TW200818835A - Authentication based on asymmetric cryptography utilizing RSA with personalized secret - Google Patents

Abstract

A method for authenticating a user to a computer system is disclosed, comprising using a first input and a second input in producing a digital signature in response to a challenge. The digital signature is valid when the first input matches a personalized secret and the second input matches a trio comprising a public modulus, a public exponent, and a private-key-dependent exponent. Selection of the personalized secret is discretionary and changeable. A crypto-key generation process uses the personalized secret and two primes as input to produce the trio. The public modulus and public exponent of the trio form a public key used in digital signature validation. Also disclosed is a business method that replaces the conventional public-key certificate with an agreement on the user's public key.

Description

200818835 IX. INSTRUCTIONS: [Technical field of invention] The technical field of the patent application belongs to information security "user authentication", especially in various digital devices, systems and network related users. Certification methods and systems. [Prior Art] The cryptosystem uses crypt〇 key for cryptography.

On the difference. In a cryptosystem based on asymmetric cryptography (ASymmetric cryptography), such as the RSA (Rivest, Shamir, Adleman) system, the cryptographic record is a public key (pubhc key) and a private key. The key (p "ivate key" is generated in pairs. The use of "public, private face" determines the two applications. - The use of private records as a - sign the face, generate a digital signature on the number of health, and make = public gold is still - the verification key to verify whether a - value is - the correct sign poor The Cl application uses the public key as the encryption key, and encrypts the plaintext encryption into (1)I using the private gift key as the decryption record to decrypt the ciphertext back to the plaintext. The good user of the text must have his signature gold thread secret, and a secret secret. Although the private key remains confidential. Therefore, the 'private key is a value that should not be leaked. ^^ :, 么开金余, the disclosure of the open gold surplus reveals the golden record and turns out the private ^. Because of this machine (four) demand, from the public The necessary conditions / ten _ difficult, is the security of the asymmetric cryptosystem, the two prime numbers of the modulo operation 'and the modulus of the modulo operation is the reason is the lack of a valid ^ two out, gold loss in the calculation of the difficulty, part of the number In RSA, a pie eight solves the multiplication of the two-beat number back to the original two qualities. There is a specific _ 密密魅生钱_ two secret prime keys; this _^-;; Making progress in privately-selected private funds limits the changes in private records, changes in private records 5 200818835 Λ Back to the process of re-creating the gold record. The background of RSA is described below. The RSA cryptosystem is described in the United States. Patent No. 44〇5823 and a paper published by Rjvest, Shamir and Adleman: “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, ”

Communications of the ACM, ν〇Ι·21 (1978), pp. 120-126. There are already several international standards that can be used to teach this asymmetric cryptography, including PKcs #i:rsa

Cryptography Standard, Nov. 1993 (ν· 15) & June 2002 (ν· 2·1) and

, EEE std 1363-2000: IEEE Standard Specification for Public-Key • Crypt〇graphy, the two standard documents can be obtained by RSA Lab〇rat〇fies and Wang E = website respectively. The contents of these standard documents include key generation, encryption, decryption, signature generation, signature verification, and other related technologies. The calculation of RSA involves modulo operations. The modulo operation is defined as follows: If X and y are two parameters, and if the positive integer z is divisible (x-y), then the result of the modulo operation of 乂 and 乂 z can be called congruence, with the symbol Expressed as XEy (mocj z); positive integer 2 is called the modulus of the congruence. The process of generating the RSA key proposed by 'PKCS# 1 ν·1·5 is summarized as follows: (1) & select a positive integer e for the encryption exponent (encryption exponent), also known as the public exponent ). (2) Randomly select two different odd prime numbers (tw〇〇dcJ p “jrTle numbers” p and q, so that both P-1 and cj~1 are homogenous to e. (3) Take the public modulus (publjc m〇) Dulus) is the product of p and q, that is, (four) is called. (4) Select a private one, denoted by the symbol 0, so that both P-1 and q-1 can be divisible by dxe_>1. The exponent e and the modulus n are used to encrypt the plaintext integer value (7), and the ciphertext integer value c is obtained by 〇(m〇dn), where m is less than η Γ and the private exponent d and the modulus n are borrowed. Calculated by mECd (m〇dn), the ciphertext value c is decrypted back to 6 200818835 The plaintext value m. f Some are in the Ma system 'for example, ssl/tls(9)C(J|O Sockets, the mixed symmetry cryptography method The encryption and decryption system. In this mixed system, the communication-side--the rsa's open gold mine--a randomly generated force and the other--the corresponding coffee-side will be encrypted secret, A & The code key 'complex cryptography method for secret communication 〇 here - H 'the symmetry secret key shared by the party (symmet "丨c c_〇_called ession key" is a The above program is called the exchange process of ^ and face. For details, please refer to the 丨 咖 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ Can be used to make - health sign. First of all, the number u, (four) a certain one with a collision impedance characteristic (a con.s. on-resistant hash function) ^M „m^^(message d_) , the table is not hash (M); then, the digital signature of the message M can be calculated by haSh (M) d (mod n), expressed as post (10) (10)). The public exponent e and the modulus n in RSA are used to verify whether a value is a correct signature. Suppose the _ bit verifier _ M II SGN, whose frame represents the number of messages, 丨| represents the link of two messages, and SGN represents a digital signature value attached to Μ. First, the 'verifier uses the selected collision impedance epoch function to calculate the hash(M). Then, use the public record (n, e) to calculate sGNe mocj η, and calculate the result with hash(M). For comparison, if the result of the comparison is equal to a correct signature. The collision resistance epoch function used by the Guardian must be the same as the collision resistance epoch function that generates the signature, that is, the function represented by 符号. The digit line is used early to the heuristic function. The Her-order function is a deterministic function (non-machine 200818835 f_), which means that the recording is (four) green by. To make a static number: the sequence function must have anti-collision characteristics, which means that it is very difficult to find different input values to produce the same output value. The collision impedance epoch function also has a one-way indication 'given ^output value' to find - an input value that makes it out of the value specific to the given output value, which is very difficult. In addition, the mask of 赫f =, /f produces a virtual random round (pseud_dom ου_) capability U=_ask generatiQn funetiQn) ‘The thief only gives the output value of 'I __ is not feasible. In the number, for the ~, the lower build has six different Hex functions with the above characteristics: MD2'MD5'SHA-1 '3HA-256.SHA-384 The output value of the H-order function is called the he-order value (hash) ▽_), also known as ash digest) ' or message digest (messagedigest), or hash value. '... The application of asymmetric cryptography raises a concern. A public 1;: two 'two ΓΓ 验证 ΓΓ ΓΓ 细 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证 验证Forged _ic-key ce_°at: Force: 3; also 疋 疋 唠 唠 唠 唠 唠 唠 唠 , , , , , , , , , , , , , , 唠 唠 唠 唠 唠 唠 唠 唠 唠 唠 唠 唠 唠] digits - (d_l into the image). A public key certificate contains three main parts: - a public record. By verifying that Feng all 'while ensuring that the individual holds the matching private identity can prove this The digital signature of the certificate institution, the user of the public account is trusted by the organization: Mainly: _^certmcati-^ Cheng, the main function is to sign and issue the public key certificate, cancel some of the certificate according to 8 200818835 The announcement of the revoked certificate is also part of the responsibilities of the vouchers. The asymmetric cryptosystem has been around for a while, but it has not been widely used as expected. For example, users still use passcodes (passwords). ) to log in to the system, which does not involve the use of "public and private key pairs." One of the reasons is that the infrastructure that determines whether the credentials are correct is not easy to construct and operate, and the flexibility of changing the private key is insufficient. This makes the work more complicated. Therefore, there is a need to reduce the complexity of the public key system infrastructure. In a specific environment, Digital message may need to be signed by a number of signatures and only by - Authentication low verifier, create multiple signature technologies that meet this requirement details, see Colin Boyd, Digital Multisignatures ,,, in Cryptography and.

