[go: up one dir, main page]

CN111431853A - A centerless instant network identity authentication method and client - Google Patents

A centerless instant network identity authentication method and client Download PDF

Info

Publication number
CN111431853A
CN111431853A CN202010108696.5A CN202010108696A CN111431853A CN 111431853 A CN111431853 A CN 111431853A CN 202010108696 A CN202010108696 A CN 202010108696A CN 111431853 A CN111431853 A CN 111431853A
Authority
CN
China
Prior art keywords
entity
address
encrypted
hash operation
data containing
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010108696.5A
Other languages
Chinese (zh)
Inventor
徐梦剑
张会彬
李良灿
张�杰
赵永利
李亚杰
赵硕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
Original Assignee
Beijing University of Posts and Telecommunications
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing University of Posts and Telecommunications filed Critical Beijing University of Posts and Telecommunications
Priority to CN202010108696.5A priority Critical patent/CN111431853A/en
Publication of CN111431853A publication Critical patent/CN111431853A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

本发明公开了一种无中心的即时网络身份认证方法以及客户端,所述方法包括:产生本地的公钥‑私钥对;基于经对称加密算法得到的与对方共享的密钥K,与对方进行公钥交换;接收对方发送的用户标识、经对方私钥加密的包含IP地址的数据的hash运算结果和经交换的公钥加密的包含IP地址的数据后,利用交换的公钥解密出接收的hash运算结果,并利用本地的私钥解密出包含IP地址的数据;基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较,根据比较结果确认对方的合法身份。应用本发明能达到无中心的即时身份认证的目的,且降低网络数据传输过程身份伪造的风险,保护信息系统的安全。

Figure 202010108696

The invention discloses a non-center instant network identity authentication method and a client. The method includes: generating a local public key-private key pair; Perform public key exchange; after receiving the user ID sent by the other party, the hash operation result of the data containing the IP address encrypted by the other party's private key, and the data containing the IP address encrypted by the exchanged public key, decrypt the received data using the exchanged public key. and decrypt the data containing the IP address by using the local private key; perform a hash operation based on the decrypted data containing the IP address, and compare the result obtained by the operation with the decrypted hash operation result. Confirm the legal identity of the other party. The application of the present invention can achieve the purpose of non-center instant identity authentication, reduce the risk of identity forgery in the network data transmission process, and protect the security of the information system.

Figure 202010108696

Description

一种无中心的即时网络身份认证方法以及客户端A Centerless Instant Network Identity Authentication Method and Client

技术领域technical field

本发明涉及通信加密技术领域,特别是指一种无中心的即时网络身份认证方法以及客户端。The invention relates to the technical field of communication encryption, in particular to a centerless instant network identity authentication method and a client.

背景技术Background technique

网络承载整个信息社会的通信,服务质量和信息安全保障至关重要。随着监控窃听和蓄意攻击等事件的不断曝光,网络面临的信息安全风险种类不断增多、范围不断扩大且层次不断深入。网络信息安全问题,首先需要解决信息的网络身份认证问题,而现有的网络身份认证方法大都通过安全认证中心实现对认证过程的保障,密钥的管理等功能。这就对认证中心本身的安全性要求加大,密钥管理成本增加。The network carries the communication of the entire information society, and the guarantee of service quality and information security is very important. With the continuous exposure of incidents such as surveillance eavesdropping and deliberate attacks, the types of information security risks faced by the network are constantly increasing, the scope is expanding, and the levels are deepening. The problem of network information security first needs to solve the problem of network identity authentication of information, and most of the existing network identity authentication methods realize the guarantee of the authentication process and the management of keys through the security authentication center. This increases the security requirements of the certification center itself, and increases the cost of key management.

网络身份认证问题是保障网络信息安全的一个重要问题,好的网络身份认证方法能有效降低网络身份被伪造的风险。现有的网络身份认证方法大多数通过安全认证中心实现对认证过程的保障,密钥的管理等功能。这就对认证中心本身的安全性要求加大,密钥管理成本增加,并且仍然存在着网络数据传输过程身份伪造的风险,威胁着信息系统的安全。The problem of network identity authentication is an important issue to ensure network information security. A good network identity authentication method can effectively reduce the risk of network identity being forged. Most of the existing network identity authentication methods use the security authentication center to realize the guarantee of the authentication process, the management of keys and other functions. This increases the security requirements of the certification center itself, increases the cost of key management, and still has the risk of identity forgery during network data transmission, threatening the security of the information system.

发明内容SUMMARY OF THE INVENTION

有鉴于此,本发明的目的在于提出一种无中心的即时网络身份认证方法以及客户端,能够实现无中心的即时身份认证的目的,且降低网络数据传输过程身份伪造的风险,保护信息系统的安全。In view of this, the purpose of the present invention is to propose a non-central instant network identity authentication method and client, which can realize the purpose of non-central instant identity authentication, reduce the risk of identity forgery in the network data transmission process, and protect the information system. Safety.

基于上述目的,本发明提供一种无中心的即时网络身份认证方法,包括:Based on the above purpose, the present invention provides a non-center instant network identity authentication method, including:

产生本地的公钥-私钥对;Generate a local public-private key pair;

基于经对称加密算法得到的与对方共享的密钥K,与对方进行公钥交换;Based on the key K shared with the other party obtained by the symmetric encryption algorithm, exchange the public key with the other party;

接收对方发送的用户标识、经对方私钥加密的包含IP地址的数据的hash运算结果和经交换的公钥加密的包含IP地址的数据后,利用交换的公钥解密出接收的hash运算结果,并利用本地的私钥解密出包含IP地址的数据;After receiving the user ID sent by the other party, the hash operation result of the data containing the IP address encrypted by the other party's private key, and the data containing the IP address encrypted by the exchanged public key, decrypt the received hash operation result by using the exchanged public key, And use the local private key to decrypt the data containing the IP address;

基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较,根据比较结果在确认对方的合法身份后存储对方的用户标识与IP地址的对应关系。Perform a hash operation based on the decrypted data including the IP address, compare the result obtained by the operation with the decrypted hash operation result, and store the correspondence between the other party's user ID and the IP address according to the comparison result after confirming the other party's legal identity.

其中,所述基于经对称加密算法得到的与对方共享的密钥K,与对方进行公钥交换,具体包括:Wherein, the public key exchange with the other party based on the key K shared with the other party obtained through the symmetric encryption algorithm specifically includes:

实体A向所述对方实体B发送公钥交换请求,所述公钥交换请求中携带所述实体A的用户标识、使用密钥K加密的公钥CertA;Entity A sends a public key exchange request to the counterpart entity B, and the public key exchange request carries the user identity of the entity A and the public key CertA encrypted with the key K;

所述实体A在接收到所述实体B返回的公钥分发信息后,从中获取所述实体B的用户标识、使用密钥K加密的公钥CertB;After receiving the public key distribution information returned by the entity B, the entity A obtains the user identity of the entity B and the public key CertB encrypted with the key K;

所述实体A利用密钥K解密出CertB,并将CertB与实体B的用户标识对应保存。The entity A decrypts the CertB by using the key K, and stores the CertB corresponding to the user ID of the entity B.

