CN107454077B - Single sign-on method based on IKI identification authentication - Google Patents

Abstract

The invention relates to a single sign-on method based on IKI identification authentication, which comprises the following steps: sending an access request, generating a random number r, and sending the random number r and the identifier to a server; verifying the identifier, generating a random number R after the identifier passes the verification, combining the random number R with R (R | | R), and signing by using a private key to generate signature data Sig 1; send R, identity, Sig 1; verifying the identifier, verifying Sig1, and confirming identity validity after verification; signing (R | | R) by using a private key to generate signature data Sig2, and sending Sig2 to the server side; verifying the Sig2, confirming identity validity after verification, checking a single sign-on mapping table, finding out an account number bound by the identifier, producing a user token, and directing to an application system; and receiving the user token, obtaining the login account of the user, setting the state of the user as login, returning to the page requesting access, and completing the access. The invention has the beneficial effects that: the security of the single sign-on system is improved, and a high-strength identity authentication method is provided.

Description

Single sign-on method based on IKI identification authentication

Technical Field

The invention relates to the technical field of information security, in particular to a single sign-on method.

Background

With the rapid development of information technology and network technology, more and more application systems are used in enterprises. Such as human resources management systems, financial systems, OA systems, customer relationship management systems, and the like. Because these systems are independent of each other, the user must log in according to the corresponding system identity before using each application system, and for this reason, the user must remember the user name and password of each system, which brings much trouble to the user. In particular, as the number of systems increases, the possibility of errors increases, the possibility of illegal interception and destruction increases, and the security decreases accordingly. For this situation, the concept of single sign-on is now and continuously applied to enterprise applications.

Single sign-on is a unified authentication and authorization mechanism, which refers to the same user accessing protected resources in different applications, and only needs to log on once, i.e. after passing security verification in one application, when accessing protected resources in other applications, re-login verification is not needed. The single sign-on can improve the work efficiency of the system and reduce the error probability of the system.

With the continuous and deep research in the field of single sign-on and the continuous warming up of Web services and application system integration, there are various single sign-on solutions. For example, IBM's WebSphere Single sign-on solution, SUN Java System Access Manager of SUN, Microsoft's Net Pasport and NeegritySiteMiner, BEA's WebLogic, and SAML-based products such as OPENSAL and SourceID, among others. However, the security of the existing products in single sign-on is still insufficient, most schemes transmit sensitive information in a plaintext form in the communication process between servers, and the information is easily stolen, so that important information is leaked. In addition, most schemes do not sign key information in the communication process, and are easy to be attacked by disguise.

An effective solution to the problems in the related art has not been proposed yet.

Disclosure of Invention

Aiming at the technical problems in the related art, the invention provides a single sign-on method based on IKI identification authentication, which can solve the technical problems.

In order to achieve the technical purpose, the technical scheme of the invention is realized as follows:

a single sign-on method based on IKI identification authentication comprises the following steps:

s1, the user end sends out the access request to the server, generates the random number r, and sends the random number r to the server end together with the user end identification;

s2, the server side verifies the user side identification, after the user side identification passes, the server side generates a random number R, the random number R is combined with the user side random number R to be (R | | | R), and the server side private key is used for signing to generate signature data Sig 1;

s3 the server side sends the random number R, the server side identification and the signature data Sig1 to the user side;

s4, the user side verifies the server side identification, the public key in the server identification is used for verifying the signature data Sig1 after the verification is passed, and the identity validity of the server side is confirmed after the verification is passed;

the S5 user side signs the random number (R | | | R) by using a private key to generate signature data Sig2, and the signature data Sig2 is sent to the server side;

the S6 server verifies the signature data Sig2 by using the public key of the user end, and confirms the validity of the identity of the user end after the verification is passed;

s7, the server-side login authentication device checks the single-point login mapping table of the user, finds out the account number bound by the user identifier on the corresponding application system, produces a user token, and redirects the user token to the application system;

and S8, the application system receives the user token with the uniform format, acquires the login account of the user in the system, sets the state of the user in the system as login, and returns the page requested to be accessed by the user to finish the access of the user to the application system.

Further, the server side identification, the user side identification, the private key and the public key are produced through an IKI identification management center.