Coding (H. J. Becker and F. C. Piper Eds.), Oxford University Press, = 89, PP 241_246. In U.S. Patent No. 6,209,091, two multi-signature systems are described: (1) a multi-signature multi-signature system in which partial signatures are executed sequentially, and (2) an additive multi-signature system in which partial signatures are not sequentially executed. These and other related research results of the signature process no longer use the private key, because the digital signature is obtained by several early calculations, and these partial signatures are calculated by the digital message and the signature subkey. After the signature key is exported by the private key, the private record no longer exists. Because of ^, the privacy of the private key is well protected. Eight by more - re-signature technology derived, RaviGanesan and others created a cryptographic system that separates private keys (printed edge _ _ 3 3 _1 lt; # () 17 0 祚 3 伯 1 (^ ^ see US patents N〇s.5535276, 5557678, 5905799, etc., in which the private record is divided into the first part of the private record and the second part of the private record. Through these two parts of the private record, asymmetric = code The system has two gammas: the first, the secret is divided into two parts and the 2 is separately protected to protect the privacy of the private record. Second, the user can use a short secret m but the actual password. The system is recorded and safely reduced. The first benefit stems from the wisdom of traditional secret protection. The second advantage is that the special part of the job is a short RSA secret reduction is possible __breaking analysis Silk Break 200818835 Solution, see Μ·丄Wiener's paper: “Cryptanalysis of Short RSA Secret

Exponents, IEEE Trans. On Information Theory, May, 1990, vol. 36, no. 3, pp. 553-558·”; Recently, there has been a new development in the analysis of the short RSA privacy index. See Dan Boneh and Glenn Durfee's paper: "Cryptanalysis of RSA with Private Key d Less Than N〇292, Wang E Trans· On Information Theory, July, 2000, V0|· 46, no. 4, pp·1339-1349·”. The technology of multiple signatures and private key segmentation increases the value of RSA theory in the security and user convenience layer. However, the lack of flexibility in the change of private records has not been overcome. In order to change the various parts of the private key The user still needs to rely on the following two methods - to update the update action: - - to obtain the two parts of the private sub-jinlin original reduction of the record and restore the division again; second, to reproduce a pair of "public , private key" and cut the new private record. - However, it is not ideal to reply the original private key, because this action violates the secret, the discerning care and needs - the secret of the prevention of the response is leaked in the reply process; re-generation - The "public, private key" should also be avoided, which would be more complicated than the initial "public, private key pair", because the additional cost of canceling the replaced public key certificate would be added. Therefore, in private key cutting technology, a more efficient and flexible method is needed to perform the updating of various parts of the private key. The digital signature can be applied to user authentication. Suppose a user on the user side asks for a login to the system, and (4) transmits a message - the summary message is used as a challenge to the user. Then, the user responds to the challenge message by calculating a digital signature. When the system verifies the response from the client and the verification result is a correct digital signature, the system allows the user to log in. A detailed description can be found in: "lS〇/旧 C 9798_3:1998,

Information technology-Security techniques-Entity authentication—Part 3:Mechanisms using digital signature techniques·”. This login method has an advantage. Assume that the public and private key pair generator 200818835 is publicly available. The producer came _ should, but leaked! The privacy of the private record. As mentioned earlier, the private deposits are not selected by the user. Therefore, the private key is usually taken, for example, by the user's personal identification number #, for example, a 'c card'. To achieve 14 kinds of hybrids, the main hardware costs, including = = card and card readers and the manufacture of cards, such as time analysis and error analysis attacks, j with wood pairs The private key in the ic card is cracked. Yes, the current general admission process, including implementation of Windows NT and UNIX ΓΓ/t, uses both passcode and symmetric cryptography. The process can be described as follows. =1, ΐ t identification (4) The identification data of the legal user registration must be (the user-passenger code (user-chosen passw〇rd) is used to pick up the mS user terminal, and the user requests to board the person and Enter his knowledge:: engage in 仃: 'This input pass code passes the same Hertz function to generate a new system, the result of the H-order and the pass code are not subject to the system of login. Use a message such as = 'breaking the system randomly generated' as a challenge to pick the user π digest is generated by the correct passcode. This challenge is passed to the new epoch summary as the cryptographic key It is used to encrypt the recipient of the received user. The recipient's system retrieves the claimed result from the authentication database as if it were the same as the original challenge, and then considers the login ^ real === weight for the user The screening method has been widely used, and its handle: 弋:, 甬: ί lacks to be overcome. One of the threats to password security comes from ΐ ίί, the computer still looks normal as usual, but intrusive木木釺;-二?' ^Unauthorized actions, such as records The input of the disc then conveys the surface of the material to the surface of the material. The attacker can steal the technique of the trojan invaders to the machine 200818835. The secret information sub-crime attack method also shows the word of the pass code, medium and comprehensive. Second = in the known passcode guessing of various dictionary attack methods, try to identify all the data for the text:: the same dictionary, the comprehensive dictionary attack method can == two if the attacker can take the pass code can be arranged In the attacker's word and the second weak pass code 'and this type, such as the type, its comprehensive guess is connected, the single-i use ϋΐΐ - a blocking mechanism to close the number of attempts, the face dictionary The attack has a window, Α Α χ 谷 谷 谷 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易 易Also, the service of the system. User account. In addition, attac^r^ code attack 'is called encryption dictionary attack (enC_〇n _〇 ah esnacK) ' ^Tian Shu Yu··A thief y :_Rate calculations are obtained; therefore, this attacker: ==: The ordinal value is used as a plus The key encrypts the challenge, and w can determine whether the guessed PWD is positive; it should be compared. 'K樘 樘 攻击 attack is very threatening and t's determined attacker can make a special election Human software, to receive directly - as long as _ _2 =: 7 profit _ software, attack code. 夂付谷易, ya does not need to crack the pass of this line of code is still prevalent in the system In the system, there is a need for a known attack against the purple, so that the user can =A: 12 200818835 to familiarize with the conventional passcode system. [Summary] Asymmetric key cryptography and two copies Based on the published patent application, this patent application describes exemplary methods, techniques, devices and systems related to digital user authentication. The first is US Patent Application Publication No. 20060083370, which is entitled "RSA with personalized secret"; the second is US Patent Application Publication No. 20060036857" whose name is "user authentication by Nnking randomly-generated secret with personalized secret" .

This patent application refers to the two published applications rRSA with personalized secret jAT User authentication by linking randomly-generated secret with personalized secret, respectively, which are referred to as the first and second publications respectively. The first publication was also published by the Intellectual Property Office of the Republic of China, and its name was “RSA Cryptography Method and System Using Personalized Secrets”. The publication number was 2〇〇629856. "The methods and techniques described in this patent application may be designed in an authentication system that utilizes the "challenge and response" process to achieve secure communication between the user and the system. This application assumes that a user requests to log in to a system at a user workstation, and that the 'system workstation is a computer system, and is often referred to as a system or a system. It is a personal computer, or a device with cryptographic operations and other computing devices. The "system side" and the user j" are also covered in this article (4). _ A / (4) party used two authentication data pieces to verify the request to board the person - the Department of Computers password jinsheng ^ _ money confession meal, is by a certificate of information, the silk order is described in the first publication. The two recognized public prime numbers are ^^ connected. The password golden gun generation program takes care of the personalized secret and the two as the rounding value to produce a public modulus (a _icmodule), 13 200818835 η

