[go: up one dir, main page]

CN102739660B - Key exchange method for single sign on system - Google Patents

Key exchange method for single sign on system Download PDF

Info

Publication number
CN102739660B
CN102739660B CN201210200320.2A CN201210200320A CN102739660B CN 102739660 B CN102739660 B CN 102739660B CN 201210200320 A CN201210200320 A CN 201210200320A CN 102739660 B CN102739660 B CN 102739660B
Authority
CN
China
Prior art keywords
data
key
key exchange
transmit leg
recipient
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210200320.2A
Other languages
Chinese (zh)
Other versions
CN102739660A (en
Inventor
赵淦森
巴钟杰
李子柳
李惊生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
South China Normal University
GCI Science and Technology Co Ltd
Original Assignee
South China Normal University
GCI Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by South China Normal University, GCI Science and Technology Co Ltd filed Critical South China Normal University
Priority to CN201210200320.2A priority Critical patent/CN102739660B/en
Publication of CN102739660A publication Critical patent/CN102739660A/en
Application granted granted Critical
Publication of CN102739660B publication Critical patent/CN102739660B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Storage Device Security (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

本发明公开了一种单点登录系统的密钥交换方法,应用于身份认证请求或者服务请求中交互的发送方和接收方之间的密钥交换,本发明方法通过发送方和接收方共享的共享密钥对交互的额外信息进行HMAC操作得到第二数据,并将第二数据与要交换的密钥进行位异或操作后的第三数据传送给接收方,接收方根据接收的第一数据和本地的共享密钥进行HMAC操作得到第二数据;接收方对计算得到的第二数据和接收的第三数据进行位异或操作得到发送方发送的密钥。本方法既减轻了密钥交互算法的复杂性,在保证密钥交互的时效性下又支持长密钥的交换,保证密钥换的安全性,适用于瘦终端间的密钥交换。

The invention discloses a key exchange method of a single sign-on system, which is applied to the key exchange between the sending party and the receiving party interacting in the identity authentication request or service request. The shared key performs the HMAC operation on the additional information exchanged to obtain the second data, and transmits the third data after the second data and the key to be exchanged to the receiver, and the receiver receives the first data according to the The HMAC operation is performed with the local shared key to obtain the second data; the receiver performs a bit-exclusive OR operation on the calculated second data and the received third data to obtain the key sent by the sender. The method not only reduces the complexity of the key exchange algorithm, but also supports the exchange of long keys while ensuring the timeliness of key exchange, ensures the security of key exchange, and is suitable for key exchange between thin terminals.

Description

一种单点登录系统的密钥交换方法A key exchange method for a single sign-on system

技术领域 technical field

本发明涉及一种单点登录系统,尤其是一种单点登录系统的密钥交换方法。 The invention relates to a single sign-on system, in particular to a key exchange method of the single sign-on system.

背景技术 Background technique

单点登录(Single Sign On):简称为SSO,是目前比较流行的企业业务整合的解决方案之一。SSO的定义是在多个应用系统中,用户只需要登录一次就可以访问所有相互信任的应用系统,避免了用户每次请求一个服务时都要验证一次身份造成的性能损耗。为了实现单点登录,所有应用系统都共享一个身份认证系统。若在单点登录系统的整个认证或者服务交互过程中,长时间或者过多使用永久密码对消息进行加密,则容易导致密钥被攻击者获取,造成密钥的泄露。 Single Sign On (SSO): SSO for short, is one of the more popular enterprise business integration solutions. The definition of SSO is that in multiple application systems, users only need to log in once to access all mutually trusted application systems, avoiding the performance loss caused by verifying their identity every time a user requests a service. In order to achieve single sign-on, all application systems share an identity authentication system. If a permanent password is used to encrypt messages for a long time or too much during the entire authentication or service interaction process of the single sign-on system, it is easy to cause the key to be obtained by the attacker and cause the key to be leaked.

