generated by the first trusted third party device, and the token TokenTPAB, Res A is the verification result of the first trusted third party device for the first entity identity validity verification device, TokenTPAB contains the signature of the first trusted third party device, the signed object of the signature of the first trusted third party device includes Res A and R B, and R B is the random number generated by the second entity identity validity verification device;
  • the processing unit is configured to verify the signature of the first trusted third party device in TokenTPAB;
  • the transceiver unit is further configured to return message 4 to the first trusted third party device, where message 4 includes R TPA and the token TokenTPBA, TokenTPBA contains the signature of the second trusted third party device, and the signed object of the signature of the second trusted third party device includes Res A and R B.
  • in the invention, the identity validity of each of the two entities performing mutual identity validity verification can only be verified by a different trusted third party TTP.
  • through the interaction between the TTPs trusted by the two entities, a verification service is provided by which one entity completes the identity validity verification of the other. The invention thus solves the problem of identity validity verification when the entities trust different TTPs respectively.
  • FIG. 1 is a schematic diagram of a preferred embodiment of a multi-TTP entity identity validity verification method according to the present invention.
  • FIG. 2 is a schematic diagram of a first entity identity validity verification apparatus according to the present invention.
  • FIG. 3 is a schematic diagram of a second entity identity validity verification apparatus according to the present invention.
  • FIG. 4 is a schematic diagram of a first trusted third party device of the present invention.
  • FIG. 5 is a schematic diagram of a second trusted third party device of the present invention.
  • Entities involved in the method of the present invention include entities A and B, trusted third parties TTP A and TTP B .
  • the identity validity of entity A can be verified by TTP A
  • the identity validity of entity B can be verified by TTP B
  • Entity A trusts TTP A
  • Entity B trusts TTP B
  • the connection relationship between the entities and the TTPs is: entity B connects only to entity A; entity A connects to entity B and to trusted third party TTP A; trusted third party TTP A connects to both entity A and trusted third party TTP B; and trusted third party TTP B connects only to trusted third party TTP A.
  • the multi-TTP participation entity identity validity verification method involves entity A, entity B, trusted third party TTP A and trusted third party TTP B; the identity validity of entity A can be verified by TTP A, the identity validity of entity B can be verified by TTP B, entity A trusts TTP A, and entity B trusts TTP B; the method is characterized in that it comprises the following steps:
  • 1) entity B sends message 1 to entity A; message 1 includes the random number R B generated by entity B;
  • 2) after receiving message 1, entity A sends message 2 to the trusted third party TTP A; message 2 includes the identity information I A of entity A, the random number R A generated by entity A, and the random number R B of entity B;
  • 3) after receiving message 2 from entity A, TTP A verifies the identity of entity A according to I A and sends message 3 to the trusted third party TTP B; message 3 includes Res A, the random number R TPA generated by TTP A, and the token TokenTPAB, where Res A is the verification result of TTP A for entity A, TokenTPAB contains the signature of TTP A, and the signed object of the signature of TTP A includes Res A and R B;
  • 4) after receiving message 3 from TTP A, TTP B verifies the signature of TTP A in TokenTPAB; after the verification passes, TTP B returns message 4 to TTP A; message 4 includes R TPA and the token TokenTPBA, where TokenTPBA contains the signature of TTP B, and the signed object of the signature of TTP B includes Res A and R B;
  • 5) after receiving message 4 from TTP B, TTP A verifies the signature of TTP B contained in TokenTPBA; after the verification passes, TTP A checks whether the R TPA obtained from message 4 is consistent with the random number R TPA that it sent to TTP B in message 3; if they are consistent, TTP A constructs message 5 and sends it to entity A; message 5 includes the token TokenTA, where TokenTA contains the signature of TTP B;
  • 6) after receiving message 5, entity A constructs message 6 and sends it to entity B; message 6 includes TokenTA;
  • 7) after receiving message 6, entity B verifies the signature of TTP B; after the verification passes, entity B checks whether the R B obtained from message 6 is consistent with the random number R B that it sent to entity A in message 1, and determines the validity of the identity of entity A according to the verification result Res A.
  • entity B has thus completed the verification of the validity of the identity of entity A.
  • TTP A receiving message 2 sent by entity A and verifying the identity of entity A according to I A comprises:
  • TTP A extracts the public key P A of entity A, and in this case Res A includes P A;
  • Res A includes content indicating that the verification failed.
  • TTP A need not generate the random number R TPA; instead, the random number R A generated by entity A and sent to TTP A may be used directly in message 3 in place of R TPA, and R A is then also used in place of R TPA in the subsequent step 4) and step 5).
  • in this way TTP A does not have to generate a random number, which does not affect security but reduces the computational load of TTP A and thereby improves the efficiency of the system.
  • in step 5), when the signature verification fails or the random number is determined to be inconsistent, the corresponding message may be discarded or the identity validity verification process may be terminated.
  • digital signature algorithms include algorithms with message recovery and algorithms without message recovery. If the target field can be recovered when the signature is verified, the verifier can recover the target field directly from the signature once the signature verification passes; if the target field cannot be recovered when the signature is verified, those skilled in the art will usually carry the target field in the message, so that the verifier can obtain the target field directly from the message.
  • in step 5), if the target field R TPA can be recovered when TTP A verifies the signature, TTP A can recover R TPA directly from the signature after verifying the signature of TTP B; if R TPA cannot be recovered when TTP A verifies the signature, R TPA needs to be carried directly in message 4, and TTP A obtains R TPA directly from message 4.
  • the present invention further provides a first entity identity validity verification apparatus, which performs identity validity verification with the second entity identity validity verification device with the participation of the first trusted third party device and the second trusted third party device, where the first entity identity validity verification device includes a storage unit 11, a transceiver unit 12, and a processing unit 13, wherein:
  • the processing unit 13 is configured to generate a random number R A;
  • the storage unit 11 is configured to store the identity information I A of the first entity identity validity verification device;
  • the transceiver unit 12 is configured to receive message 1 sent by the second entity identity validity verification device and to send message 2 to the first trusted third party device, where message 1 includes the random number R B generated by the second entity identity validity verification device, and message 2 includes I A, R A and R B;
  • the transceiver unit 12 is further configured to receive message 5 sent by the first trusted third party device and to send message 6 to the second entity identity validity verification device, where message 5 includes the token TokenTA, TokenTA contains the signature of the second trusted third party device, the signed object of the signature of the second trusted third party device includes Res A and R B, Res A is the verification result of the first trusted third party device for the first entity identity validity verification device, and message 6 includes TokenTA;
  • the processing unit 13 is further configured to construct message 6.
  • the present invention further provides a second entity identity validity verification apparatus, which performs identity validity verification with the first entity identity validity verification device with the participation of the first trusted third party device and the second trusted third party device, where the second entity identity validity verification device includes a transceiver unit 21 and a processing unit 22, wherein:
  • the processing unit 22 is configured to generate a random number R B;
  • the transceiver unit 21 is configured to send message 1 and to receive message 6 sent by the first entity identity validity verification device, where message 1 includes R B, message 6 includes the token TokenTA, TokenTA contains the signature of the second trusted third party device, the signed object of the signature of the second trusted third party device includes Res A and R B, and Res A is the verification result of the first trusted third party device for the first entity identity validity verification device;
  • the processing unit 22 is further configured to verify the signature of the second trusted third party device, check whether the R B obtained from message 6 is consistent with the random number R B that it sent to the first entity identity validity verification device in message 1, and determine the validity of the identity of the first entity identity validity verification device according to the verification result Res A.
  • the present invention further provides a first trusted third party device, which participates together with the second trusted third party device in the identity validity verification between the first entity identity validity verification device and the second entity identity validity verification device, the first trusted third party device comprising a transceiver unit 31 and a processing unit 32, characterized in that:
  • the transceiver unit 31 is configured to receive message 2 sent by the first entity identity validity verification device, where message 2 includes the identity information I A of the first entity identity validity verification device, the random number R A generated by the first entity identity validity verification device, and the random number R B generated by the second entity identity validity verification device;
  • the processing unit 32 is configured to verify the identity of the first entity identity validity verification device according to I A;
  • the transceiver unit 31 is further configured to send message 3 to the second trusted third party device, where message 3 includes Res A, the random number R TPA generated by the first trusted third party device, and the token TokenTPAB, Res A is the verification result of the first trusted third party device for the first entity identity validity verification device, TokenTPAB contains the signature of the first trusted third party device, and the signed object of the signature of the first trusted third party device includes Res A and R B;
  • the transceiver unit 31 is further configured to receive message 4 sent by the second trusted third party device, where message 4 includes R TPA and the token TokenTPBA, TokenTPBA contains the signature of the second trusted third party device, and the signed object of the signature of the second trusted third party device includes Res A and R B;
  • the processing unit 32 is further configured to verify the signature of the second trusted third party device contained in TokenTPBA, check whether the R TPA obtained from message 4 is consistent with the random number R TPA sent to the second trusted third party device in message 3, and construct message 5, where message 5 includes the token TokenTA and TokenTA contains the signature of the second trusted third party device;
  • the transceiver unit 31 is further configured to send message 5 to the first entity identity validity verification device.
  • when the first trusted third party TTP A receives message 2 sent by the first entity identity validity verification device and verifies the identity of the first entity identity validity verification device according to I A:
  • I A is an identifier of the first entity identity validity verification device
  • the processing unit 32 is further configured to extract the public key P A of the first entity identity validity verification device
  • the processing unit 32 is further configured to check the validity of Cert A.
  • the present invention further provides a second trusted third party device, which participates together with the first trusted third party device in the identity validity verification between the first entity identity validity verification device and the second entity identity validity verification device, the second trusted third party device comprising a transceiver unit 41 and a processing unit 42, characterized in that:
  • the transceiver unit 41 is configured to receive message 3 sent by the first trusted third party device, where message 3 includes Res A, the random number R TPA generated by the first trusted third party device, and the token TokenTPAB, Res A is the verification result of the first trusted third party device for the first entity identity validity verification device, TokenTPAB contains the signature of the first trusted third party device, the signed object of the signature of the first trusted third party device includes Res A and R B, and R B is the random number generated by the second entity identity validity verification device;
  • the processing unit 42 is configured to verify the signature of the first trusted third party device in TokenTPAB;
  • the transceiver unit 41 is further configured to return message 4 to the first trusted third party device, where message 4 includes R TPA and the token TokenTPBA, TokenTPBA contains the signature of the second trusted third party device, and the signed object of the signature of the second trusted third party device includes Res A and R B.
  • the foregoing apparatus corresponds to each entity in the method embodiment of the present invention.
  • the first entity identity validity verification apparatus includes an entity A
  • the second entity identity validity verification apparatus includes Entity B
  • the first trusted third party device includes a trusted third party TTP A
  • the second trusted third party device includes a trusted third party TTP B .
  • a system made up of the above described apparatus, arranged in accordance with Figure 1, is capable of implementing the method of the present invention. It should be understood by those skilled in the art that the specific configuration of each device has been demonstrated by the foregoing device embodiments, and that further working details correspond to the foregoing method embodiments and need not be described again.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device;
  • the instruction device implements the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.
  • these computer program instructions can also be loaded onto a computer or other programmable data processing device such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing;
  • the instructions executed on the computer or other programmable device thereby provide steps for implementing the functions specified in one or more flows of a flowchart and/or one or more blocks of a block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a multi-TTP-based method and device for verifying whether the identity of an entity is valid. The method comprises: transmitting, by an entity B, a message 1 to an entity A; after receiving the message 1, transmitting, by the entity A, a message 2 to a trusted third party (TTPA); after receiving the message 2, verifying, by the TTPA, whether the identity of the entity A is valid, and transmitting a message 3 to the TTPB; after receiving the message 3, verifying, by the TTPB, a first signature of the TTPA in the message 3, and transmitting a message 4 to the TTPA; after receiving the message 4, verifying, by the TTPA, a first signature of the TTPB in the message 4, and transmitting a message 5 to the entity A; after receiving the message 5, configuring, by the entity A, a message 6 and transmitting the message 6 to the entity B; and after receiving the message 6, verifying, by the entity B, whether the identity of the entity A is valid. The invention realizes verification of validity of the identity of entities trusting different trusted third parties, respectively.

Description

一种多TTP参与的实体身份有效性验证方法及装置Method and device for verifying entity identity validity with multiple TTP participation
This application claims priority to Chinese Patent Application No. 201510654784.4, entitled "A Multi-TTP-Participating Entity Identity Validity Verification Method and Apparatus", filed with the Chinese Patent Office on October 10, 2015, the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to an entity identity validity verification method and device, and in particular to an entity identity validity verification method and device in which multiple trusted third parties participate.
Background art
Among the methods for verifying identity validity between entities, one class requires a trusted third party (TTP) to participate and provide verification services. In this class of methods there is a single TTP trusted by both parties to the identity validity verification; it provides verification services to both parties and feeds the verification result back to the two participating entities, thereby helping the entities verify the validity of each other's identities. Such methods, however, do not guide a person skilled in the art in completing identity validity verification in certain specific environments, for example an environment in which entities that trust different TTPs need to verify each other's identity validity while still requiring trusted third parties to participate and provide the verification. An entity identity validity verification method is therefore needed to solve this problem.
Summary of the invention
To solve the problem noted in the background art, the present invention provides an entity identity validity verification method in which two TTPs participate, providing a service for entity B to verify the identity validity of entity A.
An entity identity validity verification method with multiple TTPs participating involves an entity A, an entity B, a trusted third party TTPA and a trusted third party TTPB, where the identity validity of entity A can be verified by TTPA, the identity validity of entity B can be verified by TTPB, entity A trusts TTPA and entity B trusts TTPB, and the method comprises the following steps:
1) Entity B sends message 1 to entity A; message 1 includes a random number RB generated by entity B;
2) After receiving message 1, entity A sends message 2 to the trusted third party TTPA; message 2 includes the identity information IA of entity A, a random number RA generated by entity A, and the random number RB of entity B;
3) After receiving message 2 from entity A, the trusted third party TTPA verifies the identity of entity A according to IA and sends message 3 to the trusted third party TTPB; message 3 includes ResA, a random number RTPA generated by TTPA, and a token TokenTPAB, where ResA is the verification result of TTPA for entity A, TokenTPAB contains the signature of TTPA, and the signature object of the signature of TTPA includes ResA and RB;
4) After receiving message 3 from TTPA, TTPB verifies the signature of TTPA in TokenTPAB and, if the verification passes, returns message 4 to TTPA; message 4 includes RTPA and a token TokenTPBA, where TokenTPBA contains the signature of TTPB, and the signature object of the signature of TTPB includes ResA and RB;
5) After receiving message 4 from TTPB, TTPA verifies the signature of TTPB contained in TokenTPBA and, if the verification passes, checks whether the RTPA obtained from message 4 is consistent with the random number RTPA it sent to TTPB in message 3; if they are consistent, TTPA constructs message 5 and sends it to entity A; message 5 includes a token TokenTA, where TokenTA contains the signature of TTPB;
6) After receiving message 5 from TTPA, entity A constructs message 6 and sends it to entity B; message 6 includes TokenTA;
7) After receiving message 6, entity B verifies the signature of TTPB and, if the verification passes, checks whether the RB obtained from message 6 is consistent with the random number RB it sent to entity A in message 1; if they are consistent, entity B judges the validity of the identity of entity A according to the verification result ResA.
A first entity identity validity verification device, configured to perform identity validity verification with a second entity identity validity verification device with the participation of a first trusted third party device and a second trusted third party device, the first entity identity validity verification device comprising a storage unit, a transceiver unit and a processing unit, wherein:
the processing unit is configured to generate a random number RA;
the storage unit is configured to store the identity information IA of the first entity identity validity verification device;
the transceiver unit is configured to receive message 1 sent by the second entity identity validity verification device and to send message 2 to the first trusted third party device, where message 1 includes a random number RB generated by the second entity identity validity verification device and message 2 includes IA, RA and RB;
the transceiver unit is further configured to receive message 5 sent by the first trusted third party device and to send message 6 to the second entity identity validity verification device, where message 5 includes a token TokenTA, TokenTA contains the signature of the second trusted third party device, the signature object of the signature of the second trusted third party device includes ResA and RB, ResA is the verification result of the first trusted third party device for the first entity identity validity verification device, and message 6 includes TokenTA;
the processing unit is further configured to construct message 6.
A second entity identity validity verification device, configured to perform identity validity verification with a first entity identity validity verification device with the participation of a first trusted third party device and a second trusted third party device, the second entity identity validity verification device comprising a transceiver unit and a processing unit, wherein:
the processing unit is configured to generate a random number RB;
the transceiver unit is configured to send message 1 and to receive message 6 sent by the first entity identity validity verification device, where message 1 includes RB and message 6 includes a token TokenTA, TokenTA contains the signature of the second trusted third party device, the signature object of the signature of the second trusted third party device includes ResA and RB, and ResA is the verification result of the first trusted third party device for the first entity identity validity verification device;
the processing unit is further configured to verify the signature of the second trusted third party device, to check whether the RB obtained from message 6 is consistent with the random number RB it sent to the first entity identity validity verification device in message 1, and to judge the validity of the identity of the first entity identity validity verification device according to the verification result ResA.
A first trusted third party device, configured to participate, together with a second trusted third party device, in identity validity verification between a first entity identity validity verification device and a second entity identity validity verification device, the first trusted third party device comprising a transceiver unit and a processing unit, wherein:
the transceiver unit is configured to receive message 2 sent by the first entity identity validity verification device, where message 2 includes the identity information IA of the first entity identity validity verification device, a random number RA generated by the first entity identity validity verification device, and a random number RB generated by the second entity identity validity verification device;
the processing unit is configured to verify the identity of the first entity identity validity verification device according to IA;
the transceiver unit is further configured to send message 3 to the second trusted third party device, where message 3 includes ResA, a random number RTPA generated by the first trusted third party device, and a token TokenTPAB, ResA is the verification result of the first trusted third party device for the first entity identity validity verification device, TokenTPAB contains the signature of the first trusted third party device, and the signature object of the signature of the first trusted third party device includes ResA and RB;
the transceiver unit is further configured to receive message 4 sent by the second trusted third party device, where message 4 includes RTPA and a token TokenTPBA, TokenTPBA contains the signature of the second trusted third party device, and the signature object of the signature of the second trusted third party device includes ResA and RB;
the processing unit is further configured to verify the signature of the second trusted third party device contained in TokenTPBA, to check whether the RTPA obtained from message 4 is consistent with the random number RTPA it sent to the second trusted third party device in message 3, and to construct message 5, where message 5 includes a token TokenTA and TokenTA contains the signature of the second trusted third party device;
the transceiver unit is further configured to send message 5 to the first entity identity validity verification device.
A second trusted third party device, configured to participate, together with a first trusted third party device, in identity validity verification between a first entity identity validity verification device and a second entity identity validity verification device, the second trusted third party device comprising a transceiver unit and a processing unit, wherein:
the transceiver unit is configured to receive message 3 sent by the first trusted third party device, where message 3 includes ResA, a random number RTPA generated by the first trusted third party device, and a token TokenTPAB, ResA is the verification result of the first trusted third party device for the first entity identity validity verification device, TokenTPAB contains the signature of the first trusted third party device, the signature object of the signature of the first trusted third party device includes ResA and RB, and RB is a random number generated by the second entity identity validity verification device;
the processing unit is configured to verify the signature of the first trusted third party device in TokenTPAB;
the transceiver unit is further configured to return message 4 to the first trusted third party device, where message 4 includes RTPA and a token TokenTPBA, TokenTPBA contains the signature of the second trusted third party device, and the signature object of the signature of the second trusted third party device includes ResA and RB.
In the present invention, the identity validity of the entities performing mutual identity validity verification can only be verified by different trusted third parties (TTPs). During the verification process, the interaction between the TTPs that the two entities respectively trust provides the verification service for one entity's verification of the other entity's identity validity, thereby completing identity validity verification between the entities. The invention thus solves the problem of identity validity verification when the entities trust different TTPs.
Brief description of the drawings
FIG. 1 is a schematic diagram of a preferred embodiment of the multi-TTP entity identity validity verification method of the present invention.
FIG. 2 is a schematic diagram of the first entity identity validity verification device of the present invention;
FIG. 3 is a schematic diagram of the second entity identity validity verification device of the present invention;
FIG. 4 is a schematic diagram of the first trusted third party device of the present invention;
FIG. 5 is a schematic diagram of the second trusted third party device of the present invention.
Detailed description of the embodiments
The entities involved in the method of the present invention include entities A and B and the trusted third parties TTPA and TTPB. The identity validity of entity A can be verified by TTPA, and the identity validity of entity B can be verified by TTPB. Entity A trusts TTPA and entity B trusts TTPB. During the identity validity verification process of the present invention, the entities and the TTPs are connected as follows: entity B is connected only to entity A; entity A is connected to both entity B and the trusted third party TTPA; the trusted third party TTPA is connected to both entity A and the trusted third party TTPB; and the trusted third party TTPB is connected only to the trusted third party TTPA.
Referring to FIG. 1, the entity identity validity verification method with multiple TTPs participating provided by the present invention involves an entity A, an entity B, a trusted third party TTPA and a trusted third party TTPB, where the identity validity of entity A can be verified by TTPA, the identity validity of entity B can be verified by TTPB, entity A trusts TTPA and entity B trusts TTPB, and the method comprises the following steps:
1) Entity B sends message 1 to entity A; message 1 includes a random number RB generated by entity B;
2) After receiving message 1, entity A sends message 2 to the trusted third party TTPA; message 2 includes the identity information IA of entity A, a random number RA generated by entity A, and the random number RB of entity B;
3) After receiving message 2 from entity A, the trusted third party TTPA verifies the identity of entity A according to IA and sends message 3 to the trusted third party TTPB; message 3 includes ResA, a random number RTPA generated by TTPA, and a token TokenTPAB, where ResA is the verification result of TTPA for entity A, TokenTPAB contains the signature of TTPA, and the signature object of the signature of TTPA includes ResA and RB;
4) After receiving message 3 from TTPA, TTPB verifies the signature of TTPA in TokenTPAB and, if the verification passes, returns message 4 to TTPA; message 4 includes RTPA and a token TokenTPBA, where TokenTPBA contains the signature of TTPB, and the signature object of the signature of TTPB includes ResA and RB;
5) After receiving message 4 from TTPB, TTPA verifies the signature of TTPB contained in TokenTPBA and, if the verification passes, checks whether the RTPA obtained from message 4 is consistent with the random number RTPA it sent to TTPB in message 3; if they are consistent, TTPA constructs message 5 and sends it to entity A; message 5 includes a token TokenTA, where TokenTA contains the signature of TTPB;
6) After receiving message 5 from TTPA, entity A constructs message 6 and sends it to entity B; message 6 includes TokenTA;
7) After receiving message 6, entity B verifies the signature of TTPB and, if the verification passes, checks whether the RB obtained from message 6 is consistent with the random number RB it sent to entity A in message 1; if they are consistent, entity B judges the validity of the identity of entity A according to the verification result ResA.
At this point, entity B has completed verification of the identity validity of entity A.
Specifically, in step 3) above, after the trusted third party TTPA receives message 2 from entity A, verifying the identity of entity A according to IA specifically includes:
if IA is the distinguisher of entity A, TTPA extracts the public key PA of entity A, and ResA then includes PA;
if IA is the certificate CertA of entity A, TTPA checks the validity of CertA, and ResA then includes the validity status of CertA;
if the validity of the public key or certificate of entity A cannot be obtained by TTPA, ResA includes content indicating that the verification failed.
Specifically, in step 3), TTPA need not generate the random number RTPA; instead, in message 3 it may directly use the random number RA generated by entity A and sent to TTPA in place of RTPA, in which case RA likewise replaces RTPA in the subsequent steps 4) and 5).
In this way, with almost no effect on security, TTPA no longer has to generate a random number, which reduces the computational complexity of TTPA and thereby improves the efficiency of the system.
Specifically, in step 5) and step 7), when signature verification fails or the random numbers are judged to be inconsistent, handling methods known in the art may be adopted, such as discarding the corresponding message or terminating the identity validity verification process.
As is well known in the art, digital signature algorithms include algorithms with message recovery and algorithms without message recovery. If the target field can be recovered when the signature is verified, the signature verifier can recover the target field directly from the signature once the signature has been verified; if the target field cannot be recovered when the signature is verified, a person skilled in the art would normally carry the target field in the message, so that the signature verifier can obtain the target field directly from the message. Taking step 5) above as an example, if TTPA can recover the target field RTPA when verifying the signature, TTPA can recover RTPA directly from the signature after verifying the signature of TTPB; if TTPA cannot recover the target field RTPA when verifying the signature, RTPA needs to be carried directly in message 4, and TTPA can then obtain RTPA directly from message 4.
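The seven steps above, together with the step 3) handling of ResA when IA is a distinguisher and the remark on signatures without message recovery, as an added Go simulation that is not the patent's or the applicant's code. Assumptions: Ed25519 stands in for the unspecified signature algorithm, the signature object "ResA and RB" is encoded as a constructed byte string, the distinguisher-to-PA registry is constructed, and the certificate case and the RA-for-RTPA variant are not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Token carries the signed fields in the clear (a signature without message
// recovery, as discussed for step 5) plus the TTP's signature over "ResA and RB".
type Token struct{ ResA, RB, Sig []byte }
// Messages 2, 3 and 4; message 1 carries only RB, messages 5 and 6 only TokenTA.
type Msg2 struct{ IA, RA, RB []byte }
type Msg3 struct{ ResA, RTPA []byte; TokenTPAB Token }
type Msg4 struct{ RTPA []byte; TokenTPBA Token }

// TTP models TTPA or TTPB: an Ed25519 signing key plus a registry that maps
// entity distinguishers IA to public keys PA (constructed, not from the patent).
type TTP struct {
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	Known map[string][]byte
}

func NewTTP() *TTP {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &TTP{Pub: pub, priv: priv, Known: map[string][]byte{}}
}

func nonce() []byte {
	r := make([]byte, 16)
	if _, err := rand.Read(r); err != nil {
		panic(err)
	}
	return r
}

// signedBytes is the assumed byte encoding of the signature object ResA || RB.
func signedBytes(resA, rB []byte) []byte {
	return append(append(append([]byte("ResA="), resA...), ";RB="...), rB...)
}
func (t *TTP) MakeToken(resA, rB []byte) Token {
	return Token{ResA: resA, RB: rB, Sig: ed25519.Sign(t.priv, signedBytes(resA, rB))}
}
func VerifyToken(pub ed25519.PublicKey, tok Token) bool {
	return ed25519.Verify(pub, signedBytes(tok.ResA, tok.RB), tok.Sig)
}

// Step3 (TTPA): IA is treated as a distinguisher, so ResA carries PA on success
// or a failure marker when PA cannot be obtained; TokenTPAB signs ResA and RB.
func (t *TTP) Step3(m2 Msg2) Msg3 {
	resA := []byte("FAIL")
	if pA, ok := t.Known[string(m2.IA)]; ok {
		resA = append([]byte("PA:"), pA...)
	}
	return Msg3{ResA: resA, RTPA: nonce(), TokenTPAB: t.MakeToken(resA, m2.RB)}
}

// Step4 (TTPB): verify TTPA's signature in TokenTPAB, echo RTPA, sign TokenTPBA.
func (t *TTP) Step4(m3 Msg3, ttpAPub ed25519.PublicKey) (Msg4, error) {
	if !VerifyToken(ttpAPub, m3.TokenTPAB) {
		return Msg4{}, errors.New("step 4: TTPA signature in TokenTPAB invalid")
	}
	return Msg4{RTPA: m3.RTPA, TokenTPBA: t.MakeToken(m3.TokenTPAB.ResA, m3.TokenTPAB.RB)}, nil
}

// Step5 (TTPA): verify TTPB's signature, check RTPA against message 3, forward TokenTPBA as TokenTA.
func Step5(m4 Msg4, sentRTPA []byte, ttpBPub ed25519.PublicKey) (Token, error) {
	if !VerifyToken(ttpBPub, m4.TokenTPBA) {
		return Token{}, errors.New("step 5: TTPB signature in TokenTPBA invalid")
	}
	if !bytes.Equal(m4.RTPA, sentRTPA) {
		return Token{}, errors.New("step 5: RTPA does not match message 3")
	}
	return m4.TokenTPBA, nil
}

// Step7 (entity B): verify TTPB's signature in TokenTA, check RB against message 1, return ResA.
func Step7(tokenTA Token, sentRB []byte, ttpBPub ed25519.PublicKey) ([]byte, error) {
	if !VerifyToken(ttpBPub, tokenTA) {
		return nil, errors.New("step 7: TTPB signature in TokenTA invalid")
	}
	if !bytes.Equal(tokenTA.RB, sentRB) {
		return nil, errors.New("step 7: RB does not match message 1")
	}
	return tokenTA.ResA, nil
}

// RunProtocol runs messages 1 to 7 in order and returns ResA as accepted by B.
func RunProtocol(ttpA, ttpB *TTP, iA []byte) ([]byte, error) {
	rB := nonce()                           // message 1: B -> A
	m2 := Msg2{IA: iA, RA: nonce(), RB: rB} // message 2: A -> TTPA
	m3 := ttpA.Step3(m2)                    // message 3: TTPA -> TTPB
	m4, err := ttpB.Step4(m3, ttpA.Pub)     // message 4: TTPB -> TTPA
	if err != nil {
		return nil, err
	}
	tokenTA, err := Step5(m4, m3.RTPA, ttpB.Pub) // message 5: TTPA -> A
	if err != nil {
		return nil, err
	}
	return Step7(tokenTA, rB, ttpB.Pub) // message 6: A -> B, then B's checks
}
```

B never verifies TTPA's signature itself: it only trusts TTPB, so TokenTA carries TTPB's signature over the same ResA and RB that TTPA signed in message 3.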
Based on the above entity identity validity verification method, and as shown in FIG. 2, the present invention further provides a first entity identity validity verification device, configured to perform identity validity verification with a second entity identity validity verification device with the participation of a first trusted third party device and a second trusted third party device, the first entity identity validity verification device comprising a storage unit 11, a transceiver unit 12 and a processing unit 13, wherein:
the processing unit 13 is configured to generate a random number RA;
the storage unit 11 is configured to store the identity information IA of the first entity identity validity verification device;
the transceiver unit 12 is configured to receive message 1 sent by the second entity identity validity verification device and to send message 2 to the first trusted third party device, where message 1 includes a random number RB generated by the second entity identity validity verification device and message 2 includes IA, RA and RB;
the transceiver unit 12 is further configured to receive message 5 sent by the first trusted third party device and to send message 6 to the second entity identity validity verification device, where message 5 includes a token TokenTA, TokenTA contains the signature of the second trusted third party device, the signature object of the signature of the second trusted third party device includes ResA and RB, ResA is the verification result of the first trusted third party device for the first entity identity validity verification device, and message 6 includes TokenTA;
the processing unit 13 is further configured to construct message 6.
Based on the above entity identity validity verification method, and as shown in FIG. 3, the present invention further provides a second entity identity validity verification device, configured to perform identity validity verification with a first entity identity validity verification device with the participation of a first trusted third party device and a second trusted third party device, the second entity identity validity verification device comprising a transceiver unit 21 and a processing unit 22, wherein:
the processing unit 22 is configured to generate a random number RB;
the transceiver unit 21 is configured to send message 1 and to receive message 6 sent by the first entity identity validity verification device, where message 1 includes RB and message 6 includes a token TokenTA, TokenTA contains the signature of the second trusted third party device, the signature object of the signature of the second trusted third party device includes ResA and RB, and ResA is the verification result of the first trusted third party device for the first entity identity validity verification device;
the processing unit 22 is further configured to verify the signature of the second trusted third party device, to check whether the RB obtained from message 6 is consistent with the random number RB it sent to the first entity identity validity verification device in message 1, and to judge the validity of the identity of the first entity identity validity verification device according to the verification result ResA.
Based on the above entity identity validity verification method, and as shown in FIG. 4, the present invention further provides a first trusted third party device, configured to participate, together with a second trusted third party device, in identity validity verification between a first entity identity validity verification device and a second entity identity validity verification device, the first trusted third party device comprising a transceiver unit 31 and a processing unit 32, wherein:
the transceiver unit 31 is configured to receive message 2 sent by the first entity identity validity verification device, where message 2 includes the identity information IA of the first entity identity validity verification device, a random number RA generated by the first entity identity validity verification device, and a random number RB generated by the second entity identity validity verification device;
the processing unit 32 is configured to verify the identity of the first entity identity validity verification device according to IA;
the transceiver unit 31 is further configured to send message 3 to the second trusted third party device, where message 3 includes ResA, a random number RTPA generated by the first trusted third party device, and a token TokenTPAB, ResA is the verification result of the first trusted third party device for the first entity identity validity verification device, TokenTPAB contains the signature of the first trusted third party device, and the signature object of the signature of the first trusted third party device includes ResA and RB;
the transceiver unit 31 is further configured to receive message 4 sent by the second trusted third party device, where message 4 includes RTPA and a token TokenTPBA, TokenTPBA contains the signature of the second trusted third party device, and the signature object of the signature of the second trusted third party device includes ResA and RB;
the processing unit 32 is further configured to verify the signature of the second trusted third party device contained in TokenTPBA, to check whether the RTPA obtained from message 4 is consistent with the random number RTPA it sent to the second trusted third party device in message 3, and to construct message 5, where message 5 includes a token TokenTA and TokenTA contains the signature of the second trusted third party device;
the transceiver unit 31 is further configured to send message 5 to the first entity identity validity verification device.
Specifically, when the first trusted third party TTPA receives message 2 sent by the first entity identity validity verification device and verifies the identity of the first entity identity validity verification device according to IA:
if IA is the distinguisher of the first entity identity validity verification device,
the processing unit 32 is further configured to extract the public key PA of the first entity identity validity verification device;
if IA is the certificate CertA of the first entity identity validity verification device,
the processing unit 32 is further configured to check the validity of CertA.
基于上述实体身份有效性验证方法,如图5,本发明还提供了一种第二可信第三方装置,用于与第一可信第三方装置一起,参与第一实体身份有效性验证装置和第二实体身份有效性验证装置之间的身份有效性验证,所述第二可信第三方装置包括收发单元41和处理单元42,其特征在于:Based on the above entity identity validity verification method, as shown in FIG. 5, the present invention further provides a second trusted third party device for participating in the first entity identity validity verification device together with the first trusted third party device. Identity validity verification between the second entity identity validity verification device, the second trusted third party device comprising a transceiver unit 41 and a processing unit 42, characterized in that:
收发单元41用于接收所述第一可信第三方装置发送的消息3,所述消息3包括ResA、所述第一可信第三方装置产生的随机数RTPA以及权标TokenTPAB,其中,ResA为所述第一可信第三方装置对所述第一实体身份有效性验证装置的验证结果,TokenTPAB中包含所述第一可信第三方装置的签名,所述第一可信第三方装置的签名的签名对象包括ResA和RB,RB为所述第二实体身份有效性验证装置产生的随机数;The transceiver unit 41 is configured to receive the message 3 sent by the first trusted third party device, where the message 3 includes Res A , a random number R TPA generated by the first trusted third party device, and a token TokenTPAB, where Res A is the verification result of the first trusted third party device to the first entity identity validity verification device, and the TokenTPAB includes the signature of the first trusted third party device, the first trusted third party The signature object of the signature of the device includes Res A and R B , and the R B is a random number generated by the second entity identity validity verification device;
处理单元42用于验证TokenTPAB中所述第一可信第三方装置的签名;The processing unit 42 is configured to verify the signature of the first trusted third party device in the TokenTPAB;
收发单元41还用于向所述第一可信第三方装置返回消息4,消息4包括RTPA和权标TokenTPBA,其中,TokenTPBA包含所述第二可信第三方装置的签名,所述第二可信第三方装置的签名的签名对象包括ResA和RBThe transceiver unit 41 is further configured to return a message 4 to the first trusted third party device, where the message 4 includes an R TPA and a token TokenTPBA, where the TokenTPBA includes a signature of the second trusted third party device, and the second The signature objects of the signature of the trusted third party device include Res A and R B .
需要说明的是,本发明提供的前述装置与本发明方法实施例中各实体是相对应的,具体的:第一实体身份有效性验证装置包含了实体A,第二实体身份有效性验证装置包含了实体B,第一可信第三方装置中包含了可信第三方TTPA,第二可信第三方装置中包含了可信第三方TTPB。因而,本发明提供的上述装置依照图1组成的系统是能够实施本发明方法的。本领域技术人员应当明白,各装置的具体构成情况已通过前述装置实施例进行了展示,其更进一步的工作细节也与前述方法实施例对应,无需赘述。 It should be noted that the foregoing apparatus provided by the present invention corresponds to each entity in the method embodiment of the present invention. Specifically, the first entity identity validity verification apparatus includes an entity A, and the second entity identity validity verification apparatus includes Entity B, the first trusted third party device includes a trusted third party TTP A , and the second trusted third party device includes a trusted third party TTP B . Thus, the system of the above described apparatus provided in accordance with Figure 1 is capable of implementing the method of the present invention. It should be understood by those skilled in the art that the specific configuration of each device has been demonstrated by the foregoing device embodiments, and further working details are also corresponding to the foregoing method embodiments, and need not be described.
Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, and so on) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they have learned the basic inventive concept, may make further changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass these changes and variations.

Claims (11)

  1. A multi-TTP entity identity validity verification method, involving an entity A, an entity B, a trusted third party TTP_A and a trusted third party TTP_B, wherein the identity validity of the entity A can be verified by TTP_A, the identity validity of the entity B can be verified by TTP_B, the entity A trusts TTP_A, and the entity B trusts TTP_B, characterized in that the method comprises the following steps:
    1) the entity B sends a message 1 to the entity A, the message 1 including a random number R_B generated by the entity B;
    2) after receiving the message 1, the entity A sends a message 2 to the trusted third party TTP_A, the message 2 including the identity information I_A of the entity A, a random number R_A generated by the entity A, and the random number R_B of the entity B;
    3) after receiving the message 2 sent by the entity A, the trusted third party TTP_A verifies the identity of the entity A according to I_A and sends a message 3 to the trusted third party TTP_B, the message 3 including Res_A, a random number R_TPA generated by TTP_A, and a token TokenTPAB, where Res_A is the result of TTP_A's verification of the entity A, TokenTPAB contains the signature of TTP_A, and the objects of the signature of TTP_A include Res_A and R_B;
    4) after receiving the message 3 sent by TTP_A, TTP_B verifies the signature of TTP_A in TokenTPAB and, if the verification passes, returns a message 4 to TTP_A, the message 4 including R_TPA and a token TokenTPBA, where TokenTPBA contains the signature of TTP_B, and the objects of the signature of TTP_B include Res_A and R_B;
    5) after receiving the message 4 sent by TTP_B, TTP_A verifies the signature of TTP_B contained in TokenTPBA and, if the verification passes, checks whether the R_TPA obtained from the message 4 is identical to the random number R_TPA it sent to TTP_B in the message 3; if they are identical, TTP_A constructs a message 5 and sends it to the entity A, the message 5 including a token TokenTA, where TokenTA contains the signature of TTP_B;
    6) after receiving the message 5 from TTP_A, the entity A constructs a message 6 and sends it to the entity B, the message 6 including TokenTA;
    7) after receiving the message 6, the entity B verifies the signature of TTP_B and, if the verification passes, checks whether the R_B obtained from the message 6 is identical to the random number R_B it sent to the entity A in the message 1; if they are identical, the entity B judges the validity of the identity of the entity A according to the verification result Res_A.
  2. The entity identity validity verification method according to claim 1, characterized in that in step 3), the trusted third party TTP_A, after receiving the message 2 sent by the entity A, verifying the identity of the entity A according to I_A specifically comprises:
    if I_A is the distinguisher of the entity A, TTP_A extracts the public key P_A of the entity A, and Res_A then includes P_A;
    if I_A is the certificate Cert_A of the entity A, TTP_A checks the validity of Cert_A, and Res_A then includes the validity status of Cert_A;
    if the public key of the entity A or the validity of its certificate cannot be obtained by TTP_A, Res_A includes content indicating that the verification failed.
  3. The entity identity validity verification method according to claim 1, characterized in that:
    in step 5), the specific manner in which TTP_A obtains R_TPA from the message 4 is: if TTP_A can recover R_TPA from the signature of TTP_B when verifying that signature, TTP_A recovers R_TPA directly from the signature after the verification passes; if TTP_A cannot recover R_TPA from the signature when verifying it, the message 4 further includes an R_TPA field, and TTP_A obtains R_TPA directly from the message 4;
    in step 7), the specific manner in which the entity B obtains R_B from the message 6 is: if the entity B can recover R_B from the signature of TTP_B when verifying that signature, the entity B recovers R_B directly from the signature after the verification passes; if the entity B cannot recover R_B from the signature when verifying it, the message 6 further includes an R_B field, and the entity B obtains R_B directly from the message 6.
  4. The entity identity validity verification method according to any one of claims 1 to 3, characterized in that R_TPA in steps 3), 4) and 5) is replaced by R_A.
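The six-message flow of claims 1 to 3, as an added Python simulation that is not part of the patent: HMAC-SHA256 under a per-TTP key stands in for the TTPs' digital signatures, the registry, key bytes and identifiers are constructed, and tokens carry R_B explicitly (the "not recoverable from the signature" case of claim 3). It also exercises the checks a verifier must make: an unknown I_A yields a failing Res_A, a TokenTA replayed from an earlier session fails the R_B comparison of step 7, and a message 4 whose R_TPA is not TTP_A's own fails the comparison of step 5.

```python
import hashlib
import hmac
import secrets

FAIL = b"VERIFY_FAILED"              # constructed marker: "verification failed" Res_A
# Constructed keys: in a deployment each TTP holds a private signing key instead.
KEY_A = b"ttp-a-signing-key (constructed)"
KEY_B = b"ttp-b-signing-key (constructed)"


def enc(*fields: bytes) -> bytes:
    """Length-prefix each field so the signed byte string is unambiguous."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


# Assumption: HMAC-SHA256 under the TTP's key stands in for its digital signature.
def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def make_token(key: bytes, res_a: bytes, r_b: bytes) -> dict:
    """Token = signed fields plus the signature whose objects are Res_A and R_B.
    Carrying R_B explicitly is the 'not recoverable from the signature' case of claim 3."""
    return {"Res_A": res_a, "R_B": r_b, "sig": sign(key, enc(res_a, r_b))}


def token_ok(key: bytes, tok: dict) -> bool:
    return hmac.compare_digest(sign(key, enc(tok["Res_A"], tok["R_B"])), tok["sig"])


class TTP:
    """A trusted third party; `registry` maps distinguisher I_X to public key P_X."""

    def __init__(self, key: bytes, registry: dict):
        self.key, self.registry, self.sent_r_tpa = key, registry, None

    def msg3(self, msg2: dict) -> dict:
        """Step 3 (claim 2): as TTP_A, resolve I_A to P_A or a failure result."""
        res_a = self.registry.get(msg2["I_A"], FAIL)
        self.sent_r_tpa = secrets.token_bytes(16)          # R_TPA, checked in step 5
        return {"Res_A": res_a, "R_TPA": self.sent_r_tpa,
                "TokenTPAB": make_token(self.key, res_a, msg2["R_B"])}

    def msg4(self, msg3: dict, key_ttp_a: bytes):
        """Step 4: as TTP_B, verify TTP_A's signature, then sign the same pair."""
        tok = msg3["TokenTPAB"]
        if not token_ok(key_ttp_a, tok):
            return None
        return {"R_TPA": msg3["R_TPA"],
                "TokenTPBA": make_token(self.key, tok["Res_A"], tok["R_B"])}

    def msg5(self, msg4: dict, key_ttp_b: bytes):
        """Step 5: as TTP_A, verify TTP_B's signature and that R_TPA is our own."""
        if not token_ok(key_ttp_b, msg4["TokenTPBA"]):
            return None
        if not hmac.compare_digest(msg4["R_TPA"], self.sent_r_tpa):
            return None                                      # answer to another session
        return {"TokenTA": msg4["TokenTPBA"]}                # TokenTA carries TTP_B's signature


def entity_b_decides(msg6: dict, r_b: bytes, key_ttp_b: bytes):
    """Step 7: B checks TTP_B's signature and its own R_B, then reads Res_A."""
    tok = msg6["TokenTA"]
    if not token_ok(key_ttp_b, tok) or not hmac.compare_digest(tok["R_B"], r_b):
        return False, b""
    return tok["Res_A"] != FAIL, tok["Res_A"]


def run(i_a: bytes, replay_token: dict = None, forge_r_tpa: bool = False) -> dict:
    """Drive messages 1 to 6; the keyword arguments inject one constructed fault."""
    ttp_a = TTP(KEY_A, {b"entity-A": b"P_A-public-key-bytes"})  # constructed registry
    ttp_b = TTP(KEY_B, {})
    r_b = secrets.token_bytes(16)                                  # message 1: B -> A
    msg2 = {"I_A": i_a, "R_A": secrets.token_bytes(16), "R_B": r_b}
    msg4 = ttp_b.msg4(ttp_a.msg3(msg2), KEY_A)
    if forge_r_tpa:
        msg4["R_TPA"] = secrets.token_bytes(16)                    # wrong-session R_TPA
    msg5 = ttp_a.msg5(msg4, KEY_B)
    if msg5 is None:
        return {"ok": False, "Res_A": b"", "TokenTA": None}
    msg6 = {"TokenTA": replay_token or msg5["TokenTA"]}           # A forwards TokenTA
    ok, res_a = entity_b_decides(msg6, r_b, KEY_B)
    return {"ok": ok, "Res_A": res_a, "TokenTA": msg5["TokenTA"]}
```

Note that R_TPA in message 4 is outside the signed objects (Res_A and R_B), so its freshness is enforced only by TTP_A's comparison in step 5, which is why the simulation keeps the sent value and compares it in constant time.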
  5. A first entity identity validity verification device, configured to perform identity validity verification with a second entity identity validity verification device with the participation of a first trusted third party device and a second trusted third party device, the first entity identity validity verification device comprising a storage unit, a transceiver unit and a processing unit, characterized in that:
    the processing unit is configured to generate a random number R_A;
    the storage unit is configured to store the identity information I_A of the first entity identity validity verification device;
    the transceiver unit is configured to receive a message 1 sent by the second entity identity validity verification device and to send a message 2 to the first trusted third party device, the message 1 including a random number R_B generated by the second entity identity validity verification device, and the message 2 including I_A, R_A and R_B;
    the transceiver unit is further configured to receive a message 5 sent by the first trusted third party device and to send a message 6 to the second entity identity validity verification device, the message 5 including a token TokenTA, where TokenTA contains the signature of the second trusted third party device, the objects of the signature of the second trusted third party device include Res_A and R_B, Res_A is the result of the first trusted third party device's verification of the first entity identity validity verification device, and the message 6 includes TokenTA;
    the processing unit is further configured to construct the message 6.
  6. A second entity identity validity verification device, configured to perform identity validity verification with a first entity identity validity verification device with the participation of a first trusted third party device and a second trusted third party device, the second entity identity validity verification device comprising a transceiver unit and a processing unit, characterized in that:
    the processing unit is configured to generate a random number R_B;
    the transceiver unit is configured to send a message 1 and to receive a message 6 sent by the first entity identity validity verification device, the message 1 including R_B, and the message 6 including a token TokenTA, where TokenTA contains the signature of the second trusted third party device, the objects of the signature of the second trusted third party device include Res_A and R_B, and Res_A is the result of the first trusted third party device's verification of the first entity identity validity verification device;
    the processing unit is further configured to verify the signature of the second trusted third party device, to check whether the R_B obtained from the message 6 is identical to the random number R_B it sent to the first entity identity validity verification device in the message 1, and to judge the validity of the identity of the first entity identity validity verification device according to the verification result Res_A.
  7. A first trusted third party device, configured to participate, together with a second trusted third party device, in identity validity verification between a first entity identity validity verification device and a second entity identity validity verification device, the first trusted third party device comprising a transceiver unit and a processing unit, characterized in that:
    the transceiver unit is configured to receive a message 2 sent by the first entity identity validity verification device, the message 2 including the identity information I_A of the first entity identity validity verification device, a random number R_A generated by the first entity identity validity verification device, and a random number R_B generated by the second entity identity validity verification device;
    the processing unit is configured to verify the identity of the first entity identity validity verification device according to I_A;
    the transceiver unit is further configured to send a message 3 to the second trusted third party device, the message 3 including Res_A, a random number R_TPA generated by the first trusted third party device, and a token TokenTPAB, where Res_A is the result of the first trusted third party device's verification of the first entity identity validity verification device, TokenTPAB contains the signature of the first trusted third party device, and the objects of the signature of the first trusted third party device include Res_A and R_B;
    the transceiver unit is further configured to receive a message 4 sent by the second trusted third party device, the message 4 including R_TPA and a token TokenTPBA, where TokenTPBA contains the signature of the second trusted third party device, and the objects of the signature of the second trusted third party device include Res_A and R_B;
    the processing unit is further configured to verify the signature of the second trusted third party device contained in TokenTPBA, to check whether the R_TPA obtained from the message 4 is identical to the random number R_TPA it sent to the second trusted third party device in the message 3, and to construct a message 5, the message 5 including a token TokenTA, where TokenTA contains the signature of the second trusted third party device;
    the transceiver unit is further configured to send the message 5 to the first entity identity validity verification device.
  8. The first trusted third party device according to claim 7, characterized in that:
    when the first trusted third party TTP_A, after receiving the message 2 sent by the first entity identity validity verification device, verifies the identity of the first entity identity validity verification device according to I_A,
    if I_A is the distinguisher of the first entity identity validity verification device,
    the processing unit is further configured to extract the public key P_A of the first entity identity validity verification device;
    if I_A is the certificate Cert_A of the first entity identity validity verification device,
    the processing unit is further configured to check the validity of Cert_A.
  9. A second trusted third party device, configured to participate, together with a first trusted third party device, in identity validity verification between a first entity identity validity verification device and a second entity identity validity verification device, the second trusted third party device comprising a transceiver unit and a processing unit, characterized in that:
    the transceiver unit is configured to receive a message 3 sent by the first trusted third party device, the message 3 including Res_A, a random number R_TPA generated by the first trusted third party device, and a token TokenTPAB, where Res_A is the result of the first trusted third party device's verification of the first entity identity validity verification device, TokenTPAB contains the signature of the first trusted third party device, the objects of the signature of the first trusted third party device include Res_A and R_B, and R_B is a random number generated by the second entity identity validity verification device;
    the processing unit is configured to verify the signature of the first trusted third party device in TokenTPAB;
    the transceiver unit is further configured to return a message 4 to the first trusted third party device, the message 4 including R_TPA and a token TokenTPBA, where TokenTPBA contains the signature of the second trusted third party device, and the objects of the signature of the second trusted third party device include Res_A and R_B.
  10. The first entity identity validity verification device, second entity identity validity verification device, first trusted third party device or second trusted third party device according to any one of claims 5 to 9, characterized in that the messages 1 to 6 occur in the order message 1, message 2, message 3, message 4, message 5, message 6.
  11. The first trusted third party device or second trusted third party device according to any one of claims 7 to 9, characterized in that R_TPA is replaced by R_A.
PCT/CN2016/096341 2015-10-10 2016-08-23 Multi-ttp-based method and device for verifying validity of identity of entity WO2017059743A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510654784.4A CN106571920B (en) 2015-10-10 2015-10-10 A kind of entity identities validation verification method and device that more TTP are participated in
CN201510654784.4 2015-10-10

Publications (1)

Publication Number Publication Date
WO2017059743A1 true WO2017059743A1 (en) 2017-04-13

Family

ID=58487276

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/096341 WO2017059743A1 (en) 2015-10-10 2016-08-23 Multi-ttp-based method and device for verifying validity of identity of entity

Country Status (2)

Country Link
CN (1) CN106571920B (en)
WO (1) WO2017059743A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020174075A1 (en) * 2001-05-15 2002-11-21 International Business Machines Corporation System & method for on-line payment
CN101247223A (en) * 2008-03-06 2008-08-20 西安西电捷通无线网络通信有限公司 Practical entity bidirectional identification method based on reliable third-party
WO2009031082A1 (en) * 2007-09-03 2009-03-12 Koninklijke Philips Electronics N.V. Apparatus and methods for transferring digital content
CN101453476A (en) * 2009-01-06 2009-06-10 中国人民解放军信息工程大学 Cross domain authentication method and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2415579B (en) * 2004-06-23 2006-12-20 Hewlett Packard Development Co Cryptographic method and apparatus
GB2416282B (en) * 2004-07-15 2007-05-16 Hewlett Packard Development Co Identifier-based signcryption with two trusted authorities
EP2128781A1 (en) * 2008-05-27 2009-12-02 Benny Kalbratt Method for authentication
CN101378318B (en) * 2008-10-08 2010-09-15 南京邮电大学 Identification authentication method of open network based on dynamic credible third-party
CN101640593B (en) * 2009-08-28 2011-11-02 西安西电捷通无线网络通信股份有限公司 Entity two-way identification method of introducing the online third party
CN101674182B (en) * 2009-09-30 2011-07-06 西安西电捷通无线网络通信股份有限公司 Entity public key acquisition and certificate verification and authentication method and system of introducing online trusted third party

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
BODKHE, B. ET AL.: "An Efficient Free Fair Contract Signing Protocol Using OTPK", IEEE XPLORE, 3 October 2013 (2013-10-03), pages 1 - 5, XP032492692 *

Also Published As

Publication number Publication date
CN106571920B (en) 2019-09-27
CN106571920A (en) 2017-04-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16853049

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16853049

Country of ref document: EP

Kind code of ref document: A1