A public exponent, a combination of three elements consisting of a private key correlation index (a piivate-key-dend endent exponent) (at|i〇), as the cryptographic key authentication data piece (crypto -key authenticator). Users need to provide these two authentication materials in order to obtain permission to log in to the computer system. In a consistent case, when a user requests to log in to a computer system, he uses a -first loser and a second loser to generate a digital signature in response to a number from the computer system. challenge. The bribery signature will be valid when the first- and second-identification users share the first- and second-certified data items; according to this inference, the validity of the digital signature It determines whether the winners are eligible for the certification, and also determines whether to authorize or reject the request for login. In this implementation case, the computer keyboard used - the public gold wire verification - a digital signature. In a real face towel, the above-mentioned signature will also be verified at the user end of the response message. In the combination of the public office and the public index in the combination of the public and the three elements of the recording, the public record to the same must be used for the system. In a case towel 'user workstation, the above-mentioned = code money certification dragon piece is obtained in an automated manner; in other words, the user workstation is stylized: the password key three components are transferred from a persistent memory towel. The combination is given a clear indication by =. In this embodiment, the user workstation is more H匕, and the user receives a pass code input value, and the Kim system iii uses the input value of the pass code to generate a digital signature; and the computer system mLS, 'Using a verification data to determine whether the digital signature is valid, if the i line determines the input of the pass code is met - a pre-selected data is -Vi door full = reduced request to board. In this implementation, the verification line __金论 is in: Any of the subscriptions. The user must be assured that the system side uses a correct public key to verify the digital signature. This patent application further proposes a method of replacing the traditionally: a digital public key certificate _丨(9)_丨丨c_key certif丨·c_ to ensure the authenticity of the public key. According to this business method, the user registers at the New Zealand side - the public is received and receives 5 registrations (registration c〇nfjrma_. The registration confirmation confirms the registered public account and explains to the user Ensure that the system is responsible for using this eight-card record to verify the digital signature; if there is a dispute, the user can indicate the registered public account according to the second agreement, and refuse to be the system side accordingly. Any wrong digital signatures received by the error. Also appealed. The private mt case entered - Wei Shen the registration of the book _ book, to contain the guarantee of the system =: if a certain - digital signature is valid The validity of the public age of the registration confirmation can be used to confirm that the validity of the final chapter can not be denied. In the law method, the registration confirmation becomes a term between the user and the system. Law = - The implementation of the above-mentioned business method provides a supplementary procedure, = day: even _ square wire to check the open money. This material to the system and its communication in the 'electricity system' closed public money Same as the one used on the user side. In the line code Γ=Γ, a user selects a pass code and uses the tongma/, a wood 5 type cultivating item to log in to individual users on the network. Should be on the network _ _. Each record in a material f contains a cipher face three components = two or two users selected pass code is related; in the clear brother - The public currency describes the establishment of a simple password generation program: using the 15 200818835 ::: individual - to generate three outputs for the prime number, as the cryptographic key three components of the _ record in this collection. Dehe. The method of relying on the method towel's password and the aggregated authentication data are two different factors. In the system side, the user is allowed to register different disclosures. 'Users can use the same passcode to log in to the certificate' but use the individual public face in the computer system to check the correctness of the digital play to determine if the passcode is used. 33 also describes - the recording, this object package - A face-readable medium 4 /, buckle 7 buckles do not perform the following actions · · Transfer a login = ', · two computer systems; receive a challenge message from the computer system; use the first A = the message of the warfare from the brain-generating system is treated as a conversion process to the computer ^, and the lang address of the 4th chapter and the (4) of the Zhao position is transmitted to the electric system, and the sub-received from the computer system Permitted to use the corresponding system on the computer system to verify the digital signature of the user to use the 疋疋 录 录 验证 : : 把 把 把 把 把 把 把 把 把 把 把 把 把 把 把 把 挪 挪 挪 挪The machine is a personal computer. This I can be used for other pure or devices that make the time, such as a D_ Assis thief PDA, or _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ As with the conventional passcode system, there is a technical difference: in the pass, a .....th order value is stored 'to verify the input of the pass code; and according to the present Special: d : code == the value of the digital signature generated by the value of the signature is the second person who is familiar with the technical field In the end, after reading the best description of the text, you will be able to better understand the objectives of this special office. λ ', the foregoing general description and the following detailed description are examples of the content of this patent, 16 200818835 The purpose of which is to further explain the scope of patents. The above and other examples, embodiments and variations thereof will be explained in more detail in the drawings, the detailed description, and the claims. The following is a description of the purpose, technical content, characteristics and effects achieved by the specific embodiment in conjunction with the attached figure 4 and the accompanying drawings. [Embodiment] The present specification provides a detailed description of the preferred embodiment of the present patent application, and is exemplified by the following examples. The reference number of the towel will be the same as the number shown in the figure. The user authentication described in this patent application is constructed on the basis of a challenge and response process, and the user terminal = system side communication is executed according to the program. This program is a communication protocol (c〇_unjcati〇n pr〇t〇c〇丨), and 匕 describes a step-by-step way to define communication between the two ends. In this program, the user end uses two authentication data pieces (tw〇authentjcat〇(5) from the user to generate a digital signature in response to the challenge from the new end, and the line end utilizes the user. A registered public key (a registered pub|jc kiss) is used as a verification material to verify the validity of the digital signature. In various implementations of the user authentication described in this patent application, At least the following characteristics: First, there is a certain relationship between the public key and the two authentication materials, but the disclosure of the public key will not lead to the leakage of secret information on the two authentication materials; The person can choose a personalized secret independently, such as the pass code selected by the user, as the first authentication data piece; third, the user is allowed to change without changing the registration public key. The second authentication data item; fourth, the user is allowed to have one: the same secret, such as a pass code, as the first authentication data piece, but registered different public money in different systems. Figure, This figure is used to illustrate the basic concept of this challenge and response procedure. In step 110, a user workstation transmits a request to log into the system to a system 2 17 200818835 station; in step 120, the system workstation sends a challenge The message is sent to the user workstation, and the user workstation is required to use two correct authentication data pieces to prepare a response message. In step 130, the user workstation connects (4) to the first input value of the first authentication data piece, and represents a second input value of the second authentication data piece, and using the two input values to generate a digital signature for the challenge message; in step 14, the user workstation uses the first input value to verify the Whether the digital signature is valid; step 13〇 can be repeated until a valid digital signature is generated; in step:; 5(), the user workstation verifies the valid digital signature and a use The identification (a use "identifier" is merged into a response message; in the step lake, the user workstation sends the response message to the secret guard station; Step 17Q towel, the system workstation uses a registered public key (a registered public key) as the verification data to verify the validity of the digital signature, and the public key is obtained according to the user identification; In step 18, the system workstation determines the request to allow or deny the login system based on the verification result of step 170' and notifies the user of the workstation's decision. The first authentication data piece is a personalized secret, which is a user's autonomy choice. , such as the user selected _ passcode. The second authentication dumper is also a cWto-key authenticator, which is a public modulus (_|ic m〇du|e), a public index ( Public exponent), a combination of three elements of a private-key-dependent exponent (trio). Referring to Figure 2, this figure is used to illustrate the conceptual architecture of the method described in this patent application, similar to the aforementioned second publication "User authentication method by linking randomly generated authentication secrets and personalized secrets" One of the architectures mentioned. The main difference between the two is that the method described in the patent publication is not based on asymmetric cryptography. Figure 2 illustrates two basic concepts in an architectural manner to guide the design and embodiments described in this patent application. First, a pair of "public/private key pairs" (a public/private key pair) plays a link role, linking the two authentication data pieces of the user side with the verification of the system side. 18 200818835 ^Information. The public key of the key shot and the private payment _ are established. In the system of the endoscope, the information used for this verification is that the public has a different relationship with the gold, and the digital sign is replaced by the digital sign. In Figure 2, the user 210 is placed on the user side and the system side. 疋 对 对 对 对 对 对 对 对 对 对 对 对 对 对 对 对 对 对 对 对 对 对 对 对 对 公开 公开 公开 公开 公开 公开 公开 公开 公开 ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( ( The component 22 on the system side is a public gold sentence, and the two lines 230 and 240 on 25Γ=ΓΓΛ indicate that the two verification data pieces are in (4) gold if. The user described in this patent application The calculation of the certification system has occurred. The key __• is not followed by (4) the trr is allowed to maintain the line end of the inspection forest, the more hair, the two certified data pieces held. In Figure 2 In the update program 2, a new first authentication data piece 280 is used to receive the data pieces 250 and 260. The spears are used to update the two certifications. Explain in detail that these and other characteristics = we create - side-user authentication of the pass Ma system, its security is equivalent to the RSA system, but such as the scales of the people from the line and the RSA secret solution (4) & Overcome a reference to Figure 3, which depicts the creation of two certified data pieces as defined in the previous section. Contains a production process of Mimma money, the program has been described in the brother 1 open Shu, it can be executed on the user workstation, such as two 2 'or other implementations like "public, private Generating a program: A personalization device that carries a force. The user workstation includes a machine readable program to store machine executable instructions that direct the user workstation to perform work with =. Step 3: Receive A personalized secret 305, denoted by s, is regarded as the first authentication data piece. Step 33 转换·· is converted into a temporary value 332 via a first supplemental secret 3〇5, denoted by u Step ^The ^ 19 200818835 Use the "RSA Open, Private Record" program to generate a public modulus n (344) and a public index e (346) from two odd prime numbers p (312) and q (314). And a private record d (342). Step 350 · Use the temporary value u (332) in step 330, and the two odd prime numbers p (312) and q (314) in step 34, the private key d (342) in a second conversion formula to generate a private key correlation index v (355). 36〇•• Delete the private key d (342), the two prime numbers p(312) and q (314) from the associated memory, and the temporary value U (332). Step 370 · By step 340 The public modulus n (344) and the public index e (346) obtained in the process are combined with the private voucher correlation index v (355) ' obtained in step 350, and are combined into three components of the password (n, e). , v) (375), the combination of the three-part (n, e, v) of the password is regarded as the second authentication data. Step Fine: The second member is stored in the persistent memory 385. According to Fig. 3, the first authentication data piece does not need to be stored in the persistent memory, and the user can fight for himself. The hash value or similar derivative value of the Weizheng data piece is not required to be stored in the persistent record (4) as the verification time. In the user authentication method described in the patent application, it is verified that the nuclearity of the brewing signature stamp generated by the transmission of the first-certified data item can be "indirectly" confirmed to be correct. Attacking a person strengthens the system _ security, especially money #第—certification when the user chooses the pass code. Yang is disclosed in the public modulo of the combination of the ciphers of the three elements (n, e, v) in Fig. 3! The number of e-compositions - the public key. The user registers the public as a verification static material, and it can also be used as a verification data for the coffee maker, and a 330 is used for the verification of the coffee. The conversion type 'step 350 uses two conversions and one conversion type can be regarded as a pair conversion type, which is represented by f1 and f2. Where -^ can be expressed by the following expression: f2(y,h,k,z),LCM(h -rk_υ + ζ+((-y)咖LcM(h —,,k 20 200818835 1))) In this expression, χ, y, h, k, and Z represent the first authentication data piece s(305) > u(332) ^ fp(312) > q(314)^ fA^ Numerical example of gold record d (342). This is a two-matrix function for the conversion formula. To avoid aliasing, the input variables of f1 and f2 are replaced by new variable symbols. In this expression of f2 , parameter c is a non-negative positive integer, lcm is the smallest public ^tt (LeastCommon, ^ Η iX#t(a coI!ision«resiste^^^ , 1^##^ 1