其中,所述接收对方发送的用户标识、经对方私钥加密的包含IP地址的数据的hash运算结果和经交换的公钥加密的包含IP地址的数据后,利用交换的公钥解密出接收的hash运算结果,并利用本地的私钥解密出包含IP地址的数据,具体包括:Wherein, after the user identification sent by the receiving party, the hash operation result of the data containing the IP address encrypted by the private key of the other party, and the data containing the IP address encrypted by the exchanged public key, the received public key is decrypted using the exchanged public key. The hash operation result is used to decrypt the data containing the IP address using the local private key, including:

所述实体A向所述实体B发送认证请求,所述认证请求中携带所述实体A的用户标识、经所述实体A的私钥SkeyA加密的包含所述实体A的IP地址的数据的hash运算结果和经CertB加密的包含所述实体A的IP地址的数据;The entity A sends an authentication request to the entity B, and the authentication request carries the user identity of the entity A, the hash of the data containing the IP address of the entity A encrypted by the private key SkeyA of the entity A The result of the operation and the data containing the IP address of the entity A encrypted by CertB;

所述实体B接收到所述认证请求后,利用CertA解密出由私钥SkeyA加密的包含所述实体A的IP地址的数据的hash运算结果,利用私钥SkeyB解密出经CertB加密的包含所述实体A的IP地址的数据;之后,向所述实体A返回认证响应信息;After receiving the authentication request, the entity B uses CertA to decrypt the hash operation result of the data containing the IP address of the entity A encrypted by the private key SkeyA, and uses the private key SkeyB to decrypt the encrypted data containing the data of the IP address of entity A; after that, return authentication response information to entity A;

所述实体A在接收到所述实体B返回的认证响应信息后,从中获取所述实体B的用户标识、经所述实体B的私钥SkeyB加密的包含所述实体B的IP地址的数据的hash运算结果和经CertA加密的包含所述实体B的IP地址的数据;After receiving the authentication response information returned by the entity B, the entity A obtains the user ID of the entity B, the data containing the IP address of the entity B encrypted by the private key SkeyB of the entity B. The result of the hash operation and the data encrypted by CertA containing the IP address of the entity B;

所述实体A利用CertB解密出由私钥SkeyB加密的包含所述实体B的IP地址的数据的hash运算结果,并利用私钥SkeyA解密出经CertA加密的包含所述实体B的IP地址的数据。The entity A uses CertB to decrypt the hash operation result of the data containing the IP address of the entity B encrypted by the private key SkeyB, and uses the private key SkeyA to decrypt the data containing the IP address of the entity B encrypted by CertA. .

其中,所述基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较,具体包括:Wherein, the hash operation is performed based on the decrypted data including the IP address, and the result obtained by the operation is compared with the decrypted hash operation result, which specifically includes:

所述实体A基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较。The entity A performs a hash operation based on the decrypted data including the IP address, and compares the result obtained by the operation with the decrypted hash operation result.

进一步,在所述实体A基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较后,还包括:Further, after the entity A performs a hash operation based on the decrypted data comprising the IP address, and compares the result obtained by the operation with the decrypted hash operation result, it also includes:

若比较结果为一致,所述实体A向所述实体B返回认证确认信息,所述认证确认信息中携带所述实体A的用户标识、经SkeyA加密的包含所述实体A的IP地址的数据的hash运算结果和经CertB加密的包含所述实体A的IP地址的数据;If the comparison result is consistent, the entity A returns authentication confirmation information to the entity B, and the authentication confirmation information carries the user ID of the entity A and the data encrypted by SkeyA including the IP address of the entity A. The result of the hash operation and the data containing the IP address of the entity A encrypted by CertB;

所述实体B接收到所述认证确认信息后,从中获取所述实体A的用户标识、经SkeyA加密的包含所述实体A的IP地址的数据的hash运算结果和经CertB加密的包含所述实体A的IP地址的数据后,利用CertA解密出由私钥SkeyA加密的包含所述实体A的IP地址的数据的hash运算结果,并利用私钥SkeyB解密出经CertB加密的包含所述实体A的IP地址的数据;After receiving the authentication confirmation information, the entity B obtains the user identity of the entity A, the hash operation result of the data containing the IP address of the entity A encrypted by SkeyA, and the encrypted data containing the entity A encrypted by CertB. After the data of the IP address of A, use CertA to decrypt the hash operation result of the data containing the IP address of the entity A encrypted by the private key SkeyA, and use the private key SkeyB to decrypt the encrypted data containing the entity A by CertB. IP address data;

所述实体B基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较,并在确认比较结果一致后,确认通信双方均完成身份认证。The entity B performs a hash operation based on the decrypted data including the IP address, compares the result obtained by the operation with the decrypted hash operation result, and confirms that both parties of the communication have completed identity authentication after confirming that the comparison results are consistent.

本发明还提供一种客户端,包括:The present invention also provides a client, comprising:

密钥对产生模块,用于产生本地的公钥-私钥对;The key pair generation module is used to generate a local public key-private key pair;

公钥交换模块,用于基于经对称加密算法得到的与对方共享的密钥K,与对方进行公钥交换;The public key exchange module is used to exchange the public key with the other party based on the key K shared with the other party obtained through the symmetric encryption algorithm;

身份认证模块,用于接收对方发送的用户标识、经对方私钥加密的包含IP地址的数据的hash运算结果和经交换的公钥加密的包含IP地址的数据后,利用交换的公钥解密出接收的hash运算结果,并利用本地的私钥解密出包含IP地址的数据;进而基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较,根据比较结果在确认对方的合法身份后存储对方的用户标识与IP地址的对应关系。The identity authentication module is used for receiving the user ID sent by the other party, the hash operation result of the data containing the IP address encrypted by the private key of the other party, and the data containing the IP address encrypted by the exchanged public key, and then decrypted using the exchanged public key. The received hash operation result is used to decrypt the data containing the IP address by using the local private key; then the hash operation is performed based on the decrypted data containing the IP address, and the result obtained by the operation is compared with the decrypted hash operation result. The comparison result stores the correspondence between the user ID and the IP address of the other party after confirming the legal identity of the other party.

本发明的技术方案中,通信双方产生本地的公钥-私钥对;基于经对称加密算法得到的与对方共享的密钥K,与对方进行公钥交换;接收对方发送的用户标识、经对方私钥加密的包含IP地址的数据的hash运算结果和经交换的公钥加密的包含IP地址的数据后,利用交换的公钥解密出接收的hash运算结果,并利用本地的私钥解密出包含IP地址的数据;基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较,根据比较结果在确认对方的合法身份后存储对方的用户标识与IP地址的对应关系。从而通信双方通过发送2个公钥交换数据包和3个认证数据包以及对数据包进行相应处理达到无中心的即时身份认证的目的;且可在保证数据通信方初始会话时的身份认证的安全性的前提下,实现绝对安全的即时“一次一密”,并节约认证中心管理公钥的成本,降低网络数据传输过程身份伪造的风险,保护信息系统的安全。In the technical scheme of the present invention, both parties in communication generate a local public-private key pair; based on the key K shared with the other party obtained through a symmetric encryption algorithm, exchange the public key with the other party; receive the user ID sent by the other party, After the hash operation result of the data containing the IP address encrypted by the private key and the data containing the IP address encrypted by the exchanged public key, use the exchanged public key to decrypt the received hash operation result, and use the local private key to decrypt the data containing the IP address. IP address data; perform hash operation based on the decrypted data containing the IP address, compare the result obtained by the operation with the decrypted hash operation result, and store the other party's user ID and IP address according to the comparison result after confirming the legal identity of the other party address correspondence. Therefore, both parties of the communication can achieve the purpose of non-central instant identity authentication by sending 2 public key exchange data packets and 3 authentication data packets and processing the data packets accordingly; On the premise of security, real-time "one-time-one pad" can be realized with absolute security, and the cost of public key management by the certification center can be saved, the risk of identity forgery in the network data transmission process can be reduced, and the security of the information system can be protected.

附图说明Description of drawings

为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the following briefly introduces the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the accompanying drawings in the following description are only These are some embodiments of the present invention. For those of ordinary skill in the art, other drawings can also be obtained according to these drawings without creative efforts.

图1为本发明实施例提供的一种无中心的即时网络身份认证方法流程图;1 is a flowchart of a method for instant network identity authentication without a center provided by an embodiment of the present invention;

图2为本发明实施例提供的一种通信双方进行网络身份认证的方法流程图;2 is a flowchart of a method for performing network identity authentication between two communicating parties according to an embodiment of the present invention;

图3为本发明实施例提供的一种客户端的内部结构框图。FIG. 3 is a block diagram of an internal structure of a client according to an embodiment of the present invention.

具体实施方式Detailed ways

为使本发明的目的、技术方案和优点更加清楚明白,以下结合具体实施例,并参照附图,对本发明进一步详细说明。In order to make the objectives, technical solutions and advantages of the present invention clearer, the present invention will be further described in detail below with reference to specific embodiments and accompanying drawings.