现有的密钥交换方法一般基于迪菲-赫尔曼密钥交换(Diffie–Hellman key exchange,简称“D-H”)协议,所述D-H协议是一种安全协议,它可以让双方在完全没有对方任何信息的条件下通过不安全信道建立起一个密钥。这个密钥可以在后续的通讯中作为对称密钥来加密通讯内容。在申请号为CN03116619.9,专利名称为《一种基于公匙证书的密钥交换方法》的中国发明专利文献中公开了一种基于公匙证书的密钥交换方法,它从大素数域上的离散对数问题和D-H协议出发,辅以抗碰撞杂凑函数、公匙证书和数字签名的会话密钥交换方法。该D-H协议基于离散对数的应用,但是若出现了一个高效的解决离散对数问题的算法,那么则可以用来简化a或者b的计算,就可以解决迪菲-赫尔曼问题,使得该迪菲-赫尔曼密钥交换系统在内的很多公匙密码学系统变得不安全。 Existing key exchange methods are generally based on the Diffie–Hellman key exchange (Diffie–Hellman key exchange, referred to as "D-H") protocol. The D-H protocol is a security protocol that allows both parties to A key is established over an insecure channel without any information. This key can be used as a symmetric key to encrypt the communication content in subsequent communication. In the Chinese invention patent document whose application number is CN03116619.9 and whose patent title is "A Key Exchange Method Based on Public Key Certificate", a key exchange method based on public key certificate is disclosed. Based on the discrete logarithm problem and the D-H protocol, supplemented by anti-collision hash function, public key certificate and digital signature session key exchange method. The D-H protocol is based on the application of discrete logarithms, but if there is an efficient algorithm for solving the discrete logarithm problem, it can be used to simplify the calculation of a or b, and it can solve the Diffie-Hellman problem, making the Many public-key cryptography systems, including the Diffie-Hellman key exchange system, become insecure.

在申请号为CN200610103449.6,专利名称为《一种椭圆曲线密钥交换方法在MANET网络中的应用》的中国发明专利文献中公开了一种MANET网络安全保护过程的新型加密解密体制和密钥管理方法,该方法采用了椭圆形曲线密码体制,但椭圆形曲线加密的密钥交换方法对计算量要求很大,不适用于瘦终端。 In the Chinese invention patent document with the application number CN200610103449.6 and the patent name "Application of an Elliptic Curve Key Exchange Method in MANET Networks", a new encryption and decryption system and key for MANET network security protection process are disclosed Management method, this method adopts the elliptic curve encryption system, but the key exchange method of elliptic curve encryption requires a large amount of calculation and is not suitable for thin terminals.

发明内容 Contents of the invention

本发明要解决的技术问题是:提供一种单点登录系统的密钥交换方法,该密钥交换方法对计算量的要求低且安全性高。 The technical problem to be solved by the present invention is to provide a key exchange method for a single sign-on system, which has low requirements for calculation and high security.

为了解决上述技术问题,本发明所采用的技术方案是: In order to solve the problems of the technologies described above, the technical solution adopted in the present invention is:

一种单点登录系统的密钥交换方法,应用于发送方与接收方之间的密钥交换,所述发送方与接收方之间存在双方共享的共享密钥,所述密钥交换包括以下步骤: A key exchange method for a single sign-on system, which is applied to the key exchange between a sender and a receiver, where there is a shared key shared by both parties between the sender and the receiver, and the key exchange includes the following step:

发送方以共享密钥对要发送的第一数据进行HMAC操作得到第二数据; The sender uses the shared key to perform an HMAC operation on the first data to be sent to obtain the second data;

发送方对所述第二数据与要发送的密钥进行位异或操作得到第三数据; The sender performs a bit-exclusive OR operation on the second data and the key to be sent to obtain third data;

发送方将第一数据和第三数据发送给接收方; The sender sends the first data and the third data to the receiver;

接收方根据接收的第一数据和本地的共享密钥进行HMAC操作得到第二数据; The receiver performs an HMAC operation according to the received first data and the local shared key to obtain the second data;

接收方对计算得到的第二数据和接收的第三数据进行位异或操作得到发送方发送的密钥。 The receiver performs a bit-exclusive OR operation on the calculated second data and the received third data to obtain the key sent by the sender.

进一步作为优选的实施方式,所述第一数据为密钥交换过程中参与交互的额外信息。 As a further preferred implementation manner, the first data is additional information involved in the interaction during the key exchange process.

进一步作为优选的实施方式,所述发送方或者接收方为身份认证请求或者服务请求中交互的客户端或者服务器。 As a further preferred implementation manner, the sender or receiver is a client or server interacting in an identity authentication request or a service request.

本发明的有益效果是:本发明单点登录系统的密钥交换方法,应用于身份认证请求或者服务请求中交互的发送方和接收方之间的密钥交换,本发明方法通过发送方和接收方共享的共享密钥对交互的额外信息进行HMAC操作得到第二数据,并将第二数据与要交换的密钥进行位异或操作后的结果传送给接收方,既减轻了密钥交互算法的复杂性,在保证密钥交互的时效性下又支持长密钥的交换,保证密钥换的安全性,适用于瘦终端间的密钥交换。 The beneficial effects of the present invention are: the key exchange method of the single sign-on system of the present invention is applied to the key exchange between the sending party and the receiving party interacting in the identity authentication request or service request, and the method of the present invention passes the sending party and the receiving party The shared key shared by both parties performs the HMAC operation on the additional information exchanged to obtain the second data, and the result of the bit-exclusive OR operation between the second data and the key to be exchanged is transmitted to the receiver, which not only reduces the key exchange algorithm It supports the exchange of long keys while ensuring the timeliness of key interaction, ensuring the security of key exchange, and is suitable for key exchange between thin terminals.

