HK1087269A1 - Method for setting and using mapping password - Google Patents
- Publication number: HK1087269A1
- Authority
- HK
- Hong Kong
- Prior art keywords
- cipher
- information
- password
- mapping
- security
Landscapes
- Storage Device Security (AREA)
Abstract
The invention gives password information a long usage period, which solves the security problem of periodically reused passwords and avoids the various attack methods related to passwords, while not greatly increasing the password length. A digital signature based on the mapping password can provide secure identification and ensure the integrity and non-repudiation of messages. The information security object is the main body of information security and is independent of the communication mode and terminal.
Description
Technical Field
This scheme belongs to the field of information technology security and relates to the information security services of identity authentication, information integrity authentication, and non-repudiation.
Background
The currently used security techniques:
1. Common simple security measures.
Common simple security measures include authentication by identity certificates, seals, or handwritten signatures. These are usually physical authentication methods: they are easy to forge, hard to verify by manual inspection, and inconvenient for information exchange. Authentication by user ID and a simple password is easily compromised and impersonated.
2. Biometric systems (fingerprint, iris, etc. authentication). High-cost equipment and a trusted terminal are needed, and information exchange is not convenient, because the information is easy to copy and replace after being transmitted, so that the information becomes unreliable.
3. Magnetic card, authentication token, smart card.
Magnetic cards are easy to copy and are being eliminated due to their poor safety characteristics, although they are used in large quantities at present. Various authentication tokens and smart cards are relatively difficult to copy, various IC cards are gradually popularized and used, expensive access equipment and a large number of trusted terminals are needed, and the popularization progress is slow.
4. Internet security protocol (IPSec). Internet security protocol (IPSec) is a network-layer information security technology in the Open Systems Interconnection (OSI) model. The OSI model divides the communication hierarchy into seven layers: a physical layer, a data link layer, a network layer, a transport layer, a session layer, a presentation layer, and an application layer. IPSec ensures the confidentiality, integrity, and authenticity of data communications over public IP networks through encryption and authentication at the network layer. The protocol layers above it can use it transparently.
5. Secure Socket Layer (SSL). This is a transport layer based information security technology in the Internet interconnection. Secure Socket Layer (SSL) ensures the confidentiality, integrity and authenticity of data communications by establishing a secure channel between two communicating parties. Secure Socket Layer (SSL) is now widely used on the internet.
6. Application layer based information security techniques.
(1) Public Key Infrastructure (PKI) based digital signatures.
A message digest is calculated for the message, and the digest is then encrypted with the private key of a public key cryptosystem to obtain the digital signature. To verify the signature, the public key is used to decrypt it, and the result is compared with the message digest calculated from the message; if the two are the same, the verification succeeds. Only someone who holds the private key can compute the digital signature, and the uniqueness of the signature provides authentication, data integrity, and non-repudiation. Digital signature applications typically rely on a Public Key Infrastructure (PKI) and a Time Stamp Service (TSS). Public Key Infrastructure (PKI) is the service and process of managing user certificates for public key cryptosystems. The digital signature is the current de facto security standard and is an encryption method that is difficult to crack with current calculation methods, speed, and time. As hardware and software develop, hardware speed keeps increasing and distributed computing is widely applied, so the digital signature standard needs to be revised every several years. In theory, the digital signature can be cracked from three directions:
(a) Password attack. The large primes used by the RSA algorithm usually lie in a certain range, and the corresponding password can be found only by exhaustively traversing the primes in that range. This approach is currently not practical.
(b) Digital signature attack. A message digest is calculated for a given message. Because the length of the signature is fixed, the exhaustion method can be applied to all digital signatures of that specific length, computing the message digest for each until a "digital signature" that meets the verification requirement is obtained.
(c) Digital signature replay attack. The attacker collects a used digital signature and decrypts it to obtain the message digest code. In the message to be signed, the attacker reserves a freely changeable piece of information that is longer than the signature length, such as a product serial number or another number, then keeps changing this variable information and computes the message digest of the message by the exhaustion method. Because a message digest algorithm is pseudorandom, as long as the variable information is long enough, a message whose digest equals the decrypted message digest code can always be found, and the digital signature is thereby replayed. One might think that computing the message digest for a large number of files and finding the same digest is a difficult matter, but if the product number is appended to the end of the file, the task becomes computing the message digest for many small pieces of information, and the problem is much simplified!
Furthermore, algorithmic attack methods may also exist. Most current public key cryptosystems adopt the RSA algorithm, whose security is based on the difficulty of factoring large numbers, but a method to easily factor the product of two large primes may one day be found.
(2) Secure/Multipurpose Internet Mail Extensions (S/MIME).
This is a specification for securing e-mail. It describes a protocol that adds cryptographic security services through MIME encapsulation of digitally signed and encrypted objects. The protocol is based on digital signatures, so its security is substantially the same as that of digital signatures.
(3) Secure Electronic Transaction (SET).
Secure electronic transactions are protocols that provide a secure framework for shopping and payment in open network Internet e-commerce transactions. It is based on digital signature technology and introduces and uses dual signatures. Because of the use of double signatures, the security is higher than that of single digital signatures (particularly difficult to implement replay attacks), but the use is more complicated and is not widely used at present.
7. A combined authentication method.
The combined authentication method is to combine a plurality of security methods together for use, such as password authentication while using a digital certificate.
8. A one-time digital signature technology and a step-by-step binding processing technology.
The one-time digital signature technology uses, as the message digest, a message authentication checksum computed with a hash function and a one-time password of sufficient length or a one-time numbered password group. For a message digest of a given length, the password space in use contains enough collisions that the collision space is close to or larger than the message digest space, so an attacker cannot reduce the security of the password by attacking the message digest code through the exhaustion method.
The step binding processing technology is that an information task can be divided into a plurality of steps, each step is completed according to an appointed sequence, and each step is associated with different passwords.
The one-time digital signature technology uses a one-time password, which is theoretically secure, similar to a one-time password system, but the password amount is too large to manage. The concept of client and service security is discussed for the first time.
Techniques close to or related to this approach:
1. a one time pad system.
The one-time pad system transforms a plaintext sequence into a ciphertext sequence of the same length by using a key sequence of the same length. It usually applies the Caesar substitution method, and binary data is encrypted with the ordinary exclusive-or operation; knowing the ciphertext sequence and the corresponding key sequence, the plaintext sequence of the same length can be restored. The one-time pad system is theoretically unbreakable, and its plaintext, key, and ciphertext sequences are equal in length. Because the algorithm is public, knowing any two of the three sequences (plaintext, key, ciphertext) allows the third to be derived.
2. Block ciphers and stream ciphers (sequence ciphers).
Block cipher is to encrypt a data block with a cipher. The cipher is used periodically for each block. Stream ciphers use a cipher to generate a pseudorandom keystream (usually mixed with encrypted data) that is then used to encrypt the data stream.
3. Message digest.
A message digest is an algorithm that combines inputs of arbitrary length to produce a pseudorandom output of fixed length, also called a hash.
4. Message Authentication Checksums (HMACs) based on one-way hash functions (hash functions).
Both parties use the same key, put the message and the key together, calculate the digest with a hash function, check the digest to verify the integrity of the message.
Reference documents:
1. Code engineering practice guideline
Authors: (US) Steve Burnett & Stephen Paine
Translation: von Teng-Shafeng Li-pan-equi translation of Yongbin all over the world
Publisher: Tsinghua University Press
2. Application cryptography: protocol, algorithm and C source program
Author: (US) Bruce Schneier
Translation: wu Shi Zhong Zhu Shi Xiong culture equal translation
Publisher: Mechanical Industry Press
3. Cryptography and computer network security
Author: cynanchum paniculatum Han
Publisher: Tsinghua University Press, Guangxi Science and Technology Press
4. "Information security authentication and encryption method thereof" (patent application No. 03134683.9)
Author: Liuren
Disclosure of Invention
The technical problem to be solved is as follows:
The technical problem to be solved by this scheme is mainly the security service of information in an open environment, comprising secure identity authentication and secure information exchange and ensuring the integrity and non-repudiation of information; the technology can also be applied in a closed environment. An open environment is one in which the places where information is temporarily stored or through which it passes during communication are not concealed, so the information is easily obtained, copied, or changed by outsiders. The Internet, telephone lines, telecommunications, and public terminals all belong to the open environment. A closed environment, by contrast, is one in which information is not readily exposed, copied, or altered.
Currently, the field of information security generally uses authentication or encryption methods based on passwords or certificates. For convenience, these are used repeatedly and periodically, so the secrets and their results are exposed to various attacks such as theft, password attacks, and replay attacks. On the other hand, many encryption algorithms adopt high-strength encryption, so many encryption operations must be performed on the client terminal; but because interconnected systems are open, many client terminals cannot be effectively protected and are easily compromised and become untrustworthy. How to make the client terminal and the communication convenient, secure, and reliable has become an important issue in open-system security. The security technologies most used on the Internet are Internet security protocol (IPSec), Secure Socket Layer (SSL), and digital signatures based on Public Key Infrastructure (PKI). The last is an application-layer security technology; it sits higher in the OSI model and is more secure than the former two, and most other application-layer security methods are protocols built on PKI-based digital signatures. However, any digital signature or protocol that a third party can verify offline, in non-real time, is not very secure: offline verification means an attacker can attempt verification indefinitely, so in theory the attacker can always find a result that meets the requirements by the exhaustion method.
The one-time digital signature technology is based on client and service security technology and is an online-authentication digital signature technology. It basically overcomes the problems and defects above, but because it uses one-time passwords the amount of password material is too large, which is very inconvenient and requires frequent replacement. The one-time password used in the one-time digital signature technology has an infinite usage period and is very secure, but the password amount is too large and inconvenient to use. Can a compromise be made that increases the usage period of the password to a safe level without an excessive amount of password material? For protocols that reside at the application layer, can the security problems caused by untrusted client terminals be solved by raising the security layer?
Technical scheme
A mapping cryptographic method.
Definition of the mapping:
Let $X$, $Y$ be two non-empty sets. If there is a rule such that for each element in $X$ there is a uniquely determined element in $Y$ corresponding to it by that rule, then the rule is called a mapping from $X$ to $Y$, written
$$f: X \to Y$$
Mapping is the process where one variable corresponds to another variable by some rule, the starting variable being an independent variable and the corresponding variable being a dependent variable.
The mapping password is divided into two parts, one part is used as a corresponding rule change relation of the mapping and can be called as a strain password and is marked as a set B, and the other part is used as a password source and is marked as a set Y.
A new information set is obtained by applying a certain model or a certain corresponding rule to some of the elements of the password source, and is denoted as the set $M$. In mapping notation this is recorded as
$$f_{my}: M \to Y$$
Note that the above mapping relationship is a mapping of the new model set M to the cipher source Y, and according to the definition of the mapping, that is, for each determined new model set M element, a uniquely determined element can be found from the cipher source Y according to a certain rule and corresponds to the uniquely determined element. That is, the correspondence of the elements of the new set M to the cryptographic source elements may be a multi-law, many-to-one correspondence. The new set M is a new set formed by various transformations of the cipher source set through various rules. For example, the new set M may be a new set formed by a model constructed based on a cryptographic source set, or a set of new elements generated by various rules such as a one-way hash function for each element of the cryptographic source. The relationship can be expressed in another form as follows
$$M = \sum M_i, \qquad f_{mi}: Y \to M_i$$
For any independent variable, the independent variable is corresponding to a certain logic position in the model of the new set M by combining the corresponding rule of the strain cipher, so as to correspond to a certain determined element in the set M, and then the independent variable and the certain determined element are combined into the new cipher together by a certain rule (usually a one-way rule, such as a one-way hash function). Assuming that the set of arguments is X and the set of new passwords is N, the mapping may be recorded as follows:
$$f_L: X \to M, \qquad f_B: (X, M) \to N$$
which combine to form a composite map:
$$f_B: (X, f_L(X)) \to N$$
Through these two mapping processes, given the strain password and password source of the mapping password and given the corresponding rules, for any argument a uniquely determined new password can be found that corresponds to the strain password and the password source. This is the mapping password method.
The above discussion is somewhat complicated. Why not generate the new password simply by combining the argument and the password through a one-way hash function or the like? Because of the one-way nature of the hash function, the original password would also be difficult to compute. However, with that simplification the argument, the original password, and the new password stand in a direct rule-based relationship: on the one hand, the password is used periodically and as a whole, and on the other hand, the new password is easily exposed after use, which makes the direct relationship to the original password easier to guess. In fact, that situation is what results from simplifying the corresponding rule of the mapping password method.
The mapping password relationship is that the independent variable points to or corresponds to the relevant elements formed by the corresponding password source model through a certain rule or algorithm related to the strain password to form new password information. The corresponding relation is not directly generated into a new password through an algorithm, but is only corresponding to a password source according to a certain preset relevant element of a model and combined through a certain rule to form the new password.
The cipher source is a logic ordered set of cipher information elements with pseudo-randomness, and the elements can be recombined to form new information through a set model. The cryptographic source does not directly have any algorithmic relationship to the secret information to be encrypted or the encrypted cleartext. Only the new cipher formed by recombination directly participates in the encryption operation. For the set model, there may be various models, such as rearranging the password source elements into an ordered arrangement of a certain length according to numbers, or arranging the password source elements into a cube according to a physical model.
The strain code is information associated with a corresponding rule or algorithm, new code information cannot be directly obtained from the strain code, and the strain code is one of the elements of the changed corresponding relationship. The strain cipher may be further divided into multiple parts according to the multi-layer correspondence, for example, the strain cipher part is used as a new mapping cipher relation, so that multiple correspondences may be formed.
In practical applications, the strain code and the code source may have some or all of the same parts, i.e. some or all of the intersection, in order to save storage. The source of the strain cipher is divided into the number of uses.
The arguments of the map cipher relationship may be various variables, random variables, or ordered variables.
Take a simple example of a mapping password. The password is 1024 bits long, of which the strain password is 256 bits and the password source is 768 bits. If a 128-bit new password is generated using an ordered permutation model that rearranges elements by number, there will be $P_{768}^{128}$ different permutations; if the algorithm is good and random, the usage period of the password should be close to $P_{768}^{128}$, or larger. The argument is a serial number starting from 1. Its corresponding algorithm can use a one-way function which, combined with the strain password, forms a pseudo-random correspondence to the corresponding serial number. If the number of uses is less than $P_{768}^{128}$, the security effect is similar to that of a one-time pad (since any algorithm can be broken, it is not secure to use only a one-way function without a strain password; the longer the strain password, the more possibilities there are and the more complex the correspondence), and the amount of data that can be encrypted is $P_{768}^{128} \times 128$ bits! In practice, however, because each bit is only 1 or 0, many permutations must be identical. With a conservative mapping method in which each byte is one mapping element of the password, 1024 bits are 128 bytes, the 256-bit strain password is 32 bytes, the 768-bit password source is 96 bytes, and the 128-bit new password is 16 bytes. Using the ordered permutation model that rearranges by number, there are $P_{96}^{16}$ different arrangements, and the amount of data that can be encrypted is $P_{96}^{16} \times 16$ bytes! If the usage period is large enough, then as long as the arguments are different and are not reused, security is not much affected even after many uses.
If a one-time pad system is used, the 1024-bit password can only encrypt 1024-bit data, and after the information is disclosed, the password can be cracked through the relationship between the ciphertext and the plaintext. However, if the cipher mapping method is used and then encryption is carried out, and the same encryption algorithm is used, even if a ciphertext and a plaintext are known, only the mapped cipher can be obtained, the mapped cipher is a new cipher established on the basis of a one-way function and a strain cipher, only the related relation of partial information of the original cipher is included, or the related information of partial elements, and the original cipher information cannot be completely decrypted.
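The byte-level example above (32-byte strain password, 96-byte password source, 16-byte new password, serial-number argument) can be sketched as follows. This is an added illustration, not code from the patent: the patent names only "a one-way function", so the use of HMAC-SHA256 for the correspondence rule, a partial Fisher-Yates shuffle for the ordered permutation model, SHA-256 for the final combination, and all function names are assumptions.

```python
import hashlib
import hmac
import math

STRAIN_LEN = 32   # 256-bit strain password (set B)
SOURCE_LEN = 96   # 768-bit password source (set Y), one mapping element per byte
SELECT_LEN = 16   # 128-bit new password built from 16 ordered source elements

# Constructed sample mapping password (128 bytes); a real one would be random.
SAMPLE_PASSWORD = bytes(range(128))


def split_password(mapping_password: bytes) -> tuple[bytes, bytes]:
    """Split the mapping password into strain password B and password source Y."""
    if len(mapping_password) != STRAIN_LEN + SOURCE_LEN:
        raise ValueError("mapping password must be 128 bytes")
    return mapping_password[:STRAIN_LEN], mapping_password[STRAIN_LEN:]


def _index_stream(strain: bytes, argument: int):
    """Yield 32-bit integers from HMAC-SHA256(strain, argument || counter).

    Assumption: HMAC stands in for the patent's unspecified one-way rule
    that is combined with the strain password.
    """
    counter = 0
    while True:
        msg = argument.to_bytes(8, "big") + counter.to_bytes(4, "big")
        block = hmac.new(strain, msg, hashlib.sha256).digest()
        for i in range(0, len(block), 4):
            yield int.from_bytes(block[i:i + 4], "big")
        counter += 1


def _uniform_below(stream, bound: int) -> int:
    """Rejection-sample an unbiased integer in [0, bound) from the stream."""
    limit = (1 << 32) - ((1 << 32) % bound)
    for value in stream:
        if value < limit:
            return value % bound


def f_L(strain: bytes, argument: int) -> list[int]:
    """f_L: X -> M. Map an argument to one ordered arrangement of 16 distinct
    source positions (an element of the ordered permutation model M)."""
    stream = _index_stream(strain, argument)
    positions = list(range(SOURCE_LEN))
    for i in range(SELECT_LEN):          # partial Fisher-Yates shuffle
        j = i + _uniform_below(stream, SOURCE_LEN - i)
        positions[i], positions[j] = positions[j], positions[i]
    return positions[:SELECT_LEN]


def f_B(argument: int, element: bytes) -> bytes:
    """f_B: (X, M) -> N. Combine the argument and the selected element of M
    with a one-way hash to form the new password."""
    digest = hashlib.sha256(argument.to_bytes(8, "big") + element).digest()
    return digest[:SELECT_LEN]


def new_password(mapping_password: bytes, argument: int) -> bytes:
    """Composite map f_B(x, f_L(x)): derive the new password for one argument."""
    strain, source = split_password(mapping_password)
    element = bytes(source[p] for p in f_L(strain, argument))
    return f_B(argument, element)


def arrangement_count() -> int:
    """Number of ordered arrangements of 16 out of 96 elements, P(96, 16)."""
    return math.perm(SOURCE_LEN, SELECT_LEN)
```

The source bytes never enter the encryption step directly; only the 16-byte output of `new_password` would, and reusing an argument reproduces the same output, which is why the text requires arguments not to be reused.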
The characteristics of the mapping password are as follows:
1. The password length is generally long. The cipher length may typically be more than 1024 bits or even 1M or more.
2. When the password information is used, an argument is used to generate a new password and then encryption is performed.
3. The original password information does not directly participate in encryption operation, and only the new password formed by mapping directly participates in encryption operation. This makes the original password information less susceptible to leakage.
4. A new password, which is usually formed not entirely but only partially from the original password information, forms a certain relationship with the secret information to be encrypted or the encrypted plain code by means of a certain algorithm or rule. Thus, the password information used at each time is basically different, and the password information cannot be estimated by using a common estimation method.
5. Passwords usually have partial information (strain passwords) related to the logical position of the logical model formed by the partial passwords (password sources), which makes it extremely difficult to estimate password information by analyzing the encryption result.
6. For different arguments, it usually corresponds to different new passwords, so that the usage period of the passwords becomes longer. Within a certain range of use times, the available new passwords are very likely to be different (or have different sources), and the use effect can be close to that of the one-time password.
7. The cipher information elements are multiplexed after being combined and changed for a plurality of times.
Mapping cryptography differs from conventional cryptography by:
1. The traditional password technology requires short password length and is easy to use. The cipher information of the map cipher is usually relatively long, and is generally more than 1024 bits.
2. The traditional password technology generally uses the password directly, but the mapping password technology needs to use the independent variable mapping to obtain a new password for use.
3. Conventional passwords are commonly reused periodically each time. Only the one-time pad system uses one-time pad codes, the period is infinite, but the one-time pad system cannot be widely used. The password information of the mapping password technology has long service cycle and is not reused basically in the cycle range.
4. In the traditional cryptographic technology, the cleartext is obtained by encrypting information by using a password through a certain algorithm, that is, all and secret integral information of the information to be encrypted and the encrypted cleartext form a certain relation through a certain algorithm or rule, and the three are integrally associated. However, in the mapping cipher technology, the information to be encrypted and the encrypted plain code only form an association relationship with the part of the cipher information through a rule.
The mapping cipher is different from the stream cipher (sequence cipher):
1. The usage is different: a stream cipher uses a cipher to generate a pseudorandom keystream (usually mixed with encrypted data) and then encrypts the data stream with it, so as long as the cipher and the encrypted information are determined, the keystream is also determined, and the whole encrypted information and process can be determined. The mapping cipher, however, needs to be given an argument to generate a new cipher, which is then used to encrypt. The keystream may also be derived from an ordered permutation of the new ciphers derived from a plurality of arguments. Stream ciphers can also be considered a special case of map ciphers if the encrypted data is taken as argument: the password model is a whole password, the use period is 1, and no or no password is changed.
2. The cipher usage period of the stream cipher is 1, and the cipher usage period of the mapping cipher is usually relatively large.
3. The stream cipher uses all cipher information to participate in encryption rule operation each time, and the mapping cipher uses different cipher information to participate in encryption rule operation each time.
The mapping password has the following characteristics:
1. The password information is divided into two parts according to the purposes: one part is used as a mapping corresponding rule change relation and can be called a strain password and is marked as a set B, and the other part is used as a password source and is marked as a set Y.
2. The cryptographic source obtains a new set of information by applying a certain model or a certain corresponding rule, and the new set is marked as a set M.
In mapping notation this is recorded as
$$f_{my}: M \to Y$$
3. For any argument, by combining with a corresponding rule of a strain cipher, the argument corresponds to a certain logical position in a model of a new set M, and thus corresponds to a certain determined element in the set M, and then combines together with the argument (usually a one-way rule, such as a one-way hash function) into a new cipher, where the set of arguments is X, the set of new ciphers is N, and the mapping may be recorded as follows:
$$f_L: X \to M, \qquad f_B: (X, M) \to N$$
which combine to form a composite map:
$$f_B: (X, f_L(X)) \to N$$
4. For any independent variable, a uniquely determined new password can be found to correspond to the strain password and the password source given the mapping password and the given corresponding rule.
5. Mapping independent variables, combining with a corresponding rule of a strain cipher, corresponding to a logic model formed by a cipher source, and forming a new cipher by a certain method. It needs to be used in combination with the independent variable.
6. Each time information is encrypted, only a part of the password information is indirectly associated. The cryptographic information used for each encryption is almost different.
7. The period of use of the entire password information is long.
Mapping cipher suite
First, the concept of a number cipher set will be explained.
The cipher group is composed of one or more than two ordered ciphers, one cipher group can complete one information task, and each cipher can complete different functions.
Number cipher group: each cipher suite is assigned a number by which it may be stored, used and indexed.
One-time numbering cipher suite: the ciphers in the number cipher group are randomly generated by different random seeds, are random numbers (in practice, repeatability is realized, and strictly speaking, the random numbers are supposed to be pseudo-random numbers), and have randomness; each password of the password group can only be used for using the valid authentication information once, and each password can be registered for use times and can be invalidated according to the fault-tolerant times. The term "valid authentication information once" means that after one or a group of information is authenticated with one password, the password cannot be used to authenticate other information, but the authenticated information can be subjected to repeated calculation authentication.
In the mapping password, the new password information obtained by mapping the independent variable is a uniquely determined password group, namely the mapping password group, and the password group contains a plurality of ordered passwords. If the argument is taken as the number of the cipher suite, the numbered cipher suite is obtained from the mapped cipher suite.
Similarities and differences between the mapping cipher suite and the one-time numbering cipher suite:
1. The mapping cipher group and the one-time numbering cipher group are both composed of cipher groups, each group having one or more ordered ciphers.
2. The mapping cipher group and the one-time numbering cipher group are both generated by random information and have pseudo-randomness.
3. Mapping cipher groups are associated with arguments and one-time numbering cipher groups are associated with numbers; each can be looked up by its associated quantity, and if the arguments are treated as numbers, both are associated with numbers.
4. The one-time numbering cipher group does not change after it is randomly generated and is a relatively static cipher; the mapping cipher group is usually generated only when used and is a relatively dynamic cipher. Its original cipher information is also static, but the cipher differs on each use, so its use is dynamic.
5. The cipher information of the one-time numbering cipher group can validly authenticate information only once, while the cipher information of the mapping cipher group can validly authenticate information many times, although the same argument is usually used to validly authenticate information only once.
6. The usage period of the one-time numbering cipher group is infinite, and the usage period of the mapping cipher group is usually very long.
7. The one-time numbering cipher group can be regarded as a special case of mapping cipher groups, and the mapping rule is only a simple corresponding relation.
The digital signature method based on the mapping cipher group:
Characteristics of a signature:
1. The signature is authentic.
2. The signature is non-forgeable.
3. The signature is not reusable.
4. The signed file is immutable.
5. The signature is non-repudiable.
Both manual signatures and digital signatures should conform to the above characteristics.
The one-time digital signature technology computes a message digest, that is, a message authentication checksum, with a one-way hash function based on a one-time password of sufficient length or on a one-time numbering cipher group. For a message digest of a specific length, a password space of sufficient password length contains enough collisions that the collision space is close to or larger than the message digest space, so an exhaustive attack that starts from the message digest code cannot reduce the security of the password.
The one-time digital signature technology is mainly characterized in that:
1. The message digest is computed using a one-way hash function and is therefore one-directional. The message digest can only be calculated from the message using the password; it is impossible to calculate the password information from the message digest.
2. It has the pseudo-randomness and collision resistance of the one-way hash function. The message digest computed by a one-way hash function is pseudo-random because a good one-way hash function thoroughly confuses and diffuses the message: each small change in the message or cipher causes a large change in the message digest, giving a completely different result, and all the changed results are pseudo-random. A small change to the message does not easily result in the same message digest, which is collision resistance.
3. Within the cipher space used, there are enough collisions. Because the password is much longer than the message digest, by the pigeonhole principle many collisions must exist: many different passwords generate the same message digest, so passwords and message digests are in a many-to-one relationship. The specific password used therefore cannot be determined from the message digest and the algorithm. The collision space can be enlarged simply by increasing the password length, and when the collision space is close to or larger than the message digest space, the security of the password cannot be reduced.
4. One time pad characteristics. The one-time password is a password that can be used only once to authenticate information effectively. The one-time password use period is infinite, so that the analysis of the encryption process or the encryption result by using a historical analysis method or tool is useless for guessing the password information.
The one-time digital signature technology is a digital signature technology based on a client and service technology model.
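The many-to-one relationship in characteristic 3, and the reason characteristic 4 limits each password to one valid use, can be checked at toy scale. The following is an added example, not part of the patent text; the 18-bit password, the 8-bit digest, the use of SHA-1 and all names are assumptions chosen so the whole password space can be enumerated.

```python
import hashlib

KEY_BITS = 18   # toy password length; the description calls for far longer passwords
# The toy message digest is the first byte (8 bits) of SHA-1 over password and message.


def digest(key, message):
    """One-way hash of password and message, truncated to a short digest."""
    return hashlib.sha1(key.to_bytes(4, "big") + message).digest()[0]


def consistent_keys(candidates, message, observed):
    """Passwords among `candidates` that reproduce the observed digest."""
    return [k for k in candidates if digest(k, message) == observed]


def shrinkage(secret_key, messages):
    """Size of the set of indistinguishable passwords after each observed
    (message, digest) pair produced with the SAME password."""
    candidates = range(2 ** KEY_BITS)
    sizes = []
    for m in messages:
        candidates = consistent_keys(candidates, m, digest(secret_key, m))
        sizes.append(len(candidates))
    return sizes, secret_key in candidates


# Constructed sample messages.
MESSAGES = [b"PAY 100 TO 0002", b"PAY 250 TO 0007", b"PAY 75 TO 0031"]

if __name__ == "__main__":
    sizes, still_present = shrinkage(123456, MESSAGES)
    print("candidates after 1, 2, 3 digests:", sizes, "true password kept:", still_present)
```

After one digest roughly 2^(18-8) = 1024 passwords remain indistinguishable; every further digest made with the same password divides that set by about 256, which is what single use of each password prevents.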
If the one-time password or the one-time number password group used in the one-time digital signature is transformed into a mapped password group generating a sufficient password length, a digital signature based on the mapped password group can be obtained. The mapped cipher set digital signature is expressed as follows:
A mapping cipher group of sufficient cipher length is generated from an independent variable, and a message digest is computed over the message with it according to the one-way hash function rule; the result is the mapping cipher group digital signature. The signature is associated with the independent variable, and each independent variable is validly used only once. "Sufficient length" means that, for a message digest of a particular length, a cipher space of sufficient cipher length contains enough collisions that the collision space is close to or greater than the message digest space, so an exhaustive attack that starts from the message digest code cannot reduce the security of the cipher.
The digital signature of the mapping cipher group has the following characteristics:
1. a message digest is computed for the message using a one-way hash function and using the cipher that maps the cipher suite.
2. Because the mapping cipher group uses the independent variable, the digital signature is associated with the independent variable, and the independent variable is only used once, namely, after one or a group of information is authenticated by the mapping cipher group generated by the independent variable, other information can not be authenticated by the mapping cipher group generated by the independent variable.
3. The cipher that maps the cipher suite is of sufficient length, i.e., the cipher space is large enough that for a message digest of a particular length, there are enough collisions that the collision space is close to or greater than the message digest space, and it is not possible to reduce the security of the cipher from the message digest code by exhaustive attack.
4. The digital signature uses a mapping cipher group, so the cipher information has a long usage period.
5. The algorithm may be public. Disclosing the algorithm does not affect the security of the mapping cipher group digital signature.
6. Data integrity authentication. The client and the server share the cipher information of the mapping cipher group in advance and store it encrypted, and the server acts as the trusted mechanism. The message producer calculates the mapping cipher group digital signature for the message and sends the message, the independent variable and the digital signature together. After receiving them, the authenticator calculates the digital signature in the same way and compares it with the transmitted one; if they are consistent, the message is verified as complete and unchanged, because a third party that does not hold the shared cipher information can hardly obtain a digital signature that meets the requirements. Information carrying a mapping cipher group digital signature can be neither changed nor forged.
7. The digital signature is not reusable. Since the mapped cipher set digital signature is associated with the argument, which is effectively used only once, a single mapped cipher set digital signature can also be effectively authenticated only once for a message, and cannot be used for other authentications. But different digital signatures may be generated with different arguments for the same message.
8. Third-party authentication. If both parties to an information exchange are clients, trusted information authentication cannot be carried out directly between them, but it can be carried out through the service party after the exchange. For example, party A sends a message to party B, but party B cannot be certain that the message was sent by party A, nor whether the message is complete. Party A must digitally sign the message and send the message together with the digital signature. After receiving them, party B can send an authentication request for the message to the server; the server authenticates the message sent by party A, signs the message using the cipher group it shares with party B and returns the signed message to party B, and party B then verifies that digital signature to determine the reliability of the message. A short message can be stored at the service party; for a long message, a message digest code can be generated and the digital signature computed over the digest code, so that authentication of a long message becomes authentication of a short one. For example, party A may send a file to party B: party A generates a message digest code for the file, digitally signs the message digest, and sends them together. Party B also generates the message digest code for the file, compares the message digests, and has the server authenticate the digital signature, which proves the integrity of the file and that it was issued by party A.
9. Non-repudiation. The service party is a trustworthy subject whose trustworthiness rests on its reputation and is ensured through a series of measures and systems. The digital signature of any client must be verified by the service party, and once a digital signature is verified as correct, it is established that the client issued it.
10. It differs from the traditional Public Key Infrastructure (PKI) based digital signature. A message digest is used in the authentication process, and a trusted mechanism is required to realize identity authentication, message integrity authentication and non-repudiation. The authentication method and process differ: a PKI-based digital signature can be verified by anyone who obtains the public key, which is offline authentication that does not go through a third party; a mapping cipher group digital signature can be authenticated only by the trusted service party, which is online authentication. The password information also differs: a PKI digital signature uses a private key and a public key, the same password information is used every time, and the use period is 1; the use period of the mapping cipher group digital signature is generally long, and different cipher information is used each time.
11. It differs from the one-time digital signature. Both digital signatures are based on the client and service technical model, both are associated with a variable, and their design and use principles are basically the same. The difference lies mainly in the password mode: the one-time digital signature uses a one-time password, whose period is infinite and which requires more password information; the mapping cipher group digital signature uses a mapping cipher group, whose usage period is generally long, but whose cipher information can be reused through mixing. In fact, the one-time numbering cipher group can be regarded as a special case of the mapping cipher group, and the one-time digital signature as a special case of the mapping cipher group digital signature.
Information security technology based on client security and service security:
Many of the current security models are classified according to the Open Systems Interconnection (OSI) model; for example, Internet security protocol (IPSec) is an information security technology for network layer security, Secure Socket Layer (SSL) is an information security technology based on the transport layer in Internet interconnection, and the digital signature based on Public Key Infrastructure (PKI) is an information security technology for application layer security. These protocols secure the communication process of OSI, but the problem is that the scope of security now extends beyond the OSI model and beyond the communication process: for example, when the various terminals are not reliable, confidentiality of the communication process is useless. In this case it is neither scientific nor possible to standardize the security model using the OSI model, and the security scope must be extended further. Information security technologies based on information security objects are security technologies that reside at a higher level.
Technical model of clients and services: the two parties that directly exchange security information are divided into a client side and a service side. The client side is the party that actively initiates the information exchange request, typically the party that needs the service. The service side is the party that passively responds to requests, generally the party that provides information services, and the service side is a trusted subject. Trusted information exchange between individual clients can be carried out through the service side; it cannot be carried out directly between clients, although general information exchange can, and the reliability of the information can then be verified through the service side. An information task or information event consists of multiple information exchanges, and event information cannot repeat, that is, the same information event does not contain completely identical information.
Concept and characteristics of information security objects: an information security object is a subject that stores and processes security information. Once the security object is formed, security information it sends must carry the object's security mark, and security information it receives and processes must carry the other party's security mark, so that sent or received security information cannot be forged or changed; the security information must also carry an event mark. Its characteristics are:
1. The security object stores its own security information and keeps it secret; the secret information is not transmitted directly to the outside.
2. Security information sent or received by the security object must carry the object security mark, so that the security information cannot be forged or changed: after the information is forged or changed, its security mark no longer meets the standard, and apart from the trusted mechanism, only the object itself can correctly generate its own information security mark.
3. Security information with a security mark that is sent or received by the security object must include an event mark, which can be implemented in the security information or in the security mark. Security information can be copied but not reused, i.e. the security information of one event cannot be reused by another event. This makes it impossible to replay security information across different events. Within the same event, replay is likewise impossible, because no identical security information exists.
At first glance, the above features are rather similar to the features of a general digital signature, but there are essential differences: the general digital signature only focuses on the security of the signed digital information, and the information security object abstracts the whole receiving, processing and transmitting security information as a whole, and as a security object, the information security object integrates various security elements, such as password information, an encryption method, an encryption process and the like, all the security elements form a main body which can be used as a black box, and can be put in a secure place for storage, so that the information security object can provide the security information. The security object has the advantages of simplicity, abstraction and centralization of security elements, so that security characteristics can be separated from other various complex systems. For example, due to the application of open system interconnection, a general terminal becomes an untrusted subject, and all security elements can be extracted from the terminal to form a security object. The security object is independent of the communication and terminal used, and various communications and terminals can be used safely as long as the security of the information security object is ensured, even if the communications or terminals are not secure and trusted. Applying the information security object concept to digital signatures based on Public Key Infrastructure (PKI), which are currently widely used, can also enhance security very effectively.
The security token may be implemented by means of a digital signature.
Concept and features of customer security: the client security is a security object and is a main body for sending, receiving and processing security information, after the client security is formed, a client security mark must be added to the security information sent by the client, and the security information received and processed by the client must be provided with a server security mark. However, in practical applications, much information to be exchanged is not marked with security, so that the use of the information should be reduced as much as possible, and the information needs to be determined to be safe through manual judgment before being used. There are many ways to manually judge security inspection, such as full inspection, element inspection, partial spot inspection, mixed inspection, etc., which can be determined according to the security requirements.
Concept of service security: the service security is a main body for the server to send, receive, process and store the security information, the security information sent by the server must be added with a service security mark, the security information received and processed by the server must be provided with a client security mark, and the server does not process the information without the attached security mark. Its characteristics are similar to customer security.
Client security and service security are both security objects; they differ as follows:
1. Client security can process secure information and can also process non-secure information, but non-secure information is converted into secure information only after it has been manually checked and judged. Service security does not handle information without an attached security mark.
2. The client may encounter and process non-secure information, so its processing cannot be fully automated; service security processes only secure information carrying a security mark, so its processing can be automated.
3. Since the service party is the trusted subject, client security depends on service security: without service security there is no client security. Service security is a trusted subject whose security is based on its reputation.
The security object is an independent body of security information and does not depend on any communication mode and external environment, but if the security object is invaded or destroyed, the security information can be leaked.
The digital signature security object based on the mapping cipher group and the information exchange process thereof are as follows:
If security elements such as the client mark, the password information, the generation method of the cipher group, and the digital signature rule and process of the mapping cipher group are integrated to form an object, and the object's external information exchange conforms to the characteristics and requirements of a security object, the result is the client security object based on the mapping cipher group digital signature.
The client security object based on the digital signature of the mapping cipher group has the following basic characteristics:
1. A customer identification, i.e., customer number information.
2. Mapping cipher information.
3. A password information updating method.
4. A method of mapping cipher groups.
5. A method for computing the mapping cipher group digital signature of a message.
6. A method for verifying the mapping cipher group digital signature of a message.
7. A method for secure acknowledgement of non-secure messages.
8. A message transfer or exchange method.
The service security object based on the mapping cipher group digital signature has the following basic characteristics:
1. Each customer identification, i.e., customer number information.
2. The mapping cipher information of each client and the information on which password arguments each client has used.
3. A customer password information updating method.
4. A method of mapping cipher groups.
5. A method for computing the mapping cipher group digital signature of a message.
6. A method for verifying the mapping cipher group digital signature of a message.
7. A message transfer or exchange method.
8. A method for storing client security information.
9. Other security service attributes (professional service content of the service provider).
10. Other security service methods.
A device built from the above object characteristics is a security object device for the mapping cipher group digital signature. The device is characterized in that:
1. The device stores the information of the object, including an object number and password information.
2. It provides a method for mapping cipher groups.
3. It provides a method for computing the mapping cipher group digital signature of a message.
4. It provides a method for verifying the mapping cipher group digital signature of a message.
5. The device carries out the mapping cipher group digital signature and verification process for messages.
The security object information exchange process for the mapping cipher group digital signature comprises the following steps:
First, the client security object and the service security object share the password information of the mapping cipher group by direct sharing. The password information is a password sequence with pseudo-random properties generated by the service party. Each information task can be divided into several information exchanges; the number of ordered passwords each cipher group must contain is determined by the number of information exchanges in the most frequently used task, and a large information task can be divided into smaller information tasks.
When the client security object and the service security object authenticate security information, the information exchange steps of an information task are as follows:
1. When a client security object needs to make a service request, it usually takes an ordered variable as the independent variable, selects an unused value of it, and calculates a mapping cipher group from the password information by the mapping method.
2. The client security object forms a service request message based on the service requirements.
3. The client secure object computes a digital signature over the message with the first password of the password group.
4. The client side sends the security information formed by the client number, the message, the independent variable and the corresponding digital signature to the server side.
5. The service security object receives security information from the client security object.
6. The service security object takes the client number and the independent variable, extracts the client's password information, and calculates the corresponding mapping cipher group.
7. The service security object verifies the client and the digital signature on the message, using the same password that the client used.
8. If the digital signature is verified to be correct, the message is authentic, and the message is processed and stored correspondingly.
9. The service security object generates a processing result message.
10. The service security object computes a digital signature on the resulting message using the second one of the cipher suites.
11. The server sends the resulting message and the corresponding digital signature to the client.
12. The client security object receives the returned resulting security information from the service security object.
13. The client security object verifies the message and the digital signature using the same password; if the verification fails, the client security object requests the result information again until the genuine result information is obtained.
14. The client security object processes the message after verifying that it is correct.
15. The above steps complete one request and response exchange of a message; for information tasks consisting of several messages, steps 2 to 14 are repeated until the information task is completed.
Advantageous effects:
In previous information security technologies, passwords are either short passwords used periodically or one-time passwords with an infinite period, so either the security of periodic passwords is difficult to ensure or the amount of password information becomes huge. In the security object method based on the mapping cipher group digital signature, the cipher information has a long period, which effectively solves the security of periodic ciphers and effectively prevents various cipher-related attack methods; at the same time the amount of cipher information does not increase greatly, and cipher information within a certain length meets the requirements of practical use. The mapping cipher group digital signature is a simple and easy-to-use digital signature method. In addition, the security object concept not only emphasizes the security of information exchange but also provides a feasible approach to client information security: the security of information exchange, of client identity authentication, of client password information, of the encryption process and so on is independent of the communication mode and the terminal.
Detailed Description
Bank system transfer payment safety solution
In this scenario, we determine that the banking party is the service party and the trusted party. Businesses or individuals that interact with banking services act as clients.
A cryptographic mode is first defined. The cipher mode adopts a mapping cipher group; the cipher information uses the ASCII character set and is 4096 bits in size, of which 1024 bits are used as the strain cipher and 3072 bits as the cipher source. The mapped cipher group consists of 4 ordered ciphers, and the cipher length is 128 bits (the cipher length is related to the digital signature length and needs to be adjusted appropriately in practical applications; the cipher length is usually one time of the digital signature length). To increase security, a 128-bit static password is added as a supplementary password, and a 256-bit static password is added as supplementary secret encryption information. The mapping takes a natural number as its argument. The cipher source model is a 128-bit ordered arrangement of cipher source elements in byte units, and the number of such arrangements is about 10^41. We can specify this as the upper limit on the number of different arguments that can be used (in practice not more than 10 natural numbers, many people change passwords). The number of permutations is calculated as follows
If the amount of password information used per client security object is 5k, about 5M is needed for about 1000 clients and about 5G for about 1 million clients; at this ratio it is feasible to establish a large-capacity client service system.
The cipher mapping rule is as follows: the argument is mixed (for example, multiplied) with the 128-bit supplementary cipher to obtain a number A; the remainder of A divided by 1024, plus 1, gives a number B not greater than 1024; the remainder of A divided by 128, plus 1, gives a number C not greater than 128. In the strain cipher, starting from position B, a section of length C is cut, calculating from the part exceeding 1024, to obtain a cipher section Y1; similarly, cipher section Y2 is obtained from the number pair (B+1, C+1), Y3 from (B+2, C+2), and Y4 from (B+3, C+3) (in effect, the supplementary cipher and the strain cipher form a two-layer mapping relation). Y1 is mixed with the static password and the independent variable to obtain a number K1; the mixing can apply a one-way hash function a second time and then concatenate the results. If K1 has more than 41 digits, the high-order part is discarded. K1 is used as a permutation number for the cipher source model, which yields the first password of the mapping cipher group (obtained by regular permutation and calculation over the byte positions of the cipher); the other three ordered passwords are obtained in the same way. Many mapping modes are possible, and the above is only one of them.
A digital signature pattern. The digital signature uses the Arabic numeral character set and takes 8 digits. The 128-bit cipher obtained from the mapping cipher group, the added 256-bit static cipher and the message are mixed, and a one-way hash function is used to compute the message digest, which usually gives a 160-bit message digest; the message digest is then converted into 8 Arabic digits to obtain the mapping cipher group digital signature.
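The mapping rule and signature pattern above, together with steps 1 to 14 of the information exchange process described earlier, as one runnable sketch. This is an added example, not code from the patent: the bit-level slicing with wrap-around, the two-pass SHA-1 mixing, the unranking of the permutation number, the failure limit and all names are assumptions made where the text leaves the detail open.

```python
import hashlib
import hmac
import os

SOURCE_BYTES, PICK = 384, 16   # 3072-bit cipher source, 128-bit passwords
K_LIMIT = 10 ** 41             # permutation numbers keep at most 41 digits
MAX_FAILS = 3                  # assumed fault-tolerance count per argument


def new_secret():
    """Constructed per-client secret with the sizes given in the description."""
    return {"strain": os.urandom(128),          # 1024-bit strain cipher
            "source": os.urandom(SOURCE_BYTES),
            "supp": os.urandom(16),             # 128-bit supplementary cipher
            "static": os.urandom(32)}           # 256-bit static cipher


def _section(strain, start, length):
    """Bits start..start+length-1 (1-based) of the strain cipher; wrapping
    past bit 1024 back to bit 1 is an assumption of this sketch."""
    bits = "".join(f"{b:08b}" for b in strain)
    return "".join(bits[(start - 1 + i) % len(bits)] for i in range(length))


def mapping_group(secret, arg):
    """Map a natural-number argument to a group of 4 ordered passwords."""
    a = arg * int.from_bytes(secret["supp"], "big")     # mix by multiplying
    b, c = a % 1024 + 1, a % 128 + 1
    group = []
    for i in range(4):
        y = _section(secret["strain"], b + i, c + i).encode()
        data = y + secret["static"] + str(arg).encode()
        # Assumed mixing: two hash passes, concatenated, high digits dropped.
        h1 = hashlib.sha1(data).digest()
        h2 = hashlib.sha1(h1 + data).digest()
        k = int.from_bytes(h1 + h2, "big") % K_LIMIT
        # Unrank k into an ordered selection of 16 of the 384 source bytes.
        pool, password = list(secret["source"]), bytearray()
        for j in range(PICK):
            k, idx = divmod(k, SOURCE_BYTES - j)
            password.append(pool.pop(idx))
        group.append(bytes(password))
    return group


def sign(password, static, message):
    """160-bit digest of password, static cipher and message, as 8 digits."""
    digest = hashlib.sha1(password + static + message).digest()
    return f"{int.from_bytes(digest, 'big') % 10 ** 8:08d}"


class Server:
    def __init__(self):
        self.clients = {}

    def enroll(self, number):
        """Generate the secret that is shared with the client in advance."""
        self.clients[number] = {"secret": new_secret(), "used": set(), "fails": {}}
        return self.clients[number]["secret"]

    def handle(self, number, message, arg, signature):
        """Steps 5-11: verify with password 1, answer with password 2."""
        state = self.clients[number]
        secret = state["secret"]
        if arg in state["used"]:
            return None                       # an argument is valid only once
        group = mapping_group(secret, arg)
        if not hmac.compare_digest(sign(group[0], secret["static"], message), signature):
            state["fails"][arg] = state["fails"].get(arg, 0) + 1
            if state["fails"][arg] >= MAX_FAILS:
                state["used"].add(arg)        # invalidate after repeated failures
            return None
        state["used"].add(arg)
        result = b"OK " + message
        return result, sign(group[1], secret["static"], result)


class Client:
    def __init__(self, number, secret):
        self.number, self.secret, self.next_arg = number, secret, 1
        self.group = None

    def request(self, message):
        """Steps 1-4: take the next unused argument, sign with password 1."""
        arg, self.next_arg = self.next_arg, self.next_arg + 1
        self.group = mapping_group(self.secret, arg)
        signature = sign(self.group[0], self.secret["static"], message)
        return self.number, message, arg, signature

    def accept(self, reply):
        """Steps 12-14: verify the result message with password 2."""
        if reply is None or self.group is None:
            return False
        result, signature = reply
        expected = sign(self.group[1], self.secret["static"], result)
        return hmac.compare_digest(expected, signature)
```

The server records an argument as used on success or after the assumed failure limit, so a captured request cannot be replayed and an 8-digit signature cannot be guessed indefinitely against one argument.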
Clients can be divided into single object clients and multi-object clients. For a common individual client, only one client security object is needed, and the client security object is a single-object client; for a company or other customer requiring multiple customer security objects, such as a supermarket or department store, the same collection account may require multiple collection counters, or multiple customer security objects may be required for verification of income and expenditure by multiple persons. For multi-object clients, different rights for the client object may be set. The mapping password information of different objects of the same client can be the same, the service side can realize information sharing to save storage space, two-digit numbers can be added behind the client number to serve as the client security object number to identify different objects, and the supplementary password and the static password of each object are different.
Client secure object elements and settings. The client secure object includes the following basic elements:
1. a client object number uniquely identifying the client secure object.
2. Client password information. Comprising 4096 bit mapped cipher information, 128 bit supplementary cipher, 256 bit static cipher.
3. The next unused order argument.
4. A password information updating method.
5. The method of mapping a password described above.
6. A method for calculating the mapping cipher group digital signature of a message.
7. A method for verifying the mapping cipher group digital signature of a message.
8. Information transfer or exchange method. The object and the outside need information exchange, and various interfaces can be adopted.
9. A method for secure acknowledgement of non-secure messages. The security object requires manual confirmation of the receipt of a message that has not been digitally signed, and may be displayed on a monitor and then manually confirmed.
10. A method for generating a message to be signed. The message can be composed of numbers and a small number of symbols, can be input by a small keyboard generally, and can also be subjected to a security confirmation method through previous non-security information.
Service secure object elements and settings. The service secure object includes the following basic elements:
1. All customer account information. Including customer number, account funds, etc.
2. Information of all client security objects. Including the client security object number, password information, the next unused ordered argument, etc.
3. A new password generation method. Generated randomly by the service security object, with pseudo-randomness.
4. A client security object information updating method.
5. A method of mapping a password as described above.
6. A method of calculating the mapping cipher group digital signature for a message.
7. A method of verifying the mapping cipher group digital signature for a message.
8. A security information storage method, which records the transaction information of the client security object.
9. A transfer transaction method.
10. A method for generating a security message.
11. Information transfer or exchange method.
In practical applications, matters that are independent of security, such as account funds and transfer transaction methods, may be separated from the service security object and processed by different functional objects. In this example, for simplicity and convenience, they are included in the service security object for processing.
Secure isolation of secure objects. Merely setting up a security object does not make it secure; the security object must also be security-isolated, that is, separated from the insecure environment, with information exchanged only as security information, so that the security object can maintain a secure state. Because the secure objects do not depend on any communication method, isolation can be performed using a custom communication protocol or various other protocols, provided that other dangerous or destructive processes are blocked. The safest method can even use physical isolation, with information transferred manually.
A password sharing manner. The sharing of the password information can adopt a direct sharing mode, the password sharing is directly carried out after the identity authentication from the client to the bank, and the password information is randomly generated by the service security object and has pseudo-randomness.
A secure transaction mode.
Peer-to-peer transfer mode. A transfers 100 Yuan to B's account. The transfer process is as follows:
1. Client security object A (hereinafter referred to as A) selects the next unused independent variable and calculates the mapping cipher group.
2. A forms the message to be signed from the fund transfer transaction code, B's account number and the amount, and calculates a digital signature on the message using the first serial number password.
3. A transmits the argument, message, and digital signature to a service security object (hereinafter abbreviated S). Since all information is in the form of an alphanumeric character set, it can be conveniently conveyed using a variety of tools: internet, telephone, SMS, fax, etc., even manual transmission, as long as the tool can transmit Arabic numeral information.
4. After receiving the transaction message sent by A, S extracts A's information, calculates the mapping cipher group and verifies A's transaction message. If the verification fails, S returns error information to A; after three errors with the same independent variable, that independent variable is invalidated.
5. Having verified that A's transaction message is correct, S transfers the 100 Yuan out of A's funds and deducts 100 Yuan from A's account amount. If this succeeds, the result is marked 1; otherwise it is marked 0.
6. S generates a result message, calculates a digital signature for the message using the second serial number password, stores the result and the digital signature, and returns the result message and the digital signature to A or leaves them for A to query.
7. A receives the initial transaction result information returned by S, verifies the digital signature with the same password and checks whether the information is correct. If it is incorrect, A requests the transaction result information from S again until a correct transaction result is obtained.
8. If the transaction fails, A aborts or re-transacts. If successful, A computes a further digital signature M1 for the transaction message with the third sequence number password.
9. A notifies customer B of the transaction and gives B the digital signature M1.
10. The client security object (hereinafter referred to as "B") selects the next unused argument to calculate the mapped cipher set.
11. B forms a signed message with the funds transfer transaction code and the amount, computes a digital signature M2 for the message using the first sequence number password.
12. B transmits the argument, the in-flight message and the digital signature M2, together with the digital signature M1 of A, to the service secure object S.
13. After receiving the transaction message sent by B, S extracts the information of A and of B respectively, calculates the mapping cipher groups, and verifies B's transaction message digital signature M2 and A's transaction message digital signature M1.
14. Having verified that all transaction messages are correct, S transfers the 100 Yuan into B's account (the 100 Yuan may be frozen for a period of time, for example unfreezing automatically after one day). If the transaction succeeds, the result is marked 1; if it fails, 0. Regardless of the result, the corresponding password is not reusable.
15. S generates result messages for A and for B respectively. It calculates a digital signature for A's result message using A's fourth serial number password and for B's result message using B's second serial number password, stores the results and the digital signatures, and returns the result information to B or leaves it for A and B to query.
16. A and B can respectively inquire the final transaction result information and verify the digital signature of the message until the real information is obtained.
17. From the digital signature of the final result, both A and B can know exactly whether the transaction succeeded or failed. The transaction process is complete.
Both A and B submit the transaction information and a digital signature, which prevents funds from being transferred to the wrong account through human error and means that neither A nor B can deny whether the transfer succeeded or failed. Using a plurality of passwords also guards against the case where a password is weak.
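Steps 1 to 4 of the transfer, together with the 8-digit signature format described earlier, can be sketched as follows. This is an added example, not code from the patent: SHA-1 as the 160-bit hash, the concatenation order, the modulo reduction to 8 digits, the `mapped_cipher` rule (a stand-in for the patent's mapping model) and all names and sample values are assumptions.

```python
import hashlib
import hmac

DIGITS = 8       # signature length stated on the page
MAX_ERRORS = 3   # page: an argument is invalidated after three errors

def mapped_cipher(info: bytes, supp: bytes, argument: int, seq: int) -> bytes:
    """128-bit cipher number `seq` of the group for `argument`.
    Stand-in mapping rule (assumption, not the patent's model): the argument
    selects a 16-byte element of the 4096-bit mapping information, which is
    hashed together with the argument and the supplementary cipher."""
    start = (argument * 16) % (len(info) - 16)
    data = info[start:start + 16] + supp + argument.to_bytes(8, "big") + bytes([seq])
    return hashlib.sha1(data).digest()[:16]

def sign(cipher: bytes, static: bytes, message: str) -> str:
    """Hash cipher + static cipher + message to 160 bits, reduce to 8 digits."""
    digest = hashlib.sha1(cipher + static + message.encode()).digest()
    return f"{int.from_bytes(digest, 'big') % 10**DIGITS:0{DIGITS}d}"

class ServiceObject:
    """Server side of steps 3-4: verify, burn the argument, count errors."""
    def __init__(self, info: bytes, supp: bytes, static: bytes):
        self.info, self.supp, self.static = info, supp, static
        self.next_unused = 0   # "next unused ordered argument"
        self.errors = {}       # argument -> failed attempts

    def verify(self, argument: int, message: str, signature: str) -> str:
        if argument < self.next_unused:
            return "rejected"              # used or invalidated argument
        cipher = mapped_cipher(self.info, self.supp, argument, 1)
        expected = sign(cipher, self.static, message)
        if hmac.compare_digest(expected.encode(), signature.encode()):
            self.next_unused = argument + 1
            return "ok"
        self.errors[argument] = self.errors.get(argument, 0) + 1
        if self.errors[argument] >= MAX_ERRORS:
            self.next_unused = argument + 1
            return "argument invalidated"
        return "error"

def demo() -> list:
    # Constructed secrets and message (transaction code*payee account*amount).
    info, supp, static = bytes(range(256)) * 2, b"\x01" * 16, b"\x02" * 32
    s = ServiceObject(info, supp, static)
    msg = "1001*6222000012345678*100"
    sig0 = sign(mapped_cipher(info, supp, 0, 1), static, msg)
    out = [s.verify(0, msg, sig0), s.verify(0, msg, sig0)]   # accept, then replay
    sig1 = sign(mapped_cipher(info, supp, 1, 1), static, msg)
    wrong = f"{(int(sig1) + 1) % 10**DIGITS:0{DIGITS}d}"
    out.append(s.verify(1, msg.replace("*100", "*900"), sig1))  # altered amount
    out += [s.verify(1, msg, wrong), s.verify(1, msg, wrong)]   # third error
    out.append(s.verify(1, msg, sig1))                          # argument now dead
    return out

if __name__ == "__main__":
    print(demo())
```

An 8-digit signature has only 10^8 possible values, so the one-time argument and the three-error limit are what bound online guessing against the service object.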
Semi-automatic payment transfer mode. When shopping in a shopping mall, the above transfer mode is really too troublesome! In fact, customers such as shopping malls are relatively good customers, so a further transfer mode can be added in which the messages and signatures that were submitted in two rounds are submitted once, but the transaction funds need to be frozen for a set period. This simplifies the transaction process while security is still guaranteed. In addition, a special communication channel between the clients needs to be established to realize the semi-automatic payment process:
A pays 100 dollars to merchant B's account.
The information to be signed by the client security object A is mainly transaction codes, the account number of the opposite party and the transaction amount in the transfer transaction process, and the information to be signed by the client security object B is mainly the transaction codes and the amount in the transfer transaction process. What both parties need to verify is the digital signature of the resulting message.
1. Client security object A is placed in a locked automatic transaction state: it selects the next unused independent variable and calculates the mapping cipher group; the transaction code is the automatic transfer transaction code; the transaction amount may or may not be set, and if it is set, the set amount prevails. A then waits to receive the account number and amount information sent by the other party through the special communication channel.
2. The client security object B sends the account number and the amount information to the client security object A through the special communication channel.
3. If an amount has been set in client security object A, A compares it with the amount in the received payment information; if the amounts do not match, A issues wrong-amount information and returns it to client security object B. If no amount has been set, the received amount is used. If the information is correct, A automatically calculates a digital signature for the payment information using the first and the third passwords.
4. The client secure object a automatically sends payment information to the service secure object (hereinafter referred to as S) through the communication system of B.
5. After receiving the automatic payment information, S extracts A's information and verifies the signature of the payment information to ensure that it is correct.
6. Once the information has been found correct, S carries out the transfer transaction, transferring 100 Yuan from account A to account B and at the same time freezing the transferred funds in account B. A successful processing result is 1; a failure is 0.
7. S calculates digital signatures on the transaction result information for A and for B respectively (it can automatically select B's next unused independent variable for B to use), stores the transaction result information and returns it to A and B.
8. A and B receive the transaction result information and verify it.
9. A and B keep the transaction result information, which can be displayed on a monitor to await manual confirmation. The transaction is finished.
Claims (2)
1. A setting and using method of mapping password is characterized in that:
the password information of the mapping password is divided into two parts according to the purposes: one part is information related to corresponding rules of independent variables, called a strain password and recorded as a set B, and the other part is used as a password source and recorded as a set Y; the method comprises the steps that a new information set is obtained by applying certain model conversion to a password source and is recorded as a set M, and for each determined element in the set M, a unique determined element in a password source Y corresponds to the determined element; for any independent variable, corresponding to a certain logic position in the model of the new set M by combining with a corresponding rule of the strain cipher, so as to correspond to a certain determined element in the set M, and combining the element and the independent variable together into a new cipher through a one-way hash function; encrypting the information using the new password; for any independent variable, a uniquely determined new password can be found to correspond to the given strain password and the password source of the mapping password and the given corresponding rule; the independent variables are required to be combined for use, and different independent variables are used each time; each time information encryption is carried out, only a part of the password information of the mapping password is indirectly associated; the cipher information of the mapping cipher used for each encryption is almost different.
2. The method of claim 1, further comprising: generating a uniquely determined cipher block comprising one or more ordered ciphers, namely a mapped cipher block, by the method according to claim 1 using an argument, and calculating a message digest on the message using a one-way hash function and using the ciphers of the mapped cipher block to obtain a mapped cipher block digital signature; the mapping password group uses the independent variable to enable the digital signature to be associated with the independent variable, the independent variable is only used once effectively, namely, after the mapping password group generated by the independent variable authenticates one or one group of information, the mapping password group generated by the independent variable cannot be used for authenticating other information; the cipher of the mapping cipher group has enough length, namely the cipher space is big enough, so that for the message digest with the specific length, enough collisions exist, so that the collision space is close to or larger than the message digest space, and the cipher security cannot be reduced by attacking the message digest code through an exhaustion method; the mapping cipher group digital signature uses the mapping cipher group, and the cipher information has the characteristic of long using period.
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 200410051602 CN1713567B (en) | 2004-09-24 | 2004-09-24 | Setting and usage method of mapping cipher |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1087269A1 | 2006-10-06 |
| HK1087269B | 2010-11-12 |
| Publication number | Publication date |
|---|---|
| CN1713567A (en) | 2005-12-28 |
| CN1713567B (en) | 2010-04-28 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PC | Patent ceased (i.e. patent has lapsed due to the failure to pay the renewal fee) | Effective date: 20140924 |