需要说明的是,除非另外定义,本发明实施例使用的技术术语或者科学术语应当为本公开所属领域内具有一般技能的人士所理解的通常意义。本公开中使用的“第一”、“第二”以及类似的词语并不表示任何顺序、数量或者重要性,而只是用来区分不同的组成部分。“包括”或者“包含”等类似的词语意指出现该词前面的元件或者物件涵盖出现在该词后面列举的元件或者物件及其等同,而不排除其他元件或者物件。“连接”或者“相连”等类似的词语并非限定于物理的或者机械的连接,而是可以包括电性的连接,不管是直接的还是间接的。“上”、“下”、“左”、“右”等仅用于表示相对位置关系,当被描述对象的绝对位置改变后,则该相对位置关系也可能相应地改变。It should be noted that, unless otherwise defined, the technical or scientific terms used in the embodiments of the present invention shall have the usual meanings understood by those with ordinary skill in the art to which the present disclosure belongs. As used in this disclosure, "first," "second," and similar terms do not denote any order, quantity, or importance, but are merely used to distinguish the various components. "Comprises" or "comprising" and similar words mean that the elements or things appearing before the word encompass the elements or things recited after the word and their equivalents, but do not exclude other elements or things. Words like "connected" or "connected" are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "Up", "Down", "Left", "Right", etc. are only used to represent the relative positional relationship, and when the absolute position of the described object changes, the relative positional relationship may also change accordingly.

本发明的发明人考虑到,通过基于对称加密算法和非对称加密算法SM2算法结合的方法,实现一种无中心的即时网络身份认证方法,可在保证数据通信方初始会话时的身份认证的安全性的前提下,实现绝对安全的即时“一次一密”,并节约认证中心管理公钥的成本,降低网络数据传输过程身份伪造的风险,保护信息系统的安全。The inventor of the present invention considers that a method based on the combination of the symmetric encryption algorithm and the asymmetric encryption algorithm SM2 algorithm can realize a non-center instant network identity authentication method, which can ensure the security of the identity authentication during the initial session of the data communication party. On the premise of security, real-time "one-time-one pad" can be realized with absolute security, and the cost of public key management by the certification center can be saved, the risk of identity forgery in the network data transmission process can be reduced, and the security of the information system can be protected.

此处简单介绍一个对称加密算法AES算法:Here is a brief introduction to a symmetric encryption algorithm AES algorithm:

高级加密标准(Advanced Encryption Standard,AES),是美国联邦政府采用的一种区块加密标准。这个标准用来替代原先的DES,已经被多方分析且广为全世界所使用。经过五年的甄选流程,AES由美国国家标准与技术研究院(NIST)于2001年11月26日发布于FIPS PUB 197,并在2002年5月26日成为有效的标准;AES算法为对称加密算法,其加密解密用的是同样的密钥K。Advanced Encryption Standard (AES) is a block encryption standard adopted by the US federal government. This standard is used to replace the original DES, which has been analyzed by many parties and is widely used all over the world. After a five-year selection process, AES was published by the National Institute of Standards and Technology (NIST) in FIPS PUB 197 on November 26, 2001, and became a valid standard on May 26, 2002; the AES algorithm is symmetric encryption The same key K is used for encryption and decryption.

此处简单介绍一下SM2算法:Here is a brief introduction to the SM2 algorithm:

随着密码技术和计算技术的发展,常用的1024位RSA算法面临严重的安全威胁,我们国家密码管理部门经过研究,设计出了SM2椭圆曲线算法来替换RSA算法。SM2椭圆曲线加密算法是我国基于国际公开的ECC加密算法而自主设计的一种加密算法,其标准由国家密码管理局于2010年12月17日发布。SM2标准包括总则,数字签名算法,密钥交换协议,公钥加密算法四个部分,分别用于实现数字签名,密钥协商和数据加密等功能;SM2算法为非对称加密算法,数据发送方和接收方各自拥有公私钥对:(CertA,SkeyA)和(CertB,SkeyB)。With the development of cryptography and computing technology, the commonly used 1024-bit RSA algorithm faces serious security threats. After research, our national password management department has designed the SM2 elliptic curve algorithm to replace the RSA algorithm. The SM2 elliptic curve encryption algorithm is an encryption algorithm independently designed by my country based on the international public ECC encryption algorithm. Its standard was released on December 17, 2010 by the State Cryptography Administration. The SM2 standard includes four parts: general principles, digital signature algorithm, key exchange protocol, and public key encryption algorithm, which are respectively used to realize functions such as digital signature, key negotiation and data encryption; SM2 algorithm is an asymmetric encryption algorithm, and the data sender and The receivers have their own public and private key pairs: (CertA, SkeyA) and (CertB, SkeyB).

下面结合附图详细说明本发明实施例的技术方案。The technical solutions of the embodiments of the present invention will be described in detail below with reference to the accompanying drawings.

本发明提供的一种无中心的即时网络身份认证方法,流程如图1所示,包括如下步骤:A non-central instant network identity authentication method provided by the present invention, as shown in Figure 1, includes the following steps:

步骤S101:产生本地的公钥-私钥对。Step S101: Generate a local public-private key pair.

具体地,对于作为通信双方的实体A和实体B在相互进行无中心的即时网络身份认证时,产生本地的公钥-私钥对的过程,如图2所示,包括如下子步骤:Specifically, the process of generating a local public key-private key pair when entity A and entity B as two communicating parties perform non-central instant network identity authentication with each other, as shown in Figure 2, includes the following sub-steps:

子步骤S200:实体A生成即时密钥对(CertA,SkeyA),实体B生成即时密钥对(CertB,SkeyB);Sub-step S200: entity A generates an instant key pair (CertA, SkeyA), and entity B generates an instant key pair (CertB, SkeyB);

其中,CertA、SkeyA分别为实体A生成的公、私钥;CertB、SkeyB分别为实体B生成的公、私钥。Among them, CertA and SkeyA are the public and private keys generated by entity A, respectively; CertB and SkeyB are the public and private keys generated by entity B, respectively.

步骤S102:基于经对称加密算法得到的与对方共享的密钥K,与对方进行公钥交换。Step S102: Based on the key K shared with the other party obtained through the symmetric encryption algorithm, exchange the public key with the other party.

本步骤中,进行公钥交换的过程,如图2所示,具体包括如下子步骤:In this step, the process of public key exchange, as shown in Figure 2, specifically includes the following sub-steps:

子步骤S201:实体A向所述对方实体B发送公钥交换请求;Sub-step S201: entity A sends a public key exchange request to the counterpart entity B;

具体地,本子步骤中,实体A向所述对方实体B发送公钥交换请求:Specifically, in this sub-step, entity A sends a public key exchange request to the counterpart entity B:

Request,ID_A,SN,EK(CertA);Request,ID_A,SN,EK( CertA );

所述公钥交换请求中可以携带所述实体A的用户标识ID_A、使用密钥K加密的公钥CertA,即EK(CertA),以及实体A随机产生的会话序列号SN。The public key exchange request may carry the user identity ID_A of the entity A, the public key CertA encrypted with the key K, that is, E K (CertA), and the session sequence number SN randomly generated by the entity A.

其中,密钥K是实体A与实体B事先通过对称加密算法生成的共享密钥;所述对称加密算法可以是现有技术的一种对称加密算法,比如,高级加密标准AES算法。The key K is a shared key generated by entity A and entity B through a symmetric encryption algorithm in advance; the symmetric encryption algorithm may be a symmetric encryption algorithm in the prior art, such as the Advanced Encryption Standard AES algorithm.

子步骤S202:实体B获取CertA。Sub-step S202: Entity B acquires CertA.

具体地,本子步骤中,实体B接收到公钥交换请求后,对接收的请求进行基于IP地址、端口号和网络协议的数据过滤后,获取ID_A、EK(CertA);Specifically, in this sub-step, after receiving the public key exchange request, entity B performs data filtering based on the IP address, port number and network protocol on the received request, and obtains ID_A, E K (CertA);

进而,实体B利用共享的密钥K解密EK(CertA),获取CertA后,将ID_A与CertA对应存储。Furthermore, entity B decrypts E K (CertA) using the shared key K, obtains CertA, and stores ID_A and CertA in correspondence with them.

子步骤S203:实体B向实体A返回公钥分发信息。Sub-step S203: Entity B returns public key distribution information to entity A.