附图说明 Description of drawings

下面结合附图对本发明的具体实施方式作进一步说明: The specific embodiment of the present invention will be further described below in conjunction with accompanying drawing:

图1是本发明单点登录系统的密钥交换方法的步骤流程图。 Fig. 1 is a flow chart of the steps of the key exchange method of the single sign-on system of the present invention.

具体实施方式 Detailed ways

参照图1,一种单点登录系统的密钥交换方法,应用于发送方与接收方之间的密钥交换,所述发送方或者接收方为身份认证请求或者服务请求中交互的客户端或者服务器。例如当发送方为客户端时,接收方为服务器;当发送方为服务器时,接收方为客户端。所述发送方与接收方之间共享的共享密钥为sharekey。所述密钥交换包括以下步骤: Referring to FIG. 1 , a key exchange method of a single sign-on system is applied to the key exchange between a sender and a receiver, and the sender or receiver is a client or a client interacting in an identity authentication request or a service request. server. For example, when the sender is a client, the receiver is a server; when the sender is a server, the receiver is a client. The shared key shared between the sender and the receiver is sharekey. The key exchange includes the following steps:

发送方用共享密钥sharekey对要发送的第一数据content进行HMAC操作得到第二数据H(sharekey, content),所述H(sharekey, content)是表示以sharekey为密钥,对消息content进行HMAC操作; The sender uses the shared key sharekey to perform HMAC operation on the first data content to be sent to obtain the second data H(sharekey, content). The H(sharekey, content) means that the sharekey is used as the key to perform HMAC on the message content operate;

发送方对所述第二数据H(sharekey, content)与要发送的密钥exchangkey进行位异或操作⊕得到第三数据H(sharekey, content) ⊕exchangdkey; The sender performs an XOR operation on the second data H(sharekey, content) and the key exchangekey to be sent ⊕ to obtain the third data H(sharekey, content) ⊕exchangdkey;

发送方将第一数据content和第三数据H(sharekey, content) ⊕exchangdkey发送给接收方; The sender sends the first data content and the third data H(sharekey, content) ⊕exchangdkey to the receiver;

接收方根据接收的第一数据content和本地的共享密钥sharekey进行HMAC操作得到第二数据H(sharekey, content); The receiver performs the HMAC operation according to the received first data content and the local shared key sharekey to obtain the second data H(sharekey, content);

接收方对计算得到的第二数据H(sharekey, content)和接收的第三数据H(sharekey, content) ⊕exchangdkey进行位异或操作得到发送方发送的密钥exchangkey。所述过程如下: The receiver performs a bit-exclusive OR operation on the calculated second data H(sharekey, content) and the received third data H(sharekey, content) ⊕exchangdkey to obtain the key exchangekey sent by the sender. The described process is as follows:

H(sharekey, content) ⊕(H(sharekey, content) ⊕exchangdkey) → exchangekey。 H(sharekey, content) ⊕(H(sharekey, content) ⊕exchangdkey) → exchangekey.

所述exchangkey是指由一方创建或得知之后,交换或传递给另外一方的密钥;所述content是指在整个密钥交换过程中参与交互的额外信息,若content中有部分信息是已知的(标记为share_content),那么以上的发送方发送的数据也可以表示为“partial_content, share_content_tips, H(sharekey, partial_content+share_content) ⊕exchangdkey”,其中share_content_tips是表示要用到的共享消息的相关提示信息,“+”表示与操作,与操作左边与右边的信息如何组织可以根据具体情况而定。 The exchangekey refers to the key that is created or known by one party and exchanged or passed to the other party; the content refers to the additional information that participates in the interaction during the entire key exchange process. If some information in the content is known (marked as share_content), then the data sent by the above sender can also be expressed as "partial_content, share_content_tips, H(sharekey, partial_content+share_content) ⊕exchangdkey", where share_content_tips is the relevant prompt information indicating the shared message to be used , "+" means and operation, and how to organize the information on the left and right of the operation can be determined according to the specific situation.

以上是对本发明的较佳实施进行了具体说明,但本发明创造并不限于所述实施例,熟悉本领域的技术人员在不违背本发明精神的前提下还可以作出种种的等同变形或替换,这些等同的变形或替换均包含在本申请权利要求所限定的范围内。 The above is a specific description of the preferred implementation of the present invention, but the invention is not limited to the described embodiments, and those skilled in the art can also make various equivalent deformations or replacements without violating the spirit of the present invention. These equivalent modifications or replacements are all within the scope defined by the claims of the present application.

