CN117896168A - Security authentication method and equipment - Google Patents
- Publication number
- CN117896168A (CN202410144361.7A)
- Authority
- CN
- China
- Prior art keywords
- terminal
- server
- public key
- key
- information
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/045—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply hybrid encryption, i.e. combination of symmetric and asymmetric encryption
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L9/0869—Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a security authentication method and equipment. The method comprises the following steps: a first terminal generates fingerprint information, a first public key and a first private key corresponding to the first public key, and sends the first public key to a server; the first terminal receives a second public key encrypted based on the first public key and a first random number corresponding to the first terminal, which are sent by the server; the first random number is used for carrying out identity authentication on the first terminal and/or the server; the first terminal generates a first session key based on the second public key and the first private key, and encrypts the fingerprint information by using the first session key; the first terminal sends the encrypted fingerprint information to the server; the fingerprint information is used for carrying out identity authentication on the first terminal. The scheme offers good scalability, high efficiency and high security, and has high application value in various scenarios.
Description
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a security authentication method and apparatus.
Background
With the development of information technologies such as 5G, mobile Internet, internet of things and the like, the data security problem is particularly important. For example, in a cloud computing paradigm of an internet of things scenario, a cloud computing center needs to interact with a huge amount of terminal devices, involving a huge amount of data.
Currently, most security authentication schemes are implemented based on public key infrastructure (Public Key Infrastructure, PKI), a powerful framework for secure communications, through digital certificates and asymmetric encryption techniques, to achieve secure authentication and to guarantee data confidentiality. PKI systems are relatively complex, including aspects of certificate issuance, certificate management, key lifecycle management, and the like. Deployment and maintenance of PKI requires expertise and can be overly cumbersome for small organizations.
Disclosure of Invention
Aiming at the problems existing in the prior art, the embodiment of the invention provides a security authentication method and security authentication equipment.
In a first aspect, the present invention provides a security authentication method, including:
The method comprises the steps that a first terminal generates fingerprint information, a first public key and a first private key corresponding to the first public key, and sends the first public key to a server;
The first terminal receives a second public key encrypted based on the first public key and a first random number corresponding to the first terminal, which are sent by a server; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The first terminal generates a first session key based on the second public key and a first private key, and encrypts the fingerprint information by using the first session key;
The first terminal sends the encrypted fingerprint information to the server; the fingerprint information is used for carrying out identity authentication on the first terminal.
In a second aspect, the present invention provides a security authentication method, including:
The server receives a first public key sent by a first terminal;
The server generates a second public key, a second private key corresponding to the second public key and a first random number corresponding to the first terminal, and sends the second public key encrypted based on the first public key and the first random number corresponding to the first terminal; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The server receives fingerprint information encrypted by the first terminal based on a first session key, wherein the first session key is generated based on the second public key and a first private key corresponding to the first public key; the fingerprint information is used for carrying out identity authentication on the first terminal.
In a third aspect, the present invention provides a security authentication device comprising:
the processing module is used for generating fingerprint information, a first public key and a first private key corresponding to the first public key;
a sending module, configured to send the first public key to a server;
the receiving module is used for receiving a second public key encrypted based on the first public key and a first random number corresponding to the first terminal, which are sent by the server; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The processing module is further configured to generate a first session key based on the second public key and the first private key, and encrypt the fingerprint information using the first session key;
The sending module is further used for sending the encrypted fingerprint information to the server; the fingerprint information is used for carrying out identity authentication on the first terminal.
In a fourth aspect, the present invention provides a security authentication device comprising:
The receiving module is used for receiving the first public key sent by the first terminal;
The processing module is used for generating a second public key, a second private key corresponding to the second public key and a first random number corresponding to the first terminal;
A sending module, configured to send, to the first terminal, the second public key encrypted based on the first public key and the first random number corresponding to the first terminal; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The receiving module is further configured to receive fingerprint information encrypted by the first terminal based on a first session key, where the first session key is generated based on the second public key and a first private key corresponding to the first public key; the fingerprint information is used for carrying out identity authentication on the first terminal.
In a fifth aspect, the present invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing any one of the security authentication methods described above when executing the program.