Further, the server side identifier, the user side identifier, the private key and the public key are produced by the following steps:

s101IKI identifier management center IMC public parameter: public key matrix PKMS, identity management center public key PK_IDorgECC curve, base point G; wherein the public key matrix PKMS is an identification management center private key SK_IDorgFor public key matrix pkm, ID of ID management center_orgIsoparametric signatures;

s102 entity generates entity ID and related parameters: generating secret value xID and secret value public key PKx ═ xID × G by using entity security device, and randomly generating asymmetric key pair SK by using ECC algorithm_h、PK_h；

S103, encrypting part of parameters to be uploaded: use of an identity management center public key PK_IDorgFor secret value public key PKx and random asymmetric key public key PK_hEncryption: e (PK)_IDorg,PKx||PK_h)；

S104 upload entity ID, E (PK)_IDorg,PKx||PK_h) And tag expiration date to tag managementA central IMC; the effective date is identified to determine whether to upload according to application requirements;

s105, identifying the management center to perform entity ID duplicate checking to generate an entity part private key: after the IMC determines the uniqueness of the validity period of the entity ID combination identification, the PKMS, the entity ID and the validity period of the identification are utilized to calculate the entity ID public key PK_IDCalculating the entity ID private key SK by using the private key matrix skm and the entity ID and identification validity period_IDThe entity encrypts a private key SKE and transforms the SKE to obtain a partial signature private key SKS 1;

s106, identification management center IMC assembly identification: using identity authority private key SK_IDorgDecryption E (PK)_IDorg,PKx||PK_h) PKx and PK were obtained_hAnd combining the entity ID signature public key: PKS SKS 1G + PKx; calculating a decryption public key PKE (SKE G), and using SK_IDFor (PKS. RTM. PKE. RTM. ID. RTM_orgI ID) signature to obtain the identification

S107, issuing an identifier and an entity key: utilization of PK by IMC_hEncrypting SKE to obtain E (PK)_hSKE), mixing E (PK)_hSKE) and identification

Sending the data to an entity;

s108, the entity receives the identification and the secret key, and combines the signature private key: using SK_hFor E (PK)_hSKE), obtaining SKE after the SKE is decrypted, obtaining a partial signature private key SKS1 after the SKE is transformed, and safely storing SKS and SKE through SKS1 and a secret value xID.

Further, in steps S2 and S4, the step of verifying the server-side identifier and the user-side identifier specifically includes:

s201, calculating an entity identification public key by using a public key matrix and an entity ID;

s202, the identification is verified by using the identification public key, if the verification is correct, the identification is valid and passes, otherwise, the identification is invalid and does not pass;

and S203, after the verification is passed, the public key in the acquired identifier verifies the signature data.

The invention has the beneficial effects that: the invention takes IKI safety equipment as a carrier, realizes the bidirectional authentication of the client and the server through identification, improves the safety of the single sign-on system and provides a high-strength identity authentication method.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings without creative efforts.

Fig. 1 is a system architecture diagram involved in a single sign-on method based on IKI identity authentication according to an embodiment of the present invention;

FIG. 2 is a flowchart of generating ID and secret key in a single sign-on method based on IKI ID authentication according to an embodiment of the present invention

FIG. 3 is a schematic diagram of a system involved in a single sign-on method based on IKI identity authentication according to an embodiment of the present invention; FIG. 4 is a flowchart of the identification verification in the single sign-on method based on IKI identification authentication according to the embodiment of the present invention;

fig. 5 is a flowchart of a single sign-on method based on IKI identity authentication according to an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments that can be derived by one of ordinary skill in the art from the embodiments given herein are intended to be within the scope of the present invention.

As shown in fig. 5, a single sign-on method based on IKI identity authentication according to an embodiment of the present invention includes the following steps:

s1, the user end sends out the access request to the server, generates the random number r, and sends the random number r to the server end together with the user end identification;

s2, the server side verifies the user side identification, after the user side identification passes, the server side generates a random number R, the random number R is combined with the user side random number R to be (R | | | R), and the server side private key is used for signing to generate signature data Sig 1;

s3 the server side sends the random number R, the server side identification and the signature data Sig1 to the user side;

s4, the user side verifies the server side identification, the public key in the server identification is used for verifying the signature data Sig1 after the verification is passed, and the identity validity of the server side is confirmed after the verification is passed;

the S5 user side signs the random number (R | | | R) by using a private key to generate signature data Sig2, and the signature data Sig2 is sent to the server side;

the S6 server verifies the signature data Sig2 by using the public key of the user end, and confirms the validity of the identity of the user end after the verification is passed;

s7, the server-side login authentication device checks the single-point login mapping table of the user, finds out the account number bound by the user identifier on the corresponding application system, produces a user token, and redirects the user token to the application system;

and S8, the application system receives the user token with the uniform format, acquires the login account of the user in the system, sets the state of the user in the system as login, and returns the page requested to be accessed by the user to finish the access of the user to the application system.