The second expression of the transformations f1 and f2 is: f1(x) = H(x), where (a) and the parent are as defined above; f2(y' h,k' Z) = CX(j)( Hxk)+z+((-y) coffee, whose towel c is a non-negative positive number, φ疋尤拉φ function, and y, h, 匕, and z are defined as the first expression of f2. 11 as defined above, and μ is a digit message. It is assumed that the digital signature of f1, s, v for this digital message can be calculated by s丨gnature'ha'M-hash mod η, which is also equivalent to mGd n ) x (hash (M) v coffee η)) coffee. The two 曰, ’ has_)_ _ η and hash(M)v - η in this modulus, are used to calculate the Μ ^ ^ split signature. This is considered to be the work of the second _copy number of chapters can be executed in the single-participation or in the joint work. 2 Verification - whether the given value SGN is a correct θ calculated for μ, and the work is verified. The congruence of the haSh(MXSGN)e(modn) is equal. The ίΪΐϊ haSh(M)(four) ordinal function used is not different from the traditional RSA used to calculate the 1 , ', and function in the digital signature. The same Hertz function can also be used for the first conversion, but this is not a necessary condition for f1. In the embodiment of the program of Figure 1, the digital signature is executed on the user workstation. 21 200818835 The workstation can use a single processor or two processors. The first-conversion must also be used on the user's workstation, while the second conversion is no longer used after creating two certified data pieces. As described above, the second authentication data piece is a combination of three components of the password, including a number of public boards, a public index, and a private gold related index. The index of public open modulus and private record is used in the calculation of the digital signature, while the public index is not required for the calculation of the digital signature. The public index is included in the purpose of the authentication data piece in order to verify the validity of the digital signature at the user end. The verification of the user end allows the system to detect the attack at the beginning of the guessing attack, because the digital signature received by the system from the user of the authorization right must be the same. Now, according to Fig. 4, this figure shows a procedure for updating the first and second authentication materials. This private sequence is executed on the user side and includes the following work. Step 41: Receive an old personalized secret 402 'represented by s as the first authentication data piece, and receive a group-password golden input three components from a persistent memory 409 (n (4〇4) , e (4〇6), v (furnished) = combined as the second certified data piece. Step 42: Verify the received and obtained verification data by verifying the validity of the digital signature of the test message Correctness, the = test message here can be generated randomly. Step: If the verification result of the step is correct, then continue to the next step, otherwise you can return to step 41 as needed to repeat the different 2 rounds. Step 440: Receive a new personalized secret, denoted by s, and create a new first-certified data piece, and ask the user to give the care. Step 45〇····f f is the same in step 330 of FIG. The first-conversion formula to calculate two temporary values two = and u,,,). The procedure is as follows: calculate v, = v_ (four)). Step 47. : Using (7), e = generation 2 certified material (n, e, v) and storing in the same persistent memory, it is worth noting that the update procedure in the above keeps the public modulus and the official document. The user side executes it. + There are _ shortcomings in the above update program that need to be overcome: the 22 200818835 V obtained in the step lion must be guaranteed to be 0 χ φ in the second expression of the positive integer Qf2 (_曰m 状 C C C C C C C C C 1) The choice of the positive integer c of the younger brother =, this shortcoming; by a suitable r1(s) difference r 佶 4 ^ 曰 (four) 岔 Meng key correlation index v, can be guaranteed than n (s ,) and Ding, the so-called π (ϊ,) and the difference can be proved: according to the setting of ί1 (χ) = Η (χ) is known, the value of ρ must be cut, in H (S') - H (8) The absolute value of ^- a positive number reading is a known constant 'so the 'can' can choose - a parameter ci χ 10 Μ (ρ·Μ-υ ^ The choice of C will ensure that the old one is positive The result is that the reading phase is difficult to subtract V - the difference produces this change;, ", with: 2 'this - Figure illustrates the change of the implementation of Figure 4. In the process of processing if 5G2 ° to perform more active The processing _ and one passive are stored in a permanent memory that is built into the "two, three, and three elements of the combination of (n, e, V) leaves for the purpose of A heart" In the body, it is set in passive processing ^ The _index V and its updated value V, the information can be used by the limiter update program - part of the work is to confirm that the gamma - certification input = correct input 'in the program of the W, use It is more complicated to perform the above-mentioned confirmation work. The two: the correctness of the === shengzaki chapter, to confirm the input il passive duty, to produce - her chapter; steps 512, 5 Don't: "The dynamic processor receives this request from the persistent memory 5〇9: π pieces (Μ504)' e _, ν(5()8)), and transmits (n, e) to the master Two: 520 520, 525, 528, and 53G, proactive processing, execution, test, test, hash (M), transfer has_) to passive suppression, and = 23 200818835 test message Μ calculate DS1e hash (M) (10) m〇dn, generating a first partial digital signature DS1, in step 535, the passive processor receives (4) from the active processor, and receives the public attack number n ((10)) from the step 514 and the Private key fine index v (508), step. 540 'The passive processor through calculation, Zhong Guqing m〇dn,

Generating the first knife number early DS2, step 542, the passive processor transmits the second part secret signature DS2 to the active processor; in step 545, the active processing reads the first part digit The signature DS1 and the second part of the digital signature absorb and calculate the m-digit signature: sg__SixDS2 mod n; step 55〇, by verifying the congruence equal haS_)E(SGN(M))em〇dn, Verifying the correctness of the digital signature; if the verification result of the frequency 560 4 step 55〇 is “correct”, the active processor continues to perform the work starting from step 57G as shown in FIG. 5_2, if the verification result is an error condition Need to go back to step 510. Figure 5-2 illustrates the combination of the three components of the password record (7) (5〇4), one (5〇6), v (update work of 5 clear, step 57G, the active processor receives a new individual) The secret s' (565) is requested and the user is asked to give a confirmation. In step 575, the active processor calculates the two temporary values (4) (8) and u, using the same first conversion formula f1 in step 330 of FIG. F1 (S,). In step 58, the active processor calculates the difference between the two temporary values, denoted by D, that is, D = u, _u, and transmits to the passive processor. Step, the passive The processing computer calculates v'=VD. In step 59G, the passive processing n lion (n, e, V,) replaces, and some (n, e, v) ' to update the second authentication data piece. Step 595, the initiative The processing is a passive notification process, and informs the user that the update is successful. The term "private record related index" is used to emphasize that the cryptographic key of this part is related to the private key. And the personalization secret has nothing to do with the private key. The solidified secret" and the "private key correlation index" Replacing the "private key", and the private gold loss becomes a "hidden" secret. In the process of generating and updating the authentication data, the choice of personalized secrets is quite flexible. The flexibility of the tons is due to f1. The skin is designed as a collision impedance. The number is 24. The following is assuming that the personalization secret is a pass code selected by the user. In the registered program, the user _ 3 shows the sequence n (four) line code as the first - the authentication data piece 'and generates a combination of the three components of the group password money (n, e, v) as the second authentication data piece. The user registers his identification name, the model name, and the public index e System workstation. Refer to Figure 6-1 for a detailed process description of the implementation of the program. Component 601 is a user workstation used by the user to send a login request to the system workstation. 602 is represented as the workstation of the system. In a network environment, a system identification name must be recognized by the system workstation, and the same, a user identification name must also be used to identify the user. The remote workstation receives from the user a user identification name (605), _ system identification name (; _, line ^ input person PWD_), and a persistent memory provided from the user 2 to pay - group password money three components combination (n, e, v) _); step 615, the user workstation transport - a request for a person to red station, this (four) do not call the identified mosquito; Coffee, the system workstation generates a challenge, the information can be generated in a random manner; in step 625, the system workstation c_times the workstation; the step coffee, the user receives the challenge message C; step 640, Your er | τ 乂 seven C 瞀ψ _ she is annihilated. μ user gamma received _ challenge message burdock: ^ N (C) EhaSh (C) f1 (PWD) Xhash (C) V mod η ; , the donor workstation by verifying the congruence equal hash (C) E((SGN(c)e) η to confirm whether the digital signature is correct; if step 66 ^, continue to perform step 665m π曰... the main m "is the correct entry of the cow (four) 叩ς - the private order' Otherwise, depending on the situation, it is necessary to repeat the step 610 of the second 665, the miscellaneous red squad is: - contains a response message; step _, the user works == suffocation to the system workstation · cattle both For example, the system workstation of η 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 、 Step _, the system workstation verifies that the digital sign in the response message is correct by verifying the same as 2008 200818835 = equal hash (C) E ((SGN(C)e) mod n, where (n, e) For the registered public key, it is the public modulo n and the public exponent e in the combination of the cryptographic key three components (n, e, v) (608); in step 69, the system workstation is based on the verification result Authorization or rejection The request to log in and notify the user workstation; in step 695, the user workstation receives the decision of the denial request and decides to perform subsequent work accordingly. In an embodiment according to the flowchart of Figure 6-1 The user workstation receives the authentication data piece in an automated manner, in other words, the user workstation is

The combination of cipher key three components is received from the persistent memory without any indication from the user. This implementation relies on a passcode system, which is similar to the pass-through and tune-in code system. As far as the makers are concerned, this passcode method is derived from the two authentication data methods described in the previous section. . The passcode method includes the following steps: when requesting to log in to the system, receiving an input as a passcode; using the input to generate a number and signing, using a public record to verify the correctness of the digital signature; If the chapter is verified as correct, then the input is confirmed to be in compliance with the pass and the result of the login request is authorized. ▲ Figure 6-2 illustrates a change in step 64 of the first picture. In this variation, the user workstation 6G1 uses an active processor 651 and a passive process, 652 to perform the steps, and all the steps described in step 640 '6-2 can be used instead of the step 4' It is assumed that the combination of the three elements (n, e, v) (_) is stored in the persistent memory of the passive processing cry. Step 641, the active processor calculates hash(c), which is step 63. Receiving the _chalch message, and then sending the heart to the passive processing, step 642 'the passive processor receives the hash(c); step 643 the dynamic processing ϋ郷 性 记 _ _ three-component planting (n , e, v), and pass the eight open gold record (n, e) to the wire processor; step 644, the wire type receives ae "^ hunting by computing DS1 _sh (c) Qing D) - n produces a The first part of the digital sign is early, step, step 645 'The passive processor generates a second part of the digital signature DS2 by calculating DS2_sh(c)v café 26 200818835, and transmits the calculation result to the initiative Processor 624 'The active processor computes sgn(c)eDs1xDs2 n to generate a digital signature, and iy_ performs the steps _ subsequent operations in the sixth diagram. All of the steps in Figure 6-1 are performed on the active processor except for step 640, and the two processes perform step 64 in the cooperative manner described above.

According to the implementations of Figures 6-1 and 6-2, the input of a pass code, for example, causes the pass code of the key to be input, and does not derive from the derived value of the pass code such as the Hertz value. Verify the correctness of the passcode input. In this embodiment, straight = step 66j is used to confirm whether the input of a passcode meets the pre-selected u-code. If the result of step 662 is erroneous, it means that the key of the pass code is incorrect. Since the cryptographic key authentication data piece is not manually = input, the probability of the pass code being wrong is higher. high. f In the example program illustrated in Figure 6.1, the password is certified.

: In the = low storage device, such as memory card, coffee (_ secret (5) Bus) J disc or 疋 a radio frequency identification tag (RFID tag). The passive processing of the storage 11 652 contains built-in persistent memory, and has the ability to read and calculate part of the digital signature, where the main execution. The passive processor in Figure 6.2 may: ; ^ , 〇 key, must be kept secret and lost." Dealing with poor code: big threat; relative 'passive secret in Figure 6_2, because I sent a sub-I1 gold record and private gold performance related index V, v is only half of the secret 4 ^ lost 34 - half of the secret security threat is relatively low. Reporting hard to push 7 = yes with the public __, however, to public _ (n, e) is to use mt cryptography ~, under this premise, whether it is from the system side or to expose 4 A open gold record (n The sentence does not help to successfully derive v, which is the result of the mf2 defined in the previous paragraph 27 200818835. Here again. 仏 another - semi-secret security, that is, pass ^ -t〇. in public gold The rest of the sound, 7 "pounds in the private order" allows the bee user to change the private gold:::=== code, also does not need to use the process of using Ding Yuyi, Hummer, system work The information is helpful to the system of the pass code. The work face of this line does not get any communication method to challenge the station to use the challenge and response. - The private post-record is safe, then this communication will also It is safe. If you want to use it, the input of the pass code is not directly derived from the derivative code of the pass code, and indirectly, by verifying that the loser produces the seal of the dragon mark. The input of each pass code is correct or not. Therefore, the pass code is ^. In this patent application, the derivative value of the pass code is one. :Change:= Output, this conversion formula uses the pass code as a single input.