具体地,本子步骤中,实体B向实体A返回公钥分发信息:Specifically, in this sub-step, entity B returns public key distribution information to entity A:

Dispense,ID_B,SN+1,EK(CertB);Dispense, ID_B, SN+1, E K (CertB);

所述公钥分发信息中可以携带所述实体B的用户标识ID_B、使用密钥K加密的公钥CertB,即EK(CertB),以及SN+1。The public key distribution information may carry the user identity ID_B of the entity B, the public key CertB encrypted with the key K, that is, E K (CertB), and SN+1.

子步骤S204:实体A获取CertB。Sub-step S204: Entity A acquires CertB.

具体地,本子步骤中,实体A在接收到所述实体B返回的公钥分发信息后,对接收的公钥分发信息进行基于IP(Internet Protocol,网际互连协议)地址、端口号和网络协议的数据过滤后,获取所述实体B的用户标识ID_B、EK(CertB);Specifically, in this sub-step, after receiving the public key distribution information returned by the entity B, entity A performs an IP (Internet Protocol, Internet Protocol) address, port number and network protocol based on the received public key distribution information. After the data is filtered, obtain the user ID_B, E K (CertB) of the entity B;

进而,实体A利用共享的密钥K解密EK(CertB),获取CertB后,将ID_B与CertB对应存储,从而完成实体A与实体B的公钥的相互交换。Furthermore, entity A decrypts E K (CertB) using the shared key K, and after obtaining CertB, ID_B and CertB are stored correspondingly, thereby completing the mutual exchange of public keys of entity A and entity B.

步骤S103:接收对方发送的用户标识、经对方私钥加密的包含IP地址的数据的哈希(hash)运算结果和经交换的公钥加密的包含IP地址的数据后,利用交换的公钥解密出接收的hash运算结果,并利用本地的私钥解密出包含IP地址的数据。Step S103: After receiving the user ID sent by the other party, the hash operation result of the data containing the IP address encrypted by the private key of the other party, and the data containing the IP address encrypted by the exchanged public key, decrypt using the exchanged public key The received hash operation result is obtained, and the data containing the IP address is decrypted using the local private key.

本步骤的具体过程,如图2所示,包括如下子步骤:The specific process of this step, as shown in Figure 2, includes the following sub-steps:

子步骤S205:实体A向实体B发送认证请求。Sub-step S205: Entity A sends an authentication request to entity B.

具体地,本子步骤中,所述实体A向所述实体B发送认证请求:Specifically, in this sub-step, the entity A sends an authentication request to the entity B:

Request,ID_A,SN+2,ECertB(IP_A||SN+2||X),ESkeyA(H(IP_A||SN+2||X));Request,ID_A,SN+2,E CertB (IP_A||SN+2||X),E SkeyA (H(IP_A||SN+2||X));

所述认证请求中可以携带所述实体A的用户标识ID_A、经所述实体A的私钥SkeyA加密的包含所述实体A的IP地址(IP_A)的数据的hash运算结果ESkeyA(H(IP_A||SN+2||X))和经CertB加密的包含所述实体A的IP地址(IP_A)的数据ECertB(IP_A||SN+2||X),以及SN+2。The authentication request may carry the user identity ID_A of the entity A, the hash operation result E SkeyA (H(IP_A) of the data containing the IP address (IP_A) of the entity A encrypted by the private key SkeyA of the entity A. ||SN+2||X)) and CertB encrypted data E CertB (IP_A||SN+2||X) containing the IP address of said entity A (IP_A), and SN+2.

其中,ESkeyA(H(IP_A||SN+2||X))具体为将IP_A||SN+2||X的hash运算结果,通过SkeyA进行加密得到的加密结果;ECertB(IP_A||SN+2||X)具体为将IP_A||S+N 2通过CertB进行加密得到的加密结果;其中,||代表数据连接运算,X是保留关键字。Among them, E SkeyA (H(IP_A||SN+2||X)) is the encryption result obtained by encrypting the hash operation result of IP_A||SN+2||X by SkeyA; E CertB (IP_A|| SN+2||X) is the encryption result obtained by encrypting IP_A||S+N 2 by CertB; wherein || represents a data connection operation, and X is a reserved keyword.

子步骤S206:实体B对接收的所述认证请求中的加密数据进行解密。Sub-step S206: Entity B decrypts the received encrypted data in the authentication request.

具体地,本子步骤中,实体B接收到所述认证请求后,利用CertA解密出由私钥SkeyA加密的包含所述实体A的IP地址的数据的hash运算结果H(IP_A||SN+2||X),利用私钥SkeyB解密出经CertB加密的包含所述实体A的IP地址的数据IP_A||SN+2||X。Specifically, in this sub-step, after the entity B receives the authentication request, it uses CertA to decrypt the hash operation result H(IP_A||SN+2| of the data containing the IP address of the entity A encrypted by the private key SkeyA |X), using the private key SkeyB to decrypt the data IP_A||SN+2||X encrypted by CertB and including the IP address of the entity A.

子步骤S207:实体B根据解密信息进行实体A的身份认证。Sub-step S207: Entity B performs identity authentication of entity A according to the decryption information.

具体地,本子步骤中,实体B基于解密出的包含IP地址的数据IP_A||SN+2||X进行hash运算,将运算得到的结果与解密出的hash运算结果H(IP_A||SN+2||X)进行比较;根据比较结果在确认对方的合法身份后存储对方的用户标识与IP地址的对应关系。也就是说,在比较结果一致的情况下,确认对方的合法身份,并存储对方实体A的用户标识ID_A与对方实体A的IP地址IP_A的对应关系;否则,身份认证不通过。Specifically, in this sub-step, entity B performs a hash operation based on the decrypted data IP_A||SN+2||X containing the IP address, and compares the result obtained by the operation with the decrypted hash operation result H(IP_A||SN+ 2||X) to compare; according to the comparison result, after confirming the legal identity of the other party, the corresponding relationship between the user ID and the IP address of the other party is stored. That is, if the comparison results are consistent, the legal identity of the counterparty is confirmed, and the correspondence between the user identifier ID_A of the counterparty entity A and the IP address IP_A of the counterparty entity A is stored; otherwise, the identity authentication fails.

子步骤S208:实体B向所述实体A返回认证响应信息。Sub-step S208: Entity B returns authentication response information to the entity A.

具体地,实体B在确认实体A的合法身份后,于本子步骤中,向所述实体A返回认证响应信息:Specifically, after confirming the legal identity of entity A, entity B returns authentication response information to entity A in this sub-step:

Dispense,ID_B,SN+3,ECertA(IP_B||SN+3||X),ESkeyB(H(IP_B||SN+3||X));Dispense,ID_B,SN+3,E CertA (IP_B||SN+3||X),E SkeyB (H(IP_B||SN+3||X));

所述认证响应信息中可以携带所述实体B的用户标识ID_B、经所述实体B的私钥SkeyB加密的包含所述实体B的IP地址(IP_B)的数据的hash运算结果ESkeyB(H(IP_B||SN+3||X))和经CertA加密的包含所述实体B的IP地址的数据ECertA(IP_B||SN+3||X),以及SN+3。The authentication response information may carry the user identity ID_B of the entity B, the hash operation result E SkeyB (H(H( IP_B||SN+3||X)) and CertA-encrypted data E CertA (IP_B||SN+3||X) containing the IP address of said entity B, and SN+3.

其中,ESkeyB(H(IP_B||SN+3||X))具体为将IP_B||SN+3||X的hash运算结果,通过SkeyB进行加密得到的加密结果;ECertA(IP_B||SN+3||X)具体为将IP_B||SN+3||X通过CertA进行加密得到的加密结果;其中,||代表数据连接运算,X是保留关键字。Among them, E SkeyB (H(IP_B||SN+3||X)) is the encryption result obtained by encrypting the hash operation result of IP_B||SN+3||X by SkeyB; E CertA (IP_B|| SN+3||X) is the encryption result obtained by encrypting IP_B||SN+3||X by CertA; wherein || represents a data connection operation, and X is a reserved keyword.

子步骤S209:实体A对接收的所述认证响应信息中的加密数据进行解密。Sub-step S209: Entity A decrypts the encrypted data in the received authentication response information.

具体地,本子步骤中,所述实体A在接收到所述实体B返回的认证响应信息后,对认证响应信息进行基于IP地址、端口号和网络协议的数据过滤;之后,从中获取所述实体B的用户标识ID_B、经所述实体B的私钥SkeyB加密的包含所述实体B的IP地址的数据的hash运算结果ESkeyB(H(IP_B||SN+3||X))和经CertA加密的包含所述实体B的IP地址的数据ECertA(IP_B||SN+3||X)。Specifically, in this sub-step, after receiving the authentication response information returned by the entity B, the entity A performs data filtering based on the IP address, port number and network protocol on the authentication response information; and then obtains the entity from the authentication response information. User identification ID_B of B, the hash operation result E SkeyB (H(IP_B||SN+3||X)) of the data containing the IP address of the entity B encrypted by the private key SkeyB of the entity B, and the data obtained by CertA Encrypted data E CertA (IP_B||SN+3||X) containing the IP address of said entity B.

进而,所述实体A利用CertB解密出由私钥SkeyB加密的包含所述实体B的IP地址的数据的hash运算结果H(IP_B||SN+3||X),并利用私钥SkeyA解密出经CertA加密的包含所述实体B的IP地址的数据IP_B||SN+3||X。Further, the entity A uses CertB to decrypt the hash operation result H(IP_B||SN+3||X) of the data containing the IP address of the entity B encrypted by the private key SkeyB, and uses the private key SkeyA to decrypt the result H(IP_B||SN+3||X) CertA-encrypted data IP_B||SN+3||X containing the IP address of said entity B.

步骤S104:基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较,根据比较结果在确认对方的合法身份后存储对方的用户标识与IP地址的对应关系。Step S104: perform hash operation based on the decrypted data including the IP address, compare the result obtained by the operation with the decrypted hash operation result, and store the user ID and IP address of the other party according to the comparison result after confirming the legal identity of the other party. Correspondence.

如图2所示,本步骤中具体可以包括如下子步骤:As shown in Figure 2, this step may specifically include the following sub-steps:

子步骤S210:实体A根据解密信息进行实体B的身份认证。Sub-step S210: Entity A performs identity authentication of entity B according to the decryption information.

具体地,本子步骤中,实体A基于解密出的包含IP地址的数据IP_B||SN+3||进行hash运算,将运算得到的结果与解密出的hash运算结果H(IP_B||SN+3||X)进行比较;根据比较结果在确认对方实体B的合法身份后存储对方的用户标识ID_B与对方的IP地址IP_B的对应关系。也就是说,在比较结果一致的情况下,确认对方的合法身份,并存储ID_B与IP_B的对应关系;Specifically, in this sub-step, entity A performs a hash operation based on the decrypted data IP_B||SN+3|| containing the IP address, and compares the result obtained by the operation with the decrypted hash operation result H(IP_B||SN+3 ||X) to compare; according to the comparison result, after confirming the legal identity of the counterparty entity B, store the correspondence between the counterparty's user identification ID_B and the counterparty's IP address IP_B. That is to say, when the comparison results are consistent, confirm the legal identity of the other party, and store the corresponding relationship between ID_B and IP_B;

在实体A确认实体B的合法身份后,还可执行如下子步骤向实体B返回认证确认信息:After entity A confirms the legal identity of entity B, it can also perform the following sub-steps to return authentication confirmation information to entity B:

子步骤S211:实体A向实体B返回认证确认信息。Sub-step S211: Entity A returns authentication confirmation information to entity B.

具体地,本子步骤中,实体A向实体B返回认证确认信息:Specifically, in this sub-step, entity A returns authentication confirmation information to entity B:

Acknowledge,ID_A,SN+4,ECertB(IP_A||SN+4||X),ESkeyA(H(IP_A||SN+4||X))Acknowledge,ID_A,SN+4,E CertB (IP_A||SN+4||X),E SkeyA (H(IP_A||SN+4||X))

所述认证确认信息中携带所述实体A的用户标识ID_A、经SkeyA加密的包含所述实体A的IP地址的数据的hash运算结果ESkeyA(H(IP_A||SN+4||X))和经CertB加密的包含所述实体A的IP地址的数据ECertB(IP_A||SN+4||X),以及SN+4。The authentication confirmation information carries the user identity ID_A of the entity A and the hash operation result of the data containing the IP address of the entity A encrypted by SkeyA E SkeyA (H(IP_A||SN+4||X)) and CertB-encrypted data E CertB (IP_A||SN+4||X) containing the IP address of said entity A, and SN+4.

其中,ESkeyA(H(IP_A||SN+4||X))具体为将IP_A||SN+4||X的hash运算结果,通过SkeyA进行加密得到的加密结果;ECertB(IP_A||SN+4||X)具体为将IP_A||SN+4||X通过CertB进行加密得到的加密结果;其中,||代表数据连接运算,X是保留关键字。Among them, E SkeyA (H(IP_A||SN+4||X)) is the encryption result obtained by encrypting the hash operation result of IP_A||SN+4||X by SkeyA; E CertB (IP_A|| SN+4||X) is an encryption result obtained by encrypting IP_A||SN+4||X by CertB; wherein || represents a data connection operation, and X is a reserved keyword.

子步骤S212:实体B对接收的认证确认信息中的加密数据进行解密。Sub-step S212: Entity B decrypts the encrypted data in the received authentication confirmation information.

具体地,本子步骤中,实体B接收到所述认证确认信息后,从中获取所述实体A的用户标识ID_A、经SkeyA加密的包含所述实体A的IP地址的数据的hash运算结果ESkeyA(H(IP_A||SN+4||X))和经CertB加密的包含所述实体A的IP地址的数据ECertB(IP_A||SN+4||X)后,利用CertA解密出由私钥SkeyA加密的包含所述实体A的IP地址的数据的hash运算结果H(IP_A||SN+4||X),并利用私钥SkeyB解密出经CertB加密的包含所述实体A的IP地址的数据IP_A||SN+4||X。Specifically, in this sub-step, after the entity B receives the authentication confirmation information, it obtains the user identification ID_A of the entity A, the hash operation result E SkeyA of the data containing the IP address of the entity A encrypted by SkeyA ( After H(IP_A||SN+4||X)) and the data E CertB (IP_A||SN+4||X) encrypted by CertB containing the IP address of the entity A, use CertA to decrypt the data obtained by the private key The hash operation result H(IP_A||SN+4||X) of the data containing the IP address of the entity A encrypted by SkeyA, and using the private key SkeyB to decrypt the data containing the IP address of the entity A encrypted by CertB Data IP_A||SN+4||X.

子步骤S213:实体B基于解密出的数据确认通信双方均完成身份认证。Sub-step S213: Entity B confirms that both parties of the communication have completed identity authentication based on the decrypted data.

具体地,本子步骤中,实体B基于解密出的包含IP地址的数据IP_A||SN+4||X进行hash运算,将运算得到的结果与解密出的hash运算结果H(IP_A||SN+4||X)进行比较;在确认比较结果一致后,确认通信双方均完成身份认证。Specifically, in this sub-step, entity B performs a hash operation based on the decrypted data IP_A||SN+4||X containing the IP address, and compares the result obtained by the operation with the decrypted hash operation result H(IP_A||SN+ 4||X) to compare; after confirming that the comparison results are consistent, confirm that both parties of the communication have completed identity authentication.

基于上述的无中心的即时网络身份认证方法,本发明实施例提供的一种客户端,其内部结构如图3所示,包括:密钥对产生模块301、公钥交换模块302、身份认证模块303。Based on the above-mentioned non-central instant network identity authentication method, a client provided by an embodiment of the present invention has an internal structure as shown in FIG. 3 , including: a key pair generation module 301 , a public key exchange module 302 , and an identity authentication module 303.

密钥对产生模块301用于产生本地的公钥-私钥对;The key pair generation module 301 is used to generate a local public key-private key pair;

公钥交换模块302用于基于经对称加密算法得到的与对方共享的密钥K,与对方进行公钥交换;The public key exchange module 302 is configured to exchange the public key with the other party based on the key K shared with the other party obtained through the symmetric encryption algorithm;

身份认证模块303用于接收对方发送的用户标识、经对方私钥加密的包含IP地址的数据的hash运算结果和经交换的公钥加密的包含IP地址的数据后,利用交换的公钥解密出接收的hash运算结果,并利用本地的私钥解密出包含IP地址的数据;进而基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较,根据比较结果在确认对方的合法身份后存储对方的用户标识与IP地址的对应关系。The identity authentication module 303 is used for receiving the user identification sent by the other party, the hash operation result of the data containing the IP address encrypted by the private key of the counterparty, and the data containing the IP address encrypted by the exchanged public key, and decrypted using the exchanged public key. The received hash operation result is used to decrypt the data containing the IP address by using the local private key; then the hash operation is performed based on the decrypted data containing the IP address, and the result obtained by the operation is compared with the decrypted hash operation result. The comparison result stores the correspondence between the user ID and the IP address of the other party after confirming the legal identity of the other party.

具体地,上述客户端可以设置于上述实体A中实现实体A的相关功能:Specifically, the above client can be set in the above entity A to implement the relevant functions of the entity A:

密钥对产生模块301具体可以向对方(实体B)发送公钥交换请求,所述公钥交换请求中携带本地的用户标识(实体A的用户标识)、使用密钥K加密的本地公钥(实体A的公钥)CertA;并在接收到所述对方(实体B)返回的公钥分发信息后,从中获取对方的用户标识(实体B的用户标识)、使用密钥K加密的对方公钥(实体B的公钥)CertB,进而利用密钥K解密出CertB,并将CertB与对方的用户标识(实体B的用户标识)对应保存。The key pair generation module 301 can specifically send a public key exchange request to the counterparty (entity B), where the public key exchange request carries a local user identity (the user identity of entity A), a local public key ( Entity A's public key) CertA; and after receiving the public key distribution information returned by the counterparty (entity B), obtain the counterparty's user ID (entity B's user ID) and the counterparty's public key encrypted with key K. (public key of entity B) CertB, and then decrypt CertB by using the key K, and store CertB in correspondence with the user ID of the other party (the user ID of entity B).

身份认证模块303具体可以向所述对方发送认证请求,所述认证请求中携带本地的用户标识(实体A的用户标识)、经本地私钥(实体A的私钥)SkeyA加密的包含本地的IP地址(实体A的IP地址)的数据的hash运算结果和经CertB加密的包含本地的IP地址(实体A的IP地址)的数据;并在接收到所述对方返回的认证响应信息后,从中获取所述对方的用户标识(实体B的用户标识)、经所述对方的私钥(实体B的私钥)SkeyB加密的包含所述对方的IP地址(实体B的IP地址)的数据的hash运算结果和经CertA加密的包含所述对方的IP地址(实体B的IP地址)的数据;进而利用CertB解密出由私钥SkeyB加密的包含所述对方的IP地址(实体B的IP地址)的数据的hash运算结果,并利用私钥SkeyA解密出经CertA加密的包含所述对方的IP地址(实体B的IP地址)的数据后,基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较,根据比较结果在确认对方(实体B)的合法身份后存储对方(实体B)的用户标识与IP地址的对应关系。The identity authentication module 303 may specifically send an authentication request to the counterparty, where the authentication request carries the local user ID (the user ID of the entity A), and the local IP address encrypted by the local private key (the private key of the entity A) SkeyA contains the local IP address. The hash operation result of the data of the address (the IP address of the entity A) and the data containing the local IP address (the IP address of the entity A) encrypted by CertB; and after receiving the authentication response information returned by the other party, obtain from it The hash operation of the user ID of the counterparty (the user ID of the entity B), the data containing the IP address of the counterparty (the IP address of the entity B) encrypted by the private key of the counterparty (the private key of the entity B) SkeyB The result and the data encrypted by CertA containing the IP address of the other party (the IP address of the entity B); and then using CertB to decrypt the data encrypted by the private key SkeyB and containing the IP address of the other party (the IP address of the entity B) After decrypting the data containing the IP address of the other party (the IP address of entity B) encrypted by CertA using the private key SkeyA, perform hash operation based on the decrypted data containing the IP address, and obtain The result is compared with the decrypted hash operation result, and the correspondence between the user ID and IP address of the other party (entity B) is stored after confirming the legal identity of the other party (entity B) according to the comparison result.

进一步,身份认证模块303还可用于在确认对方(实体B)的合法身份后,向对方(实体B)返回认证确认信息,所述认证确认信息中携带本地的用户标识、经SkeyA加密的包含本地的IP地址的数据的hash运算结果和经CertB加密的包含本地的IP地址的数据。Further, the identity authentication module 303 can also be used to return authentication confirmation information to the counterparty (entity B) after confirming the legal identity of the counterparty (entity B). The hash operation result of the data of the IP address and the data containing the local IP address encrypted by CertB.

进一步,上述密钥对产生模块301还可用于接收到公钥交换请求后,从中获取对方的用户标识、利用共享的密钥K加密的对方的公钥;进而利用共享的密钥K解密得到对方的公钥后,将对方的用户标识和对方的公钥对应存储;之后,向对方返回所述公钥分发信息。Further, the above-mentioned key pair generation module 301 can also be used to obtain the other party's user identity and the other party's public key encrypted by the shared key K after receiving the public key exchange request; and then use the shared key K to decrypt to obtain the other party After the public key of the other party is stored, the user ID of the other party and the public key of the other party are stored correspondingly; after that, the public key distribution information is returned to the other party.

进一步,身份认证模块303还可用于对接收的所述认证请求中的加密数据进行解密:利用对方公钥解密出由对方私钥加密的包含对方的IP地址的数据的hash运算结果,利用本地私钥解密出经对方使用交换的公钥加密的包含对方的IP地址的数据;进而根据解密的信息进行对方的身份认证:基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较;根据比较结果在确认对方的合法身份后存储对方的用户标识与IP地址的对应关系。Further, the identity authentication module 303 can also be used to decrypt the encrypted data in the received authentication request: decrypt the hash operation result of the data containing the IP address of the opponent encrypted by the opponent's private key using the opponent's public key, and use the local private key to decrypt the hash operation result of the data encrypted by the opponent's private key. The key decrypts the data containing the IP address of the other party encrypted by the other party using the exchanged public key; and then performs the identity authentication of the other party according to the decrypted information: based on the decrypted data containing the IP address, hash operation is performed, and the result obtained by the operation is The decrypted hash operation results are compared; according to the comparison results, after confirming the legal identity of the other party, the corresponding relationship between the user ID and the IP address of the other party is stored.

进一步,身份认证模块303还可用于对接收的认证确认信息中的加密数据进行解密,基于解密出的数据确认通信双方均完成身份认证。Further, the identity authentication module 303 can also be used to decrypt the encrypted data in the received authentication confirmation information, and confirm that both parties of the communication have completed identity authentication based on the decrypted data.

进一步,上述客户端中还可包括:共享密钥生成模块304。Further, the above client may further include: a shared key generation module 304 .

共享密钥生成模块304用于基于对称加密算法生成与所述对方共享的密钥K。The shared key generation module 304 is configured to generate a key K shared with the counterparty based on a symmetric encryption algorithm.

上述客户端中的各模块的功能具体实现方法可参考如图1或图2所示流程中的各步骤中详述的方法,此处不再赘述。For the specific implementation method of the functions of the modules in the above-mentioned client, reference may be made to the methods detailed in each step in the process shown in FIG. 1 or FIG. 2 , and details are not repeated here.

上述实施例的装置用于实现前述实施例中相应的方法,并且具有相应的方法实施例的有益效果,在此不再赘述。The apparatuses in the foregoing embodiments are used to implement the corresponding methods in the foregoing embodiments, and have the beneficial effects of the corresponding method embodiments, which will not be repeated here.

本发明的技术方案中,通信双方产生本地的公钥-私钥对;基于经对称加密算法得到的与对方共享的密钥K,与对方进行公钥交换;接收对方发送的用户标识、经对方私钥加密的包含IP地址的数据的hash运算结果和经交换的公钥加密的包含IP地址的数据后,利用交换的公钥解密出接收的hash运算结果,并利用本地的私钥解密出包含IP地址的数据;基于解密出的包含IP地址的数据进行hash运算,将运算得到的结果与解密出的hash运算结果进行比较,根据比较结果在确认对方的合法身份后存储对方的用户标识与IP地址的对应关系。从而通信双方通过发送2个公钥交换数据包和3个认证数据包以及对数据包进行相应处理达到无中心的即时身份认证的目的;且可在保证数据通信方初始会话时的身份认证的安全性的前提下,实现绝对安全的即时“一次一密”,并节约认证中心管理公钥的成本,降低网络数据传输过程身份伪造的风险,保护信息系统的安全。In the technical scheme of the present invention, both parties in communication generate a local public-private key pair; based on the key K shared with the other party obtained through a symmetric encryption algorithm, exchange the public key with the other party; receive the user ID sent by the other party, After the hash operation result of the data containing the IP address encrypted by the private key and the data containing the IP address encrypted by the exchanged public key, use the exchanged public key to decrypt the received hash operation result, and use the local private key to decrypt the data containing the IP address. IP address data; perform hash operation based on the decrypted data containing the IP address, compare the result obtained by the operation with the decrypted hash operation result, and store the other party's user ID and IP address according to the comparison result after confirming the legal identity of the other party address correspondence. Therefore, both parties of the communication can achieve the purpose of non-central instant identity authentication by sending 2 public key exchange data packets and 3 authentication data packets and processing the data packets accordingly; On the premise of security, real-time "one-time-one pad" can be realized with absolute security, and the cost of public key management by the certification center can be saved, the risk of identity forgery in the network data transmission process can be reduced, and the security of the information system can be protected.

本实施例的计算机可读介质包括永久性和非永久性、可移动和非可移动媒体可以由任何方法或技术来实现信息存储。信息可以是计算机可读指令、数据结构、程序的模块或其他数据。计算机的存储介质的例子包括,但不限于相变内存(PRAM)、静态随机存取存储器(SRAM)、动态随机存取存储器(DRAM)、其他类型的随机存取存储器(RAM)、只读存储器(ROM)、电可擦除可编程只读存储器(EEPROM)、快闪记忆体或其他内存技术、只读光盘只读存储器(CD-ROM)、数字多功能光盘(DVD)或其他光学存储、磁盒式磁带,磁带磁磁盘存储或其他磁性存储设备或任何其他非传输介质,可用于存储可以被计算设备访问的信息。The computer readable medium of this embodiment includes both permanent and non-permanent, removable and non-removable media and can be implemented by any method or technology for information storage. Information may be computer readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), Flash Memory or other memory technology, Compact Disc Read Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, Magnetic tape cartridges, magnetic tape magnetic disk storage or other magnetic storage devices or any other non-transmission medium that can be used to store information that can be accessed by a computing device.

所属领域的普通技术人员应当理解:以上任何实施例的讨论仅为示例性的,并非旨在暗示本公开的范围(包括权利要求)被限于这些例子;在本发明的思路下,以上实施例或者不同实施例中的技术特征之间也可以进行组合,步骤可以以任意顺序实现,并存在如上所述的本发明的不同方面的许多其它变化,为了简明它们没有在细节中提供。Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is only exemplary, and is not intended to imply that the scope of the present disclosure (including the claims) is limited to these examples; under the spirit of the present invention, the above embodiments or There may also be combinations between technical features in different embodiments, steps may be carried out in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.

另外,为简化说明和讨论,并且为了不会使本发明难以理解,在所提供的附图中可以示出或可以不示出与集成电路(IC)芯片和其它部件的公知的电源/接地连接。此外,可以以框图的形式示出装置,以便避免使本发明难以理解,并且这也考虑了以下事实,即关于这些框图装置的实施方式的细节是高度取决于将要实施本发明的平台的(即,这些细节应当完全处于本领域技术人员的理解范围内)。在阐述了具体细节(例如,电路)以描述本发明的示例性实施例的情况下,对本领域技术人员来说显而易见的是,可以在没有这些具体细节的情况下或者这些具体细节有变化的情况下实施本发明。因此,这些描述应被认为是说明性的而不是限制性的。Additionally, well known power/ground connections to integrated circuit (IC) chips and other components may or may not be shown in the figures provided in order to simplify illustration and discussion, and in order not to obscure the present invention. . Furthermore, devices may be shown in block diagram form in order to avoid obscuring the present invention, and this also takes into account the fact that the details of the implementation of these block diagram devices are highly dependent on the platform on which the invention will be implemented (i.e. , these details should be fully within the understanding of those skilled in the art). Where specific details (eg, circuits) are set forth to describe exemplary embodiments of the invention, it will be apparent to those skilled in the art that these specific details may be used without or with changes The present invention is carried out below. Accordingly, these descriptions are to be regarded as illustrative rather than restrictive.

尽管已经结合了本发明的具体实施例对本发明进行了描述,但是根据前面的描述,这些实施例的很多替换、修改和变型对本领域普通技术人员来说将是显而易见的。例如,其它存储器架构(例如,动态RAM(DRAM))可以使用所讨论的实施例。Although the present invention has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations to these embodiments will be apparent to those of ordinary skill in the art from the foregoing description. For example, other memory architectures (eg, dynamic RAM (DRAM)) may use the discussed embodiments.

本发明的实施例旨在涵盖落入所附权利要求的宽泛范围之内的所有这样的替换、修改和变型。因此,凡在本发明的精神和原则之内,所做的任何省略、修改、等同替换、改进等,均应包含在本发明的保护范围之内。Embodiments of the present invention are intended to cover all such alternatives, modifications and variations that fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention shall be included within the protection scope of the present invention.

Claims (10)