Claims (3)

1. a key exchange method for single-node login system, is applied to the cipher key change between transmit leg and recipient, there is the shared key that both sides share, it is characterized in that between described transmit leg and recipient, and described cipher key change comprises the following steps:
Transmit leg carries out HMAC operation with shared key to first data that will send and obtains the second data;
Transmit leg carries out an xor operation to described second data with the key that will send and obtains the 3rd data;
First data and the 3rd data are sent to recipient by transmit leg;
Recipient carries out HMAC operation according to the first data received and local shared key and obtains the second data;
Three data of recipient to the second data calculated and reception carry out the key that an xor operation obtains transmit leg transmission.
2. the key exchange method of a kind of single-node login system according to claim 1, is characterized in that: described first data are participate in mutual extraneous information in key exchange process.
3. the key exchange method of a kind of single-node login system according to claim 1, is characterized in that: described transmit leg or recipient are mutual client or server in ID authentication request or service request.
CN201210200320.2A 2012-06-16 2012-06-16 Key exchange method for single sign on system Active CN102739660B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210200320.2A CN102739660B (en) 2012-06-16 2012-06-16 Key exchange method for single sign on system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210200320.2A CN102739660B (en) 2012-06-16 2012-06-16 Key exchange method for single sign on system

Publications (2)

Publication Number Publication Date
CN102739660A CN102739660A (en) 2012-10-17
CN102739660B true CN102739660B (en) 2015-07-08

Family

ID=46994444

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210200320.2A Active CN102739660B (en) 2012-06-16 2012-06-16 Key exchange method for single sign on system

Country Status (1)

Country Link
CN (1) CN102739660B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104811306B (en) 2014-01-28 2019-07-19 西安西电捷通无线网络通信股份有限公司 Method for authenticating entities, apparatus and system
CN107995214B (en) * 2017-12-19 2021-07-20 深圳市创梦天地科技有限公司 Website login method and related equipment
CN110995703B (en) * 2019-12-03 2021-09-17 望海康信(北京)科技股份公司 Service processing request processing method and device, and electronic device
CN115118454B (en) * 2022-05-25 2023-06-30 四川中电启明星信息技术有限公司 Cascade authentication system and authentication method based on mobile application

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1832397A (en) * 2005-11-28 2006-09-13 北京浦奥得数码技术有限公司 Authorization key, consultation and update method based on common key credentials between interface of electronic equipment
CN102239661A (en) * 2009-08-14 2011-11-09 华为技术有限公司 Method and device for exchanging keys
CN102239654A (en) * 2009-08-14 2011-11-09 华为技术有限公司 Authentication method and device for passive optical network equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7784684B2 (en) * 2002-08-08 2010-08-31 Fujitsu Limited Wireless computer wallet for physical point of sale (POS) transactions

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1832397A (en) * 2005-11-28 2006-09-13 北京浦奥得数码技术有限公司 Authorization key, consultation and update method based on common key credentials between interface of electronic equipment
CN102239661A (en) * 2009-08-14 2011-11-09 华为技术有限公司 Method and device for exchanging keys
CN102239654A (en) * 2009-08-14 2011-11-09 华为技术有限公司 Authentication method and device for passive optical network equipment

Also Published As

Publication number Publication date
CN102739660A (en) 2012-10-17

Similar Documents

Publication Publication Date Title
US10785019B2 (en) Data transmission method and apparatus
US12010216B2 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
CN107342859B (en) Anonymous authentication method and application thereof
WO2018127118A1 (en) Identity authentication method and device
CN107483212A (en) A kind of method of both sides' cooperation generation digital signature
CN101459506A (en) Cipher key negotiation method, system, customer terminal and server for cipher key negotiation
US11528127B2 (en) Computer-implemented system and method for highly secure, high speed encryption and transmission of data
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN111953479B (en) Data processing method and device
CN113612610B (en) Session key negotiation method
CN105812349A (en) Asymmetric secret key distribution and message encryption method based on identity information
CN105577377A (en) Identity-based authentication method and identity-based authentication system with secret key negotiation
CN117201000A (en) Mass data secure communication method, equipment and medium based on temporary key agreement
CN114650181A (en) E-mail encryption and decryption method, system, equipment and computer readable storage medium
CN102739660B (en) Key exchange method for single sign on system
CN115484038A (en) A data processing method and device thereof
CN110365482B (en) Data communication method and device
CN105162585A (en) Efficient privacy protecting session key agreement method
WO2020042023A1 (en) Instant messaging data encryption method and apparatus
CN106571913A (en) Two-party authentication key negotiation method for power wireless private network
Li et al. Itls/idtls: Lightweight end-to-end security protocol for iot through minimal latency
CN111404670A (en) A key generation method, UE and network device
CN115102698A (en) Digital signature method and system for quantum encryption
CN114301612A (en) Information processing method, communication apparatus, and encryption apparatus
CN107172016B (en) Security trust processing method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant