CN116455661A - Multi-factor dynamic identity authentication method based on cryptographic algorithm - Google Patents
- Publication number: CN116455661A (application CN202310491205.3A)
- Authority: CN (China)
- Prior art keywords: terminal, dynamic password, identity authentication, data, key
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—... for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            - H04L63/045—... wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
          - H04L9/0861—Generation of secret information including derivation or calculation of cryptographic keys or passwords
            - H04L9/0863—... involving passwords or one-time passwords
        - H04L9/32—... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
          - H04L9/3236—... using cryptographic hash functions
            - H04L9/3239—... involving non-keyed hash functions, e.g. modification detection codes [MDCs], MD5, SHA or RIPEMD
        - H04L9/40—Network security protocols
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
  - Y04—INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    - Y04S—SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
      - Y04S40/00—Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
        - Y04S40/20—Information technology specific aspects, e.g. CAD, simulation, modelling, system security
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a multi-factor dynamic identity authentication method based on the SM national cryptographic algorithms, comprising: generating a public/private key pair and a symmetric key with the SM algorithms, and performing cryptographic operations on the verification factors using the generated keys and the SM3 hash algorithm; in a first authentication stage, the terminal generates a non-repeating random number, derives a dynamic password from it with hash and XOR operations, encrypts the dynamic password with a symmetric cipher, encrypts the symmetric key with an asymmetric cipher, and sends both to the distribution gateway for identity authentication; in a second authentication stage, the distribution gateway generates a new non-repeating random number, derives a new dynamic password from the decrypted data with hash and XOR operations, encrypts it with the symmetric key, and sends it to the smart terminal for identity authentication. The method resists common attacks such as man-in-the-middle, replay and impersonation attacks, and requires neither additional hardware nor the issuance of digital certificates, which lowers cost and eases operation and maintenance.
Description
Technical field
The invention relates to the technical field of power data transmission security, and in particular to a multi-factor dynamic identity authentication method based on the SM national cryptographic algorithms.
Background
In recent years power companies have pushed the construction of smart grids, and more and more smart power terminals have been connected to the distribution network. With the continuing development of computing and communication technology and the growing integration of the power grid with information networks, smart terminals bring convenience and efficiency but also introduce additional security risks into the distribution network. This applies in particular to the automation systems of medium- and low-voltage distribution networks at 10 kV and below: remote terminals such as feeder and distribution-transformer units that lack optical fibre connectivity communicate over public wireless networks (GPRS, CDMA, TD-SCDMA and the like), which exposes the distribution network to attacks from the public network such as eavesdropping, malicious tampering and identity spoofing. Securing the communication of the large number of smart distribution terminals is therefore essential to the security and stability of the distribution network as a whole.
Secure and efficient identity authentication plays an increasingly important role in the distribution network and is the basis for secure data transmission between terminals and between terminals and the master station. Existing identity authentication schemes, however, commonly suffer from the following problems: (1) the smart terminals or the distribution master station must be equipped with additional hardware carriers, such as TPM trusted security chips or USB hardware tokens; (2) a CA must issue digital certificates to the distribution master station and to every smart terminal, which increases the burden of management and maintenance; (3) the schemes are vulnerable to malicious attacks such as man-in-the-middle and impersonation attacks, so their authentication security is low and they pose a significant risk to the distribution network.
Summary of the invention
The present invention is proposed in view of the problems described above.
The invention therefore provides a multi-factor dynamic identity authentication method based on the SM national cryptographic algorithms that addresses the need for smart terminals or the distribution master station to carry additional hardware, the management and maintenance burden of having a CA issue digital certificates to the master station and every smart terminal, and the low authentication security of schemes that are vulnerable to man-in-the-middle and impersonation attacks.
To solve the above technical problems,
the invention provides a multi-factor dynamic identity authentication method based on the SM national cryptographic algorithms, comprising:
generating a public/private key pair and a symmetric key with the SM algorithms, and performing cryptographic operations on the verification factors using the generated keys and the SM3 algorithm, the verification factors comprising the terminal identity ID, the hardware address MAC and the shared password value PW;
in a first authentication stage, the terminal generating a non-repeating random number, deriving a dynamic password with hash and XOR operations, encrypting the dynamic password with a symmetric cipher, encrypting the symmetric key with an asymmetric cipher, and sending both to the distribution gateway for identity authentication;
in a second authentication stage, the distribution gateway generating a new non-repeating random number, deriving a new dynamic password from the decrypted data with hash and XOR operations, encrypting it with the symmetric key and sending it to the smart terminal for identity authentication.
In a preferred embodiment of the multi-factor dynamic identity authentication method according to the invention, the SM algorithms used to generate the public/private key pair and the symmetric key are SM2 and SM4.
In a preferred embodiment, the method further comprises a registration stage before the first authentication, in which the smart terminal to be registered encrypts its device information with the asymmetric cipher and sends the encrypted registration data to the distribution gateway; the gateway decrypts the data, verifies its correctness and, if verification passes, stores the registration data.
In a preferred embodiment, sending the encrypted registration data to the distribution gateway and having the gateway decrypt and verify it specifically comprises:
the distribution gateway generates a key pair with the SM2 algorithm, sends its public key KP to the terminal and keeps the private key KS securely;
the terminal hashes its device hardware address MAC and the shared password value PW separately with SM3, encrypts the results together with its terminal identity IDi under the gateway public key KP using SM2, and sends the encrypted data to the distribution gateway for registration;
on receiving the registration message, the distribution gateway decrypts it with its private key KS and checks its list for an already registered user with the same IDi; if none exists it replies with a registration-success message and stores IDi together with the verification factors H(MAC) and H(PW), denoted H′(MAC) and H′(PW);
where H(x) denotes the digest obtained by hashing the data x with the SM3 algorithm.
In a preferred embodiment, the first authentication stage, in which the terminal generates a non-repeating random number, derives a dynamic password with hash and XOR operations, encrypts the dynamic password with the symmetric cipher, encrypts the symmetric key with the asymmetric cipher, and sends both to the distribution gateway for identity authentication, specifically comprises:
the terminal generates a random number R1 and computes … as well as H(H(MAC)||R1);
it invokes the SM4 algorithm to generate a symmetric key K, encrypts the computed values and IDi with K, encrypts K with the gateway public key, and sends all of the encrypted data to the gateway;
where ⊕ denotes the XOR operation and || denotes concatenation.
In a preferred embodiment, the method further comprises, in the first authentication, the distribution gateway receiving the encrypted data, decrypting it with its private key and the symmetric key to obtain the dynamic password, locating the corresponding terminal and its stored verification factors from the dynamic password, and further verifying the dynamic password against those factors.
In a preferred embodiment, the first authentication stage, in which the distribution gateway receives the encrypted data, decrypts it with its private key and the symmetric key to obtain the dynamic password, locates the corresponding terminal and its stored verification factors, and further verifies the dynamic password against them, specifically comprises:
on receiving the encrypted authentication message, the distribution gateway decrypts it with its private key KS to obtain the symmetric key K;
it decrypts the data with the symmetric key K using SM4;
the distribution gateway retrieves the H′(PW) and H′(MAC) stored for IDi, computes … and checks whether H(H(MAC)||R1) equals H(H′(MAC)||R′1); if they are equal, the gateway has authenticated the terminal.
In a preferred embodiment, the second authentication stage, in which the distribution gateway generates a new non-repeating random number, derives a new dynamic password from the decrypted data with hash and XOR operations, encrypts it with the symmetric key and sends it to the smart terminal for identity authentication, specifically comprises:
after authenticating the terminal, the distribution gateway generates a random number R2, computes … and H(H′(MAC)||R2), encrypts the data with key K using SM4 and sends it to the terminal.
In a preferred embodiment, the method further comprises, in the second authentication, the smart terminal receiving the encrypted data, decrypting it with the symmetric key to obtain the new dynamic password, and verifying the new dynamic password against its stored local data; if the verification succeeds, the terminal has authenticated the distribution gateway.
In a preferred embodiment, the second authentication, in which the smart terminal receives the encrypted data, decrypts it with the symmetric key to obtain the new dynamic password, and verifies it against its stored local data to authenticate the distribution gateway, specifically comprises:
on receiving the encrypted data, the terminal decrypts the message with SM4;
from its stored R1 and H(MAC) the terminal computes … and checks whether H(H′(MAC)||R2) equals H(H(MAC)||R′2); if they are equal, the terminal has authenticated the distribution gateway.
Compared with the prior art, the invention has the following beneficial effects. It is based on the SM2, SM3 and SM4 national cryptographic algorithms, combines the factors terminal identity IDi, hardware address MAC and shared password value PW, and uses random numbers to generate dynamic passwords. It thus offers multi-factor verification, a simple authentication procedure and strong algorithms, and resists impersonation, replay and man-in-the-middle attacks that are common against distribution automation systems. The method requires neither additional hardware in the distribution master station or smart terminal, which lowers hardware cost, nor PKI-based digital certificates, which avoids the difficulty of certificate management and maintenance. Within the encrypted plaintext the user authentication information is further protected by XOR and hash operations, so the method also resists key-leakage attacks and prevents disclosure of user authentication information in transit.
Brief description of the drawings
To describe the technical solutions of the embodiments more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without inventive effort. In the drawings:
Fig. 1 is a schematic overview of the flow of the multi-factor dynamic identity authentication method based on the SM national cryptographic algorithms according to one embodiment of the invention;
Fig. 2 is a schematic diagram of the registration stage of the dynamic identity authentication method within the multi-factor dynamic identity authentication method according to one embodiment of the invention;
Fig. 3 is a schematic diagram of the authentication stage of the dynamic identity authentication method within the multi-factor dynamic identity authentication method according to one embodiment of the invention.
Detailed description
To make the above objects, features and advantages of the invention clearer, specific embodiments are described in detail below with reference to the drawings. The embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art can obtain from these embodiments without inventive effort fall within the scope of protection of the invention.
Many specific details are set out in the following description to aid a full understanding of the invention, but the invention may also be implemented in ways other than those described here, and those skilled in the art may make similar generalisations without departing from its spirit; the invention is therefore not limited to the specific embodiments disclosed below.
Further, "one embodiment" or "an embodiment" as used here refers to a particular feature, structure or characteristic that may be included in at least one implementation of the invention. Occurrences of "in one embodiment" in different places in this specification do not all refer to the same embodiment, nor to separate or alternative embodiments that are mutually exclusive of other embodiments.
The invention is described in detail with reference to schematic diagrams. For ease of explanation, cross-sectional views showing device structures may be partially enlarged out of scale; the diagrams are examples only and do not limit the scope of protection. In actual manufacture the three-dimensional dimensions of length, width and depth should be taken into account.
In the description of the invention, orientation or positional terms such as "upper, lower, inner and outer" refer to the orientations or positions shown in the drawings, are used only to simplify the description, and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; they should not be construed as limiting the invention. The terms "first, second or third" are used for descriptive purposes only and do not indicate or imply relative importance.
Unless expressly specified and limited otherwise, the terms "mounted, joined, connected" are to be understood broadly: a connection may be fixed, detachable or integral; mechanical, electrical or direct; indirect through an intermediary; or an internal communication between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the invention according to the circumstances.
实施例1Example 1
参照图1,为本发明的一个实施例,提供了一种基于国密算法的多因子动态身份认证方法,包括:Referring to Fig. 1, an embodiment of the present invention provides a multi-factor dynamic identity authentication method based on a national secret algorithm, including:
S1:依据国密算法生成公私钥对与对称密钥,利用生成的密钥及SM3国密算法对验证因子进行密码运算,验证因子包括,终端身份标识ID、硬件地址MAC和共享口令值PW;S1: Generate a public-private key pair and a symmetric key according to the national secret algorithm, and use the generated key and the SM3 national secret algorithm to perform cryptographic operations on the verification factor. The verification factor includes terminal identity ID, hardware address MAC and shared password value PW;
更进一步的,依据国密算法生成公私钥对与对称密钥中,国密算法为SM2和SM4算法。Furthermore, among the public-private key pairs and symmetric keys generated according to the national secret algorithm, the national secret algorithm is the SM2 and SM4 algorithms.
S2:在第一认证之前的注册阶段,待注册智能终端将设备信息使用非对称密码算法加密,将加密的注册数据发送至配电网关,配电网关解密数据后验证数据正确性,验证通过后保存注册数据。S2: In the registration stage before the first authentication, the smart terminal to be registered encrypts the device information using an asymmetric cryptographic algorithm, and sends the encrypted registration data to the power distribution gateway. After the power distribution gateway decrypts the data, it verifies the correctness of the data. Save the registration data.
更进一步的,将加密的注册数据发送至配电网关,配电网关解密数据后验证数据正确性,具体包括,Furthermore, the encrypted registration data is sent to the power distribution gateway, and the power distribution gateway decrypts the data and verifies the correctness of the data, specifically including,
配电网关通过SM2国密算法生成密钥对,将自身公钥KP发送给终端,私钥KS安全保存;The power distribution gateway generates a key pair through the SM2 national secret algorithm, sends its own public key K P to the terminal, and the private key K S is safely stored;
终端将自身设备硬件地址MAC、共享口令值PW分别使用SM3国密算法进行运算处理,连同终端身份标识IDi使用网关公钥KP经SM2国密算法加密,并将加密数据发送给配电网关进行注册;The terminal uses the SM3 national secret algorithm to perform calculations on its own device hardware address MAC and the shared password value PW respectively, together with the terminal identity ID i uses the gateway public key K P to encrypt through the SM2 national secret algorithm, and sends the encrypted data to the power distribution gateway to register;
配电网关收到终端注册信息后,使用自身私钥KS进行解密,根据IDi验证列表中是否存在相同的已注册用户,若不存在则回复注册成功消息,并保存IDi及相应的验证因子H(MAC)、H(PW),标记为H′(MAC)、H′(PW);After the power distribution gateway receives the terminal registration information, it uses its own private key KS to decrypt it, and verifies whether the same registered user exists in the list according to the ID i . If it does not exist, it replies with a successful registration message, and saves the ID i and the corresponding verification Factors H(MAC), H(PW), denoted as H'(MAC), H'(PW);
其中,H(x)表示对数据x使用SM3算法进行哈希运算后得到的杂凑值。Wherein, H(x) represents the hash value obtained after hashing the data x using the SM3 algorithm.
S3: first authentication stage. The terminal generates a non-repeating random number, derives a dynamic password from it with hash and XOR operations, encrypts the dynamic password with a symmetric cipher, encrypts the symmetric key with a public-key cipher, and sends both ciphertexts to the distribution gateway for identity authentication;
Further, the first authentication stage specifically includes:
the terminal generates a random number R_1 and computes [expression missing in source] together with H(H(MAC)||R_1);
it invokes the SM4 national cryptographic algorithm and generates a symmetric key K, encrypts the computed values and ID_i under K, encrypts K under the gateway public key, and sends all of the ciphertexts to the gateway;
where ⊕ denotes the bitwise XOR operation and || denotes concatenation.
Note that x⊕y denotes the value obtained by XORing x and y bitwise, and x||y the value obtained by concatenating x and y in order.
Further, in the first authentication, after receiving the encrypted data the distribution gateway decrypts it with its private key and the symmetric key to obtain the dynamic password, locates the corresponding terminal and its stored verification factors from the identifier ID_i carried with the dynamic password, and verifies the dynamic password against those factors, specifically including:
after receiving the encrypted authentication message, the distribution gateway decrypts it with its private key K_S to obtain the symmetric key K;
it decrypts the data with K using the SM4 algorithm;
the distribution gateway looks up H′(PW) and H′(MAC) for ID_i, computes R′_1 [expression missing in source], and checks whether H(H(MAC)||R_1) equals H(H′(MAC)||R′_1); if they are equal, the distribution gateway has authenticated the terminal.
Note that the first authentication stage ends either with the terminal authenticated or with the authentication process terminated.
S4: second authentication stage. The distribution gateway generates a new non-repeating random number, applies hash and XOR operations to the decrypted data to produce a new dynamic password, encrypts it with the symmetric key and sends it to the smart terminal for identity authentication.
Further, this specifically includes:
after authenticating the terminal, the distribution gateway generates a random number R_2, computes [expression missing in source] and H(H′(MAC)||R_2), encrypts the data with K using the SM4 algorithm and sends it to the terminal.
Further, in the second authentication, after receiving the encrypted data the smart terminal decrypts it with the symmetric key to obtain the new dynamic password and verifies it against its locally stored data; if the check succeeds, the terminal has authenticated the distribution gateway.
Further, this specifically includes:
after receiving the encrypted data, the terminal decrypts the message with the SM4 algorithm;
from its stored R_1 and H(MAC) the terminal computes R′_2 [expression missing in source] and checks whether H(H′(MAC)||R_2) equals H(H(MAC)||R′_2); if they are equal, the terminal has authenticated the distribution gateway.
Example 2
Referring to Figures 2 and 3, an embodiment of the present invention provides the operating logic of a practical scenario for the multi-factor dynamic identity authentication method based on the national cryptographic algorithms.
Figure 2 is a schematic of the registration phase between the smart terminal and the distribution gateway, which includes:
The terminal sends a registration request to the distribution gateway.
S101: The distribution gateway generates a key pair with the SM2 algorithm, sends its public key K_P to the terminal and keeps the private key K_S securely. In this scheme E_KP(x) denotes the ciphertext obtained by encrypting the plaintext x with SM2 under the public key K_P, and D_KS(x) denotes the plaintext obtained by decrypting the ciphertext x with SM2 under the private key K_S.
S102: The terminal stores K_P on receipt. It hashes its hardware address MAC and the shared password value PW with SM3 to obtain H(MAC) and H(PW), encrypts them together with its identifier ID_i under K_P with SM2, obtaining R = E_KP(ID_i, H(MAC), H(PW)), and sends R to the distribution gateway.
S103: On receiving R, the distribution gateway decrypts it with K_S, i.e. recovers ID_i, H(MAC) and H(PW) from D_KS(R), and checks its list for a registered user with the same ID_i. If none exists, it replies with a registration-success message and stores ID_i and the verification factors, recording H(MAC) and H(PW) as H′(MAC) and H′(PW).
Figure 3 is a schematic of the authentication phase between the smart terminal and the distribution gateway, which includes:
The terminal or the distribution gateway sends an identity-authentication request message.
S201: The terminal generates a random number R_1 and computes [expression missing in source] and H(H(MAC)||R_1). It then invokes the SM4 algorithm and generates a symmetric key K, encrypts the computed values under K to obtain m [expression missing in source], encrypts K with SM2 to obtain E_KP(K), and sends m and E_KP(K) together to the distribution gateway. Here E_K(x) denotes the ciphertext obtained by symmetrically encrypting the plaintext x with SM4 under the key K.
S202: On receiving the authentication message, the distribution gateway first decrypts E_KP(K) with its private key K_S to obtain the symmetric key K, i.e. K = D_KS(E_KP(K)), then decrypts m with K, i.e. D_K(m), obtaining ID_i, [expression missing in source] and H(H(MAC)||R_1). It looks up H′(PW) and H′(MAC) for ID_i, computes R′_1 [expression missing in source], and checks whether H(H(MAC)||R_1) equals H(H′(MAC)||R′_1). If they are equal, the distribution gateway has authenticated the terminal; otherwise the authentication process is aborted. D_K(x) denotes the plaintext obtained by decrypting the ciphertext x with SM4 under the key K.
S203: The distribution gateway generates a random number R_2, computes [expression missing in source] and H(H′(MAC)||R_2), encrypts them with SM4 under K to obtain M [expression missing in source], and sends M to the terminal.
S204: On receiving M, the terminal decrypts it with SM4, i.e. D_K(M), obtaining [expression missing in source] and H(H′(MAC)||R_2). From its stored R_1 and H(MAC) it computes R′_2 [expression missing in source] and checks whether H(H′(MAC)||R_2) equals H(H(MAC)||R′_2). If they are equal, the terminal has authenticated the distribution gateway; otherwise the authentication process is aborted.
S205: The terminal computes a confirmation value [expression missing in source] and sends it to the distribution gateway; the gateway decrypts it with SM4 under the symmetric key K, obtaining [expression missing in source], and checks whether it equals [expression missing in source]. If so, mutual identity authentication has succeeded and the two parties can carry out secure data communication.
Example 3
Referring to Tables 1 and 2, in an embodiment of the present invention, and as the embodiments above show, the multi-factor dynamic identity authentication method based on the national cryptographic algorithms requires no additional hardware token at the distribution master station or the smart terminal, which lowers hardware cost, and needs no PKI digital certificates, which avoids the burden of certificate management and maintenance. Against the malicious attacks commonly mounted on distribution automation systems, namely impersonation, replay and man-in-the-middle attacks, the dynamic identity authentication method rests on the following security reasoning.
To impersonate the distribution master station, an attacker must hold the gateway private key K_S in order to recover the symmetric key K and decrypt the message m. Even if the attacker could brute-force the contents of m, without the verification factor H′(PW) it cannot extract the correct random number R′_1 from the message and therefore cannot build a correct verification message M. Even if R′_1 were stolen, M cannot be formed without H′(MAC), so the attacker cannot pass the smart terminal's verification.
To impersonate a smart terminal, an attacker lacking the terminal identifier ID_i and its hardware address MAC cannot pose as a terminal registered at the distribution gateway. Even if ID_i and MAC are stolen, without the digest H(PW) of the shared password PW the attacker cannot produce the correct [expression missing in source]; the distribution gateway, computing from [expression missing in source], then derives a wrong R′_1, so that H(H(MAC)||R_1) = H(H′(MAC)||R′_1) no longer holds and the attacker fails the gateway's verification.
As the mutual-authentication steps show, every authentication message sent by the smart terminal or the distribution gateway incorporates the random number R_1 or R_2, which gives the scheme a dynamic verification password. An attacker that intercepts an authentication message cannot decipher it, and therefore cannot change only the random value inside it; it can only replay the stale, fixed message. Because a valid authentication message is non-repeating data built on the dynamic password, the smart terminal or distribution gateway can readily recognize the malicious attempt, so the dynamic identity authentication method resists replay attacks.
In the dynamic identity authentication method, the authentication information held by the terminal and the gateway is encrypted for transmission with the national cryptographic algorithms, so all communication data on the network is ciphertext. Even an attacker that, unknown to both parties, sits in the middle and talks separately to the smart terminal and to the distribution gateway will find it very hard to recover plaintext from the traffic and hence to answer an authentication message correctly, and it cannot obtain the key the two parties negotiate after authentication. Within the encrypted plaintext, the user authentication information is further protected by XOR and hash operations, which in practice also resists key-leakage attacks and prevents leakage of authentication information in transit. The dynamic identity authentication method therefore resists man-in-the-middle attacks.
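A runnable model of the registration and authentication flow of Example 2 (S101 to S103, S201 to S205) and of the impersonation and replay reasoning of Example 3, added here as an illustration; it is not code from the patent. Python's standard library has no SM2, SM3 or SM4, so the example uses labelled stand-ins: H() is SM3 where OpenSSL exposes it through hashlib and SHA-256 otherwise; E_K/D_K is an HMAC-SHA256 counter-mode keystream in place of SM4; E_KP/D_KS is a hashed-ElGamal key encapsulation over the 2048-bit MODP group of RFC 3526 in place of SM2 (the prime is reproduced from memory and should be checked against the RFC before reuse). The XOR expressions the page does not reproduce are taken to be R_1 ⊕ H(PW) in the first stage and R_2 ⊕ R_1 in the second, the reading consistent with the verification steps the text does give (the gateway unmasks with H′(PW), the terminal unmasks with its stored R_1); the S205 confirmation, also not reproduced, is modelled as E_K(H(R′_2)). The class and field names, the JSON framing of message fields and the terminal identifier, MAC and password used are this example's own constructions.

```python
# Added illustration of the Example 2 flow (S101-S103, S201-S205); not the patent's code.
# Every cryptographic primitive below is a labelled stand-in for the SM algorithm named.
import hashlib, hmac, json, secrets

# RFC 3526 group-14 prime, from memory: check against the RFC before reuse. SM2 stand-in only.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)

def H(data):  # H(x): SM3 when OpenSSL exposes it, otherwise SHA-256 (32 bytes either way)
    return hashlib.new("sm3" if "sm3" in hashlib.algorithms_available else "sha256", data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pack(**fields):  # message framing is this example's choice: JSON of hex-encoded fields
    return json.dumps({k: v.hex() for k, v in fields.items()}).encode()

def unpack(blob):
    return {k: bytes.fromhex(v) for k, v in json.loads(blob).items()}

def _keystream(key, nonce, n):  # HMAC-SHA256 in counter mode, stand-in for SM4
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def E_K(key, pt):  # E_K(x): symmetric encryption under K with a fresh 16-byte nonce per message
    nonce = secrets.token_bytes(16)
    return nonce + xor(pt, _keystream(key, nonce, len(pt)))

def D_K(key, ct):  # D_K(x); a wrong key yields garbage rather than an error
    return xor(ct[16:], _keystream(key, ct[:16], len(ct) - 16))

def E_KP(kp, pt):  # E_KP(x): hashed-ElGamal KEM over P, then E_K; stand-in for SM2 encryption
    r = secrets.randbelow(P - 2) + 1
    return pow(2, r, P), E_K(H(pow(kp, r, P).to_bytes(256, "big")), pt)

def D_KS(ks, ct):  # D_KS(x): recover the KEM key with K_S, then D_K
    return D_K(H(pow(ct[0], ks, P).to_bytes(256, "big")), ct[1])

class Terminal:
    def __init__(self, id_i, mac, pw, kp):
        self.id_i, self.kp = id_i, kp  # K_P received in S101
        self.h_mac, self.h_pw = H(mac), H(pw)  # the two verification factors

    def registration_message(self):  # S102: R = E_KP(ID_i, H(MAC), H(PW))
        return E_KP(self.kp, pack(id=self.id_i, h_mac=self.h_mac, h_pw=self.h_pw))

    def auth_request(self):  # S201: m = E_K(ID_i, R1 xor H(PW), H(H(MAC)||R1)) and E_KP(K)
        self.R1, self.K = secrets.token_bytes(32), secrets.token_bytes(16)
        m = E_K(self.K, pack(id=self.id_i, masked_r1=xor(self.R1, self.h_pw),
                             tag=H(self.h_mac + self.R1)))
        return m, E_KP(self.kp, self.K)

    def verify_gateway(self, M):  # S204; returns the (assumed) S205 value E_K(H(R2')) or None
        f = unpack(D_K(self.K, M))
        r2 = xor(f["masked_r2"], self.R1)  # R2' recovered with the stored R1
        if not hmac.compare_digest(f["tag"], H(self.h_mac + r2)):
            return None  # H(H'(MAC)||R2) != H(H(MAC)||R2')
        return E_K(self.K, H(r2))

class Gateway:
    def __init__(self):  # S101: key pair (K_S, K_P)
        self.ks = secrets.randbelow(P - 2) + 1
        self.kp = pow(2, self.ks, P)
        self.registry, self.pending = {}, {}  # ID_i -> (H'(MAC), H'(PW)); ID_i -> (K, R2) awaiting S205

    def register(self, R):  # S103: duplicate ID_i rejected, otherwise factors stored
        f = unpack(D_KS(self.ks, R))
        if f["id"] in self.registry:
            return False
        self.registry[f["id"]] = (f["h_mac"], f["h_pw"])
        return True

    def verify_terminal(self, m, enc_k):  # S202 + S203; returns (ID_i, M) or None
        K = D_KS(self.ks, enc_k)
        f = unpack(D_K(K, m))
        if f["id"] not in self.registry:
            return None
        h_mac, h_pw = self.registry[f["id"]]
        r1 = xor(f["masked_r1"], h_pw)  # R1' recovered with H'(PW)
        if not hmac.compare_digest(f["tag"], H(h_mac + r1)):
            return None  # H(H(MAC)||R1) != H(H'(MAC)||R1')
        R2 = secrets.token_bytes(32)
        self.pending[f["id"]] = (K, R2)
        return f["id"], E_K(K, pack(masked_r2=xor(R2, r1), tag=H(h_mac + R2)))

    def confirm(self, id_i, c):  # S205: the session counts as authenticated only here
        K, R2 = self.pending.pop(id_i)
        return hmac.compare_digest(D_K(K, c), H(R2))

def mutual_auth(gw, t):  # full S201-S205 exchange; True only when both sides accept
    m, enc_k = t.auth_request()
    res = gw.verify_terminal(m, enc_k)
    if res is None:
        return False
    conf = t.verify_gateway(res[1])
    return conf is not None and gw.confirm(res[0], conf)
```

Under these assumptions the model behaves as the Example 3 reasoning predicts: a caller that knows ID_i and MAC but not PW, or PW but not MAC, fails the S202 check because the gateway recovers a wrong R′_1 or a wrong H(H′(MAC)||R′_1). A replayed first message (m, E_KP(K)) is accepted at S202, since nothing in it has changed, and is rejected only at S205, which the replayer cannot produce without K; an implementation should therefore grant access only after S205, never after S202 alone. Two things the model leaves to the caller: D_K with a wrong K returns garbage that unpack will refuse to parse, so a real gateway must catch that as an authentication failure, and the HMAC-counter cipher and hashed-ElGamal KEM are stand-ins for runnable illustration, not substitutes for SM4 and SM2 in deployment.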
Referring to Table 1, an embodiment of the present invention provides the multi-factor dynamic identity authentication method based on the national cryptographic algorithms; to verify its benefits, a comparison of three schemes is given according to the process described above.
As Table 1 shows, the present invention avoids installing additional hardware tokens or digital certificates while still resisting impersonation, replay, man-in-the-middle and similar malicious attacks, which verifies its beneficial effect.
It should be noted that the above embodiments only illustrate the technical solution of the present invention and do not limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art will understand that the technical solution may be modified or replaced with equivalents without departing from its spirit and scope, and all such modifications fall within the scope of the claims of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310491205.3A CN116455661A (en) | 2023-04-29 | 2023-04-29 | Multi-factor dynamic identity authentication method based on cryptographic algorithm |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116455661A true CN116455661A (en) | 2023-07-18 |
Family
ID=87133699
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310491205.3A Pending CN116455661A (en) | 2023-04-29 | 2023-04-29 | Multi-factor dynamic identity authentication method based on cryptographic algorithm |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116455661A (en) |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003065169A2 * | 2002-01-30 | 2003-08-07 | Tecsec, Inc. | Access system utilizing multiple factor identification and authentication |
CN102195782A * | 2011-06-07 | 2011-09-21 | 吉林大学 | Two-way identity authentication method integrating identity and password for a mailing system |
CN110299995A * | 2019-07-11 | 2019-10-01 | 北京电子科技学院 | Mutual authentication and key agreement method and system based on RLWE supporting domestic cryptographic algorithms |
WO2020087805A1 * | 2018-11-02 | 2020-05-07 | 中国科学院沈阳自动化研究所 | Trusted authentication method employing two cryptographic values and chaotic encryption in a measurement and control network |
CN111835752A * | 2020-07-09 | 2020-10-27 | 国网山西省电力公司信息通信分公司 | Lightweight authentication method and gateway based on device identity |
CN113486324A * | 2021-07-23 | 2021-10-08 | 公安部第三研究所 | Method for realizing three-factor anonymous identity authentication based on the SM2 algorithm |
CN113612797A * | 2021-08-23 | 2021-11-05 | 金陵科技学院 | Improved Kerberos authentication protocol based on the national cryptographic algorithms |
CN114154135A * | 2022-02-07 | 2022-03-08 | 南京理工大学 | Method, system and device for security authentication of Internet of Vehicles communication based on the national cryptographic algorithms |
CN114386020A * | 2021-12-17 | 2022-04-22 | 山东量子科学技术研究院有限公司 | Method and system for fast secondary identity authentication based on quantum security |
CN114553404A * | 2022-01-28 | 2022-05-27 | 国电南瑞南京控制系统有限公司 | Power distribution longitudinal encryption method and system based on quantum encryption |
Non-Patent Citations (3)
Title |
---|
Du Jing et al.: "An Improved Uniform Identity Authentication Method Based on SAML in Cloud Environment", 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC), 19 June 2018 |
Li Tong et al.: "A lightweight mutual authentication protocol for mobile edge computing" (轻量化移动边缘计算双向认证协议), Netinfo Security (信息网络安全), 10 November 2021 |
Huang Dandan et al.: "Improvement and analysis of the Kerberos identity authentication protocol based on the national cryptographic algorithms" (基于国密算法的Kerberos身份认证协议改进与分析), Journal of Jinling Institute of Technology (金陵科技学院学报), 18 July 2022 |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118316631A * | 2024-06-11 | 2024-07-09 | 北京宏思电子技术有限责任公司 | Identity authentication realization method and system |
CN118316631B * | 2024-06-11 | 2024-08-27 | 北京宏思电子技术有限责任公司 | Identity authentication realization method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |