Disclosure of Invention
The technical scheme of the invention aims to provide an authentication method, an authentication device and authentication equipment, and solves the problem that the authentication modes of the prior art involve a complex operation process.
The embodiment of the invention provides an authentication method which is applied to a first authentication end, wherein the method comprises the following steps:
obtaining a first handshake message sent by a second authentication end, wherein the first handshake message comprises at least one elliptic curve type supported by the second authentication end;
determining a public key for key negotiation of the first authentication end according to a target elliptic curve type in at least one elliptic curve type;
sending a second handshake message to the second authentication end, wherein the second handshake message comprises the target elliptic curve type and the public key;
and adopting a signature algorithm corresponding to the target elliptic curve type to perform identity verification of an identity-based digital signature IBS with the second authentication end.
Optionally, the authentication method, wherein performing identity verification of the identity-based digital signature IBS with the second authentication terminal by adopting a signature algorithm corresponding to the target elliptic curve type, includes:
Sending second certificate indication information to the second authentication end according to the first certificate indication information in the first handshake message;
Wherein the second certificate indication information includes:
certificate information comprising identity information of the first authentication end, public parameter information of the first authentication end and public parameter information of a key generation center to which the first authentication end belongs;
Certificate verification information comprising a signature value for signing the certificate information by adopting a signature algorithm corresponding to the type of the target elliptic curve;
and the certificate request information comprises request information for requesting to adopt a signature algorithm corresponding to the target elliptic curve type for identity verification.
Optionally, the authentication method, wherein the public parameter information of the first authentication end includes a public key of the first authentication end for key negotiation, the signature algorithm, and a hash value of public parameters of the signature algorithm.
Optionally, the authentication method, wherein the first certificate indication information includes:
signature algorithm information for indicating a signature algorithm supported by the second authentication terminal;
The first certificate type information is used for indicating the certificate type which can be processed by the second authentication end;
and the second certificate type information is used for indicating the certificate type which can be provided by the second authentication end.
Optionally, the authentication method, wherein the second certificate indication information further includes:
Third certificate type information indicating a certificate type in a certificate payload;
and fourth certificate type information, which is used for indicating the certificate type required to be provided by the second authentication end.
Optionally, the authentication method, wherein sending second certificate indication information to the second authentication end includes:
encrypting the second certificate indication information by using a handshake key, wherein the handshake key is obtained by calculation according to the first handshake message and the second handshake message;
and sending the encrypted second certificate indication information to the second authentication end.
Optionally, the authentication method, wherein the method further comprises:
acquiring third certificate indication information sent by the second authentication end;
And adopting a signature algorithm corresponding to the target elliptic curve type to perform signature verification on the third certificate indication information.
The embodiment of the invention also provides an authentication method applied to the second authentication end, wherein the method comprises the following steps:
sending a first handshake message to a first authentication end, wherein the first handshake message comprises at least one elliptic curve type supported by the second authentication end;
obtaining a second handshake message sent by the first authentication end in response to the first handshake message, wherein the second handshake message comprises a target elliptic curve type selected by the first authentication end according to the at least one elliptic curve type and a public key for key negotiation of the first authentication end determined according to the target elliptic curve type;
And adopting a signature algorithm corresponding to the target elliptic curve type to perform identity verification of an identity-based digital signature IBS with the first authentication end.
Optionally, the authentication method, wherein performing identity verification of the identity-based digital signature IBS with the first authentication terminal by adopting a signature algorithm corresponding to the target elliptic curve type, includes:
acquiring second certificate indication information sent by the first authentication end;
Adopting a signature algorithm corresponding to the target elliptic curve type to perform signature verification on the second certificate indication information;
Wherein the second certificate indication information includes:
certificate information comprising identity information of the first authentication end, public parameter information of the first authentication end and public parameter information of a key generation center to which the first authentication end belongs;
Certificate verification information comprising a signature value for signing the certificate information by adopting a signature algorithm corresponding to the type of the target elliptic curve;
and the certificate request information comprises request information for requesting to adopt a signature algorithm corresponding to the target elliptic curve type for identity verification.
Optionally, the authentication method, wherein the public parameter information of the first authentication end includes a public key of the first authentication end for key negotiation, the signature algorithm, and a hash value of public parameters of the signature algorithm.
Optionally, in the authentication method, the first handshake message includes first certificate indication information, and the first authentication end sends the second certificate indication information according to the first certificate indication information;
the first certificate indication information includes:
signature algorithm information for indicating a signature algorithm supported by the second authentication terminal;
The first certificate type information is used for indicating the certificate type which can be processed by the second authentication end;
and the second certificate type information is used for indicating the certificate type which can be provided by the second authentication end.
Optionally, the authentication method, wherein the second certificate indication information further includes:
Third certificate type information indicating a certificate type in a certificate payload;
and fourth certificate type information, which is used for indicating the certificate type required to be provided by the second authentication end.
Optionally, the authentication method, wherein a signature algorithm corresponding to the target elliptic curve type is adopted to perform identity verification of an identity-based digital signature IBS with the first authentication end, further includes:
And sending third certificate indication information to the first authentication end, so that the first authentication end adopts a signature algorithm corresponding to the target elliptic curve type to carry out signature verification on the third certificate indication information.
The embodiment of the invention also provides an authentication end device, which is a first authentication end, and comprises a transceiver and a processor, wherein:
The transceiver is used for acquiring a first handshake message sent by a second authentication end, wherein the first handshake message comprises at least one elliptic curve type supported by the second authentication end;
The processor is configured to determine a public key for key negotiation of the first authentication end according to a target elliptic curve type in at least one elliptic curve type;
The transceiver is further configured to send a second handshake message to the second authentication end, where the second handshake message includes the target elliptic curve type and the public key;
The processor is further configured to perform identity verification of the identity-based digital signature IBS with the second authentication end by adopting a signature algorithm corresponding to the target elliptic curve type.
The embodiment of the invention also provides an authentication end device, which is a second authentication end, and comprises a transceiver and a processor, wherein:
the transceiver is used for sending a first handshake message to a first authentication end, wherein the first handshake message comprises at least one elliptic curve type supported by the second authentication end, and
for obtaining a second handshake message sent by the first authentication end in response to the first handshake message, wherein the second handshake message comprises a target elliptic curve type selected by the first authentication end according to the at least one elliptic curve type and a public key for key negotiation of the first authentication end determined according to the target elliptic curve type;
The processor is used for carrying out identity verification of the identity-based digital signature IBS with the first authentication terminal by adopting a signature algorithm corresponding to the target elliptic curve type.
The embodiment of the invention also provides an authentication device applied to the first authentication end, wherein the device comprises:
a first message acquisition module, used for acquiring a first handshake message sent by a second authentication end, wherein the first handshake message comprises at least one elliptic curve type supported by the second authentication end;
the first processing module is used for determining a public key for key negotiation of the first authentication end according to a target elliptic curve type in at least one elliptic curve type;
the first message sending module is used for sending a second handshake message to the second authentication end, wherein the second handshake message comprises the target elliptic curve type and the public key;
and the second processing module is used for carrying out identity verification of the identity-based digital signature IBS with the second authentication end by adopting a signature algorithm corresponding to the target elliptic curve type.
The embodiment of the invention also provides an authentication device applied to the second authentication end, wherein the device comprises:
the system comprises a first authentication end, a second message sending module, a first message sending module and a second message sending module, wherein the first authentication end is used for receiving a first handshake message from the first authentication end;
The second handshake message comprises a target elliptic curve type selected by the first authentication end according to at least one elliptic curve type and a public key for key negotiation of the first authentication end determined according to the target elliptic curve type;
and the third processing module is used for carrying out identity verification of the identity-based digital signature IBS with the first authentication end by adopting a signature algorithm corresponding to the target elliptic curve type.
The embodiment of the invention also provides authentication equipment which is characterized by comprising a processor, a memory and a program stored in the memory and capable of running on the processor, wherein the authentication method is realized when the program is executed by the processor.
The embodiment of the invention also provides a readable storage medium, wherein the readable storage medium stores a program, and the program realizes the steps in the authentication method according to any one of the above when being executed by a processor.
At least one of the above technical solutions of the invention has the following beneficial effects:
According to the authentication method, the target elliptic curve type determined for key exchange is reused as the elliptic curve type that determines the signature algorithm for IBS authentication, so that the IBS signature and the TLS handshake process use the same elliptic curve type, and the identity authentication between the first authentication end and the second authentication end has a simple operation process.
Detailed Description
In order to make the technical problems, technical solutions and advantages to be solved more apparent, the following detailed description will be given with reference to the accompanying drawings and specific embodiments.
In order to solve the problem that the authentication modes of the prior art involve a complex operation process, the embodiment of the invention provides an authentication method in which the elliptic curve type used by the IBS signature is the same elliptic curve type as the one used in the TLS handshake process.
An embodiment of the present invention provides an authentication method, as shown in fig. 1, where the authentication method is applied to a first authentication end, and the method includes:
S110, acquiring a first handshake message sent by a second authentication end, wherein the first handshake message comprises at least one elliptic curve type supported by the second authentication end;
S120, determining a public key for key negotiation of the first authentication end according to a target elliptic curve type in at least one elliptic curve type;
S130, sending a second handshake message to the second authentication end, wherein the second handshake message comprises the target elliptic curve type and the public key;
S140, adopting a signature algorithm corresponding to the target elliptic curve type to perform identity verification of the identity-based digital signature IBS with the second authentication end.
In the authentication method according to the embodiment of the present invention, steps S110 to S130 are the key exchange process of the TLS handshake between the first authentication end and the second authentication end, and the target elliptic curve type determined there for key exchange is reused in step S140 as the elliptic curve type that determines the signature algorithm for IBS authentication, so that the IBS signature and the TLS handshake process use the same elliptic curve type.
In the embodiment of the present invention, optionally, the second authentication end that sends the first handshake message may be referred to as a client, and the first authentication end that receives the first handshake message may be referred to as a server. It should be noted that, the client and the server may be two-way authentication, and the names of the first authentication end and the second authentication end used as the client and the server may be interchanged.
In the authentication method according to the embodiment of the present invention, steps S110 to S130 are a TLS handshake process. Optionally, the key exchange algorithm of the TLS handshake process may be, but is not limited to, any one of the following:
the Diffie-Hellman (DH) key agreement protocol over an elliptic curve (EC, Elliptic Curve), i.e. ECDHE;
the pre-shared key (PSK) mode only, i.e. PSK-only;
PSK with ECDHE.
Taking the ECDHE key exchange algorithm as an example, optionally, in step S110, the first handshake message obtained from the second authentication end (e.g. the client) includes a random number C and extension parameters, where the extension parameters include the supported versions (supported_versions), the supported groups (supported_groups), the signature scheme list (SignatureSchemeList), and the key share (key_share) of the second authentication end. Optionally, supported_groups carries at least one elliptic curve type supported by the second authentication end, and the second authentication end calculates a public key POINT(Ha) for each supported elliptic curve type; optionally, the calculated public keys are carried in key_share.
Optionally, the public key POINT(Ha) may be calculated from the random number C.
Further, after the first authentication end obtains the first handshake message sent by the second authentication end, the first authentication end determines a target elliptic curve type according to at least one elliptic curve type carried in the first handshake message, and determines a public key for key negotiation of the first authentication end according to the determined elliptic curve type.
Optionally, the public key used for key negotiation of the first authentication end is a public key used for Diffie-Hellman (DH) key negotiation.
Specifically, the first authentication end selects the elliptic curve type to be used according to the received first handshake message, determines the corresponding public key POINT(Ha) of the second authentication end from key_share, and determines the public key POINT(Hb) of the first authentication end for key negotiation according to a private key random_s (or a private key db) of the first authentication end and the public key of the first authentication end.
Optionally, the public key for key negotiation of the second authentication end is calculated as POINT(Ha) = random_c × base point G, and the public key of the first authentication end is calculated as POINT(Hb) = random_s × base point G.
Further, the first authentication end calculates a master key H(X, Y) from the private key random_s and the public key Ha of the second authentication end, selects the X coordinate of the master key as the handshake key handshake_secret, and uses handshake_secret to encrypt the second handshake message to be transmitted according to the selected encryption mode. In the embodiment of the present invention, optionally, the elliptic curve types carried in the first handshake message and supported by the second authentication end include, but are not limited to, secp256r1, secp384r1, secp521r1, x25519 and x448. The first authentication end can select one of these elliptic curve types for key agreement.
Based on the TLS handshake process, in the constructed EAP-TLS-IBS flow the supported signature algorithms are provided through the signature_algorithms information sent by the second authentication end to the first authentication end, and the supportable certificate types are identified through the server certificate type server_certificate_type and the client certificate type client_certificate_type.
Specifically, as shown in fig. 2, the authentication procedure of EAP-TLS-IBS mainly includes:
S201, a first authentication end (service end) sends an EAP request to a second authentication end (client end);
S202, a second authentication end sends first authentication information to a first authentication end;
S203, the first authentication end sends second authentication information to the second authentication end;
S204, the second authentication end sends third authentication information to the first authentication end;
S205, authentication ends.
Specifically, the first authentication information includes first handshake information, where information carried by the first handshake information includes:
a supported encryption suite;
the supported versions (supported_versions) extension;
the supported groups (supported_groups) extension, including the supported elliptic curve types;
the first certificate indication information.
Wherein the first certificate indication information includes:
signature_algorithms, used for indicating the IBS signature algorithms supported by the second authentication end;
the first certificate type information, used for indicating the certificate types that the second authentication end can process, which can also be called the server certificate type server_certificate_type;
the second certificate type information, used for indicating the certificate types that the second authentication end can provide, which can also be called the client certificate type client_certificate_type.
Based on the first authentication information comprising the information, the first authentication end sends second authentication information to the second authentication end, wherein the second authentication information comprises the second handshake information and carries information:
the version supported_versions supported by the first authentication end, comprising the TLS protocol version number selected by the first authentication end from the supported_versions sent by the second authentication end;
the key share (key_share) extension, used for indicating the target elliptic curve type selected according to the elliptic curve types sent by the second authentication end and the public key for key negotiation of the first authentication end calculated according to the selected target elliptic curve type.
Further, the second authentication information further includes second certificate indication information.
In an embodiment of the present invention, the second certificate indication information includes:
certificate information (Certificate), comprising identity information of the first authentication end, public parameter information of the first authentication end and public parameter information of a key generation center to which the first authentication end belongs;
certificate verification information (CertificateVerify), comprising a signature value for signing the certificate information by adopting a signature algorithm corresponding to the target elliptic curve type;
certificate request information (CertificateRequest), comprising request information for requesting identity verification using a signature algorithm corresponding to the target elliptic curve type.
Optionally, in the certificate information, the public parameter information of the first authentication end includes a public key used for key negotiation of the first authentication end, the signature algorithm and a hash value of the public parameters of the signature algorithm.
In step S140, a signature algorithm corresponding to the target elliptic curve type is adopted, and in the process of performing identity verification of the identity-based digital signature IBS with the second authentication end, the first authentication end sends second certificate indication information to the second authentication end according to the first certificate indication information in the first handshake message.
With the above embodiment, the first authentication end may select the key exchange algorithm to be used after receiving the first handshake message, that is, select one of the elliptic curve types in supported_groups as the target elliptic curve type. As noted above, supported_groups currently supports five elliptic-curve-based key exchange algorithms: secp256r1, secp384r1, secp521r1, x25519 and x448.
On this basis, the public keys corresponding to the listed elliptic curve types are pre-stored in the key_share of the first handshake message sent by the second authentication end. The second handshake message sent by the first authentication end explicitly indicates the selected elliptic curve type in the key share extension (Key Share Extension), and sends the calculated public key for key agreement of the first authentication end to the second authentication end.
After the first authentication end selects the certificate type, the elliptic curve type selected in the key exchange algorithm process is obtained to be used as the signature curve of IBS.
The first authentication end signs the certificate information with the signature algorithm corresponding to the target elliptic curve type and, through the CertificateRequest information, requests the second authentication end to use the signature algorithm corresponding to the target elliptic curve type for identity verification. After receiving the Certificate and CertificateVerify information, the second authentication end performs the signature verification operation using the identity information serverID of the first authentication end, the certificate information and the signature value; passing signature verification indicates that identity verification has passed. The first authentication end performs the same identity verification operation on the second authentication end.
By adopting the embodiment, the key exchange process of the TLS handshake and the elliptic curve type used by the IBS signature are multiplexed into the same elliptic curve type, so that the problem of complex operation process by adopting the authentication mode in the prior art can be solved.
Optionally, in the authentication method, the first authentication end sends the encrypted extension (EncryptedExtensions) information immediately after sending the second handshake information; this information is the first encrypted data, includes the extension data irrelevant to the key negotiation, and is used to indicate to the second authentication end.
Further, the second certificate indication information further includes:
Third certificate type information server_certificate_type indicating a certificate type in a certificate payload;
and fourth certificate type information client_certificate_type, which is used for indicating the certificate type required to be provided by the second authentication end.
After the sending of the second certificate indication information is completed in sequence, the first authentication end sends an end message to the second authentication end, wherein the end message is also the last message in the authentication stage and is used for detecting the integrity of the handshake message. The end message also provides key confirmation binding the identity of the endpoint to the key of the interaction.
Further, after the above-mentioned transmission of the second certificate indication information is completed, the first authentication end transmits Application Data, which is protected by the Application key.
Optionally, the method further comprises:
sending second certificate indication information to the second authentication end, including:
encrypting the second certificate indication information by using a handshake key, wherein the handshake key is obtained by calculation according to the first handshake message and the second handshake message;
and sending the encrypted second certificate indication information to the second authentication end.
Specifically, by using the hash values of the key material and the Client Hello and Server Hello, a handshake_key can be calculated based on the HKDF algorithm, and the server_certificate_type, client_certificate_type, Encrypted Extension, Certificate, Certificate Verify, CertificateRequest and Finished messages in the handshake stage are then protected by this key.
Optionally, the authentication method according to the embodiment of the present invention further includes:
acquiring third certificate indication information sent by the second authentication end;
And adopting a signature algorithm corresponding to the target elliptic curve type to perform signature verification on the third certificate indication information.
Note that the third certificate indication information includes:
certificate information (Certificate), comprising public parameter information and user information of the second authentication end;
and certificate verification information (CertificateVerify), comprising a signature value for signing the certificate information by adopting a signature algorithm corresponding to the target elliptic curve type.
Optionally, the public parameter information of the second authentication end comprises a public key used for key negotiation of the second authentication end, the signature algorithm and hash values of public parameters of the signature algorithm.
According to the third certificate indication information sent by the second authentication end, the first authentication end performs the signature verification operation on the certificate information and the signature value by adopting the signature algorithm corresponding to the target elliptic curve type determined in the manner described above.
By adopting the process, the first authentication end also executes the same identity verification operation on the second authentication end through the signature algorithm corresponding to the same target elliptic curve.
According to the authentication method provided by the embodiment of the invention, the IBS signature and the TLS handshake process use the same elliptic curve type, so that the problem of the complex operation process of the authentication modes in the prior art can be solved.
In another aspect of the embodiment of the present invention, an authentication method is further provided and applied to a second authentication end, as shown in fig. 3, where the method includes:
S310, sending a first handshake message to a first authentication end, wherein the first handshake message comprises at least one elliptic curve type supported by a second authentication end;
S320, obtaining a second handshake message sent by the first authentication end in response to the first handshake message, wherein the second handshake message comprises a target elliptic curve type selected by the first authentication end according to at least one elliptic curve type and a public key for key negotiation of the first authentication end determined according to the target elliptic curve type;
S330, adopting a signature algorithm corresponding to the target elliptic curve type to perform identity verification of the identity-based digital signature IBS with the first authentication end.
By adopting the authentication method provided by the embodiment of the invention, in the authentication process of the first authentication end and the second authentication end, the elliptic curve type used by the IBS signature and the elliptic curve type used in the TLS handshake process are multiplexed into the same elliptic curve type, so that the problems of complex operation process in the authentication mode in the prior art can be solved.
In the embodiment of the present invention, optionally, the second authentication end that sends the first handshake message may be referred to as a client, and the first authentication end that receives the first handshake message may be referred to as a server. It should be noted that, the client and the server may be two-way authentication, and the names of the first authentication end and the second authentication end used as the client and the server may be interchanged.
Optionally, in the authentication method, in step S330, performing identity verification of an identity-based digital signature IBS with the first authentication terminal by adopting a signature algorithm corresponding to the target elliptic curve type, including:
acquiring second certificate indication information sent by the first authentication end;
Adopting a signature algorithm corresponding to the target elliptic curve type to perform signature verification on the second certificate indication information;
Wherein the second certificate indication information includes:
certificate information comprising identity information of the first authentication end, public parameter information of the first authentication end and public parameter information of a key generation center to which the first authentication end belongs;
Certificate verification information comprising a signature value for signing the certificate information by adopting a signature algorithm corresponding to the type of the target elliptic curve;
and the certificate request information comprises request information for requesting to adopt a signature algorithm corresponding to the target elliptic curve type for identity verification.
Optionally, the authentication method, wherein the public parameter information of the first authentication end includes a public key of the first authentication end for key negotiation, the signature algorithm, and a hash value of public parameters of the signature algorithm.
Optionally, in the authentication method, the first handshake message includes first certificate indication information, and the first authentication end sends the second certificate indication information according to the first certificate indication information;
the first certificate indication information includes:
signature algorithm information for indicating a signature algorithm supported by the second authentication terminal;
The first certificate type information is used for indicating the certificate type which can be processed by the second authentication end;
and the second certificate type information is used for indicating the certificate type which can be provided by the second authentication end.
Optionally, the authentication method, wherein the second certificate indication information further includes:
Third certificate type information indicating a certificate type in a certificate payload;
and fourth certificate type information, which is used for indicating the certificate type required to be provided by the second authentication end.
Optionally, the authentication method, wherein a signature algorithm corresponding to the target elliptic curve type is adopted to perform identity verification of an identity-based digital signature IBS with the first authentication end, further includes:
And sending third certificate indication information to the first authentication end, so that the first authentication end adopts a signature algorithm corresponding to the target elliptic curve type to carry out signature verification on the third certificate indication information.
In the embodiment of the present invention, for the content of each item of information included in the first certificate indication information, the second certificate indication information and the third certificate indication information, and for the authentication process between the first authentication end and the second authentication end, reference may be made to the detailed description above; details are not repeated here.
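The checks of steps S310 to S330 on both ends, as an added example that is not part of the patent text: the first authentication end picks the target curve and produces both its key-negotiation public key and its IBS signature on that curve, and the second authentication end rejects anything that departs from it. The message field names, the `ibs_schnorr_*` labels, the parameter-hash layout, the pinned KGC public key and the pairing-free Schnorr-style IBS (a stand-in for whichever IBS algorithm is bound to each curve) are assumptions.

```python
import hashlib, secrets

# Constructed registry: every curve type is bound to exactly one IBS algorithm label.
CURVES = {
    "secp256r1": dict(sig_alg="ibs_schnorr_secp256r1", a=-3,
        p=0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
        b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
        n=0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
        G=(0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
           0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)),
    "secp256k1": dict(sig_alg="ibs_schnorr_secp256k1", a=0, b=7, p=2**256 - 2**32 - 977,
        n=0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141,
        G=(0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
           0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)),
}

def on_curve(c, P):  # reject off-curve points before using them
    return P is not None and (P[1] ** 2 - P[0] ** 3 - c["a"] * P[0] - c["b"]) % c["p"] == 0
def add(c, P, Q):  # affine addition; None is the point at infinity
    if P is None or Q is None:
        return P or Q
    p = c["p"]
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return None
    num, den = (3 * P[0] ** 2 + c["a"], 2 * P[1]) if P == Q else (Q[1] - P[1], Q[0] - P[0])
    lam = num * pow(den % p, -1, p)
    x = (lam * lam - P[0] - Q[0]) % p
    return x, (lam * (P[0] - x) - P[1]) % p

def mul(c, k, P):  # double-and-add; not constant time, illustration only
    R = None
    while k:
        R, P, k = (add(c, R, P) if k & 1 else R), add(c, P, P), k >> 1
    return R

def H(c, *parts):  # hash to a scalar modulo the curve order
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % c["n"]
def keygen(c):
    d = secrets.randbelow(c["n"] - 1) + 1
    return d, mul(c, d, c["G"])

# Schnorr-style IBS (stand-in scheme): the KGC issues y = r + z*H(R, id) under master secret z.
def kgc_extract(c, z, ident):
    r, R = keygen(c)
    return (r + z * H(c, "id", R, ident)) % c["n"], R
def ibs_sign(c, key, ident, msg):
    (y, R), (k, A) = key, keygen(c)
    return A, (k + y * H(c, "sig", ident, A, msg)) % c["n"], R
def ibs_verify(c, kgc_pub, ident, msg, sig):
    A, s, R = sig
    pub = add(c, R, mul(c, H(c, "id", R, ident), kgc_pub))  # y*G rebuilt from the identity
    return mul(c, s, c["G"]) == add(c, A, mul(c, H(c, "sig", ident, A, msg), pub))

def params_hash(name, kgc_pub):  # field layout is an assumption
    c = CURVES[name]
    blob = repr((c["sig_alg"], c["p"], c["a"], c["b"], c["n"], c["G"], kgc_pub))
    return hashlib.sha256(blob.encode()).hexdigest()

def respond(hello, ident, keys, pubs, pref=("secp256r1", "secp256k1")):  # first authentication end
    target = next((n for n in pref if n in hello["curves"]
                   and CURVES[n]["sig_alg"] in hello["sig_algs"]), None)
    if target is None:
        raise ValueError("no common curve type")
    c = CURVES[target]
    share = keygen(c)[1]  # key-negotiation public key (private half unused in this example)
    cert = {"identity": ident, "share": share, "sig_alg": c["sig_alg"],
            "params_hash": params_hash(target, pubs[target])}
    sig = ibs_sign(c, keys[target], ident, repr(cert))
    return {"curve": target, "share": share}, {"certificate": cert, "certificate_verify": sig}

def check(hello, second, auth, expect_id, pinned):  # second authentication end
    target, cert, sig = second["curve"], auth["certificate"], auth["certificate_verify"]
    if target not in hello["curves"]:
        return "curve not offered"
    c = CURVES[target]
    if cert["sig_alg"] != c["sig_alg"]:
        return "signature algorithm not bound to target curve"
    if cert["params_hash"] != params_hash(target, pinned[target]):
        return "public parameter hash mismatch"
    if cert["identity"] != expect_id or cert["share"] != second["share"]:
        return "certificate does not match peer"
    if not all(on_curve(c, P) for P in (second["share"], sig[0], sig[2])):
        return "point not on target curve"
    ok = ibs_verify(c, pinned[target], expect_id, repr(cert), sig)
    return "ok" if ok else "bad IBS signature"

def demo(ident="server.example"):  # constructed identity and messages
    kgc = {n: keygen(c) for n, c in CURVES.items()}       # per-curve (master secret, public key)
    pubs = {n: pk for n, (_, pk) in kgc.items()}
    keys = {n: kgc_extract(CURVES[n], z, ident) for n, (z, _) in kgc.items()}
    hello = {"curves": ["secp256k1", "secp256r1"], "sig_algs": [c["sig_alg"] for c in CURVES.values()]}
    second, auth = respond(hello, ident, keys, pubs)
    c, cert = CURVES[second["curve"]], auth["certificate"]
    wrong_alg = {**auth, "certificate": {**cert, "sig_alg": "ibs_schnorr_secp256k1"}}
    rogue_key = kgc_extract(c, keygen(c)[0], ident)       # issued by a KGC the client never pinned
    forged = {**auth, "certificate_verify": ibs_sign(c, rogue_key, ident, repr(cert))}
    return second["curve"], [check(hello, second, a, ident, pubs) for a in (auth, wrong_alg, forged)]
```

Calling `demo()` returns the negotiated curve and three verdicts: the honest message is accepted, a certificate naming an algorithm of another curve is rejected, and a signature from a key issued by an unpinned KGC is rejected.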
The embodiment of the present invention further provides an authentication end device, which is a first authentication end, as shown in fig. 4, and includes a transceiver 410 and a processor 420, where:
The transceiver 410 is configured to obtain a first handshake message sent by a second authentication end, where the first handshake message includes at least one elliptic curve type supported by the second authentication end;
the processor 420 is configured to determine a public key for key negotiation of the first authentication end according to a target elliptic curve type among the at least one elliptic curve type;
the transceiver 410 is further configured to send a second handshake message to the second authentication end, where the second handshake message includes the target elliptic curve type and the public key;
the processor 420 is further configured to perform identity verification of the identity-based digital signature IBS with the second authentication terminal by using a signature algorithm corresponding to the target elliptic curve type.
Optionally, the authentication device, wherein the processor 420 performs identity verification of the identity-based digital signature IBS with the second authentication terminal by adopting a signature algorithm corresponding to the target elliptic curve type, including:
Sending second certificate indication information to the second authentication end according to the first certificate indication information in the first handshake message;
Wherein the second certificate indication information includes:
certificate information comprising identity information of the first authentication end, public parameter information of the first authentication end and public parameter information of a key generation center to which the first authentication end belongs;
Certificate verification information comprising a signature value for signing the certificate information by adopting a signature algorithm corresponding to the type of the target elliptic curve;
and the certificate request information comprises request information for requesting to adopt a signature algorithm corresponding to the target elliptic curve type for identity verification.
Optionally, the authentication device, wherein the public parameter information of the first authentication end includes a public key of the first authentication end for key negotiation, the signature algorithm, and a hash value of public parameters of the signature algorithm.
Optionally, the authentication device, wherein the first certificate indication information includes:
signature algorithm information for indicating a signature algorithm supported by the second authentication terminal;
The first certificate type information is used for indicating the certificate type which can be processed by the second authentication end;
and the second certificate type information is used for indicating the certificate type which can be provided by the second authentication end.
Optionally, the authentication device, wherein the second certificate indication information further includes:
Third certificate type information indicating a certificate type in a certificate payload;
and fourth certificate type information, which is used for indicating the certificate type required to be provided by the second authentication end.
Optionally, the authentication device, wherein the processor 420 sends second certificate indication information to the second authentication end, including:
encrypting the second certificate indication information by using a handshake key, wherein the handshake key is obtained by calculation according to the first handshake message and the second handshake message;
and sending the encrypted second certificate indication information to the second authentication end.
Optionally, the authentication device, wherein the processor 420 is further configured to:
acquiring third certificate indication information sent by the second authentication end;
And adopting a signature algorithm corresponding to the target elliptic curve type to perform signature verification on the third certificate indication information.
The embodiment of the present invention further provides an authentication end device, where the authentication end device is a second authentication end, as shown in fig. 5, and includes a transceiver 510 and a processor 520, where:
the transceiver 510 is configured to send a first handshake message to a first authentication end, the first handshake message including at least one elliptic curve type supported by the second authentication end, and to obtain a second handshake message sent by the first authentication end in response to the first handshake message, wherein the second handshake message comprises a target elliptic curve type selected by the first authentication end according to at least one elliptic curve type and a public key for key negotiation of the first authentication end determined according to the target elliptic curve type;
the processor 520 is configured to perform identity verification of the identity-based digital signature IBS with the first authentication end by using a signature algorithm corresponding to the target elliptic curve type.
Optionally, in the authentication device, the processor 520 performs, with the first authentication terminal, identity verification of an identity-based digital signature IBS by using a signature algorithm corresponding to the target elliptic curve type, including:
acquiring second certificate indication information sent by the first authentication end;
Adopting a signature algorithm corresponding to the target elliptic curve type to perform signature verification on the second certificate indication information;
Wherein the second certificate indication information includes:
certificate information comprising identity information of the first authentication end, public parameter information of the first authentication end and public parameter information of a key generation center to which the first authentication end belongs;
Certificate verification information comprising a signature value for signing the certificate information by adopting a signature algorithm corresponding to the type of the target elliptic curve;
and the certificate request information comprises request information for requesting to adopt a signature algorithm corresponding to the target elliptic curve type for identity verification.
Optionally, the authentication device, wherein the public parameter information of the first authentication end includes a public key of the first authentication end for key negotiation, the signature algorithm, and a hash value of public parameters of the signature algorithm.
Optionally, in the authentication device, the first handshake message includes first certificate indication information, and the first authentication end sends the second certificate indication information according to the first certificate indication information;
the first certificate indication information includes:
signature algorithm information for indicating a signature algorithm supported by the second authentication terminal;
The first certificate type information is used for indicating the certificate type which can be processed by the second authentication end;
and the second certificate type information is used for indicating the certificate type which can be provided by the second authentication end.
Optionally, the authentication device, wherein the second certificate indication information further includes:
Third certificate type information indicating a certificate type in a certificate payload;
and fourth certificate type information, which is used for indicating the certificate type required to be provided by the second authentication end.
Optionally, in the authentication device, the processor 520 performs identity verification of the identity-based digital signature IBS with the first authentication terminal by adopting a signature algorithm corresponding to the target elliptic curve type, and further includes:
And sending third certificate indication information to the first authentication end, so that the first authentication end adopts a signature algorithm corresponding to the target elliptic curve type to carry out signature verification on the third certificate indication information.
The embodiment of the invention also provides an authentication device, which is applied to the first authentication end, as shown in fig. 6, and comprises:
A first message obtaining module 610, configured to obtain a first handshake message sent by a second authentication end, where the first handshake message includes at least one elliptic curve type supported by the second authentication end;
A first processing module 620, configured to determine a public key for key negotiation of the first authentication end according to a target elliptic curve type among the at least one elliptic curve type;
A first message sending module 630, configured to send a second handshake message to the second authentication end, where the second handshake message includes the target elliptic curve type and the public key;
And the second processing module 640 is configured to perform identity verification of the identity-based digital signature IBS with the second authentication end by adopting a signature algorithm corresponding to the target elliptic curve type.
Optionally, in the authentication device, the second processing module 640 performs identity verification of the identity-based digital signature IBS with the second authentication end by adopting a signature algorithm corresponding to the target elliptic curve type, including:
Sending second certificate indication information to the second authentication end according to the first certificate indication information in the first handshake message;
Wherein the second certificate indication information includes:
certificate information comprising identity information of the first authentication end, public parameter information of the first authentication end and public parameter information of a key generation center to which the first authentication end belongs;
Certificate verification information comprising a signature value for signing the certificate information by adopting a signature algorithm corresponding to the type of the target elliptic curve;
and the certificate request information comprises request information for requesting to adopt a signature algorithm corresponding to the target elliptic curve type for identity verification.
Optionally, the authentication device, wherein the public parameter information of the first authentication end includes a public key of the first authentication end for key negotiation, the signature algorithm, and a hash value of public parameters of the signature algorithm.
Optionally, the authentication device, wherein the first certificate indication information includes:
signature algorithm information for indicating a signature algorithm supported by the second authentication terminal;
The first certificate type information is used for indicating the certificate type which can be processed by the second authentication end;
and the second certificate type information is used for indicating the certificate type which can be provided by the second authentication end.
Optionally, the authentication device, wherein the second certificate indication information further includes:
Third certificate type information indicating a certificate type in a certificate payload;
and fourth certificate type information, which is used for indicating the certificate type required to be provided by the second authentication end.
Optionally, in the authentication device, sending the second certificate indication information to the second authentication end includes:
encrypting the second certificate indication information by using a handshake key, wherein the handshake key is obtained by calculation according to the first handshake message and the second handshake message;
and sending the encrypted second certificate indication information to the second authentication end.
Optionally, the authentication device, wherein the second processing module 640 is further configured to:
acquiring third certificate indication information sent by the second authentication end;
And adopting a signature algorithm corresponding to the target elliptic curve type to perform signature verification on the third certificate indication information.
The embodiment of the invention also provides an authentication device applied to the second authentication end, as shown in fig. 7, the device comprises:
a second message sending module 710, configured to send a first handshake message to a first authentication end, where the first handshake message includes at least one elliptic curve type supported by the second authentication end;
A second message obtaining module 720, configured to obtain a second handshake message sent by the first authentication end in response to the first handshake message, where the second handshake message includes a target elliptic curve type selected by the first authentication end according to at least one elliptic curve type, and a public key for key negotiation of the first authentication end determined according to the target elliptic curve type;
and a third processing module 730, configured to perform identity verification of the identity-based digital signature IBS with the first authentication end by adopting a signature algorithm corresponding to the target elliptic curve type.
Optionally, in the authentication device, the third processing module 730 performs, with the first authentication terminal, identity verification of the identity-based digital signature IBS by using a signature algorithm corresponding to the target elliptic curve type, including:
acquiring second certificate indication information sent by the first authentication end;
Adopting a signature algorithm corresponding to the target elliptic curve type to perform signature verification on the second certificate indication information;
Wherein the second certificate indication information includes:
certificate information comprising identity information of the first authentication end, public parameter information of the first authentication end and public parameter information of a key generation center to which the first authentication end belongs;
Certificate verification information comprising a signature value for signing the certificate information by adopting a signature algorithm corresponding to the type of the target elliptic curve;
and the certificate request information comprises request information for requesting to adopt a signature algorithm corresponding to the target elliptic curve type for identity verification.
Optionally, the authentication device, wherein the public parameter information of the first authentication end includes a public key of the first authentication end for key negotiation, the signature algorithm, and a hash value of public parameters of the signature algorithm.
Optionally, in the authentication device, the first handshake message includes first certificate indication information, and the first authentication end sends the second certificate indication information according to the first certificate indication information;
the first certificate indication information includes:
signature algorithm information for indicating a signature algorithm supported by the second authentication terminal;
The first certificate type information is used for indicating the certificate type which can be processed by the second authentication end;
and the second certificate type information is used for indicating the certificate type which can be provided by the second authentication end.
Optionally, the authentication device, wherein the second certificate indication information further includes:
Third certificate type information indicating a certificate type in a certificate payload;
and fourth certificate type information, which is used for indicating the certificate type required to be provided by the second authentication end.
Optionally, in the authentication device, the third processing module 730 performs identity verification of the identity-based digital signature IBS with the first authentication end by adopting a signature algorithm corresponding to the target elliptic curve type, and further includes:
And sending third certificate indication information to the first authentication end, so that the first authentication end adopts a signature algorithm corresponding to the target elliptic curve type to carry out signature verification on the third certificate indication information.
Another aspect of the embodiment of the present invention further provides an authentication device, optionally, the authentication device is a first authentication end, as shown in fig. 8, including a processor 801, and a memory 803 connected to the processor 801 through a bus interface 802, where the memory 803 is used to store a program and data used by the processor 801 when executing an operation, and the processor 801 calls and executes the program and data stored in the memory 803.
The transceiver 804 is connected to the bus interface 802 and is configured to receive and transmit data under the control of the processor 801. Specifically, the processor 801 is configured to read a program in the memory 803 and perform the following procedure:
obtaining a first handshake message sent by a second authentication end, wherein the first handshake message comprises at least one elliptic curve type supported by the second authentication end;
determining a public key for key negotiation of the first authentication end according to a target elliptic curve type in at least one elliptic curve type;
sending a second handshake message to the second authentication end, wherein the second handshake message comprises the target elliptic curve type and the public key;
and adopting a signature algorithm corresponding to the target elliptic curve type to perform identity verification of an identity-based digital signature IBS with the second authentication end.
Optionally, the authentication device, wherein the processor 801 performs identity verification of the identity-based digital signature IBS with the second authentication terminal by adopting a signature algorithm corresponding to the target elliptic curve type, including:
Sending second certificate indication information to the second authentication end according to the first certificate indication information in the first handshake message;
Wherein the second certificate indication information includes:
certificate information comprising identity information of the first authentication end, public parameter information of the first authentication end and public parameter information of a key generation center to which the first authentication end belongs;
Certificate verification information comprising a signature value for signing the certificate information by adopting a signature algorithm corresponding to the type of the target elliptic curve;
and the certificate request information comprises request information for requesting to adopt a signature algorithm corresponding to the target elliptic curve type for identity verification.
Optionally, the authentication device, wherein the public parameter information of the first authentication end includes a public key of the first authentication end for key negotiation, the signature algorithm, and a hash value of public parameters of the signature algorithm.
Optionally, the authentication device, wherein the first certificate indication information includes:
signature algorithm information for indicating a signature algorithm supported by the second authentication terminal;
The first certificate type information is used for indicating the certificate type which can be processed by the second authentication end;
and the second certificate type information is used for indicating the certificate type which can be provided by the second authentication end.
Optionally, the authentication device, wherein the second certificate indication information further includes:
Third certificate type information indicating a certificate type in a certificate payload;
and fourth certificate type information, which is used for indicating the certificate type required to be provided by the second authentication end.
Optionally, in the authentication device, sending the second certificate indication information to the second authentication end includes:
encrypting the second certificate indication information by using a handshake key, wherein the handshake key is obtained by calculation according to the first handshake message and the second handshake message;
and sending the encrypted second certificate indication information to the second authentication end.
Optionally, the authentication device, wherein the processor 801 is further configured to:
acquiring third certificate indication information sent by the second authentication end;
And adopting a signature algorithm corresponding to the target elliptic curve type to perform signature verification on the third certificate indication information.
In FIG. 8, the bus architecture may comprise any number of interconnected buses and bridges, which link together various circuits of one or more processors, represented by the processor 801, and of memory, represented by the memory 803. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and therefore will not be described further herein. The bus interface provides an interface. The transceiver 804 may be a plurality of elements, i.e., include a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 801 is responsible for managing the bus architecture and general processing, and the memory 803 may store data used by the processor 801 in performing operations.
It will be understood by those skilled in the art that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware, the program including instructions for performing some or all of the steps of the above method, and the program may be stored in a readable storage medium, which may be any form of storage medium.
Another aspect of the embodiment of the present invention further provides an authentication device, optionally, the authentication device is a second authentication end, as shown in fig. 9, and includes a processor 901, and a memory 903 connected to the processor 901 through a bus interface 902, where the memory 903 is used to store a program and data used by the processor 901 when executing an operation, and the processor 901 calls and executes the program and data stored in the memory 903.
The transceiver 904 is connected to the bus interface 902 and is configured to receive and transmit data under the control of the processor 901. Specifically, the processor 901 is configured to read a program in the memory 903 and perform the following procedure:
sending a first handshake message to a first authentication end, wherein the first handshake message comprises at least one elliptic curve type supported by a second authentication end;
obtaining a second handshake message sent by the first authentication end in response to the first handshake message, wherein the second handshake message comprises a target elliptic curve type selected by the first authentication end according to at least one elliptic curve type and a public key for key negotiation of the first authentication end determined according to the target elliptic curve type;
And adopting a signature algorithm corresponding to the target elliptic curve type to perform identity verification of an identity-based digital signature IBS with the first authentication end.
Optionally, the authentication device, wherein the processor 901 performs identity verification of the identity-based digital signature IBS with the first authentication end by adopting a signature algorithm corresponding to the target elliptic curve type, including:
acquiring second certificate indication information sent by the first authentication end;
Adopting a signature algorithm corresponding to the target elliptic curve type to perform signature verification on the second certificate indication information;
Wherein the second certificate indication information includes:
certificate information comprising identity information of the first authentication end, public parameter information of the first authentication end and public parameter information of a key generation center to which the first authentication end belongs;
Certificate verification information comprising a signature value for signing the certificate information by adopting a signature algorithm corresponding to the type of the target elliptic curve;
and the certificate request information comprises request information for requesting to adopt a signature algorithm corresponding to the target elliptic curve type for identity verification.
Optionally, the authentication device, wherein the public parameter information of the first authentication end includes a public key of the first authentication end for key negotiation, the signature algorithm, and a hash value of public parameters of the signature algorithm.
Optionally, in the authentication device, the first handshake message includes first certificate indication information, and the first authentication end sends the second certificate indication information according to the first certificate indication information;
the first certificate indication information includes:
signature algorithm information for indicating a signature algorithm supported by the second authentication terminal;
The first certificate type information is used for indicating the certificate type which can be processed by the second authentication end;
and the second certificate type information is used for indicating the certificate type which can be provided by the second authentication end.
Optionally, the authentication device, wherein the second certificate indication information further includes:
Third certificate type information indicating a certificate type in a certificate payload;
and fourth certificate type information, which is used for indicating the certificate type required to be provided by the second authentication end.
Optionally, the authentication device, wherein the processor 901 performs identity verification of the identity-based digital signature IBS with the first authentication end by adopting a signature algorithm corresponding to the target elliptic curve type, further includes:
And sending third certificate indication information to the first authentication end, so that the first authentication end adopts a signature algorithm corresponding to the target elliptic curve type to carry out signature verification on the third certificate indication information.
In FIG. 9, the bus architecture may comprise any number of interconnected buses and bridges, which link together various circuits of one or more processors, represented by the processor 901, and of memory, represented by the memory 903. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and therefore will not be described further herein. The bus interface provides an interface. The transceiver 904 may be a plurality of elements, i.e., include a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 901 is responsible for managing the bus architecture and general processing, and the memory 903 may store data used by the processor 901 in performing operations.
It will be understood by those skilled in the art that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware, the program including instructions for performing some or all of the steps of the above method, and the program may be stored in a readable storage medium, which may be any form of storage medium.
In addition, a specific embodiment of the present invention also provides a computer-readable storage medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the steps of the authentication method as described in any one of the above.
In the several embodiments provided in the present application, it should be understood that the disclosed methods and apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division of the units is merely a division by logical function, and other divisions are possible in an actual implementation. For instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling, direct coupling, or communication connection shown or discussed between components may be an indirect coupling or communication connection via some interfaces, devices or units, and may be in electrical, mechanical or other form.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may be physically included separately, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
The integrated units implemented in the form of software functional units described above may be stored in a computer-readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform part of the steps of the transceiving method according to the embodiments of the present invention. The storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and changes can be made without departing from the principles of the present invention, and such modifications and changes should also be considered as being within the scope of the present invention.