In a sixth aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a security authentication method as described in any of the above.
In a seventh aspect, the invention also provides a computer program product comprising a computer program which, when executed by a processor, implements a security authentication method as described in any one of the above.
According to the security authentication method and the security authentication equipment provided by the invention, the first terminal generates fingerprint information, the first public key and the first private key corresponding to the first public key, and sends the first public key to the server; a first terminal receives a second public key encrypted based on the first public key and a first random number corresponding to the first terminal, which are sent by a server; the first random number is used for carrying out identity authentication on the first terminal and/or the server, and the security is improved because the identity authentication can be carried out on the terminal and the server; further, the first terminal generates a first session key based on the second public key and the first private key, and encrypts the fingerprint information by using the first session key; the first terminal sends the encrypted fingerprint information to the server; the fingerprint information is used for carrying out identity authentication on the first terminal, and because the first session key is used for communication, the safety of communication between the user terminal and the server can be effectively improved.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of a security authentication method according to the present invention;
FIG. 2 is a schematic diagram of fingerprint level information of a security authentication method according to the present invention;
FIG. 3 is a schematic diagram of an interaction flow of the security authentication method provided by the present invention;
FIG. 4 is a schematic diagram of a terminal identity authentication principle of the security authentication method provided by the present invention;
FIG. 5 is a schematic diagram of a server identity authentication principle of the security authentication method according to the present invention;
FIG. 6 is a second schematic diagram of the server identity authentication principle of the security authentication method according to the present invention;
FIG. 7 is a schematic diagram of a public key commitment principle of the security authentication method provided by the present invention;
FIG. 8 is a key hierarchy diagram of a security authentication method provided by the present invention;
FIG. 9 is a second flow chart of the security authentication method according to the present invention;
FIG. 10 is a schematic diagram of a security authentication device according to the present invention;
FIG. 11 is a second schematic diagram of a security authentication device according to the present invention;
FIG. 12 is a schematic structural diagram of a terminal provided by the present invention;
FIG. 13 is a schematic structural diagram of a server provided by the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
First, an application scenario according to an embodiment of the present invention is described:
The application scenario of the embodiment of the invention can be a communication system in which the communicating parties are a server and distributed terminals, that is, the typical communicating parties under a cloud computing paradigm. The server is responsible for verifying the identity authenticity of the user terminal and carrying out information interaction with the user terminal. The terminal can also verify the identity authenticity of the server, request access to resources and perform information interaction with the server.
Currently, most security authentication schemes are implemented based on public key infrastructure (PKI). PKI systems are relatively complex, including aspects of certificate issuance, certificate management, key lifecycle management, and the like. Deployment and maintenance of PKI requires expertise and can be overly cumbersome for small organizations. PKI systems may also face scalability issues as the size of the network increases. Managing a large number of certificates, key pairs, and user terminals can become complex, especially in large organizations or complex network environments. Finally, if the core components of the PKI system, such as the certificate authority, are subject to attack or malfunction, the entire system may be affected. The security of PKI is based on trust in the issuing authorities. If the user or the system does not trust the issuing authority, the security of the whole system is threatened. PKI-based schemes usually assume by default that the central certificate authority (Certificate Authority, CA) is secure, and identity authentication usually targets only the terminal equipment and ignores authentication of the CA node, which also creates a hidden security risk.
The following describes the technical solution of the embodiment of the present invention in detail with reference to fig. 1 to 13. The following embodiments may be combined with each other, and some embodiments may not be repeated for the same or similar concepts or processes.
Fig. 1 is a schematic flow chart of a security authentication method provided by the present invention. As shown in fig. 1, the method provided in this embodiment includes:
Step 101, the first terminal generates fingerprint information, a first public key and a first private key corresponding to the first public key, and sends the first public key to a server;
Specifically, the generation of the fingerprint information may combine the information of multiple dimensions of the first terminal, and optionally, an appropriate encryption algorithm or key generation algorithm may also be selected to generate the fingerprint information deeply bound to the first terminal. In order to avoid collision, the generation of the first private key may be realized by selecting part of the dimensional information or directly according to fingerprint information through an encryption algorithm, which is not limited in the embodiment of the present invention. The generation of the first private key may be related to or unrelated to the fingerprint information, and if the first private key is generated by using the fingerprint information as the root key, it is ensured that the fingerprint information cannot be reversely deduced from the generated first private key. Alternatively, the first private key may be generated based on other information, such as a random number, which embodiments of the present invention are not limited to.
Optionally, the first public key is generated from the first private key. For example, the first private key is denoted $SK_i$, the first public key is denoted $PK_i$, and $i$ corresponds to the first terminal $T_i$.
Step 102, the first terminal receives a second public key encrypted based on the first public key and a first random number corresponding to the first terminal, which are sent by the server; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
Specifically, the server stores the first public key $PK_i$ uploaded by the first terminal, and generates a public-private key pair (i.e., the second public key and the second private key, denoted as $(PK'_i, SK'_i)$) and a first random number that are specific to the first terminal $T_i$.
The first random number in this step may be used for authentication of the server, and may also be used for authentication of the first terminal.
The server encrypts the second public key $PK'_i$ and the first random number by using the first public key $PK_i$ and transmits the encrypted ciphertext to the first terminal $T_i$, so as to realize secure transmission of $PK'_i$ and the first random number. Optionally, the encryption algorithm may be an asymmetric encryption algorithm such as RSA or an elliptic curve encryption algorithm, for example using $PK_i$ as the encryption key.
Step 103, the first terminal generates a first session key based on the second public key and the first private key, and encrypts fingerprint information by using the first session key;
Step 104, the first terminal sends the encrypted fingerprint information to the server; the fingerprint information is used for carrying out identity authentication on the first terminal.
Specifically, the first terminal $T_i$ decrypts the encrypted second public key $PK'_i$ and the first random number received in step 102 using the first private key $SK_i$, and encrypts the fingerprint information $fp_i$ using the first session key generated by combining the second public key $PK'_i$ with the first private key $SK_i$. Then, the first terminal $T_i$ uploads the encrypted fingerprint information.
The fingerprint information may be used for authenticating the first terminal.
Optionally, the fingerprint information $fp_i$ may be encrypted symmetrically, for example using the Advanced Encryption Standard (AES) algorithm.
Optionally, the server decrypts the ciphertext to retrieve $fp_i$ and stores it.
According to the method, a first terminal generates fingerprint information, a first public key and a first private key corresponding to the first public key, and sends the first public key to a server; a first terminal receives a second public key encrypted based on the first public key and a first random number corresponding to the first terminal, which are sent by a server; the first random number is used for carrying out identity authentication on the first terminal and/or the server, and the security is improved because the identity authentication can be carried out on the terminal and the server; further, the first terminal generates a first session key based on the second public key and the first private key, and encrypts the fingerprint information by using the first session key; the first terminal sends the encrypted fingerprint information to the server; the fingerprint information is used for carrying out identity authentication on the first terminal, and because the first session key is used for communication, the safety of communication between the user terminal and the server can be effectively improved.
Optionally, the fingerprint information is generated based on information of at least one level, as shown in FIG. 2, including at least one of: an electronic device layer, a network and protocol layer, a plug-in layer and a behavior authentication layer. The information of the electronic device layer is inherent information of the electronic devices of the first terminal, the information of the network and protocol layer is configuration information of networks and protocols, the information of the plug-in layer is plug-in and/or driver information installed in the first terminal, and the information of the behavior authentication layer is generated based on interaction behavior between a user and the first terminal or between the terminal and a server.
For example, an appropriate key generation algorithm, such as a hash algorithm, may be selected to generate the fingerprint information deep-bound to the first terminal. In order to avoid collision, the generation of the first private key can be realized by selecting information of at least one level or directly according to fingerprint information through any encryption algorithm.
Optionally, the information of the electronic device layer refers to physical data of an electronic device inherent in the first terminal, and includes, for example, information of various hardware devices such as a Central Processing Unit (CPU), a register, a sound card, a network card, a scrambler/descrambler, a decryptor, an underlying register, system clock and clock drift, and permanent cookies.