Broadly speaking, the private record related index v is a social value of the pass code. However, V is the green input via the f2 conversion type. In addition to the pass code, f2 receives three input values p, q and d during the conversion process: v=f2 (f1 (passcode), p, q, d) = cxLCM(p-1) + d + ((-f1(passcode)) mod LCM(p—q —υ) or ν=_(passcode), P,q,(8)+ d + ((-f1 (pass code))) m〇d _. From the above derivation process, when the values of p, q and d are not known, the pass code is still unknown after revealing the v value. One of the methods for cracking the pass code is poor. A search or dictionary attack, that is, a guessing attack. In order to determine whether a guess is correct, the attacker must be forced to: • Calculate a digital signature and verify that the digital signature is correct, so each guess = All 28 200818835 Needs the calculation under the number n, the ton is good, and the calculation required for its guess is more time-consuming. This is a summary of the security experts who are trying to discover the new method of authentication, the part of the reason It is the right to go to the hang (four) pass code certification branch seems to be not safe enough to prevent the entry. And factor identification _ fine or authenticati〇n) provides a benefit The method mentioned in the case (4) can be said to be double @子_ and there is a special identification method. Usually, a user-selected pass code is used when =, 'and the use of the birth (four) sign is the fingerprint t for another - a paste The two-factor identification of the type violates the privacy of the individual. Its ^ physiCa, ^ Γ人ΓNumb咐 are two identification factors. In this type of method, a wide complete secret, and the real authentication secrets such as cryptography are stored in the entity object. . The method described in this lion's case is to use the private scam, the identification factor, as described in Figure 3, the secret = gold ^ appears (four) recorded the certification of the detained ship and in the subsequent calculation process Will not • strike the implementation of the case described in the text, the password gold certification information is stored in a pack. The first-certified data piece, that is, the pass code, can be stored without being stored in any device. For example, the Hertz value of the passcode or its encrypted value = need to be stored in the persistent memory in order to confirm the correctness of the input, and ^ by confirming the correctness of the digital signature generated by the round entry No to verify the entry of the passcode.曰This combination of two (four) pieces of _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ In this procedure, the number of early attacks, the test of money is shouted: at the maker workstation, the contact county is included in the response message - verification - times ' * at the other end, the system guard station receives it Back 29 200818835 The digital signature in the message was verified again. Thanks to this ingenious design, the system workstation can be challenged by the authorized and infringed person. In order to make the design of _qiao more efficient, it is helpful to make the following changes in the procedure for picking I's response: it is included in the back and the identification is also checked. For this modification, there are several feasible, two θ σ "key elements or - check code as the user's class name - H use the he sequence value as the verification information. According to the above design, the system workstation has this force. The attack is detected at the beginning of any online attack. System workers _ people are not correct. The system is responsible for ensuring that the public essay public voucher is used to meet this need, according to one method, Note _ public face is - relying on

Auth9my 5 ^ ί: & Depends on the U-construction to register the public record of the public record. Because the pure end and the __ _ lang bear the responsibility of the open money, the CA method can be benefited by the first CA method. Unless the system side colludes with the conspiracy, the digital signature of the wrong system is the method that will be inspected. = The lack of security control at the end of the system 'The misconduct at the system side is likely to occur on the North Dan dynasty' This is the main cause of information security incidents that have occurred. As described in the previous article = Knowledge, there are a number of technical defects in the 'source_passcode authentication system'. For example, the administrator or other internal M workers can steal user identification from the system's authentication database. The beer and its corresponding he-order value, and unauthorized access to the user account; such unauthorized access to the available technology, including the offline word industry to pass the special body to receive access Therefore, the user's authentication method described in the patent application is a method of authentication using the passcode 30 200818835, but the authenticity of the publicity of the CA visa is strengthened. It is the complexity of the degree of authenticity and kingness of the traditional (four) certification institution. Information security experts have come to understand that the passcode authentication method proposed in this lack of complexity can simplify this—complexity, slavery = segmentation and the benefits of enhanced security; loss of protected secrets—half = The safety concerns caused by the entire secrets will be less. If = still provides a considerable degree of security, the user does not have to immediately = the second key certificate. Exempt from reporting to the inspection agency ~ == instead of the user can work in the system 2 = ^ Yu, Yam station station refused to shop the plaque = this == a business method to replace the certificate agency Role, the user registers a public key on the system workstation, the end? - item agreement. The system workstation accepts the registration of the public record: 2 (10): j is obligated to know the positive touch of the front face of the digital sign 1 1 use the registered public face # is the test of the number of the sign of the product certificate, then use One cannot deny its validity. ^ 11 law. The publicly recorded contract can be used as a party to resolve disputes by both parties. Hrr is registered on the system side. If the contract is not valid, the user has the right to refuse to be rejected by the system. In addition, the incorrect digital signature; also 'according to the transfer of the contract, the signature of the seal on the contract is correct, the user is obliged to bear the validity of the digital signature. == The book provides - the law to solve the problem of the validity of the signature. The stalker & the guarantee on the book 'users can trust the system to use the correct public 200818835 key' and thus use the voucher to check the openness of the public face, which is usually in the usual business transaction behavior; The three habits of 'constrained by the mi contract material supplier #丝可面面号' Wei Shang, do not have to be affected by the 8 figure 'reward's permission - the gamma 捡 _ _ correct all ==:::=: - a program. When the user is in two places, νΐί, not τ 'this check procedure can be executed simultaneously, therefore, this process is Μ Μ Μ Μ 者 信 、 、 、 、 纽 纽 纽 纽 纽 纽 纽 纽 纽 纽 纽 纽 纽 纽 纽 纽 纽. A / 3⁄4 瑞 归 归 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于 于); step 5, cough causes 5 workstations to randomly generate a message, and the random message is identified with the challenger in the challenge message; step 82 (3, the use of the red station to convey the challenge message j corresponds The system identifies a system workstation (802) that is called ;; step _, the department, the charging station uses the user identification name in the challenge message to be received as an index 'from the system-side authentication database (825) The middle search obtains a public gold balance used on the system side; face 835, the system workstation derives a symmetric heart code record used on the system side from the public record; step 840, the system workstation uses the symmetry The password is encrypted as a cryptographic key to encrypt the random message in the challenge message into ciphertext; in step 845, the system workstation includes the essay in a response message; in step 850, the system workstation transmits the response message Give the user workstation; step 852, the user workstation receives the response message, and obtains from the persistent memory a public account used in the user terminal of 32 200818835; in step 855, the user workstation is in use The symmetric cryptographic key used by the terminal; the second 60's workstation decrypts the ciphertext in the received response message with the user-side symmetry password ageing as a first reading; The user workstation decides to read and pay the public key used by the user on the system side and treats it as correct. In the flowchart illustrated in Figure 8, step 835 uses a new one - The symmetric cryptographic surface used on the system side, and the function of the step cadence = Γ length can be used as the phase; second, ^ the library that generates the two authentication data pieces described in Fig. 3, arbitrarily Select the pass code. Even if you enable the successor and the user can change the registered public _. M, ,, k, and the same pass code, he can still be more = book Registered public gold loss needs to be again = 22 two open gold Wei is guaranteed The change is based on the key generation procedure described by the CA to capture the tank eight R VIII / j using the brother 3 diagram. If the new disclosure of the gold surplus == 3 = the change of the public record needs to be re-issued, registration Contract ===Color - Same as the system workstation described above, (4), :f User chooses different passcodes to apply for the patent application, and this is the burden on the memory. Registered is a 3 inch inch 疋 〉 〉 『 『 『 『 『 『 『 『 『 『 『 『 『 『 『 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 》 Can eliminate the need of CA, greatly simplify the complexity of the open, so that users can register different public records of the (four) workstations, or register - the phase of the public money on the system workstation ~ The magazine students come from the following two reasons: (1) Deriving the private record in the calculation by the corresponding public money, and (2) simplifying the public age. The user authentication method designed by the pass code of the moth patent application utilizes two recognition factors, (1) the pass code; (2) the public modulus, the public index and the private key correlation index. (4) The information of the Jinweizheng (4) postal average ^ she (10) · (7) (10). When used

