CN114417309A - Bidirectional identity authentication method, device, equipment and storage medium - Google Patents

Info

Publication number
CN114417309A
Authority
CN
China
Prior art keywords
sender
receiver
communication entity
random number
signature value
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210064883.7A
Other languages
Chinese (zh)
Other versions
CN114417309B (en
Inventor
曹高明
徐延林
邓颂清
杜海华
梁倚梦
马创奇
丘坚
张赐洲
高铭瑜
何舒琴
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Digital Guangdong Network Construction Co Ltd
Original Assignee
Digital Guangdong Network Construction Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Digital Guangdong Network Construction Co Ltd
Priority to CN202210064883.7A
Publication of CN114417309A
Application granted
Publication of CN114417309B
Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephone Function (AREA)

Abstract

The embodiments of the invention disclose a bidirectional identity authentication method, apparatus, device and storage medium. The method comprises: receiving a sender identifier, a sender random number and a sender signature value; generating a sender identity public key from pre-acquired public parameters and the sender identifier, and verifying the sender random number and the sender signature value with the sender identity public key; and, if the verification result is success, generating a receiver timestamp signature value from a pre-acquired receiver private key, and sending the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity to the sender communication entity. The technical solution improves the efficiency of authenticating both communication entities, reduces the cost of managing authentication information during authentication, and improves the security of authenticating both communication entities by combining the identifier, the time and the random number during bidirectional authentication.

Description

A bidirectional identity authentication method, apparatus, device and storage medium

Technical Field

Embodiments of the present invention relate to the technical field of communication security, and in particular to a bidirectional identity authentication method, apparatus, device and storage medium.

Background

With the continuous development of the Internet and the growing range of applications, information systems built on cloud computing infrastructure, such as office applications, secure access, e-mail and video conferencing, have come into widespread use. As attack techniques keep evolving, social-engineering information security problems in which hackers impersonate users, misuse user identity information, and steal or snoop on users' private data by means such as brute-force cracking and automated agents have become increasingly prominent. Verifying the authenticity of an accessing user's identity has therefore become an important means of safeguarding information security.

In typical e-government network applications, device-to-device authentication and user-to-device authentication are both very common. However, when a user or device is authenticated during access today, user name and password authentication is usually used, which carries certain security risks. When the two are authenticated with digital certificate technology, authentication requires a digital certificate issued by a trusted certificate authority, but managing the certificates is cumbersome and costly, and the approach is technically difficult to implement. When most service providers use self-generated certificates to avoid this burden, it is difficult to guard against the security risk of man-in-the-middle attacks: if a hacker uses a self-generated certificate to establish a false trust channel between the two communication entities that need to communicate, the hacker can snoop on and steal the data exchanged by both parties without hindrance. This reduces the efficiency and security of authenticating the two communicating parties, fails to guarantee secure and easy-to-use identity authentication during access, and reduces the completeness of bidirectional identity authentication between communication entities.

Summary of the Invention

The present invention provides a bidirectional identity authentication method, apparatus, device and storage medium for verifying the identities of two communication entities before they communicate. It improves the efficiency and security of authenticating both communication entities, makes the authentication information easier to manage during verification, reduces the memory a communication entity needs for identity authentication, and lowers the cost of bidirectional identity authentication.

In a first aspect, an embodiment of the present invention provides a bidirectional identity authentication method, applied to a receiver communication entity, comprising:

receiving a sender identifier, a sender random number and a sender signature value;

generating a sender identity public key from pre-acquired public parameters and the sender identifier, and verifying the sender random number and the sender signature value with the sender identity public key;

if the verification result is success, generating a receiver timestamp signature value from a pre-acquired receiver private key, and sending the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity to the sender communication entity.

Further, verifying the sender random number and the sender signature value with the sender identity public key comprises:

decrypting the sender signature value with the sender identity public key to determine a decrypted value;

if the decrypted value is the same as the sender random number, determining the verification result to be success;

otherwise, determining the verification result to be failure.

Further, generating the receiver timestamp signature value from the pre-acquired receiver private key comprises:

obtaining a receiver timestamp from a public clock;

combining the receiver timestamp and the sender random number as fields to generate a timestamp random number;

signing and encrypting the timestamp random number with the pre-acquired receiver private key to generate the receiver timestamp signature value.

Further, after the verification result is determined to be failure, the method further comprises:

cancelling communication between the receiver communication entity and the sender communication entity.

Further, before receiving the sender identifier, the sender random number and the sender signature value, the method further comprises:

obtaining, from the key management platform and according to the receiver identifier corresponding to the receiver communication entity, the receiver private key and public parameters corresponding to the receiver communication entity.

In a second aspect, an embodiment of the present invention further provides a bidirectional identity authentication method, applied to a sender communication entity, comprising:

when secure communication is required, generating a sender random number, and signing and encrypting the sender random number with a pre-acquired sender private key to generate a sender signature value;

sending the sender random number, the sender signature value and the sender identifier corresponding to the sender communication entity to the receiver communication entity;

generating a receiver identity public key from the received receiver identifier and the pre-acquired public parameters, and verifying the received receiver timestamp signature value with the receiver identity public key and the sender random number;

establishing communication between the sender communication entity and the receiver communication entity according to the verification result.

Further, verifying the received receiver timestamp signature value with the receiver identity public key and the sender random number comprises:

decrypting the receiver timestamp signature value with the receiver identity public key to determine the receiver timestamp and a decrypted random value;

obtaining a sender timestamp from the public clock;

verifying the receiver timestamp and the decrypted random value against the sender timestamp and the sender random number.

Further, verifying the receiver timestamp and the decrypted random value against the sender timestamp and the sender random number comprises:

determining the time difference between the sender timestamp and the receiver timestamp;

if the time difference is less than a preset time threshold and the decrypted random value is the same as the sender random number, determining the verification result to be success;

otherwise, determining the verification result to be failure.

Further, establishing communication between the sender communication entity and the receiver communication entity according to the verification result comprises:

if the verification result is success, establishing communication between the sender communication entity and the receiver communication entity;

if the verification result is failure, cancelling communication between the receiver communication entity and the sender communication entity.

Further, before the secure communication is performed, the method further comprises:

obtaining, from the key management platform and according to the sender identifier corresponding to the sender communication entity, the sender private key and public parameters corresponding to the sender communication entity.
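
The exchange set out in the first and second aspects above can be traced end to end in the following added example, which is not part of the patent and is not the applicant's code. It substitutes Shamir's 1984 RSA-based identity-based signature with constructed toy parameters for SM9, sends the receiver timestamp in the clear beside the signature instead of recovering it from the signature, and assumes the device codes, the 30-second threshold and all function names.

```python
import hashlib
import secrets
import time

# Constructed toy KGC parameters (two Mersenne primes): INSECURE, demo only.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                    # "public parameters" every entity holds
_D = pow(E, -1, (_P - 1) * (_Q - 1))     # KGC master secret, never leaves the KGC
_NB = (N.bit_length() + 7) // 8
MAX_SKEW = 30                            # assumed preset time threshold, seconds


def _h(*parts):
    """Hash length-prefixed byte strings to an integer below N."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big") % N


def id_public_key(identity):
    """Identity public key: computed from public parameters and the ID alone."""
    return _h(b"id", identity.encode())


def kgc_extract(identity):
    """KGC side: issue the private key that matches an identifier."""
    return pow(id_public_key(identity), _D, N)


def sign(priv, msg):
    """Shamir IBS: t = r^E, s = priv * r^f(t, msg) (stand-in for SM9 signing)."""
    r = secrets.randbelow(N - 2) + 2
    t = pow(r, E, N)
    f = _h(b"sig", t.to_bytes(_NB, "big"), msg)
    return (priv * pow(r, f, N)) % N, t


def verify(identity, msg, sig):
    """Accept iff s^E == H(identity) * t^f(t, msg) mod N."""
    s, t = sig
    if not (0 < s < N and 0 < t < N):
        return False
    f = _h(b"sig", t.to_bytes(_NB, "big"), msg)
    return pow(s, E, N) == (id_public_key(identity) * pow(t, f, N)) % N


def _stamp(ts, nonce):
    """Field combination of receiver timestamp and sender random number."""
    return ts.to_bytes(8, "big") + nonce


def sender_hello(sender_id, sender_priv):
    """Sender: fresh random number, signed with the sender private key."""
    nonce = secrets.token_bytes(16)
    return {"id": sender_id, "nonce": nonce, "sig": sign(sender_priv, nonce)}


def receiver_respond(hello, receiver_id, receiver_priv, now=None):
    """Receiver: verify the sender, then answer; None means communication is cancelled."""
    if not verify(hello["id"], hello["nonce"], hello["sig"]):
        return None
    ts = int(time.time() if now is None else now)
    sig = sign(receiver_priv, _stamp(ts, hello["nonce"]))
    return {"id": receiver_id, "ts": ts, "sig": sig}


def sender_finish(reply, my_nonce, now=None, max_skew=MAX_SKEW):
    """Sender: time-difference check, then signature over (ts || own random number)."""
    if reply is None:
        return False
    local = int(time.time() if now is None else now)
    if abs(local - reply["ts"]) >= max_skew:
        return False
    return verify(reply["id"], _stamp(reply["ts"], my_nonce), reply["sig"])


def run_cases():
    a_id, b_id = "device-A", "device-B"        # constructed device codes
    a_key, b_key = kgc_extract(a_id), kgc_extract(b_id)
    t0 = 1_700_000_000                         # constructed clock value
    hello = sender_hello(a_id, a_key)
    reply = receiver_respond(hello, b_id, b_key, now=t0)
    forged = dict(hello, id="device-C")        # A's signature under another ID
    other = sender_hello(a_id, a_key)          # a later session with a new nonce
    return {
        "honest": sender_finish(reply, hello["nonce"], now=t0 + 2),
        "wrong_id_rejected": receiver_respond(forged, b_id, b_key, now=t0) is None,
        "stale_rejected": not sender_finish(reply, hello["nonce"], now=t0 + 300),
        "old_reply_rejected": not sender_finish(reply, other["nonce"], now=t0 + 2),
    }


if __name__ == "__main__":
    print(run_cases())
```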

In a third aspect, an embodiment of the present invention further provides a bidirectional identity authentication apparatus, applied to a receiver communication entity, the apparatus comprising:

a parameter receiving module, configured to receive a sender identifier, a sender random number and a sender signature value;

a signature value verification module, configured to generate a sender identity public key from pre-acquired public parameters and the sender identifier, and to verify the sender random number and the sender signature value with the sender identity public key;

a first parameter sending module, configured to generate, if the verification result is success, a receiver timestamp signature value from a pre-acquired receiver private key, and to send the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity to the sender communication entity.

In a fourth aspect, an embodiment of the present invention further provides a bidirectional identity authentication apparatus, applied to a sender communication entity, the apparatus comprising:

a signature value generation module, configured to generate a sender random number when secure communication is required, and to sign and encrypt the sender random number with a pre-acquired sender private key to generate a sender signature value;

a second parameter sending module, configured to send the sender random number, the sender signature value and the sender identifier corresponding to the sender communication entity to the receiver communication entity;

a parameter verification module, configured to generate a receiver identity public key from the received receiver identifier and the pre-acquired public parameters, and to verify the received receiver timestamp signature value with the receiver identity public key and the sender random number;

a communication establishment module, configured to establish communication between the sender communication entity and the receiver communication entity according to the verification result.

In a fifth aspect, an embodiment of the present invention further provides a bidirectional identity authentication device, comprising:

a storage device and one or more processors;

the storage device being configured to store one or more programs;

when the one or more programs are executed by the one or more processors, the one or more processors implement the bidirectional identity authentication method of the first aspect when the device is the receiver communication entity, and the bidirectional identity authentication method of the second aspect when the device is the sender communication entity.

In a sixth aspect, an embodiment of the present invention further provides a storage medium containing computer-executable instructions which, when executed by a computer processor, perform the bidirectional identity authentication method of the first aspect or the second aspect.

The embodiments of the present invention provide a bidirectional identity authentication method, apparatus, device and storage medium. The receiver communication entity receives a sender identifier, a sender random number and a sender signature value; generates a sender identity public key from pre-acquired public parameters and the sender identifier, and verifies the sender random number and the sender signature value with the sender identity public key; and, if the verification result is success, generates a receiver timestamp signature value from a pre-acquired receiver private key and sends the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity to the sender communication entity. With this technical solution, when secure communication is required, the receiver communication entity uses the sender random number, sender signature value and sender identifier received from the sender communication entity to verify that the sender communication entity is the one it needs to connect to. It then generates the receiver timestamp signature value from the pre-acquired receiver private key and the time at which it sends information to the sender communication entity, and sends that value together with the receiver identifier corresponding to the receiver communication entity to the sender communication entity, so that the sender communication entity can authenticate the receiver communication entity from the receiver timestamp signature value, which contains the timestamp information, and the receiver identifier. This solves the problems of traditional bidirectional identity authentication: low security when it relies on password authentication, and complex, costly management and dependence on a third-party certificate authority when it relies on certificate authentication. Because neither party needs to obtain a digital certificate from a third-party certificate authority or to store certificate information locally, the efficiency of authenticating both communication entities is improved and the cost of managing authentication information during verification is reduced. In addition, combining the identifier, the time and the random number during bidirectional verification improves the security of authenticating both communication entities.

Brief Description of the Drawings

To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the present invention and should therefore not be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.

FIG. 1 is a flowchart of a bidirectional identity authentication method in Embodiment 1 of the present invention;

FIG. 2 is a flowchart of a bidirectional identity authentication method in Embodiment 2 of the present invention;

FIG. 3 is a flowchart of a bidirectional identity authentication method in Embodiment 3 of the present invention;

FIG. 4 is a flowchart of a bidirectional identity authentication method in Embodiment 4 of the present invention;

FIG. 5 is a schematic flowchart, in Embodiment 4 of the present invention, of verifying the receiver timestamp and the decrypted random value against the sender timestamp and the sender random number;

FIG. 6 is a schematic structural diagram of a bidirectional identity authentication apparatus in Embodiment 5 of the present invention;

FIG. 7 is a schematic structural diagram of a bidirectional identity authentication apparatus in Embodiment 6 of the present invention;

FIG. 8 is a schematic structural diagram of a bidirectional identity authentication device in Embodiment 7 of the present invention;

FIG. 9 is an example diagram of a bidirectional identity authentication topology in Embodiment 7 of the present invention.

Detailed Description

To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the accompanying drawings. It should be clear that the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention. Rather, they are merely examples of apparatus and methods consistent with some aspects of the invention, as detailed in the appended claims.

In the description of the present invention, it should be understood that the terms "first", "second", "third" and the like are used only to distinguish similar objects; they do not necessarily describe a specific order or sequence, nor should they be understood as indicating or implying relative importance. Those of ordinary skill in the art can understand the specific meanings of these terms in the present invention according to the circumstances. Furthermore, in the description of the present invention, unless otherwise specified, "a plurality" means two or more. "And/or" describes an association between associated objects and indicates that three relationships are possible; for example, "A and/or B" can mean A alone, both A and B, or B alone. The character "/" generally indicates an "or" relationship between the objects before and after it.

实施例一Example 1

图1为本发明实施例一提供的一种双向身份验证方法的流程图,本实施例可适用于接收方通信实体对发送方通信实体的身份验证,并将自身验证信息发送至发送方通信实体以供其验证的情况,该方法可以由双向身份验证装置来执行,该双向身份验证装置可以由软件和/或硬件来实现,该双向身份验证装置可以配置在双向身份验证设备上,该双向身份验证设备可以是计算机设备,计算机设备可以是两个或多个物理实体构成,也可以是一个物理实体构成。一般而言,计算机设备可以是笔记本、台式计算机以及智能平板等。FIG. 1 is a flowchart of a two-way authentication method provided in Embodiment 1 of the present invention. This embodiment can be applied to the identity verification of the receiver communication entity to the sender communication entity, and the self-verification information is sent to the sender communication entity. For its verification, the method can be performed by a two-way authentication device, which can be implemented by software and/or hardware, and the two-way authentication device can be configured on a two-way authentication device. The verification device may be a computer device, and the computer device may be composed of two or more physical entities, or may be composed of one physical entity. Generally speaking, the computer device can be a notebook, a desktop computer, a smart tablet, and the like.

如图1所示,本实施例一提供的一种双向身份验证方法,应用于接收方通信实体,具体包括如下步骤:As shown in FIG. 1 , a two-way authentication method provided in Embodiment 1 is applied to a recipient communication entity, and specifically includes the following steps:

S101、接收发送方标识、发送方随机数以及发送方签名值。S101. Receive an identifier of the sender, a random number of the sender, and a signature value of the sender.

在本实施例中,接收方通信实体具体可理解为两个需要进行安全通信的通信实体中,作为通信接收方的通信实体,可选的,通信实体可为移动通信设备、笔记本、台式计算机及智能平板等能够实现交互通信的计算机设备,本发明实施例对通信实体的具体类型不进行限制。发送方标识具体可理解为用以作为安全通信中通信发起方的通信实体对应的设备编码,需要明确的是,针对同一政府网络下的所有通信实体,每个通信实体均有其独有的设备编码,可通过设备编码明确通信实体位置及类型等信息。发送方随机数具体可理解为作为通信发起方的通信实体中生成的随机数值。发送方签名值具体可理解为将发送方随机数通过签名技术进行加密后所得到的参数值。In this embodiment, the communication entity of the receiver can be specifically understood as the communication entity of the communication receiver among the two communication entities that need to perform secure communication. Optionally, the communication entity may be a mobile communication device, a notebook, a desktop computer, and A computer device capable of realizing interactive communication, such as a smart tablet, does not limit the specific type of the communication entity in this embodiment of the present invention. The sender identifier can be understood as the device code corresponding to the communication entity used as the communication initiator in the secure communication. It needs to be clear that for all communication entities under the same government network, each communication entity has its own unique device. Coding, information such as the location and type of the communication entity can be clarified through the device coding. The sender random number can be specifically understood as a random value generated in the communication entity that is the communication initiator. The sender's signature value can be specifically understood as a parameter value obtained by encrypting the sender's random number through a signature technology.

具体的,当两个通信实体间需要进行安全通信时,作为通信接收方的接收方通信实体接收由发送方通信实体发送的发送方标识、发送方随机数以及发送方签名值。Specifically, when secure communication is required between two communication entities, the receiver communication entity serving as the communication receiver receives the sender identifier, sender random number and sender signature value sent by the sender communication entity.

S102、根据预先获取的公共参数与发送方标识生成发送方标识公钥,利用发送方标识公钥验证发送方随机数与发送方签名值。S102. Generate a sender identification public key according to the pre-acquired public parameters and the sender identification, and use the sender identification public key to verify the sender's random number and the sender's signature value.

在本实施例中,公共参数具体可理解为通信实体预先由密钥管理平台(KeyGeneration Center,KGC)中获取的,用以标识密码算法的参数值,需要明确的是,对于归属于同一KGC管理的多个通信实体,其由KGC中获取的公共参数为相同的。发送方标识公钥具体可理解为与发送方通信实体私钥相对应的非秘密一半,用以对经发送方私钥加密的信息进行对应解密的密钥。In this embodiment, the public parameter can be specifically understood as the parameter value obtained by the communication entity from the key management platform (KeyGeneration Center, KGC) in advance and used to identify the cryptographic algorithm. The common parameters obtained by the KGC are the same for multiple communication entities. The sender's identification public key can be specifically understood as the non-secret half corresponding to the sender's private key of the communication entity, and is used to decrypt the information encrypted by the sender's private key.

一般的,针对政务系统,归属于同一区域的通信实体由同一KGC进行管理,其所获取的公共参数均相同,该区域内的各通信实体间可直接由一次获取的公共参数进行双向身份验证,而对于区域外的其他通信实体,由于公共参数的不同,则无法进行双向身份验证,除非在验证前将对应公共参数进行交换。示例性的,假设深圳市与珠海市中的各通信实体分别由两个KGC进行管理,则深圳市内的各通信实体间可基于对应的KGC公共参数进行双向身份验证,而一个深圳市与一个珠海市的通信实体间难以直接基于各自获取的公共参数进行双向身份验证。Generally, for the government affairs system, the communication entities belonging to the same area are managed by the same KGC, and the acquired public parameters are the same. For other communication entities outside the area, due to the difference in public parameters, two-way authentication cannot be performed unless the corresponding public parameters are exchanged before authentication. Exemplarily, assuming that each communication entity in Shenzhen and Zhuhai is managed by two KGCs, then each communication entity in Shenzhen can perform two-way authentication based on the corresponding KGC public parameters, and one Shenzhen and one It is difficult for communication entities in Zhuhai to perform two-way authentication directly based on the public parameters obtained by each other.

具体的,依据符合国家密码规范的标识密钥算法,结合预先由密钥管理平台获取的公共参数以及接收到的发送方标识,生成与发送方通信实体对应发送方私钥对应的发送方标识公钥,进而利用发送方标识公钥对接收到的发送方签名值进行解密,并将解密后的发送方签名值与发送方随机数进行比对验证,得到对应的验证结果。示例性的,本发明实施例中的标识密钥算法可为符合国家标准《GM/T 0044-2016SM9标识密码算法》的SM9标识密钥算法,本发明实施例对通信实体具体采用的标识密钥方法不进行限制。Specifically, according to the identification key algorithm that conforms to the national cryptography standard, combined with the public parameters obtained in advance by the key management platform and the received sender identification, the sender identification public key corresponding to the sender private key corresponding to the sender communication entity is generated. Then use the sender's identification public key to decrypt the received sender's signature value, and compare and verify the decrypted sender's signature value with the sender's random number to obtain the corresponding verification result. Exemplarily, the identification key algorithm in the embodiment of the present invention may be the SM9 identification key algorithm that conforms to the national standard "GM/T 0044-2016SM9 Identification Cryptographic Algorithm", and the identification key specifically adopted by the communication entity in the embodiment of the present invention is The method is not limited.

In this embodiment of the invention, because the device code of the communication entity serves as the key, there is no need to apply to a third-party certificate authority (Certification Authority, CA) for a trusted electronic certificate. This avoids the problem that CA certificates are inconvenient to manage in terms of storage consumption and performance and are inefficient when identifying a very large number of communication entities. It also avoids the low security that arises in the prior art when the two communicating entities, instead of obtaining a trusted CA certificate from a trusted third-party certificate authority, generate untrusted certificates themselves for verification. The efficiency of key management is improved, the complexity of authenticating the two communicating parties is reduced, network resources are saved, repeated interactions with a third party are avoided, and security is improved.

S103. If the verification succeeds, generate a receiver timestamp signature value using the receiver private key obtained in advance, and send the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity to the sender communication entity.

In this embodiment, the receiver private key is the secret half of the key pair used with the public key algorithm in the receiver communication entity. It can be used to encrypt parameters in the receiver communication entity, and the encrypted parameters can only be decrypted with that receiver private key or its corresponding public key. The receiver timestamp signature value is the parameter value obtained by using the receiver private key and a signature technique to encrypt a string that contains both timestamp information and random number information. The receiver identifier is the device code of the communication entity that acts as the receiver in the secure communication.

Specifically, if the verification succeeds, the sender communication entity can be determined to be an entity located in the same region as the receiver communication entity and able to communicate with it securely. The receiver communication entity then obtains a timestamp for the current time, combines it with the sender random number it received, and signs and encrypts the combination with the receiver private key obtained in advance to produce the receiver timestamp signature value. It sends the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity to the sender communication entity, so that the sender communication entity can verify the identity of the receiver communication entity from the receiver timestamp signature value and the receiver identifier.

In this embodiment of the invention, the sender identifier, sender random number and sender signature value are received; a sender identification public key is generated from the public parameters obtained in advance and the sender identifier, and is used to verify the sender random number against the sender signature value; if the verification succeeds, a receiver timestamp signature value is generated using the receiver private key obtained in advance, and the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity are sent to the sender communication entity. With this technical solution, when secure communication is required, the receiver communication entity uses the received sender random number, sender signature value and sender identifier to verify that the sender communication entity is the one it needs to connect to. It then generates the receiver timestamp signature value from the receiver private key obtained in advance and the time at which it sends information to the sender communication entity, and sends that value together with its receiver identifier to the sender communication entity, so that the sender can authenticate the receiver from the receiver timestamp signature value, which contains timestamp information, and the receiver identifier. This solves the problems of traditional two-way authentication: low security when it relies on password authentication, and dependence on a third-party certificate authority, with complicated management and high cost, when it relies on certificate authentication. Because neither party needs to obtain a digital certificate from a third-party certificate authority or to store certificate information locally, authentication between the two communication entities becomes more efficient and the cost of managing verification information is reduced. Combining the identifier, the time and a random number in the two-way verification also improves the security of authenticating both communication entities.

Embodiment 2

FIG. 2 is a flowchart of a two-way authentication method provided by Embodiment 2 of the present invention. The technical solution of this embodiment further refines the optional technical solutions above. The sender signature value is decrypted with the generated sender identification public key, and the decrypted value is checked against the sender random number. If the check succeeds, a receiver timestamp is obtained from the common clock, combined with the sender random number, and encrypted with the receiver private key to produce the receiver timestamp signature value that is sent to the sender communication entity. Adding time information to the encrypted information used for authentication improves the accuracy of two-way authentication. Because only the two parties that need to communicate take part in authentication, the amount of data transmitted during verification is reduced, the efficiency of authenticating the two communication entities is improved, the cost of managing verification information is lowered, and the security of authentication is safeguarded.

As shown in FIG. 2, the two-way authentication method provided by Embodiment 2 of the present invention specifically includes the following steps:

S201. Using the receiver identifier corresponding to the receiver communication entity, obtain from the key management platform the receiver private key and the public parameters corresponding to the receiver communication entity.

In this embodiment, the key management platform is the key management infrastructure that manages the keys of the communication entities in its region. Every communication entity it manages should be backed up in it, and a communication entity that needs keys can obtain the correspondingly generated private key and the public parameters from it.

Specifically, when the receiver communication entity needs its receiver private key and the public parameters, it sends its receiver identifier to the key management platform. The platform checks whether the receiver identifier exists in the platform; if it does, the platform generates the corresponding receiver private key from the receiver identifier and issues that private key, together with the public parameters of the key management platform, to the receiver communication entity.

S202. Receive the sender identifier, the sender random number and the sender signature value.

S203. Generate the sender identification public key from the public parameters and the sender identifier, decrypt the sender signature value with the sender identification public key, and determine the decrypted value.

Specifically, the receiver communication entity sends the key management platform an identification public key request that contains the sender identifier. The key management platform, following an identity-based key algorithm that conforms to the national cryptographic standards, generates the sender identification public key from the public parameters and the sender identifier and returns it to the receiver communication entity. The receiver communication entity uses this sender identification public key to decrypt the sender signature value that was encrypted with the sender private key, and takes the result as the decrypted value.

S204. Determine whether the decrypted value is the same as the sender random number; if so, go to step S205; if not, go to step S206.

Specifically, a character comparison determines whether the decrypted value is the same as the sender random number. If they are the same, the sender communication entity can be taken to be located in the same region as the receiver communication entity and managed by the same key management platform; a secure communication relationship can be established between the two, the sender communication entity passes authentication, and step S205 is performed. If they differ, the sender communication entity may not be located in the same region as the receiver communication entity; the two cannot establish a secure communication relationship, authentication of the sender communication entity fails, and step S206 is performed.

S205. Determine the verification result to be success, and go to step S208.

S206. Determine the verification result to be failure, and go to step S207.

S207. Cancel the communication between the receiver communication entity and the sender communication entity.

Specifically, because the receiver communication entity has determined that the sender communication entity is not one with which secure communication can be established, the receiver communication entity can cancel the communication between the two directly.

Further, after the communication between the two entities is cancelled, the receiver communication entity may raise an alarm so that technicians can investigate the anomaly. This reduces the risk of man-in-the-middle attacks and keeps a necessary communication request from an entity in another region from being ignored.

S208. Obtain the receiver timestamp from the common clock.

In this embodiment, the common clock is a clock shared by all communication entities in the same region that need a clock; it serves as the standard that unifies relative time among those communication entities.

Specifically, once the verification result is determined to be success, the receiver communication entity has completed its authentication of the sender communication entity it will communicate with, and it now has to generate authentication information with which the sender communication entity can verify the receiver's identity. Because the two verifications should in theory take place only a short time apart, the current time can be obtained from the common clock and used to construct the receiver timestamp. This brings the time factor into authentication and improves its precision.

S209. Combine the fields of the receiver timestamp and the sender random number to generate the timestamp random number.

Specifically, the field holding the receiver timestamp is combined with the field holding the sender random number. For example, the sender random number field may be appended after the receiver timestamp field, and the combined field is taken as the timestamp random number.

S210. Sign and encrypt the timestamp random number with the receiver private key to generate the receiver timestamp signature value.

Specifically, the receiver private key is used with a signature technique to sign and encrypt the timestamp random number as a whole, and the encrypted timestamp random number is taken as the receiver timestamp signature value.

S211. Send the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity to the sender communication entity.

In the technical solution of this embodiment, the sender signature value is decrypted with the sender identification public key generated from the sender identifier and the public parameters, and the result is compared with the sender random number to confirm the sender's identity. No third party takes part, which reduces the amount of data transmitted during verification and improves the efficiency of authenticating the two communication entities. After the verification succeeds, a receiver timestamp is obtained from the common clock, combined with the sender random number, and encrypted with the receiver private key to produce the receiver timestamp signature value that is sent to the sender communication entity. Because time information is added to the encrypted information used for authentication, the sender communication entity can authenticate the receiver communication entity on the basis of both the time and the receiver identifier. This improves the accuracy of two-way authentication, further safeguards the security of authentication, and lowers the cost of managing verification information during verification.

Embodiment 3

FIG. 3 is a flowchart of a two-way authentication method provided by Embodiment 3 of the present invention. The technical solution of this embodiment further refines the optional technical solutions above and applies to the case in which the sender communication entity authenticates the receiver communication entity. The method may be performed by a two-way authentication apparatus, which may be implemented in software and/or hardware and may be configured on a two-way authentication device. The two-way authentication device may be a computer device, and the computer device may consist of two or more physical entities or of a single physical entity. In general, the computer device may be a notebook computer, a desktop computer, a smart tablet or the like.

As shown in FIG. 3, the two-way authentication method provided by Embodiment 3 is applied to the sender communication entity and specifically includes the following steps:

S301. When secure communication is required, generate a sender random number, and sign and encrypt the sender random number with the sender private key obtained in advance to generate the sender signature value.

In this embodiment, the sender communication entity is the one of the two communication entities requiring secure communication that initiates the communication. The sender random number is a random value generated by the sender communication entity and used to assist encryption for authentication. The sender private key is the secret half of the key pair used with the public key algorithm in the sender communication entity. It can be used to encrypt the parameters that the sender communication entity needs to send, and the encrypted parameters can only be decrypted with that sender private key or its corresponding public key.

Specifically, when secure communication is required, the sender communication entity first identifies the receiver communication entity it needs to communicate with and generates the sender random number itself. It signs and encrypts the sender random number with the sender private key obtained in advance from the key management platform, and takes the encrypted sender random number as the sender signature value.

S302. Send the sender random number, the sender signature value and the sender identifier corresponding to the sender communication entity to the receiver communication entity.

Specifically, because the receiver communication entity holds no previously obtained sender random number, the sender signature value and the sender identifier alone do not allow it to authenticate the sender communication entity. The sender communication entity therefore sends the sender random number together with the sender signature value and the sender identifier corresponding to the sender communication entity to the receiver communication entity for authentication.

S303. Generate the receiver identification public key from the received receiver identifier and the public parameters obtained in advance, and verify the received receiver timestamp signature value using the receiver identification public key and the sender random number.

In this embodiment, the receiver identification public key is the non-secret half that corresponds to the private key of the receiver communication entity; it is the key used to decrypt information encrypted with the receiver private key.

Specifically, following an identity-based key algorithm that conforms to the national cryptographic standards, the receiver identification public key, which corresponds to the receiver private key of the receiver communication entity, is generated from the public parameters obtained in advance from the key management platform together with the received receiver identifier. The receiver identification public key is then used to decrypt the received receiver timestamp signature value, and the decrypted value is compared against the sender random number and against the time at which the sender communication entity received the receiver timestamp signature value, yielding the verification result.

S304. Establish communication between the sender communication entity and the receiver communication entity according to the verification result.

Specifically, once the sender communication entity has received the receiver identifier and the receiver timestamp signature value sent by the receiver communication entity, the receiver communication entity can be taken to have completed its authentication of the sender communication entity. So when the sender communication entity determines that the verification result is success, the two parties are confirmed as communication entities that can communicate securely, and the sender communication entity can establish communication between the sender communication entity and the receiver communication entity. Otherwise, secure communication between the two is considered impossible, and the establishment of communication between them is cancelled.

In this embodiment of the invention, when secure communication is required, a sender random number is generated and is signed and encrypted with the sender private key obtained in advance to generate the sender signature value; the sender random number, the sender signature value and the sender identifier corresponding to the sender communication entity are sent to the receiver communication entity; the receiver identification public key is generated from the received receiver identifier and the public parameters obtained in advance, and the received receiver timestamp signature value is verified using the receiver identification public key and the sender random number; and communication between the sender communication entity and the receiver communication entity is established according to the verification result. With this technical solution, when secure communication is required, the sender first encrypts the random number it generated with the sender private key obtained in advance, and then sends the sender random number, the resulting sender signature value and the sender identifier corresponding to the sender communication entity to the receiver communication entity it needs to communicate with, so that the receiver can authenticate this sender directly from what it receives. Only after that verification passes does the sender receive the receiver identifier and the receiver timestamp signature value sent by the receiver communication entity. The sender generates the receiver identification public key, which corresponds to the receiver private key, from the receiver identifier and the public parameters obtained in advance, and decrypts the receiver timestamp signature value with it, so that the identity of the receiver communication entity is verified on the basis of both the time information and the decrypted random number information. Secure communication between the two is then established according to the verification result. This solves the problems of traditional two-way authentication: low security when it relies on password authentication, and dependence on a third-party certificate authority, with complicated management and high cost, when it relies on certificate authentication. Because neither party needs to obtain a digital certificate from a third-party certificate authority or to store certificate information locally, authentication between the two communication entities becomes more efficient and the cost of managing verification information is reduced. Combining the identifier, the time and a random number in the two-way verification also improves the security of authenticating both communication entities.
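The receiver-side steps S201 to S211 and the sender-side steps S301 to S304, run end to end as an added example that is not part of the patent text. SM9 is not in the Python standard library, so Shamir's RSA-based identity-based signature stands in for it with a toy modulus. The class and function names, the 5-second skew tolerance, and carrying the timestamp in clear next to the signature (the stand-in verifies a signature rather than recovering the signed value) are assumptions.

```python
import hashlib
import secrets
import time


def _h(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big")


class KGC:
    """Key management platform of one region. Toy Mersenne-prime modulus: NOT secure."""

    def __init__(self, known_ids, p=2**127 - 1, q=2**107 - 1, e=65537):
        self.params = (p * q, e)                   # public parameters (n, e)
        self._d = pow(e, -1, (p - 1) * (q - 1))    # master secret, stays in the KGC
        self._known = set(known_ids)

    def enroll(self, identity: str):
        """S201/S401: check the identifier, then issue its private key and the parameters."""
        if identity not in self._known:
            raise PermissionError(f"{identity} is not managed by this KGC")
        n, _ = self.params
        return pow(_h(identity.encode()) % n, self._d, n), self.params


def sign(params, priv: int, msg: bytes):
    """Shamir IBS (stand-in for SM9): t = r^e, s = priv * r^H(t, msg) mod n."""
    n, e = params
    r = secrets.randbelow(n - 2) + 2
    t = pow(r, e, n)
    return t, priv * pow(r, _h(t.to_bytes(32, "big"), msg), n) % n


def verify(params, identity: str, msg: bytes, sig) -> bool:
    """Uses only public parameters and the signer's identifier: s^e == H(ID) * t^H(t, msg)."""
    n, e = params
    t, s = sig
    if not (0 < t < n and 0 < s < n):              # reject the trivial (0, 0) forgery
        return False
    id_pub = _h(identity.encode()) % n             # identification public key
    return pow(s, e, n) == id_pub * pow(t, _h(t.to_bytes(32, "big"), msg), n) % n


class Entity:
    MAX_SKEW = 5  # seconds; assumed tolerance, the page states no value

    def __init__(self, identity: str, kgc: KGC, clock=time.time):
        self.identity, self.clock = identity, clock   # clock plays the common clock
        self.priv, self.params = kgc.enroll(identity)
        self.nonce = None

    def hello(self):
        """Sender, S301-S302: fresh random number, its signature, and the sender identifier."""
        self.nonce = secrets.token_bytes(16)
        return self.identity, self.nonce, sign(self.params, self.priv, self.nonce)

    def respond(self, sender_id: str, nonce: bytes, sig):
        """Receiver, S202-S211. Returns None when verification fails (S206-S207)."""
        if not verify(self.params, sender_id, nonce, sig):
            return None
        ts = int(self.clock()).to_bytes(8, "big")     # S208: receiver timestamp
        stamped = ts + nonce                          # S209: timestamp field, then nonce
        return self.identity, ts, sign(self.params, self.priv, stamped)   # S210-S211

    def finish(self, reply) -> bool:
        """Sender, S303-S304: check the signature over timestamp+nonce, then freshness."""
        if reply is None or self.nonce is None:
            return False
        receiver_id, ts, sig = reply
        if not verify(self.params, receiver_id, ts + self.nonce, sig):
            return False
        return abs(int(self.clock()) - int.from_bytes(ts, "big")) <= self.MAX_SKEW


if __name__ == "__main__":
    # Constructed identifiers; one KGC per region as in the Shenzhen/Zhuhai illustration.
    shenzhen = KGC({"SZ-0001", "SZ-0002"})
    zhuhai = KGC({"ZH-0001"}, p=2**89 - 1, q=2**61 - 1)
    a, b = Entity("SZ-0001", shenzhen), Entity("SZ-0002", shenzhen)
    z = Entity("ZH-0001", zhuhai)
    print("same region :", a.finish(b.respond(*a.hello())))
    print("cross region:", z.finish(b.respond(*z.hello())))
```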

Embodiment 4

FIG. 4 is a flowchart of a two-way authentication method provided by Embodiment 4 of the present invention. The technical solution of this embodiment further refines the optional technical solutions above. The receiver timestamp signature value is decrypted with the generated receiver identification public key, and the receiver timestamp and the decrypted random value are determined from the decrypted receiver timestamp signature value. The receiver timestamp and the decrypted random value are verified against the sender timestamp, obtained from the common clock at the time of decryption, and the sender random number, and communication between the sender communication entity and the receiver communication entity is established according to the verification result. Applying time information to the encrypted information used for authentication improves the accuracy of two-way authentication. Because only the two communicating parties take part in authentication, the amount of data transmitted during verification is reduced, the efficiency of authenticating the two communication entities is improved, and the cost of managing verification information during verification is lowered.

As shown in FIG. 4, the two-way authentication method provided by Embodiment 4 of the present invention specifically includes the following steps:

S401. Using the sender identifier corresponding to the sender communication entity, obtain from the key management platform the sender private key and the public parameters corresponding to the sender communication entity.

Specifically, when the sender communication entity needs its sender private key and the public parameters, it sends its sender identifier to the key management platform. The platform checks whether the sender identifier exists in the platform; if it does, the platform generates the corresponding sender private key from the sender identifier and issues that private key, together with the public parameters of the key management platform, to the sender communication entity.

S402. When secure communication is required, generate a sender random number, and sign and encrypt the sender random number with the sender private key obtained in advance to generate the sender signature value.

S403、将发送方随机数、发送方签名值以及与发送方通信实体对应的发送方标识发送至接收方通信实体。S403. Send the sender's random number, the sender's signature value, and the sender's identifier corresponding to the sender's communication entity to the receiver's communication entity.

S404、根据接收到的接收方标识与公共参数生成接收方标识公钥。S404. Generate a public key of the receiver identification according to the received identification of the receiver and the public parameters.

具体的发送方通信实体向密钥管理平台发送包含接收方标识的标识公钥申请信息,使得密钥管理平台可依据符合国家密码规范的标识密钥算法,结合公共参数与接收方标识生成接收方标识公钥并将其反馈至发送方通信实体。The specific sender communication entity sends the identification public key application information including the receiver's identification to the key management platform, so that the key management platform can generate the receiver according to the identification key algorithm that conforms to the national cryptographic standard, combining the public parameters and the receiver's identification. The public key is identified and fed back to the sender communicating entity.

S405、通过接收方标识公钥对接收方时戳签名值进行解密,确定接收方时间戳与解密随机数值。S405: Decrypt the signature value of the receiver's timestamp by using the receiver's identification public key to determine the receiver's timestamp and the decrypted random value.

具体的,发送方通信实体通过接收方标识公钥对经由接收方私钥加密的接收方时戳签名值进行解密,将解密后所得到的值进行字段拆分,确定接收方时间戳与解密随机数值。Specifically, the communication entity of the sender decrypts the signature value of the receiver's timestamp encrypted by the receiver's private key through the receiver's identification public key, and splits the value obtained after decryption into fields to determine the receiver's timestamp and the decryption random number. numerical value.

S406. Obtain the sender timestamp from the public clock.

Specifically, because the theoretical time difference between the identity verifications performed by the sender communication entity and the receiver communication entity should be small, once the received receiver timestamp signature value has been decrypted, the current time can be obtained from the public clock and used to construct the sender timestamp, which represents the time at which the sender communication entity performs identity verification.

S407. Verify the receiver timestamp and the decrypted random value according to the sender timestamp and the sender random number.

Specifically, the sender timestamp and the receiver timestamp are used to determine whether this identity verification belongs to the establishment of the same secure communication, the sender random number and the decrypted random value are used to determine the identity of the receiver communication entity, and the two checks are combined to determine the verification result.

Further, FIG. 5 is a schematic flowchart, provided in Embodiment 4 of the present invention, of verifying the receiver timestamp and the decrypted random value according to the sender timestamp and the sender random number. As shown in FIG. 5, it specifically includes the following steps:

S4071. Determine the time difference between the sender timestamp and the receiver timestamp.

Specifically, the time value corresponding to the receiver timestamp is subtracted from the time value corresponding to the sender timestamp, and the absolute value of the result is taken as the time difference.

S4072. Determine whether the time difference is less than the preset time threshold and the decrypted random value is the same as the sender random number; if so, go to step S4073; if not, go to step S4074.

Specifically, if the time difference is less than the preset time threshold, this identity verification can be considered to belong to the establishment of the same secure communication; if, in addition, the decrypted random value is the same as the sender random number, the receiver communication entity can be considered to be the intended peer of this secure communication, and step S4073 is executed. Otherwise, either this identity verification does not belong to the establishment of the same secure communication, or the receiver communication entity is not the intended peer of this secure communication, and step S4074 is executed.

Optionally, the preset time threshold may be 5 minutes, or may be set adaptively according to actual requirements; this embodiment of the present invention places no limitation on it.

S4073. Determine that the verification result is success.

S4074. Determine that the verification result is failure.

S408. Determine whether the verification result is success; if so, go to step S409; if not, go to step S410.

Specifically, if the verification result is success, the sender communication entity can be considered to be located in the same area as the receiver communication entity and to be a communication entity managed by the same key management platform, so a secure communication relationship can be established between the two, and the identity verification of the sender communication entity passes; step S409 is then executed. If the verification result is failure, the sender communication entity may not be located in the same area as the receiver communication entity, the two cannot establish a secure communication relationship, and the identity verification of the sender communication entity fails; step S410 is then executed.

S409. Establish communication between the sender communication entity and the receiver communication entity.

S410. Cancel the communication between the receiver communication entity and the sender communication entity.

Specifically, because the sender communication entity has confirmed that the receiver communication entity is not a communication entity with which secure communication can be established, the sender communication entity can cancel the communication between the two directly.

Further, after the communication between the two communication entities is cancelled, the sender communication entity may raise an alarm so that technicians can troubleshoot the anomaly, which reduces the risk of man-in-the-middle attacks and also prevents necessary communication requests from communication entities in other areas from being ignored.

In the technical solution of this embodiment, the receiver timestamp signature value is decrypted with the receiver identification public key generated from the receiver identifier and the public parameters; the receiver timestamp and the decrypted random value are determined from the decrypted receiver timestamp signature value; the receiver timestamp and the decrypted random value are verified against the sender random number and the sender timestamp obtained from the public clock at decryption time; and communication between the sender communication entity and the receiver communication entity is established according to the verification result. Adding time information to the encrypted information used for identity verification lets the sender communication entity verify the receiver communication entity against both the time and the receiver identifier, which improves the accuracy of two-way authentication, further safeguards the security of identity verification, and reduces the cost of managing verification information during verification.

Embodiment 5

FIG. 6 is a schematic structural diagram of a two-way authentication apparatus provided in Embodiment 5 of the present invention, applied to a receiver communication entity. The two-way authentication apparatus includes a parameter receiving module 51, a signature value verification module 52 and a first parameter sending module 53.

The parameter receiving module 51 is configured to receive the sender identifier, the sender random number and the sender signature value. The signature value verification module 52 is configured to generate a sender identification public key according to the pre-acquired public parameters and the sender identifier, and to verify the sender random number and the sender signature value with the sender identification public key. The first parameter sending module 53 is configured to, if the verification result is success, generate a receiver timestamp signature value according to the pre-acquired receiver private key, and send the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity to the sender communication entity.

The technical solution of this embodiment addresses two problems of traditional two-way authentication: relying on password authentication gives low security, while relying on certificate authentication requires a third-party certificate authority, which is complicated to manage and costly. Because neither party needs to obtain a digital certificate from a third-party certificate authority or to store certificate information locally, identity verification between the two communication entities becomes more efficient and the cost of managing verification information during verification is reduced. In addition, combining the identifier, the time and a random number during two-way verification improves the security of identity verification between the two communication entities.

Optionally, the signature value verification module 52 includes:

A signature decryption unit, configured to decrypt the sender signature value with the sender identification public key to determine a decrypted value.

A verification result determination unit, configured to determine the verification result as success if the decrypted value is the same as the sender random number, and otherwise to determine the verification result as failure.

Optionally, the first parameter sending module 53 includes:

A timestamp obtaining unit, configured to obtain the receiver timestamp from the public clock.

A timestamp random number generation unit, configured to combine the receiver timestamp and the sender random number as fields to generate a timestamp random number.

A timestamp signature value generation unit, configured to sign and encrypt the timestamp random number with the pre-acquired receiver private key to generate the receiver timestamp signature value.

A parameter sending unit, configured to send the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity to the sender communication entity.

Optionally, the two-way authentication apparatus further includes:

A private key acquisition module, configured to, before the sender identifier, the sender random number and the sender signature value are received, obtain from the key management platform the receiver private key and the public parameters corresponding to the receiver communication entity, according to the receiver identifier corresponding to the receiver communication entity.

A communication cancellation module, configured to cancel the communication between the receiver communication entity and the sender communication entity after the verification result is determined as failure.

The two-way authentication apparatus provided in this embodiment of the present invention can execute the two-way authentication methods provided in Embodiment 1 and Embodiment 2 of the present invention, and has the functional modules and beneficial effects corresponding to the methods executed.

Embodiment 6

FIG. 7 is a schematic structural diagram of a two-way authentication apparatus provided in Embodiment 6 of the present invention, applied to a sender communication entity. The two-way authentication apparatus includes a signature value generation module 61, a second parameter sending module 62, a parameter verification module 63 and a communication establishment module 64.

The signature value generation module 61 is configured to, when secure communication is required, generate a sender random number, and sign and encrypt the sender random number with the pre-acquired sender private key to generate a sender signature value. The second parameter sending module 62 is configured to send the sender random number, the sender signature value, and the sender identifier corresponding to the sender communication entity to the receiver communication entity. The parameter verification module 63 is configured to generate a receiver identification public key according to the received receiver identifier and the pre-acquired public parameters, and to verify the received receiver timestamp signature value with the receiver identification public key and the sender random number. The communication establishment module 64 is configured to establish communication between the sender communication entity and the receiver communication entity according to the verification result.

The technical solution of this embodiment addresses two problems of traditional two-way authentication: relying on password authentication gives low security, while relying on certificate authentication requires a third-party certificate authority, which is complicated to manage and costly. Because neither party needs to obtain a digital certificate from a third-party certificate authority or to store certificate information locally, identity verification between the two communication entities becomes more efficient and the cost of managing verification information during verification is reduced. In addition, combining the identifier, the time and a random number during two-way verification improves the security of identity verification between the two communication entities.

Optionally, the parameter verification module 63 includes:

A parameter decryption unit, configured to decrypt the receiver timestamp signature value with the receiver identification public key to determine the receiver timestamp and the decrypted random value.

A timestamp obtaining unit, configured to obtain the sender timestamp from the public clock.

A timestamp value verification unit, configured to verify the receiver timestamp and the decrypted random value according to the sender timestamp and the sender random number.

Optionally, the timestamp value verification unit is specifically configured to:

Determine the time difference between the sender timestamp and the receiver timestamp;

If the time difference is less than the preset time threshold and the decrypted random value is the same as the sender random number, determine that the verification result is success;

Otherwise, determine that the verification result is failure.

Optionally, the communication establishment module 64 is specifically configured to:

If the verification result is success, establish communication between the sender communication entity and the receiver communication entity;

If the verification result is failure, cancel the communication between the receiver communication entity and the sender communication entity.

Optionally, the two-way authentication apparatus further includes:

A private key acquisition module, configured to, before secure communication is performed, obtain from the key management platform the sender private key and the public parameters corresponding to the sender communication entity, according to the sender identifier corresponding to the sender communication entity.

The two-way authentication apparatus provided in this embodiment of the present invention can execute the two-way authentication methods provided in Embodiment 3 and Embodiment 4 of the present invention, and has the functional modules and beneficial effects corresponding to the methods executed.

Embodiment 7

FIG. 8 is a schematic structural diagram of a two-way authentication device provided in Embodiment 7 of the present invention. The two-way authentication device includes a processor 70, a storage device 71, a display screen 72, an input device 73 and an output device 74. The data processing device may contain one or more processors 70; FIG. 8 takes one processor 70 as an example. The data processing device may contain one or more storage devices 71; FIG. 8 takes one storage device 71 as an example. The processor 70, the storage device 71, the display screen 72, the input device 73 and the output device 74 of the data processing device may be connected by a bus or in other ways; FIG. 8 takes connection by a bus as an example. In an embodiment, the data processing device may be a computer, a notebook, a smart tablet, or the like.

As a computer-readable storage medium, the storage device 71 can be used to store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the two-way authentication device described in any embodiment of the present application (for example, the parameter receiving module 51, the signature value verification module 52 and the first parameter sending module 53, or the signature value generation module 61, the second parameter sending module 62, the parameter verification module 63 and the communication establishment module 64). The storage device 71 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created through use of the device, and the like. In addition, the storage device 71 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, the storage device 71 may further include memory located remotely from the processor 70, which may be connected to the device through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

The display screen 72 may be a display screen 72 with a touch function, which may be a capacitive screen, an electromagnetic screen or an infrared screen. In general, the display screen 72 is used to display data as instructed by the processor 70, and also to receive touch operations acting on the display screen 72 and send the corresponding signals to the processor 70 or other devices.

The input device 73 can be used to receive input digital or character information and to generate key signal input related to user settings and function control of the display device; it may also be a camera for acquiring images or a sound pickup device for acquiring audio data. The output device 74 may include audio devices such as speakers. It should be noted that the specific composition of the input device 73 and the output device 74 can be set according to actual conditions.

The processor 70 executes the various functional applications and data processing of the device by running the software programs, instructions and modules stored in the storage device 71, that is, it implements the two-way authentication method described above.

The two-way authentication device provided above can be used to execute the two-way authentication method provided in any of the above embodiments, and has the corresponding functions and beneficial effects.

By way of example, FIG. 9 is an example diagram of a two-way authentication topology provided in an embodiment of the present invention. As shown in FIG. 9, before the sender communication entity, acting as the communication initiator, performs secure communication, it applies to the KGC key management platform for a private key using its own identifier, and obtains from the KGC the sender private key generated from the sender identifier together with the public parameters corresponding to that KGC. It generates a sender signature value from the sender random number it generated and the sender private key, and sends the sender random number, the sender signature value and the sender identifier to the receiver communication entity. Before receiving this information, the receiver communication entity applies to the KGC key management platform for a private key using its own identifier, and obtains from the KGC the receiver private key generated from the receiver identifier together with the public parameters corresponding to that KGC.

After receiving the sender random number, the sender signature value and the sender identifier, the receiver communication entity sends an identification public key application to the KGC based on the sender identifier. The KGC generates the sender identification public key from the received sender identifier and the public parameters and delivers it to the receiver communication entity, so that the receiver communication entity can decrypt the sender signature value with the sender identification public key and then verify the identity of the sender communication entity using the sender random number and the decrypted sender signature value. After successful verification, the receiver communication entity obtains the receiver timestamp from the shared public clock, combines it with the sender random number, encrypts the combination with the receiver private key to obtain the receiver timestamp signature value, and sends the receiver identifier and the receiver timestamp signature value to the sender communication entity, completing the sender communication entity's identity verification of the receiver communication entity.

After receiving the receiver identifier and the receiver timestamp signature value, the sender communication entity submits an identification public key application to the KGC based on the receiver identifier. The KGC generates the receiver identification public key from the received receiver identifier and the public parameters and delivers it to the sender communication entity. The sender communication entity can decrypt the receiver timestamp signature value with the receiver identification public key, obtain the sender timestamp from the shared public clock after decryption, and verify the decrypted receiver timestamp signature value against the sender timestamp and the sender random number. A secure communication connection between the sender communication entity and the receiver communication entity is then established according to the verification result.
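The exchange summarised above, including the sender-side checks of steps S405 to S4074, as an added Python example that is not part of the patent text. The identity-based signature is replaced by an HMAC stand-in whose verification is delegated to a simulated key management platform (`ToyKGC`); the entity names, the 16-byte random number and the 8-byte big-endian timestamp layout are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

MAX_SKEW_SECONDS = 5 * 60  # the optional 5-minute threshold from the text
NONCE_LEN = 16             # assumption: fixed width keeps the field split unambiguous
TAG_LEN = 32               # SHA-256 output size


class ToyKGC:
    """Stand-in for the key management platform; NOT identity-based cryptography.

    The 'private key' is HMAC(master, identity), and verification is delegated
    back to this object so the example runs on the standard library alone.
    """

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def private_key(self, identity: str) -> bytes:
        return hmac.new(self._master, identity.encode(), hashlib.sha256).digest()

    def open_signed(self, identity: str, signed: bytes) -> Optional[bytes]:
        """Return the signed payload if it verifies for `identity`, else None."""
        if len(signed) < TAG_LEN:
            return None
        payload, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
        expected = hmac.new(self.private_key(identity), payload, hashlib.sha256).digest()
        return payload if hmac.compare_digest(tag, expected) else None


def sign(private_key: bytes, payload: bytes) -> bytes:
    """Payload followed by its tag (plays the role of the 'signature value')."""
    return payload + hmac.new(private_key, payload, hashlib.sha256).digest()


def receiver_respond(kgc, receiver_id, receiver_key, sender_id, nonce, sender_sig, now):
    """Receiver side: check the sender's signed random number, then sign
    timestamp || random number. Returns None when the sender check fails."""
    recovered = kgc.open_signed(sender_id, sender_sig)
    if recovered is None or not hmac.compare_digest(recovered, nonce):
        return None
    payload = struct.pack(">Q", now) + nonce  # 8-byte timestamp, then the nonce
    return receiver_id, sign(receiver_key, payload)


def sender_verify(kgc, receiver_id, stamped_sig, sender_nonce, now) -> bool:
    """Sender side, S405 to S4074: recover fields, check time window and nonce."""
    payload = kgc.open_signed(receiver_id, stamped_sig)
    if payload is None or len(payload) != 8 + NONCE_LEN:
        return False
    (receiver_ts,) = struct.unpack(">Q", payload[:8])
    fresh = abs(now - receiver_ts) < MAX_SKEW_SECONDS           # S4071 / S4072
    same_nonce = hmac.compare_digest(payload[8:], sender_nonce)  # constant-time
    return fresh and same_nonce


def run_demo() -> dict:
    kgc = ToyKGC()
    a_key = kgc.private_key("entity-A")  # constructed identifiers
    b_key = kgc.private_key("entity-B")
    t0 = 1_700_000_000                   # constructed public-clock reading, seconds

    nonce = secrets.token_bytes(NONCE_LEN)
    first_message = sign(a_key, nonce)
    rid, resp = receiver_respond(kgc, "entity-B", b_key, "entity-A", nonce, first_message, t0)

    return {
        # Response checked two seconds later with the matching nonce.
        "honest": sender_verify(kgc, rid, resp, nonce, t0 + 2),
        # Same response presented ten minutes later: outside the time window.
        "stale": sender_verify(kgc, rid, resp, nonce, t0 + 600),
        # Same response checked against a different session's nonce.
        "other_session": sender_verify(kgc, rid, resp, secrets.token_bytes(NONCE_LEN), t0 + 2),
        # Correct fields, but signed with a key that does not belong to entity-B.
        "wrong_signer": sender_verify(kgc, "entity-B", sign(a_key, resp[:-TAG_LEN]), nonce, t0 + 2),
        # Receiver refuses a first message not signed by the claimed sender.
        "bad_sender_sig": receiver_respond(
            kgc, "entity-B", b_key, "entity-A", nonce, sign(b_key, nonce), t0) is None,
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The comparison is strict, so a response whose timestamp differs from the sender's clock reading by exactly the threshold is rejected, and the absolute value accepts a receiver clock that is slightly ahead of the sender's.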

Embodiment 8

Embodiment 8 of the present invention further provides a storage medium containing computer-executable instructions which, when executed by a computer processor, are used to execute a two-way authentication method. When applied to a receiver communication entity, the method includes:

Receiving a sender identifier, a sender random number and a sender signature value;

Generating a sender identification public key according to the pre-acquired public parameters and the sender identifier, and verifying the sender random number and the sender signature value with the sender identification public key;

If the verification result is success, generating a receiver timestamp signature value according to the pre-acquired receiver private key, and sending the receiver timestamp signature value and the receiver identifier corresponding to the receiver communication entity to the sender communication entity.

When applied to a sender communication entity, the method includes:

When secure communication is required, generating a sender random number, and signing and encrypting the sender random number with the pre-acquired sender private key to generate a sender signature value;

Sending the sender random number, the sender signature value, and the sender identifier corresponding to the sender communication entity to the receiver communication entity;

Generating a receiver identification public key according to the received receiver identifier and the pre-acquired public parameters, and verifying the received receiver timestamp signature value with the receiver identification public key and the sender random number;

Establishing communication between the sender communication entity and the receiver communication entity according to the verification result.

Of course, in the storage medium containing computer-executable instructions provided in this embodiment of the present invention, the computer-executable instructions are not limited to the method operations described above, and can also execute related operations in the two-way authentication method provided in any embodiment of the present invention.

通过以上关于实施方式的描述,所属领域的技术人员可以清楚地了解到,本发明可借助软件及必需的通用硬件来实现,当然也可以通过硬件实现,但很多情况下前者是更佳的实施方式。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分可以以软件产品的形式体现出来,该计算机软件产品可以存储在计算机可读存储介质中,如计算机的软盘、只读存储器(Read-Only Memory,ROM)、随机存取存储器(RandomAccess Memory,RAM)、闪存(FLASH)、硬盘或光盘等,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明各个实施例所述的方法。From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be realized by software and necessary general-purpose hardware, and of course can also be realized by hardware, but in many cases the former is a better embodiment . Based on such understanding, the technical solutions of the present invention can be embodied in the form of software products in essence or the parts that make contributions to the prior art, and the computer software products can be stored in a computer-readable storage medium, such as a floppy disk of a computer , read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM), flash memory (FLASH), hard disk or CD, etc., including several instructions to make a computer device (which can be a personal computer, A server, or a network device, etc.) executes the methods described in the various embodiments of the present invention.

It is worth noting that, in the above embodiment of the search device, the units and modules included are divided only according to functional logic, but the division is not limited to the above, as long as the corresponding functions can be realized; in addition, the specific names of the functional units are only for ease of distinguishing them from one another and are not used to limit the protection scope of the present invention.

Note that the above are only preferred embodiments of the present invention and the technical principles applied. Those skilled in the art will understand that the present invention is not limited to the specific embodiments described herein, and that various obvious changes, readjustments and substitutions can be made by those skilled in the art without departing from the protection scope of the present invention. Therefore, although the present invention has been described in some detail through the above embodiments, it is not limited to them and may include further equivalent embodiments without departing from the concept of the present invention; the scope of the present invention is determined by the scope of the appended claims.

Claims (14)

1. A two-way authentication method applied to a recipient communication entity, the method comprising:
receiving a sender identification, a sender random number and a sender signature value;
generating a sender identification public key according to a pre-acquired public parameter and the sender identification, and verifying the sender random number and the sender signature value by using the sender identification public key;
and if the verification result is successful, generating a receiver time stamp signature value according to a pre-acquired receiver private key, and sending the receiver time stamp signature value and a receiver identifier corresponding to the receiver communication entity to a sender communication entity.
2. The method of claim 1, wherein said verifying the sender random number and the sender signature value using the sender identification public key comprises:
decrypting the sender signature value with the sender identification public key to determine a decrypted value;
if the decrypted value is the same as the sender random number, determining that the verification result is successful;
otherwise, determining that the verification result is a failure.
3. The method of claim 1, wherein generating a receiver timestamp signature value according to a pre-acquired receiver private key comprises:
acquiring a receiver timestamp from a common clock;
combining the fields of the receiver timestamp and the sender random number to generate a timestamp random number;
and signing and encrypting the timestamp random number with the pre-acquired receiver private key to generate the receiver timestamp signature value.
4. The method of claim 2, further comprising, after determining that the verification result is a failure:
canceling the communication between the receiver communication entity and the sender communication entity.
5. The method of claim 1, wherein prior to receiving the sender identification, sender random number, and sender signature value, further comprising:
and according to the receiver identification corresponding to the receiver communication entity, a key management platform acquires a receiver private key and public parameters corresponding to the receiver communication entity.
6. A two-way authentication method applied to a sender communication entity, the method comprising:
when secure communication is required, generating a sender random number, and signing and encrypting the sender random number with a pre-acquired sender private key to generate a sender signature value;
sending the sender random number, the sender signature value and a sender identification corresponding to the sender communication entity to a receiver communication entity;
generating a receiver identification public key according to the received receiver identification and a public parameter acquired in advance, and verifying the received receiver timestamp signature value by using the receiver identification public key and the sender random number;
and establishing communication between the sender communication entity and the receiver communication entity according to the verification result.
7. The method of claim 6, wherein verifying the received receiver timestamp signature value using the receiver identification public key and the sender random number comprises:
decrypting the receiver timestamp signature value with the receiver identification public key to determine a receiver timestamp and a decrypted random number;
obtaining a sender timestamp from a common clock;
and verifying the receiver timestamp and the decrypted random number according to the sender timestamp and the sender random number.
8. The method of claim 7, wherein verifying the receiver timestamp and the decrypted random number according to the sender timestamp and the sender random number comprises:
determining a time difference between the sender timestamp and the receiver timestamp;
if the time difference is smaller than a preset time threshold and the decrypted random number is the same as the sender random number, determining that the verification result is successful;
otherwise, determining that the verification result is a failure.
9. The method of claim 6, wherein establishing communication between the sender communication entity and the receiver communication entity according to the verification result comprises:
if the verification result is successful, establishing the communication between the sender communication entity and the receiver communication entity;
and if the verification result is failure, canceling the communication between the communication entity of the receiver and the communication entity of the sender.
10. The method of claim 6, further comprising, prior to said conducting secure communications:
and according to the sender identification corresponding to the sender communication entity, a key management platform acquires a sender private key and public parameters corresponding to the sender communication entity.
11. A two-way authentication apparatus for use with a recipient communication entity, the apparatus comprising:
the parameter receiving module is used for receiving the sender identifier, the sender random number and the sender signature value;
the signature value verification module is used for generating a sender identification public key according to the pre-acquired public parameters and the sender identification, and verifying the sender random number and the sender signature value by using the sender identification public key;
and the first parameter sending module is used for generating a receiver time stamp signature value according to a pre-acquired receiver private key and sending the receiver time stamp signature value and a receiver identifier corresponding to the receiver communication entity to the sender communication entity if the verification result is successful.
12. A two-way authentication apparatus for use with a sender communication entity, the apparatus comprising:
the signature value generation module is used for generating a sender random number when secure communication is required, and signing and encrypting the sender random number with a pre-acquired sender private key to generate a sender signature value;
a second parameter sending module, configured to send the sender random number, the sender signature value, and a sender identifier corresponding to the sender communication entity to a receiver communication entity;
the parameter verification module is used for generating a receiver identification public key according to the received receiver identification and a public parameter acquired in advance, and verifying the received receiver timestamp signature value by using the receiver identification public key and the sender random number;
and the communication establishing module is used for establishing the communication between the sender communication entity and the receiver communication entity according to the verification result.
13. A bidirectional authentication apparatus characterized in that the bidirectional authentication apparatus comprises: a storage device and one or more processors;
the storage device to store one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the two-way authentication method of any one of claims 1-5 when the two-way authentication device is a recipient communication entity and to implement the two-way authentication method of any one of claims 6-10 when the two-way authentication device is a sender communication entity.
14. A storage medium containing computer-executable instructions for performing the two-way authentication method of any one of claims 1-5 and 6-10 when executed by a computer processor.
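
The exchange set out in claims 1-9, as an added Python example that is not part of the patent: it substitutes Shamir's 1984 RSA-based identity-based signature for the identity-based algorithm, which the claims do not name, and uses toy-sized constructed parameters. Assumptions: the timestamp travels in clear beside the signature instead of being recovered from it, and the identifiers, the `MAX_SKEW` value, the message layout and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy public parameters: two Mersenne primes, far too small and
# too structured for real use. MASTER_D never leaves the key management platform.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
MASTER_D = pow(E, -1, (P - 1) * (Q - 1))
MAX_SKEW = 30  # seconds; stands in for the "preset time threshold" (assumed value)

def h(*parts: bytes) -> int:  # length-prefixed SHA-256, reduced mod N
    m = hashlib.sha256()
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(m.digest(), "big") % N

def id_public_key(identity: str) -> int:
    """Anyone can derive this from the public parameters and the identifier."""
    return h(b"id", identity.encode())

def extract_private_key(identity: str) -> int:
    """Key management platform only: g such that g^E = id_public_key (mod N)."""
    return pow(id_public_key(identity), MASTER_D, N)

def sign(priv: int, msg: bytes) -> tuple:
    r = secrets.randbelow(N - 2) + 2
    t = pow(r, E, N)
    return t, priv * pow(r, h(t.to_bytes(32, "big"), msg), N) % N

def verify(identity: str, msg: bytes, sig: tuple) -> bool:
    t, s = sig
    f = h(t.to_bytes(32, "big"), msg)
    return pow(s, E, N) == id_public_key(identity) * pow(t, f, N) % N

def sender_hello(sender_id: str, sender_priv: int) -> dict:
    """Claim 6: fresh random number, signed, sent with the sender identifier."""
    nonce = secrets.token_bytes(16)
    return {"id": sender_id, "nonce": nonce, "sig": sign(sender_priv, nonce)}

def receiver_respond(hello: dict, receiver_id: str, receiver_priv: int, now: int):
    """Claims 1-4: verify the sender, then sign timestamp || sender nonce."""
    if not verify(hello["id"], hello["nonce"], hello["sig"]):
        return None  # verification failed: cancel the communication
    ts = now.to_bytes(8, "big")
    return {"id": receiver_id, "ts": ts, "sig": sign(receiver_priv, ts + hello["nonce"])}

def sender_finish(reply, nonce: bytes, now: int) -> bool:
    """Claims 7-9: accept only a fresh timestamp bound to our own nonce."""
    if reply is None:
        return False
    fresh = abs(now - int.from_bytes(reply["ts"], "big")) < MAX_SKEW
    return fresh and verify(reply["id"], reply["ts"] + nonce, reply["sig"])

if __name__ == "__main__":
    a_priv = extract_private_key("device-A")   # constructed identifiers
    b_priv = extract_private_key("gateway-B")
    hello = sender_hello("device-A", a_priv)
    reply = receiver_respond(hello, "gateway-B", b_priv, now=1_700_000_000)
    print(sender_finish(reply, hello["nonce"], now=1_700_000_005))
```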
CN202210064883.7A 2022-01-20 2022-01-20 A two-way identity authentication method, device, equipment and storage medium Active CN114417309B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210064883.7A CN114417309B (en) 2022-01-20 2022-01-20 A two-way identity authentication method, device, equipment and storage medium


Publications (2)

Publication Number Publication Date
CN114417309A true CN114417309A (en) 2022-04-29
CN114417309B CN114417309B (en) 2025-01-28

Family

ID=81275963

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210064883.7A Active CN114417309B (en) 2022-01-20 2022-01-20 A two-way identity authentication method, device, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114417309B (en)

Also Published As

Publication number Publication date
CN114417309B (en) 2025-01-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant