
HK1159349B - A system and method for designing secure client-server communication protocols based on certificateless public key infrastructure - Google Patents


Info

Publication number
HK1159349B
Authority
HK
Hong Kong
Prior art keywords
key
value
elliptic curve
client
random number
Application number
HK11113388.0A
Other languages
Chinese (zh)
Other versions
HK1159349A1 (en)
Inventor
Natarajan Vijayarangan
Original Assignee
Tata Consultancy Services Limited
Application filed by Tata Consultancy Services Limited

Abstract

The subject invention relates to a system and method for designing secure client-server communication protocols based on certificateless public key infrastructure. A system and method for facilitating secure client-server communication using elliptic curve cryptography and certificateless public key infrastructure has been disclosed. The system includes a secret key generation means which generates a secret key of m bits based on the elliptic curve Diffie-Hellman algorithm. The system further includes a session key generation means which makes use of said secret key and the elliptic curve Diffie-Hellman algorithm to generate a session key. The session key is used to facilitate secured communication between the client and the server.

Description

System and method for strengthening client/server communication protocol security based on certificateless public key infrastructure
Technical Field
The present invention relates to the field of communications, and more particularly to the fields of cryptography and network security.
Definition of terms in the specification
In this specification, the term "primitives" refers to known systems for generating and verifying digital signatures, such as the elliptic curve Diffie-Hellman system and the elliptic curve digital signature system, and also to known systems for verifying the authenticity of information, such as the information randomization system, the Jacobi identity verification system, and the like.
In this specification, the term "digital signature", or "signature", refers to a mechanism for checking authenticity that is used for information, for financial transactions, and wherever it is necessary to detect counterfeiting and tampering.
These definitions are complementary to existing definitions in the technical field.
Background
A client/server network is a distributed application architecture that shares tasks or workloads between service providers (servers) and service requesters (clients). Such network communications are not necessarily secure. To establish secure communications between clients and servers, many researchers and organizations have adopted methods such as public key-based cryptography, identity-based cryptography, and the like.
A password-based strong authentication key exchange protocol (PAK) was patented by Bellovin and Merritt in 1993. It is an interactive method for two or more parties, in which a key is established based on knowledge of one or more passwords. Later, Stanford University patented the Secure Remote Protocol (SRP), which was used for a new password authentication and key exchange mechanism over untrusted networks. Sun Microsystems then proposed an Elliptic Curve Cryptography (ECC) technique that is well integrated with OpenSSL authorization certificates. This code, which uses elliptic curve based cryptographic sockets, can secure TLS/SSL handshakes.
Other achievements in this field:
U.S. Pat. No. 6477254, issued to Seiji Miyazaki and Kazuo Takaragi, provides a method of encrypting and decrypting data that comprises an encrypting step and a decrypting step. During encryption, n pairs of keys and public keys in a public key cryptography system are prepared in advance (n is a positive integer). A new key is generated by combining at least one public key. The data is encrypted with the new key in the public key cryptography system; a (k, n) threshold logic (k is an integer less than or equal to n) is preset, and its terms are associated with the new key and the n public keys. A threshold logic operation is performed on the new key and the n public keys, and the encrypted data and the result of the threshold logic operation are stored. During decryption, the new key is restored from k keys selected from the n keys and from the stored result of the threshold logic operation, and the restored key is used to carry out the reverse logic operation in the public key cryptography system according to the threshold logic, so that the stored data is decrypted. The focus of U.S. Pat. No. 6477254 is on a data encryption and decryption method that separates the data encryption and data decryption steps. The data encryption step further comprises "n" pairs of keys and public keys, and generating a new key using at least two generated public keys.
U.S. Pat. No. 7673141, issued to Roger Kilian-Kehr et al., provides a system for secure access to application services. The system of U.S. Pat. No. 7673141 includes a challenge provider that employs a first cryptographic technique to challenge a client attempting to access an application service. The client generates a response using a second cryptographic technique and submits the response to the authentication service. The authentication service authenticates the challenge and the response using a first authentication technique complementary to the first cryptographic technique and a second authentication technique complementary to the second cryptographic technique, respectively, and grants the client access to the application service only if the authentication is successful.
U.S. patent application No. 2008069338, by Robert Relyea, provides a computer system and a method for combining a location factor with a token (client). The token receives from the server a cryptographic challenge encrypted with a key shared by the server and the token. The token decrypts the encrypted challenge using the shared key and then processes the challenge using a pre-prepared Elliptic Curve Cryptography (ECC) process to obtain a processed challenge. The token returns the signed challenge and an ECC public key to the server as a reply to the challenge. The server receives the signed challenge and verifies that the signed challenge was indeed generated by the token, based on the ECC public key. In U.S. patent application No. 2008069338, a client receives an encrypted challenge from a server, and the challenge is encrypted with a key (public key) known to both the server and the client.
U.S. patent application No. 2009003597, by Alexander Gantman et al., provides a method and apparatus for authentication with a common modulus N that both parties agree to use. The steps of the method of U.S. patent application No. 2009003597 include: generating a pseudo-random string from an input value; generating a first public key value based on the modulus N and the pseudo-random string; generating a first private key value corresponding to the first public key value; receiving a second public key value; generating a shared secret key based on the modulus N, the first private key value and the second public key value; and using this shared key to determine an authentication signature and to transmit the authentication signature. The system contemplated by U.S. patent application No. 2009003597 uses a key generation unit to generate a first public key and a first private key. The system also receives a second public key value with the receiver unit and generates a shared key value with a key generation unit.
U.S. patent application No. 2010211779, by Ganapathy S. Sundaram, provides a key agreement between a first party and a second party. According to U.S. patent application No. 2010211779, a random key component is generated by the first party (server) and encrypted for transmission to the second party (client). The random key component is encrypted using the public key of the second party. The second party receives the random key component sent by the first party and, in addition to receiving the first random key component, generates a second random key component. At the client (second party), both the first key component and the second key component are encrypted to form an encrypted random key component pair. The encrypted random key component pair generated in this way is transmitted from the second party (client) to the first party (server). Upon receiving the encrypted random key component pair from the second party, the server (first party) sends an encrypted second random key component to the second party, and the key calculated and determined by the first party (server) based on the second random key component is used in all subsequent communications between the client and the server. The focus of U.S. patent application No. 2010211779 is on providing an identity-based encryption scheme.
U.S. Pat. No. 7549044, issued to Lane W. Lee, provides a block-level storage device that has been configured to implement a Digital Rights Management (DRM) system. After receiving the public key from the associated host system, the storage device sends a challenge to the host to prove that it holds the corresponding private key, in order to establish trust. This trust is established by encrypting a secure session key with the public key. The host system recovers the secure session key with its private key. The storage device may also store ciphertext encrypted according to the content key. In addition, the storage device may encrypt the content key using the secure session key. The focus of U.S. Pat. No. 7549044 is on providing digital rights management. In U.S. Pat. No. 7549044, the secure session key itself is encrypted and then decrypted to ensure secure communication between the storage device and the client.
Chinese patent application No. 1444168, filed by Zhu Huafei, generates an elliptic curve public key certificate based on a probabilistic asymmetric encryption method. The method is a public key cryptosystem that starts from the decisional Diffie-Hellman problem on an elliptic curve and encrypts and decrypts by means of a collision-resistant hash function and a public key certificate. In order to enhance the communication security between the client and the server, Chinese patent application No. 1444168 further uses the principles of a collision-resistant hash function, a public key encryption system and a public key certificate scheme. Although Chinese patent application No. 1444168 also uses elliptic curve cryptography, the main difference in practice is that the present invention uses a certificateless public key infrastructure, while Chinese patent application No. 1444168 uses a certificate-based public key infrastructure.
A drawback of the systems proposed in the prior art and in the related patent documents is that all of the above methods are implemented using certificate-based public key cryptography and identity-based cryptography techniques. These cryptographic methods all face expensive and complex key management and key escrow problems in real-life deployments. Recently, certificateless public key cryptography (CL-PKC) was introduced to address these issues, which have not been completely solved. Typically, certificateless public key cryptography uses bilinear pairings and inverse operations, which degrade system performance.
Therefore, there is a need to develop a low-overhead and time-saving system based on the certificateless public key cryptosystem without using the bilinear pairing principle.
Object of the Invention
The invention aims to provide a safe communication system between a client and a server;
it is another object of the present invention to provide a system for providing robust and secure communication between a client and a server;
it is another object of the present invention to provide a tamper-resistant system;
it is another object of the present invention to provide a lightweight authentication system;
it is another object of the present invention to provide a low overhead system that employs certificateless public key cryptosystem technology;
another object of the present invention is to provide a time efficient system that employs certificateless public key cryptosystem techniques without the use of bilinear pairings;
it is another object of the present invention to provide a system that can function properly at lower bandwidths;
it is another object of the present invention to provide a space-saving system that requires less storage space at runtime;
another object of the present invention is to provide a system for online cash transaction with timely security;
it is another object of the present invention to provide a system capable of preventing replay attacks and express attacks from occurring;
it is another object of the present invention to provide a system that can help reduce information loss; and
it is another object of the invention to provide a system that does not compromise performance even if large amounts of data are transferred.
Disclosure of Invention
The invention provides a system for strengthening communication security of a client/server. The system comprises:
a random number generator for generating random numbers;
a processing method for receiving said random number and generating a processed value;
a first authentication method for receiving and authenticating said processed value for counterfeit detection, and further generating an authenticated value using said first authentication method;
a calculation method paired with the first verification method, the calculation method being used to generate a first numerical value, and the calculation method being further used to generate a second numerical value corresponding to the first numerical value;
a second verification method having a predetermined primitive, receiving and verifying the second value by using the second verification method, and further generating a public key and a private key corresponding to the public key by using the second verification method;
a key generation method having the predetermined primitive, the key generation method being adapted to receive the public key generated by the second authentication method and generate a key; and
a session key generation method having the predetermined primitive, the session key generation method being adapted to receive the key generated by the key generation method and generate a session key;
wherein the key and the session key enhance the security of the client/server communication.
Preferably, according to the present invention, the processing method includes employing an encryption method for receiving the random number and encrypting the random number using an elliptic curve encryption method using a public key.
Preferably, according to the present invention, the processing method comprises receiving said random number by a preprocessing method and processing said random number by applying a method of information randomization.
Preferably, according to the present invention, the first authentication method comprises receiving said processed random number using a decryption method, and decrypting said processed random number using a private key using an elliptic curve cryptography method.
Preferably, according to the invention, the first authentication method comprises using a pre-processing method that receives and authenticates the processed value for forgery detection by applying a method of information randomization.
Preferably, according to the invention, the first value is selected from the group consisting of a pair of a public key and a private key, and a Jacobi identity.
Preferably, in accordance with the present invention, the second value is selected from the group consisting of a digital signature value and a Lie product.
Preferably, in accordance with the present invention, the predetermined primitive is selected from the group consisting of an elliptic curve Diffie-Hellman method, an elliptic curve digital signature method, and a Jacobi identity verification system.
Preferably, in accordance with the present invention, the predetermined primitive is selected from the group consisting of an elliptic curve Diffie-Hellman system and an elliptic curve digital signature system.
The invention provides a method for strengthening the communication security of a client/server. The method comprises the following steps:
generating a random number;
processing said random number to generate a processed value;
verifying said processed value to detect counterfeiting;
generating a first value;
generating a second value corresponding to said first value;
verifying said second value using a predetermined primitive;
generating a public key and a corresponding private key;
transmitting said public key while retaining said private key;
receiving the transmitted public key and generating a key using predetermined primitives; and
generating a session key based on the key and the predetermined primitive.
Typically, according to the present invention, the step of processing said random number to generate a processed value further comprises the step of encrypting the random number with a public key using an elliptic curve encryption system.
Typically, according to the present invention, the step of processing said random number to generate a processed value further comprises the step of processing the random number using a primitive selected from the group consisting of bit swapping, compression, T-function, and linear feedback shift register.
Typically, according to the present invention, the step of verifying the processed value further comprises the step of decrypting the processed value with a private key using an elliptic curve encryption system.
Typically, according to the present invention, the step of verifying the processed value further comprises the step of verifying the processed value using a message randomization method.
Typically, according to the present invention, the step of generating said first value further comprises the step of generating a pair of a public key and a private key.
Typically, according to the present invention, the step of generating said first value further comprises the step of generating a Jacobi identity.
Typically, according to the present invention, the step of generating said second value based on said first value further comprises the step of generating a digital signature value.
Typically, according to the present invention, the step of generating said second value based on said first value further comprises the step of generating a Lie product.
Typically, according to the present invention, the step of verifying said second value using a predetermined primitive further comprises the step of verifying the second value using a predetermined primitive selected from the group consisting of an elliptic curve Diffie-Hellman method, an elliptic curve digital signature method, and a Jacobi identity verification method.
Typically, according to the present invention, the step of receiving the transmitted public key and generating a key based on the predetermined primitive further comprises the step of generating the key based on a predetermined primitive selected from the group consisting of an elliptic curve Diffie-Hellman method and an elliptic curve digital signature method.
Typically, according to the present invention, the step of generating a session key based on the key and the predetermined primitive further comprises the step of generating the session key using the above key and a predetermined primitive selected from the group consisting of an elliptic curve Diffie-Hellman method and an elliptic curve digital signature method.
Drawings
The invention is described with reference to the following figures:
FIG. 1 is a sequence diagram illustrating a first network security protocol, in accordance with the present invention;
FIG. 2 is a sequence diagram illustrating a second network security protocol, in accordance with the present invention; and
FIG. 3 is a sequence diagram illustrating a third network security protocol, in accordance with the present invention.
Detailed Description
The drawings illustrate specific embodiments of the invention. The detailed description does not limit the scope and rights of the invention. This description is made only as to preferred embodiments and suggested applications of the present invention.
In accordance with the present invention, it is contemplated that the system and a set of three network security protocols provide for client/server secure communications based on a certificateless Public Key Infrastructure (PKI).
The system at least comprises a server and a client. The server is used to perform a function of generating a key, where the key is a pair of a public key and a private key, and the server is a Key Generation Center (KGC). The system forms the infrastructure required by the client/server architecture and the PKI, which includes a set of hardware, policies, procedures, and similar requirements required for communication.
Certificateless PKI-based communication using the first network security protocol initially uses the server as the KGC to distribute public and private keys to clients. The steps for establishing certificateless PKI-based communication using the first network security protocol are shown in FIG. 1.
As shown in FIG. 1, the client first initiates communication by sending a preliminary message such as a "client hello". In response to the client hello message, the server generates a random number (value) with a length of "n" bits using a random number generator. The server then encrypts the generated random number with the client's public key. No digital certificate is generated while the random number is encrypted. The server keeps a record of the set of private and public keys assigned to each client. On the server side, the random number is encrypted using an elliptic curve encryption method. The value encrypted with the client's public key is sent to the client. The server challenges the client to decrypt the encrypted value in order to verify the identity of the client. After receiving the encrypted value, the client decrypts it with its private key and the elliptic curve Diffie-Hellman algorithm and verifies whether the value comes from a trusted source. By successfully decrypting the encrypted value and recovering the original value, the client proves its trustworthiness to the server. In the step of verifying the value sent by the server (i.e., decrypting the encrypted value sent by the server), the client generates a pair of public and private keys using elliptic curve cryptography.
The client generates a signature for the decrypted value by using an elliptic curve digital signature algorithm and sends the signature to the server, and the server verifies the signature by using the elliptic curve digital signature algorithm after receiving the signature sent by the client. After the signature sent by the client is verified, the server generates a pair of a public key and a private key by using an elliptic curve Diffie-Hellman algorithm, and sends the generated public key to the client.
After the client receives the public key sent by the server, the client generates a key with a length of "m" bits using the elliptic curve Diffie-Hellman algorithm and shares the key with the server. The server correspondingly generates a session key of "m" bits using the elliptic curve Diffie-Hellman algorithm. Both the key and the corresponding session key are generated using the elliptic curve Diffie-Hellman algorithm. Reference numeral 100 in FIG. 1 indicates the step in which the elliptic curve Diffie-Hellman algorithm is used to generate a session key of "m" bit length. The session key is used for all subsequent communications and transactions between the server and the client. Because the session key is known only to the server and the client, the communication between the client and the server is completely secure.
The method for enhancing the communication security between the server and the client by using the first network security protocol comprises the following steps:
Initial setting: the server acts as a Key Generation Center (KGC), and each client has a pair of a public key and a private key generated by the server.
The first step: the client first initiates communication by sending a "client hello" message.
The second step: the server generates an n-bit random challenge, or random number (value), using a Pseudo Random Number Generator (PRNG). The server then encrypts this random number with the client's public key using an Elliptic Curve Encryption (ECE) method. The client decrypts the encrypted random number with its own private key using the ECE method.
The third step: the client generates a public key and a private key on an elliptic curve using an elliptic curve cryptography method. The length of the public and private keys may be 256, 384, or 512 bits, as recommended by the National Institute of Standards and Technology (NIST). The client generates a signature on the value using the elliptic curve digital signature algorithm and sends the signature to the server.
The fourth step: the server verifies the signature using the elliptic curve digital signature algorithm and then generates a key pair on the elliptic curve. The server sends the generated public key to the client.
The fifth step: the client and the server negotiate a shared key of m bits using the elliptic curve Diffie-Hellman (ECDH) algorithm.
The sixth step: the client and the server negotiate a session key of m bits for encryption using the ECDH algorithm. The client and server have encrypted sockets.
The seventh step: secure communication between the client and the server is established.
In the above protocol, an attacker cannot guess the random challenge value, or random number (value), generated by the protocol. Because the value is transmitted in encrypted form, replay attacks and hacking attacks can be prevented.
The steps for establishing certificateless PKI-based communication using the second network security protocol are shown in FIG. 2. Certificateless PKI-based communication using the second network security protocol differs slightly from the first network security protocol in that no initial pair of public and private keys is generated for the client and the server. Instead, the client and the server have a unique information preprocessing function that converts plaintext into random information. When random numbers are sent, a one-to-one mapping is used to ensure that no modification occurs. For random values, the order of the bits representing a particular value is changed, or randomized, so that the original value is masked.
As shown in FIG. 2, the client first initiates communication by sending a preliminary message such as a "client hello". In response to the client hello message, the server generates a random number (value) with a length of "n" bits using a random number generator. The server processes the generated random number using an information preprocessing function (information randomizing function). Three operations are executed in sequence inside the information preprocessing function: bit swapping, a T function, and a Linear Feedback Shift Register (LFSR). The preprocessing first performs a bit swap. Bit swapping increases diffusion. Diffusion refers to the property that the statistical redundancy of the input is dissipated in the output. The bit swap is reversible, and it is easy to restore the original bit order from the swapped bit order.
The bit swap process is followed by a T-function process. The T function is an update function that updates each bit by a linear combination of the same bit and the less significant bits. The T-function process is followed by an LFSR function, which uses an irreducible polynomial of degree 32 with period $2^{32}-1$. In the LFSR, a given input is shifted according to the given polynomial for 4 to 15 rounds. The output after bit swapping, T function, and LFSR (collectively referred to as preprocessing) is a highly random value.
After submitting the generated value to the preprocessing function, the server sends the preprocessed value and the original value to the client. The preprocessed value is derived from the original value, and the only difference between the two is that the bit order of the preprocessed value is changed. At the client, the preprocessed value is verified by applying the bit swap, the T function, and the LFSR function in reverse order, i.e., the LFSR is performed first, followed by the T function and the bit swap. This sequence is the reverse of the one used during preprocessing. Because all three functions are reversible, the order of execution can be reversed without any data loss or adverse effect. After performing the above functions in reverse order, the client obtains a verification value. The client compares the original value sent by the server with the verification value obtained through the LFSR, T function and bit swap calculations, thereby detecting whether the value has been forged. If the value sent by the server is verified as genuine, the client generates a pair of public and private keys using the elliptic curve Diffie-Hellman algorithm. The client generates a signature for the value sent by the server using the elliptic curve digital signature algorithm and sends the signature and the public key to the server.
After receiving the signature, the server verifies the signature sent by the client using the elliptic curve digital signature algorithm and then generates a pair of a public key and a private key using the elliptic curve digital signature algorithm. Subsequently, the server sends the generated public key to the client. After the client receives the public key sent by the server, the client generates a key with a length of "m" bits using the elliptic curve Diffie-Hellman algorithm and shares the key with the server. The server in turn generates a session key of "m" bits based on the key and the elliptic curve Diffie-Hellman algorithm. Both the key and the corresponding session key are generated using the elliptic curve Diffie-Hellman algorithm. Reference numeral 200 in FIG. 2 denotes the step of generating a session key of "m" bit length based on the key and the elliptic curve Diffie-Hellman algorithm. The session key is used for all subsequent communications and transactions between the server and the client. Because the session key is known only to the server and the client, the communication between the client and the server is completely secure.
The method for enhancing the communication security between the server and the client by using the second network security protocol comprises the following steps:
The first step: the client initiates the communication by sending a "client greeting" message.
The second step: the server generates an n-bit random challenge, or random number (value), using a pseudo random number generator (PRNG), and calculates the information preprocessing value of the random number. The client receives the random number and the information preprocessing value, and the information preprocessing value is verified.
The third step: the client generates a public key and a private key on the elliptic curve. The length of the public and private keys may be 256, 384, or 512 bits, as recommended by the National Institute of Standards and Technology (NIST). The client generates a signature over the value sent by the server using the elliptic curve digital signature algorithm and sends the signature and the public key to the server.
The fourth step: the server verifies the signature and then generates a key pair on the elliptic curve. The server sends the generated public key to the client.
The fifth step: the client and the server negotiate a shared key of m bits in length using the elliptic curve Diffie-Hellman (ECDH) algorithm.
The sixth step: the client and the server negotiate a session key of m bits in length for encryption using the ECDH algorithm. The client and the server have encrypted sockets.
The seventh step: secure communication between the client and the server is established.
In the above protocol, the random number is transmitted in plaintext together with the information preprocessing value, which prevents replay attacks and hacking attacks. Notably, the information preprocessing value has a one-to-one correspondence property: an attacker can change the random number, but the information preprocessing value cannot be changed.
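The preprocessing check of the second protocol can be sketched as follows. This is an added example, not code from the patent: the 32-bit word size, the adjacent-bit swap, the T-function v + (v*v | 5), the Galois LFSR tap mask and round count, and all function names are assumptions chosen only because each stage is reversible.

```python
import secrets

N = 32                      # word size in bits (assumed; the page only says "n bits")
MASK = (1 << N) - 1
TAPS = 0x80200003           # assumed Galois tap mask; inversion only needs the top bit set
ROUNDS = 16                 # assumed number of LFSR clocks


def bit_swap(v):
    """Swap each pair of adjacent bits; applying it twice restores v."""
    return ((v & 0xAAAAAAAA) >> 1) | ((v & 0x55555555) << 1)


def t_function(v):
    """Assumed T-function v + (v*v | 5) mod 2^N: output bit i depends only on input bits 0..i."""
    return (v + ((v * v) | 5)) & MASK


def t_function_inv(w):
    """Recover the input one bit at a time, lowest bit first."""
    v = 0
    for i in range(N):
        low = (1 << (i + 1)) - 1
        if (t_function(v) ^ w) & low:   # low i+1 bits disagree, so bit i must be 1
            v |= 1 << i
    return v


def lfsr(v, rounds=ROUNDS):
    """Clock a right-shifting Galois LFSR `rounds` times."""
    for _ in range(rounds):
        out = v & 1
        v >>= 1
        if out:
            v ^= TAPS
    return v


def lfsr_inv(v, rounds=ROUNDS):
    """Undo lfsr(): the top bit of each state records whether TAPS was XORed in."""
    for _ in range(rounds):
        if v >> (N - 1):
            v = (((v ^ TAPS) << 1) | 1) & MASK
        else:
            v = (v << 1) & MASK
    return v


def preprocess(nonce):
    """Server side: bit swap, then T-function, then LFSR."""
    return lfsr(t_function(bit_swap(nonce)))


def client_verify(nonce, preprocessed):
    """Client side: undo LFSR, T-function, bit swap, then compare with the plaintext nonce."""
    recovered = bit_swap(t_function_inv(lfsr_inv(preprocessed)))
    return recovered == nonce


if __name__ == "__main__":
    nonce = secrets.randbits(N)             # constructed sample challenge
    tag = preprocess(nonce)
    print(hex(nonce), hex(tag), client_verify(nonce, tag))
    print("nonce altered:", client_verify(nonce ^ 1, tag))
```

Because the three stages compose to a bijection, a change to only one of the two transmitted values always makes the comparison fail.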
Certificateless PKI-based communication using the third network security protocol is similar to that using the first network security protocol, but differs in signature generation. The client uses a Jacobi identity to authenticate the server; the Jacobi identity is a special product based on Lie algebra. The Jacobi identity of the challenge random number satisfies the relations RC = x || y || z and [[x, y], z] + [[y, z], x] + [[z, x], y] = 0.
The steps for establishing certificateless PKI-based communication using the third network security protocol are shown in Fig. 3.
As shown in Fig. 3, the client first initiates the communication by sending a preliminary message such as a "client greeting". In response to the client hello message, the server generates a random number (value) of "n" bits in length using a random number generator. The server encrypts the generated random number with the public key of the client. No digital certificate is generated in the encryption process of the random number. The server records a private key set and a public key assigned to each client. At the server side, the random number is encrypted using elliptic curve cryptography. The value encrypted with the client public key is sent to the client. The server challenges the client to decrypt the encrypted value in order to verify the identity of the client. After receiving the encrypted value, the client decrypts it using its private key and elliptic curve cryptography, thereby proving to the server that it is a trusted party.
The client further computes a Jacobi identity over this value. That is, the client splits the decrypted value into three portions. The client further generates a Lie product on the received values.
In accordance with the present invention, assuming that the value is divided into three parts, x, y, z, respectively, the Jacobi identity is expressed as x || y || z. The identity of a random number is verified by the relation [[x, y], z] + [[y, z], x] + [[z, x], y] = 0.
According to the invention, when the client generates and sends the Lie product of the value to the server, the server verifies the Lie product sent by the client using the relation [[x, y], z] + [[y, z], x] + [[z, x], y] = 0. After the Lie product sent by the client is verified, the server further generates a public and private key pair using an elliptic curve cryptography algorithm. The elliptic curve Diffie-Hellman algorithm forms the part of elliptic curve cryptography used for generating public and private key pairs; the server then sends the public key to the client. After receiving the public key sent by the server, the client generates a key of m bits in length using the elliptic curve Diffie-Hellman algorithm and shares the key with the server. The server generates a session key of "m" bits using the key and the elliptic curve Diffie-Hellman algorithm, respectively. Both the key and the corresponding session key are generated using the elliptic curve Diffie-Hellman algorithm. The number of steps to generate a session key of "m" bit length is indicated by reference numeral 300 in Fig. 3. The session key is used for all subsequent communications and transactions between the server and the client. Because the session key is known only to the server and the client, the communication between the client and the server is completely secure.
The method for enhancing the communication security between the server and the client by using the third network security protocol comprises the following steps:
Initial setting: the server acts as a Key Generation Center (KGC), and each client has a public and private key pair generated by the server.
The first step: the client initiates the communication by sending a "client greeting" message.
The second step: the server generates an n-bit random challenge, or random number (value), using a pseudo random number generator (PRNG). The server then encrypts this random number with the client's public key using the elliptic curve cryptography (ECC) method. The client decrypts the encrypted random number with its own private key using elliptic curve cryptography.
The third step: the client computes the Jacobi identity (RandomNumber = x || y || z) and sends the Lie product [[x, y], z] to the server.
The fourth step: the server verifies the relation [[x, y], z] + [[y, z], x] + [[z, x], y] = 0. The server sends the public key to the client using elliptic curve cryptography.
The fifth step: the client and the server negotiate a shared key of m bits in length using the elliptic curve Diffie-Hellman (ECDH) algorithm.
The sixth step: the client and the server negotiate a session key of m bits in length for encryption using the ECDH algorithm. The client and the server have encrypted sockets.
The seventh step: secure communication between the client and the server is established.
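The Lie product exchange in the third and fourth steps can be illustrated as below. This is an added example, not code from the patent: it starts after the client has decrypted RC, and the choice of Lie algebra (3-vectors over integers modulo a prime with the cross product as bracket), the 288-bit challenge layout and all function names are assumptions.

```python
import secrets

P = 2**32 - 5            # assumed prime modulus for vector coordinates
PART_BITS = 96           # assumed layout: x, y, z are 96 bits each, three 32-bit coordinates


def join(x, y, z):
    """Pack three coordinate triples into one challenge RC = x || y || z."""
    rc = 0
    for coord in (*x, *y, *z):
        rc = (rc << 32) | coord
    return rc


def split(rc):
    """Split a 288-bit challenge RC = x || y || z into three vectors over Z_P."""
    parts = []
    for shift in (2 * PART_BITS, PART_BITS, 0):
        part = (rc >> shift) & ((1 << PART_BITS) - 1)
        parts.append(tuple(((part >> s) & 0xFFFFFFFF) % P for s in (64, 32, 0)))
    return parts


def bracket(a, b):
    """Lie bracket [a, b], here the cross product with coordinates reduced mod P."""
    return ((a[1] * b[2] - a[2] * b[1]) % P,
            (a[2] * b[0] - a[0] * b[2]) % P,
            (a[0] * b[1] - a[1] * b[0]) % P)


def client_response(rc):
    """Client: split the decrypted challenge and return the Lie product [[x, y], z]."""
    x, y, z = split(rc)
    return bracket(bracket(x, y), z)


def server_verify(rc, response):
    """Server: it knows RC, so it computes [[y, z], x] + [[z, x], y] itself and
    checks that adding the client's [[x, y], z] gives the zero vector."""
    x, y, z = split(rc)
    rest = zip(bracket(bracket(y, z), x), bracket(bracket(z, x), y))
    return all((r + s + t) % P == 0 for r, (s, t) in zip(response, rest))


if __name__ == "__main__":
    rc = secrets.randbits(3 * PART_BITS)      # constructed sample challenge
    print("honest client accepted:", server_verify(rc, client_response(rc)))
    wrong = join((1, 0, 0), (0, 1, 0), (0, 0, 1))
    print("response for another RC accepted:", server_verify(rc, client_response(wrong)))
```

A response computed from a different challenge, or altered in transit, no longer cancels the two terms the server computes from its own copy of RC.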
Advancement of technology
The technical advancement of the invention is as follows:
The invention provides a robust and safe communication system between the client and the server.
The invention provides a tamper-resistant system.
The invention provides a lightweight authentication system.
The invention provides a low-overhead system adopting certificateless public key cryptosystem technology.
The invention provides a time-efficient system that employs certificateless public key cryptosystem techniques without the use of bilinear pairings.
The invention provides a system for a set of protocols to protect against replay attacks and hacking attacks.
The invention provides a set of protocols that can work properly even at low bandwidth.
The invention provides a set of protocols that employ powerful analytic functions to reduce the probability of information loss.
The invention provides a set of protocols that enable a user to conduct secure online cash transactions.
The invention provides a set of protocols whose performance is not adversely affected by the large amount of data transmitted.
The invention is applicable to the following client/server architectures: Transport Layer Security (TLS) and User Datagram Protocol (UDP) communications, smart phones, cell phone banks, location-based systems, set-top box devices, access control systems, remote protocol systems, personal digital assistants, wireless devices, alarm systems, mesh topology networks, mobile payment systems, keyless activation systems, mobile communications, and other similar systems.
While considerable emphasis has been placed herein on the features of the invention, it will be appreciated by those skilled in the art that various modifications can be made in the invention and that changes can be made in the preferred embodiments without departing from the principles of the invention. Accordingly, the foregoing description is for the purpose of illustrating the invention and is not to be taken in a limiting sense.

Claims (14)

1. A system for enhancing security of client/server communications, said system comprising:
a random number generator that generates a random number;
a processor that receives the random number and generates a processed value;
a first verifier to receive and verify the processed value for forgery detection, the first verifier further configured to generate a verified value;
a computing device coupled to the first verifier, the computing device generating a first value, the computing device further configured to generate a second value corresponding to the first value;
a second verifier possessing a predetermined primitive, the second verifier receiving and verifying the second value, the second verifier further configured to generate a public key and a corresponding private key;
a key generator having the predetermined primitive, the key generator configured to receive the public key generated by the second verifier and generate a key based on the predetermined primitive; and
a session key generator having the predetermined primitive, the session key generator configured to receive the key generated by the key generator and generate a session key corresponding to the key based on the predetermined primitive;
wherein said key and said session key enhance security of client/server communications;
wherein said key and said session key are generated based on the same predetermined primitive; and
wherein the predetermined primitive is selected from the group consisting of an elliptic curve Diffie-Hellman system, an elliptic curve digital signature system, a message randomization system, and a Jacobi identity verification system.
2. The system of claim 1, wherein the processor comprises an encryptor that receives the random number and encrypts the random number using an elliptic curve encryption method using a public key.
3. The system of claim 1, wherein the processor includes a preprocessing processor that receives the random number and preprocesses the random number to generate a processed value.
4. The system of claim 1, wherein said first verifier includes a decryptor for receiving said processed value and decrypting said processed value using a private key using elliptic curve cryptography.
5. The system of claim 1, wherein said first verifier includes a preprocessor for receiving and verifying said processed value for forgery detection.
6. The system of claim 1, wherein the first value is selected from the group consisting of a public and private key pair and a Jacobi identity.
7. The system of claim 1, wherein the second value is selected from the group consisting of a digital signature value and a Lie product.
8. A method for enhancing security of client/server communications, said method comprising the steps of:
generating a random number using a random number generator;
processing the random number using a processor to generate a processed value;
receiving and verifying the processed value using a first verifier to detect forgery;
generating, using a computing device, a first numerical value;
generating, using the computing device, a second numerical value corresponding to the first numerical value;
verifying the second value using a predetermined primitive using a second verifier;
generating a public key and a corresponding private key using the second verifier;
transmitting the public key and retaining the private key using the second verifier;
receiving the transmitted public key by using a key generator and generating a key based on a predetermined primitive; and
generating a session key based on the key and a predetermined primitive using a session key generator;
wherein said key and said session key are generated based on the same predetermined primitive; and
wherein the predetermined primitive is selected from the group consisting of an elliptic curve Diffie-Hellman system, an elliptic curve digital signature system, a message randomization system, and a Jacobi identity verification system.
9. The method of claim 8, wherein the random number is processed using a processor to generate a processed value, the processor further configured to process the random number using a predetermined primitive selected from the group consisting of an elliptic curve Diffie-Hellman method, an elliptic curve digital signature method, and an information randomization method.
10. The method of claim 8, wherein the processed value is received and authenticated using the first authenticator to detect forgery, the first authenticator further configured to authenticate the processed value using a predetermined primitive selected from the group consisting of an elliptic curve Diffie-Hellman method, an elliptic curve digital signature method, and an information randomization method.
11. The method of claim 8, wherein the first value is generated using the computing device, the computing device further configured to generate a value selected from the group consisting of a public and private key pair and a Jacobi identity.
12. The method of claim 8, wherein the second value corresponding to the first value is generated using the computing device, the computing device further configured to generate a value selected from the group consisting of a digital signature value and a Lie product.
13. The method of claim 8, wherein the key is generated using the key generator, the key generator further configured to generate the key based on a predetermined primitive selected from the group consisting of an elliptic curve Diffie-Hellman method and an elliptic curve digital signature method.
14. The method of claim 8, wherein the session key generator is used to generate the session key based on the key and predetermined primitives, wherein the session key generator is further configured to generate the session key using predetermined primitives selected from the group consisting of an elliptic curve Diffie-Hellman method and an elliptic curve digital signature method.
HK11113388.0A 2009-12-10 2011-12-12 A system and method for designing secure client-server communication protocols based on certificateless public key infrastructure HK1159349B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN2849/MUM/2009 2009-12-10
IN2849MU2009 2009-12-10

Publications (2)

Publication Number Publication Date
HK1159349A1 HK1159349A1 (en) 2012-07-27
HK1159349B true HK1159349B (en) 2017-08-11