When the different volumes of the book were recorded in the numerous systems of Yuzuo Station, the amount of their certification was increased. 'At first glance, this is a disadvantage of using different public accounts. There is an advantage in the different system workstations: when a certain private side is disintegrated, the risk caused by it can be limited to the corresponding system of the book; in addition, The solution provided below allows the user to have multiple public keys but overcomes their shortcomings. / ^ In a network environment with a majority of system security stations, when the user requests to log in, he must present the identification name of the system he wants to log in on the user workstation. The name can be used as an index. Information to search for the password corresponding to it ◎ 'Materials' change & a password record can be linked to a money identification, and such a link can be collected and recorded in a single file, so this file Both the passcode and the passcode can be considered as the input to the user authentication process. This Huahe money identifies the location of the shot and password money and its links, which simplifies the process of inputting the process. It is called "aggregate authentication material". 〇 Collective authentication data is used. The face-to-face touch file can be stored in two portable devices such as usb with (4) USB stG piano deviGe), hate ^emory CardHC password card (丨c crypt〇) or mobile phone (10). Such a device, remembering its passcode, can roam on the network to enter any of its registered systems. Referring to Figure 9, this figure illustrates all the components in a collective authentication profile. As shown in Fig. 9, a collective authentication data piece is a collection of records of a plurality of individual authentication data pieces. The records of each individual authentication data piece are composed of the following three items. (1) A system to be logged in A system identification name of the workstation; (2) a combination of three components of the password; and (3) a recognized name of the user of the digit. Each combination of three components of the password contains three components: (1) One public Modularity; (2) a public index; ($a private key correlation index. The record of each individual authentication data item in the collection indicates that this user has registered one of his users on a certain system workstation. Identifying a call and a public key. In this set, each user's identification name can be unique or repeated, and the public key is also the same. In this illustration, the possession of this set of files is included. The user registers the e-mail account, bank account number, student ID number, and ID number in different systems as his personal user identification name, and the system identification name in each individual record in the collective file. The system-only station is identified, and it is also used as an index message to search for the combination of the three components of the cryptographic key and the corresponding user identification name from the aggregate file. In Figure 9, No. 910, 92〇, 93〇 respectively represent a system identification beer, a combination of two passwords, three components, and a user-sense call, number _ is - individual recognition The records of the data pieces, while the numbers 922, 926, and 926 represent a number of open-opening, a public index, and a private record related index. The village's 2 type miscellaneous pieces are equal. Personal use of the personal data;, ' Μ 〃. Miscellaneous f stipulations of the contract law, will not be public === and the corresponding public record registered in the system has not been, a Μ 欢 署The link is in the same place, but can be changed separately. The data can be easily and easily managed by the user. The user can have a flexible and simple management of the two-in-one. System workstations, and Wen Wang has a convenient way to log into the system. 35 200818835 Figure 10 illustrates an implementation of user authentication in a network environment with a majority of system workstations. The workflow described in this figure is almost the same as the workflow in Figure 6-1. The difference is that a collection of authentication data (1008) is used in Figure 1 and Figure 6-1 is used. A single password key authentication data piece (608). The implementation details of Fig. 10 will be described below. The component 1001 is a user workstation used by a user to log into the system, and the component 1002 is a system workstation that the user wants to log in. Step 1〇1〇, the user workstation receives a user identification name (1005), a system identification name (1007), and a pass code input PWD (1〇〇3) from the user, and further Receiving a collective authentication data piece (1〇〇8) from the storage device provided by the user; in step 1012, the user workstation uses the system to identify the title as an index information, and searching for the phase from the collective authentication data piece. Corresponding cryptographic key combination of three components; in step 1015, the user workstation sends a request for login to the system workstation that determines the calling decision via the system; in step 1020, the system workstation generates a challenge message c, and the challenge message C can Randomly generated; in step 1〇25, the system workstation transmits the challenge message C to the user workstation; in step 1〇4, the user workstation receives the challenge message C and calculates the received message C. A digital signature, the formula is as follows: sgn (C)

Ehash(C)f1(PWD)xhash(C)v mod η; in step 1060, the user workstation verifies the digit sign by verifying the congruence equal hash(C)E((SGN(C)e) mod η Whether the chapter is valid; step 1062 'If the verification result is valid, proceed to step 1〇65, otherwise it is necessary to repeat back to step 1010 as needed; in step 1〇65, the user workstation signs the valid digit and the The user identification number (1〇〇5) is included in a response message; in step 1G7G, the time-station workstation transmits the response message to the system workstation; in step 1080, the system workstation receives the use in the response message. As the index information, the person recognizes and retrieves a registered public key from an authentication database 1075; in step 1085, the system workstation equals hash(c)E by verifying the congruence ((SGN(C)e Mod η, to verify whether the digital signature in the response message is valid, where 36 200818835 (n, e) is the registered public record; step 1〇9〇, the system workstation authorizes or rejects according to the result of the verification The request for login, and this decision is passed The user workstation; step 1095, the user workstation receives the result of the login request, and performs subsequent processing according to the procedure. In this case, the registered public obtained by the system workstation in step 1〇8〇 The key is the same as the public key consisting of the public exponent e in the combination (n, e, v) of the cryptographic key three components obtained by the user workstation in step 1012. In another embodiment obtained by the described process, the collective authentication data piece can be accessed by the user workstation in an automated manner, in other words, the user workstation does not need to be authenticated from the (4) person's instructions. The record of the data piece, the general user may not be able to distinguish this between the implementation and the traditional pass code system

The difference, er, and as detailed in the previous section, is technically quite significant: difference. Also, J is familiar with this technique. It is possible for people to do things that do not deviate from the details of the special account or the changes or changes in the spirit. Such modifications or changes will be reduced to = - As long as it is modified or changed to the same as described in the application of this application, the embodiment described in the patent application is only described in this patent application. The scope, scope, and spirit of the above-described shapes, structures, features, and spirits should be included in the scope of the patent. [Simplified illustration of the drawings] The drawings in the figure are for further application of this patent application.

FlI is described in this patent application as part of it. In the drawing: 曰^t describes the "challenge and response" procedure of this special round, as you use it to communicate with Qian Duan, here: for the card; From the end of the system, and the use of the system - to open the face to test 37 200818835 Figure 2 is a conceptual architecture diagram, illustrating a pair of "open, private __ her key _ link role, link the user's second The authentication is due to the second, the system-side verification data is used, and the step-by-step description is made - an update procedure, #序 allows the user to keep the secret information of the secret information unchanged, and Wang has two authentication factors. The third picture of the Office of the Office describes the two certification factors for the production of the third 第 第 第 来自 来自 来自 来自 来自 来自 来自 ; ; ; ; ; ; ; ; ; ' 此 此 此 此 此 此 此 此 此 此 此 此 此 此 此 此 此 此 此 此 此The two external factors generated by the program of Figure 3, this procedure is also derived from the so-called first disclosure case;