1. A centerless instant network identity authentication method is characterized by comprising the following steps:
generating a local public-private key pair;
performing public key exchange with the other side based on a secret key K shared with the other side and obtained by a symmetric encryption algorithm;
after receiving a user identifier sent by an opposite party, a hash operation result of data containing an Internet Protocol (IP) address encrypted by a private key of the opposite party and data containing the IP address encrypted by an exchanged public key, decrypting the received hash operation result by using the exchanged public key and decrypting the data containing the IP address by using a local private key;
and performing hash operation on the decrypted data containing the IP address, comparing the operation result with the decrypted hash operation result, and storing the corresponding relation between the user identification of the opposite side and the IP address after the legal identity of the opposite side is confirmed according to the comparison result.
2. The method according to claim 1, wherein the exchanging a public key with the other party based on the secret key K shared with the other party obtained through the symmetric encryption algorithm specifically includes:
an entity A sends a public key exchange request to an opposite entity B, wherein the public key exchange request carries a user identifier of the entity A and a public key CertA encrypted by using a key K;
after receiving the public key distribution information returned by the entity B, the entity A acquires the user identification of the entity B and a public key CertB encrypted by using a secret key K;
and the entity A decrypts the certB by using the key K and correspondingly stores the certB and the user identification of the entity B.
3. The method according to claim 2, wherein after receiving the user identifier sent by the other party, the hash operation result of the data containing the IP address encrypted by the private key of the other party, and the data containing the IP address encrypted by the exchanged public key, decrypting the received hash operation result by using the exchanged public key, and decrypting the data containing the IP address by using the local private key, specifically comprises:
the entity A sends an authentication request to the entity B, wherein the authentication request carries a user identifier of the entity A, a hash operation result of data which is encrypted by a private key SkyA of the entity A and contains an IP address of the entity A, and data which is encrypted by certB and contains the IP address of the entity A;
after receiving the authentication request, the entity B decrypts a hash operation result of the data which is encrypted by the private key SkyA and contains the IP address of the entity A by using the certA, and decrypts the data which is encrypted by the certB and contains the IP address of the entity A by using the private key SkyB; then, returning authentication response information to the entity A;
after receiving the authentication response information returned by the entity B, the entity A acquires the user identification of the entity B, a hash operation result of data containing the IP address of the entity B and encrypted by a private key SkeyB of the entity B, and data containing the IP address of the entity B and encrypted by Certa;
the entity A decrypts the hash operation result of the data containing the IP address of the entity B encrypted by the private key SkeyB by using the certB, and decrypts the data containing the IP address of the entity B encrypted by the certA by using the private key SkeyA.
4. The method according to claim 3, wherein performing a hash operation based on the decrypted data including the IP address, and comparing a result of the hash operation with a result of the decrypted hash operation specifically comprises:
and the entity A performs hash operation on the decrypted data containing the IP address, and compares the operation result with the decrypted hash operation result.
5. The method according to claim 4, wherein after the entity a performs a hash operation based on the decrypted data containing the IP address, and compares a result of the hash operation with a result of the decrypted hash operation, the method further comprises:
if the comparison result is consistent, the entity A returns authentication confirmation information to the entity B, and the authentication confirmation information carries the user identification of the entity A, the hash operation result of the data which is encrypted by SkyA and contains the IP address of the entity A, and the data which is encrypted by CertB and contains the IP address of the entity A;
after receiving the authentication confirmation information, the entity B acquires the user identifier of the entity a, the hash operation result of the data containing the IP address of the entity a encrypted by SkeyA and the data containing the IP address of the entity a encrypted by CertB, decrypts the hash operation result of the data containing the IP address of the entity a encrypted by the private key SkeyA by using CertA, and decrypts the data containing the IP address of the entity a encrypted by CertB by using the private key SkeyB;
and the entity B performs hash operation on the decrypted data containing the IP address, compares the operation result with the decrypted hash operation result, and confirms that both communication parties complete identity authentication after the comparison result is consistent.
6. The method according to any of claims 1 to 5, wherein the symmetric encryption algorithm is in particular the advanced encryption standard, AES, algorithm.
7. A client, comprising:
the key pair generation module is used for generating a local public key-private key pair;
the public key exchange module is used for carrying out public key exchange with the other party on the basis of the secret key K shared with the other party and obtained by the symmetric encryption algorithm;
the identity authentication module is used for decrypting the received hash operation result by using the exchanged public key and decrypting the data containing the IP address by using a local private key after receiving the user identification sent by the opposite party, the hash operation result of the data containing the IP address encrypted by the private key of the opposite party and the data containing the IP address encrypted by the exchanged public key; and then carrying out hash operation based on the decrypted data containing the IP address, comparing the operation result with the decrypted hash operation result, and storing the corresponding relation between the user identification of the opposite side and the IP address after the legal identity of the opposite side is confirmed according to the comparison result.
8. The apparatus of claim 7,
the public key exchange module is specifically used for sending a public key exchange request to the other party, wherein the public key exchange request carries a local user identifier and a local public key CertA encrypted by using a secret key K; and after receiving the public key distribution information returned by the opposite party, acquiring the user identification of the opposite party and the public key CertB of the opposite party encrypted by using the key K, further decrypting the CertB by using the key K, and correspondingly storing the CertB and the user identification of the opposite party.
9. The apparatus of claim 8,
the identity authentication module is specifically used for sending an authentication request to the opposite side, wherein the authentication request carries a local user identifier, a hash operation result of data which is encrypted by a local private key SkyA and contains a local IP address, and data which is encrypted by a certB and contains the local IP address; after receiving authentication response information returned by the opposite party, acquiring a user identifier of the opposite party, a hash operation result of data containing the IP address of the opposite party and encrypted by a private key SkeyB of the opposite party and data containing the IP address of the opposite party and encrypted by Certa from the authentication response information; and then decrypting a hash operation result of the data containing the IP address of the opposite party encrypted by the private key SkyB by using the certB, decrypting the data containing the IP address of the opposite party encrypted by the certA by using the private key SkyA, performing a hash operation based on the decrypted data containing the IP address, comparing the operation result with the decrypted hash operation result, and storing the corresponding relation between the user identification of the opposite party and the IP address after the legal identity of the opposite party is confirmed according to the comparison result.
10. The apparatus of any of claims 7-9, further comprising:
and the shared key generation module is used for generating a key K shared with the other side based on a symmetric encryption algorithm.
CN202010108696.5A 2020-02-21 2020-02-21 A centerless instant network identity authentication method and client Pending CN111431853A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010108696.5A CN111431853A (en) 2020-02-21 2020-02-21 A centerless instant network identity authentication method and client

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010108696.5A CN111431853A (en) 2020-02-21 2020-02-21 A centerless instant network identity authentication method and client

Publications (1)

Publication Number Publication Date
CN111431853A true CN111431853A (en) 2020-07-17

Family

ID=71551551

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010108696.5A Pending CN111431853A (en) 2020-02-21 2020-02-21 A centerless instant network identity authentication method and client

Country Status (1)

Country Link
CN (1) CN111431853A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101272240A (en) * 2007-03-21 2008-09-24 华为技术有限公司 A method, system and communication device for generating a session key
CN102710624A (en) * 2012-05-24 2012-10-03 广东电网公司电力科学研究院 Customizable network identity authentication method based on SM2 algorithm
CN102769606A (en) * 2011-12-27 2012-11-07 中原工学院 A network digital identity authentication method based on gene certificate
CN103354498A (en) * 2013-05-31 2013-10-16 北京鹏宇成软件技术有限公司 Identity-based file encryption transmission method
US9455958B1 (en) * 2013-01-30 2016-09-27 Palo Alto Networks, Inc. Credentials management in large scale virtual private network deployment
CN108600272A (en) * 2018-05-10 2018-09-28 阿里巴巴集团控股有限公司 A kind of block chain data processing method, device, processing equipment and system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101272240A (en) * 2007-03-21 2008-09-24 华为技术有限公司 A method, system and communication device for generating a session key
CN102769606A (en) * 2011-12-27 2012-11-07 中原工学院 A network digital identity authentication method based on gene certificate
CN102710624A (en) * 2012-05-24 2012-10-03 广东电网公司电力科学研究院 Customizable network identity authentication method based on SM2 algorithm
US9455958B1 (en) * 2013-01-30 2016-09-27 Palo Alto Networks, Inc. Credentials management in large scale virtual private network deployment
CN103354498A (en) * 2013-05-31 2013-10-16 北京鹏宇成软件技术有限公司 Identity-based file encryption transmission method
CN108600272A (en) * 2018-05-10 2018-09-28 阿里巴巴集团控股有限公司 A kind of block chain data processing method, device, processing equipment and system

Similar Documents

Publication Publication Date Title
CN107959567B (en) Data storage method, data acquisition method, device and system
US9544135B2 (en) Methods of and systems for facilitating decryption of encrypted electronic information
CN110932851B (en) A key protection method for multi-party cooperative operation based on PKI
US10425234B2 (en) Systems and methods for perfect forward secrecy (PFS) traffic monitoring via a hardware security module
CN104917741B (en) A kind of plain text document public network secure transmission system based on USBKEY
CN108881224A (en) Encryption method and related device for power distribution automation system
CN101800738B (en) System and method for implementing secure access and storage of intranet data by mobile devices
CN101917710A (en) Method, system and related device for mobile internet encryption communication
CN108881960B (en) Intelligent camera safety control and data confidentiality method based on identification password
CN112564906A (en) Block chain-based data security interaction method and system
CN103036872A (en) Method, equipment and system for encryption and decryption of data transmission
CN109525388B (en) Combined encryption method and system with separated keys
CN112383391A (en) Data security protection method based on data attribute authorization, storage medium and terminal
CN113037478A (en) Quantum key distribution system and method
CN116248290A (en) Identity authentication method and device and electronic equipment
CN119475404A (en) E-commerce platform privacy data encryption, decryption, desensitization method and system
CN110572825A (en) A wearable device authentication device and authentication encryption method
CN112671729B (en) Internet of vehicles oriented anonymous key leakage resistant authentication method, system and medium
CN110401531A (en) A Cooperative Signature and Decryption System Based on SM9 Algorithm
CN108881300A (en) A kind of file encryption that supporting mobile phone terminal security cooperation and sharing method and system
CN114969801A (en) Data authorization access method, device and medium based on block chain
CN118199976A (en) A secure communication method and device
CN111431853A (en) A centerless instant network identity authentication method and client
CN107689867B (en) A key protection method and system in an open environment
CN114448600A (en) Key management method and system suitable for zero trust network

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20200717