In a specific embodiment of the present invention, the server-side identifier, the user-side identifier, the private key, and the public key are generated by an IKI identifier management center.

In an embodiment of the present invention, the server identifier, the client identifier, the private key, and the public key are produced by the following steps:

s101IKI identifier management center IMC public parameter: public key matrix PKMS, identity management center public key PK_IDorgECC curve, base point G; wherein the public key matrix PKMS is an identification management center private key SK_IDorgFor the public key matrix pkm,Identification management center identification ID_orgIsoparametric signatures;

s102 entity generates entity ID and related parameters: generating secret value xID and secret value public key PKx ═ xID × G by using entity security device, and randomly generating asymmetric key pair SK by using ECC algorithm_h、PK_h；

S103, encrypting part of parameters to be uploaded: use of an identity management center public key PK_IDorgFor secret value public key PKx and random asymmetric key public key PK_hEncryption: e (PK)_IDorg,PKx||PK_h)；

S104 upload entity ID, E (PK)_IDorg,PKx||PK_h) And marking effective date to the mark management center IMC; the effective date is identified to determine whether to upload according to application requirements;

s105, identifying the management center to perform entity ID duplicate checking to generate an entity part private key: after the IMC determines the uniqueness of the validity period of the entity ID combination identification, the PKMS, the entity ID and the validity period of the identification are utilized to calculate the entity ID public key PK_IDCalculating the entity ID private key SK by using the private key matrix skm and the entity ID and identification validity period_IDThe entity encrypts a private key SKE and transforms the SKE to obtain a partial signature private key SKS 1;

s106, identification management center IMC assembly identification: using identity authority private key SK_IDorgDecryption E (PK)_IDorg,PKx||PK_h) PKx and PK were obtained_hAnd combining the entity ID signature public key: PKS SKS 1G + PKx; calculating a decryption public key PKE (SKE G), and using SK_IDFor (PKS. RTM. PKE. RTM. ID. RTM_orgI ID) signature to obtain the identification

S107, issuing an identifier and an entity key: utilization of PK by IMC_hEncrypting SKE to obtain E (PK)_hSKE), mixing E (PK)_hSKE) and identification

Sending the data to an entity;

s108 the entity receives the identification and the secretKey, combined signature private key: using SK_hFor E (PK)_hSKE), obtaining SKE after the SKE is decrypted, obtaining a partial signature private key SKS1 after the SKE is transformed, and safely storing SKS and SKE through SKS1 and a secret value xID.

In an embodiment of the present invention, in steps S2 and S4, the step of verifying the server-side identifier and the user-side identifier specifically includes:

s201, calculating an entity identification public key by using a public key matrix and an entity ID;

s202, the identification is verified by using the identification public key, if the verification is correct, the identification is valid and passes, otherwise, the identification is invalid and does not pass;

and S203, after the verification is passed, the public key in the acquired identifier verifies the signature data.

In order to facilitate understanding of the above-described technical aspects of the present invention, the above-described technical aspects of the present invention will be described in detail below in terms of specific usage.

As shown in fig. 1, the system architecture diagram related to the single sign-on method based on the IKI identifier authentication according to the present invention includes a user security device, a security device and a sign-on authentication device, where the security device is disposed at a server side, a user security device stores a private key, a user identifier and a public key matrix of a user, and the security device at the server side stores a private key, a server identifier and a public key matrix of a server. The user safety equipment is a USB-KEY or IC card containing an IKI chip, and the server end safety equipment is a server cipher machine or a signature verification server containing a PCIe cipher card. The user end and the server end safety equipment both comprise an IKI algorithm unit which is responsible for reading the identification in the user end and the server end safety equipment and verifying the validity of the identification and identity authentication processes such as private key signature, public key verification signature and the like.