Figures 5-1 ® and 5-2 depict a change in the update procedure described in Figure 4. Figure 6-1 is a flow chart depicting the implementation of the "challenge" described in the figure. Example; ^ $6-6-2 is a flow of paste, describing a specific step in the use of a fixed-active processor and a passive processor in the user's workstation. Change; Figure 7 illustrates the example of the 公开b user's open-book contract, expressing the agreement between the user and the system-side publicity, the purpose of which is to achieve a commercial approach instead of traditional use. Public key certificate (pub丨丨c_key certjfjcate); Section 8 BU Tian describes a public record connection check procedure, which is a reinforcement method for the commercial method of publishing the gold record contract in Figure 7; Figure 9 Tian said the examples of the Synthetic 4 certificate data and its components for user authentication in a network environment with multiple systems; Figure 10 depicts an example implementation, this implementation shed The compliant authentication data of Figure 9. [Major component symbol description] 38 200818835 A 110 step 120 step 130 step 140 step 150 step 160 step 170 step 180 step 210 disclosure, private key pair • 220 public key 230 expresses the association of the elements of the connection line 240 expresses the element The associated link line 250 is the first authentication data piece, that is, the personalized secret, and the second authentication data piece represented by the symbol s, that is, the password first record authentication item Φ 270 update program 280 new first authentication data piece, The second authentication data piece generating program 305, represented by the symbol s', personalizes the secret, and the symbol s indicates 310 step 312 prime number p 314 prime number q 330 step 332 temporary value, and the symbol u indicates 340 to generate RSA public, private gold. The key pair calculation program 342 private key, the 344 public modulus represented by the symbol d, the 346 public index represented by the symbol η, the 350 step 355 private key correlation index represented by the symbol e, the 360 step represented by the symbol v 370 step 375 cryptographic key combination of three components, regarded as the second commemorative tribute 380 step 385 persistent memory 402 personalized secret, with symbol s table The 404 public modulus, the 406 public index represented by the symbol η, the 408 private key correlation index represented by the symbol e, the 409 persistent memory 410 indicated by the symbol v, step 420, step 430, confirming whether the verified digital signature is Valid 39 200818835 , 440 Step 445 new personalization secret, denoted by symbol s' 450 Step 460 Step 470 Step 501 Processor performed work 502 Processor performed work 503 Personalized secret, denoted by symbol s • 504 public The modulus, the 506 public index represented by the symbol η, the 508 private key correlation index represented by the symbol e, and the persistent memory 510 of the combination of the cryptographic key three components represented by the symbol v, step 512, step 514 Step 516 Step 520 Step 525 Step 528 Step 530 Step 535 Step 540 Step 542 Step 545 Step 550 Step 560 Confirm whether the verified digital signature is valid 565 new personalized secret, with symbol s' 570 step 575 step 580 Step 585 Step 590 Step 595 Step 601 Work performed by the user workstation 602 Work performed by the system workstation 603 Passcode , And indicates the user identification symbol called PWD 605 607 608 there called system identification passkey three element combinations of the persistent memory 610 step 615 step 620 step 625 step 630 step 640 step 641 step 40,200,818,835

642, step 643, step 644, step 645, step 646, step 651, processor-executed work 652, processor-executed work 660, step 662, confirming that the verified number is only ternary η, no valid, double early, 665, step 670, step 675, user authentication database 680 Step 685 Step 690 Step 695 Step 8 〇 1 User X performs work performed by the station 802 System workstation performs work 〇 3 System Identification Name 804 User Identification Name 810 Step 815 Step 820 Step 825 User Authentication Database 830 Step 835 Step 840, step 845, step 850, step 852, step 855, step 860, step 865, step 900, collective authentication data piece 910, system identification 920, password combination, three elements, combination 922, public modulus, 924, public index, index ’ The symbol e indicates the 926 private key correlation index, and the symbol v indicates that the 930 user identifies the 940 collective authentication data piece, and the record includes a combination of a system identification number and a password gold record. And a user identifies the title. 1001 user workstation performs work 1002 system workstation performs work 1003 pass code round, 1005 user identification name indicated by symbol PWD 1007 system identification name 41 200818835 '1008 storage device 1010 with collective authentication poor material Step 1012 Step 1015 Step 1020 Step 1025 Step 1040 Step 1060 Step φ 1062 Confirm whether the verified digital signature is valid 1065 Step 1070 Step 1075 User Authentication Database 1080 Step 1085 Step 1090 Step 1095 Step 10 42

Claims (1)

200818835 X. Patent application scope: 1_ A user authentication method based on asymmetric weight proof, which includes: - when a user requests to board a computer system, a first input of a first input fish is provided; /, when the provided first-input and personalization secrets are met, and the second round of entry provided is consistent with the password-certified data, the user is authorized to log into the system. The password certificate contains a public modulus, an index, an index related to the private key; and changes the original personalized secret to a new one without changing the public modulus and the public office. Secret and update the private key correlation index. = Please specialize in ffi 1 to tear down the currency code, the pass code chosen by the individual user. j 1 The method described in the first paragraph of the patent application's further includes: using the personalization and the two singularities in the exhibition, the number of the public, the number of private, and the privacy of the private money The order of °4=1: In the above method, the step-by-step method makes the class, the method described in item 4, the challenge and the _ _ _ _ _ _ _ _ _ _ _ _ _ _ A method of authentication based on asymmetric cryptography, which includes a person. When you are not in the system, you receive a loser as a passcode. Use this input to generate a digital signature; horse, use - The public gold wheel is used to verify the digital signature; and according to the digital tender (four), it is consistent with the 2. 3. 4. 5. 6. 6. 43 200818835 passcode, and the login is authorized according to the result. 8. If the method of claim 7 is used, the method includes changing the pass code if the key is unchanged.汗i 9· The method of claim 7, further comprising: using the passcode and the two prime numbers in a program generated by a password transfer to disclose the public record and a private gold correlation index; Use the input value _ reduce the side reduction to generate the training sign. 1〇·-The method of making money for the foundation of the scholarship, including: The requirement to allow login by verifying the digital signature; and verification to use a public key on a registration contract to overturn the validity of a digital signature that was incorrectly valid. 11. For example, if the patent method (4) is based on the method towel of the 1G item, the step-by-step method includes using the public record on the registration contract to resolve the dispute regarding the validity of the digital signature. 2. If applying for a special fiber (four) method The towel, the step-by-step inspection, the procedure for the publicity of the positive cancer, and the (four) brain L for the rest of the procedure. • The public key check procedure as described in claim 12 of the patent scope includes: • at the user workstation, transmitting a random message to the computer system workstation, / at the computer system workstation, by a system-side Open the gold record to derive the symmetrical password record of the system; ^ The electricity _ (4), the line of the end of the pure gold as an encryption key to encrypt the random message to get a cipher; ""Tian in the computer system workstation, the ciphertext is transmitted to the user workstation. At the user workstation, a user-side symmetric cryptographic key is derived from a user-side secret account; The user workstation decrypts the ciphertext using the symmetry secret key of the user end, and decrypts the ciphertext; and Tian 44 200818835 14. One/at the donor workstation, when the decrypted result conforms to the original random message, It is also a matter of disagreement to decide the amount of money that the publicity of the company knows about the money. A user authentication method based on asymmetric cryptography in a network with multiple computer systems, including: Allowed-bit system--a passcode to log on to different computer systems on the network; = every part of the electric job on the road, _ its _ - the public record is recorded as a digital seal to determine whether the pass code is used; When the pass code is verified to be used, Yun 8 15. The method described in claim 14 of the patent scope allows the user to change the pass code without changing the public key. 16. The method of claim 15, further comprising: using the passcode and separately using a pair of prime numbers, in a program generated by a password, for each computer system, generating individual The public account record, and generate a corresponding private key correlation index; use the pass code and the corresponding private key correlation index to generate a digital signature; and use the corresponding public record to verify this Value signature to allow login. 17·- an object that contains a machine-readable ship device that stores the machine executable phase for user authentication based on asymmetric cryptography, the instructions directing a machine to execute The following actions: using the first input, the first input, and the challenge message from a computer system as an input to the conversion process to generate a digital signature; transmitting the digital signature to the computer system; and receiving a The decision to request a login, which may be allowed to log in or refuse to log in, is to verify a result of the digital signature on the computer system. 18. In the article of claim 17, the instruction further causes the machine to verify the digit and then transmit it to the computer system. Set = in the user's certificate of the gift code system (aqptosy screams, including · when the law is proposed - a login system request, receive an input as a pass to the party using the round to generate a digital signature; Make, - the method of verifying the digital signature by the disclosure of the public; and, by deciding that the round is in compliance with the passcode and authorizing the login based on the result, the decision is based on verifying that the digital signature is correct 2. In case of no knowledge or payment, change the pass code. 21· As in the system described in claim 19, the step further includes: using the pass code and two (four) numbers in the password vouchers A method of opening a gold record with a private record-related index; and a method of generating the digital signature by using the input and the private record related index. 46