As shown in fig. 2, based on the IKI chip identifier authentication center in the single sign-on system architecture, firstly, according to the entity identity (which can be customized, and uses a name, a unit name, etc., and needs to ensure the uniqueness) of each user, the key and the identifier are generated, and the specific steps are as follows:

s101IKI identity management center IMC discloses parameters: public key matrix PKMS, identity management center public key PK_IDorgECC curve, base point G; wherein the public key matrix PKMS is an identification management center private key SK_IDorgFor public key matrix pkm, ID of ID management center_orgIsoparametric signatures;

s102 entity generates entity ID and related parameters: generating secret value xID and secret value public key PKx ═ xID × G by using entity security device, and randomly generating asymmetric key pair SK by using ECC algorithm_h、PK_h；

S103, encrypting part of parameters to be uploaded: use of an identity management center public key PK_IDorgFor secret value public key PKx and random asymmetric key public key PK_hEncryption: e (PK)_IDorg,PKx||PK_h)；

S104 upload entity ID, E (PK)_IDorg,PKx||PK_h) And marking effective date to the mark management center IMC; the effective date is identified to determine whether to upload according to application requirements;

s105, identifying the management center to perform entity ID duplicate checking to generate an entity part private key: after the IMC determines the uniqueness of the validity period of the entity ID combination identification, the PKMS, the entity ID and the validity period of the identification are utilized to calculate the entity ID public key PK_IDCalculating the entity ID private key SK by using the private key matrix skm and the entity ID and identification validity period_IDThe entity encrypts a private key SKE and transforms the SKE to obtain a partial signature private key SKS 1;

s106, identification management center IMC assembly identification: using identity authority private key SK_IDorgDecryption E (PK)_IDorg,PKx||PK_h) PKx and PK were obtained_hAnd combining the entity ID signature public key: PKS SKS 1G + PKx; calculating a decryption public key PKE (SKE G), and using SK_IDFor (PKS. RTM. PKE. RTM. ID. RTM_orgI ID) signature to obtain the identification

S107, issuing an identifier and an entity key: utilization of PK by IMC_hEncrypting SKE to obtain E (PK)_hSKE), mixing E (PK)_hSKE) and identification

Sending the data to an entity;

s108, the entity receives the identification and the secret key, and combines the signature private key: using SK_hFor E (PK)_hSKE), obtaining SKE after the SKE is decrypted, obtaining a partial signature private key SKS1 after the SKE is transformed, and safely storing SKS and SKE through SKS1 and a secret value xID.

As shown in fig. 3 and 5, based on the single sign-on system, a user connects a user security device with a user login device, accesses a login page of a server through the user login device, prompts the user to input a PIN code to open the user security device, and after the PIN code is input, the user security device is opened, at this time, the following steps are performed, so as to implement the single sign-on method of the present invention, specifically:

s1, the user end sends out the access request to the server, generates the random number r, and sends the random number r to the server end together with the user end identification;

s2, the server side verifies the user side identification, after the user side identification passes the verification, the server side generates a random number R, the random number R is combined with the user side random number R (R | | | R), and the server side private key is used for signing to generate signature data Sig 1;

s3 the server side sends the random number R, the server side identification and the signature data Sig1 to the user side;

s4, the user side verifies the server side identification, the public key in the server identification is used for verifying the signature data Sig1 after the verification is passed, and the identity validity of the server side is confirmed after the verification is passed;

the S5 user side signs the random number (R | | | R) by using a private key to generate signature data Sig2, and the signature data Sig2 is sent to the server side;

the S6 server verifies the signature data Sig2 by using the public key of the user end, and confirms the validity of the identity of the user end after the verification is passed;

s7, the server-side login authentication device checks the single-point login mapping table of the user, finds out the account number bound by the user identifier on the corresponding application system, produces a user token, and redirects the user token to the application system;

and S8, the application system receives the user token with the uniform format, acquires the login account of the user in the system, sets the state of the user in the system as login, and returns the page requested to be accessed by the user to finish the access of the user to the application system.

In the single sign-on method, the step of verifying the server side identifier and the user side identifier comprises the following steps:

s201, calculating an entity identification public key by using a public key matrix and an entity ID;

s202, the identification is verified by using the identification public key, if the verification is correct, the identification is valid and passes, otherwise, the identification is invalid and does not pass; and S203, after the verification is passed, the public key in the acquired identifier verifies the signature data.

In one embodiment of the present invention, when the public key matrix PKMS published by the identity authority is known, entity a knows entity ID and identity of entity B

The corresponding authentication steps for the server side identifier and the user side identifier specifically include:

1. using public key matrix PKMS and entity B entity ID_BComputing entity B identification public key { PK_ID}_B；

2. And (3) verifying the validity of the identifier: identifying public key { PK with entity B_ID}_BVerifying identity of entity B

If the verification is correct, the identification is valid and passes, otherwise, the identification is invalid and does not pass;

3. and after the verification is passed, the public key in the identifier is obtained to verify the signature data.

The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (2)

1. A single sign-on method based on IKI identification authentication is characterized by comprising the following steps:

s1, the user end sends out the access request to the server, generates the random number r, and sends the random number r to the server together with the user end identification;

the S2 server verifies the user end identification, after the user end identification passes, the server generates a random number R, the random number R is combined with the user end random number R to be (R | | | R), and the server carries out signature by using a server private key to generate signature data Sig 1;

s3 server sends the random number R, server identification, signature data Sig1 to user end;

s4, the user side verifies the server identification, the public key in the server identification is used for verifying the signature data Sig1 after the server identification passes the verification, and the identity validity of the server is confirmed after the server identification passes the verification;

the S5 user side signs the random number (R | | | R) by using a private key to generate signature data Sig2 and sends the signature data Sig2 to the server;

the S6 server verifies the signature data Sig2 by using the public key of the user end, and confirms the validity of the identity of the user end after the verification is passed;

s7, the server login authentication device checks the user single sign-on mapping table, finds out the account number of the user end identifier bound on the corresponding application system, produces the user token, and redirects the user token to the application system;

s8, the application system receives the user token with uniform format, obtains the login account of the user in the system, sets the state of the user in the system as login, returns the page requested to be accessed by the user, and completes the access of the user to the application system;

producing the server identification, the user side identification, the private key and the public key through an identification management center;

the server identification, the user side identification, the private key and the public key are produced by the following steps:

s101, identifying public parameters of a management center: public key matrix PKMS, identity management center public key PK_IDorgECC curve, base point G; wherein the public key matrix PKMS is an identification management center private key SK_IDorgFor public key matrix pkm, ID of ID management center_orgThe signature of (2);

s102 entity generates entity ID and related parameters: generating secret value xID and secret value public key PKx ═ xID × G by using entity security device, and randomly generating asymmetric key pair SK by using ECC algorithm_h、PK_h；

S103, encrypting part of parameters to be uploaded: use of an identity management center public key PK_IDorgFor secret value public key PKx and random asymmetric key public key PK_hEncryption: e (PK)_IDorg,PKx||PK_h)；

S104 upload entity ID, E (PK)_IDorg,PKx||PK_h) And the effective date of the mark is sent to the mark management center; the effective date is identified to determine whether to upload according to application requirements;

s105, identifying the management center to perform entity ID duplicate checking to generate an entity part private key: after the IMC determines the uniqueness of the validity period of the entity ID combination identification, the PKMS, the entity ID and the validity period of the identification are utilized to calculate the entity ID public key PK_IDCalculating the entity ID private key SK by using the private key matrix skm and the entity ID and identification validity period_IDThe entity encrypts a private key SKE and transforms the SKE to obtain a partial signature private key SKS 1;

s106, identification of management center assembly identification: using identity authority private key SK_IDorgDecryption E (PK)_IDorg,PKx||PK_h) PKx and PK were obtained_hAnd combining the entity ID signature public key: PKS SKS 1G + PKx; calculating a decryption public key PKE (SKE G), and using SK_IDFor (PKS. RTM. PKE. RTM. ID. RTM_orgI ID) signature to obtain the identification

S107, issuing an identifier and an entity key: utilization of PK by IMC_hEncrypting SKE to obtain E (PK)_hSKE), mixing E (PK)_hSKE) and the identifier SK_ID[ PKS | | PKE | | | effective date | | | expiration date | | ID_org||ID]Sending the data to an entity;

s108, the entity receives the identification and the secret key, and combines the signature private key: using SK_hFor E (PK)_hSKE) is decrypted to obtain SKE, the SKE is transformed to obtain a partial signature private key SKS1,and summing the SKS1 and the secret value xID to obtain a signature private key SKS of xID + SKS1, deleting the secret value xID, and safely storing the SKS and the SKE.

2. The method of claim 1, wherein the steps of verifying the server id and the user side id in steps S2 and S4 are specifically as follows:

s201, calculating an entity identification public key by using a public key matrix and an entity ID;

s202, the identification is verified by using the identification public key, if the verification is correct, the identification is valid and passes, otherwise, the identification is invalid and does not pass;

and S203, after the verification is passed, the public key in the acquired identifier verifies the signature data.

Images