The information of the network and protocol layer refers to configuration information of various networks and protocol classes of the first terminal, including, but not limited to, a media access control (Media Access Control, MAC) address, domain name system (Domain Name System, DNS) resolution configuration information, transmission control protocol (Transmission Control Protocol, TCP)/IP configuration information, geographical location information, and wireless local area network (e.g., IEEE 802.11) configuration information.
The information of the plug-in layer comprises various plug-ins and/or driving information installed in the first terminal for realizing various functions, such as various plug-ins and/or driving information downloaded during networking operation, information of various plug-ins and/or driving installed locally in the first terminal, and version information of an operating system and related software.
The information of the behavior authentication layer is behavior data information generated by various interaction behaviors of a user and a terminal and various interaction behaviors of the terminal and a server, and for example, the behavior data information comprises measurable system performance, calibration errors of a hardware sensor, various log information and user historical browsing record data, and the information of the behavior authentication layer needs to have certain fault tolerance due to various behaviors of the terminal.
In one possible implementation, the server stores the fingerprint information after the first terminal encrypts and uploads the fingerprint information using the first session key. For example, when the server needs to verify the true identity of the first terminal, the weight occupied by each level can be set, and the fingerprint information of the user can be verified as long as the fingerprint information is within a reasonable error range. And secondly, the terminal locally generates a public and private key pair of the terminal, establishes an authentication relationship with the server, and enhances the security of the key through the secure fingerprint information.
Optionally, the first terminal generates a first public key and a first private key corresponding to the first public key, including:
the first terminal generates the first private key by utilizing a first encryption algorithm according to the fingerprint information or the information of at least one level;
and the first terminal generates the first public key by adopting a second encryption algorithm according to the first private key.
In one possible implementation, the first public key and the first private key may be generated, for example, in the following manner:
The first terminal takes the fingerprint information or at least one layer of information as a secret key, takes a preset second random number as a message, and generates the first private key by utilizing a message authentication code algorithm based on a hash function;
And the first terminal obtains the first public key by using an elliptic curve encryption algorithm according to a base point on a preset elliptic curve and the first private key.
Specifically, the first encryption algorithm is, for example, a message authentication code algorithm (Keyed-Hashing for Message Authentication, HMAC) based on a hash function. An authentication code may be generated in combination with a root key and a message, the authentication code being the first private key generated. Specifically, the first terminal may use fingerprint information or at least one level of information as a root key, select a second random number as a message, and then calculate an HMAC value, and use the HMAC value as the generated first private key $SK_i$. The specific calculation process is as follows:
where opad and ipad are specific constants, key is fingerprint information or information of at least one level, message is a second random number,/> indicates an exclusive or operation, || indicates a concatenation operation, and Hash indicates a selected Hash function, which may be SHA-256, SHA-512, or the like.
The first public key $PK_i$ may be generated by elliptic curve cryptography (Elliptic Curve Cryptography, ECC): after selecting a suitable elliptic curve and a base point $G$ on the elliptic curve, the base point $G$ is multiplied by the first private key using a point multiplication operation on the elliptic curve to obtain the first public key, i.e. $PK_i = SK_i \cdot G$.
Optionally, $(PK_i, SK_i)$ and $(PK'_i, SK'_i)$ may be generated in the same manner, for example both by using an HMAC algorithm and an elliptic curve encryption algorithm, and the fingerprint information $fp_i$ may be encrypted by using symmetric encryption, so that the server can conveniently decrypt the fingerprint information $fp_i$ by using $PK_i \cdot SK'_i$.
Optionally, the first terminal may further generate identity information according to the fingerprint information or the information of at least one hierarchy by using a third encryption algorithm.
For example, the HMAC algorithm may be used to generate the identity information: the terminal uses fingerprint information or information of at least one level as a key, uses a preset random number as a message, and generates the identity information with the HMAC algorithm. That is, the identity information $ID_i$ of the first terminal may be generated in the same way as the first private key $SK_i$: taking the fingerprint information $fp_i$ or at least one level of information as a key, selecting a preset random number as a message, and then calculating an HMAC value as the identity information $ID_i$ of the first terminal.
In the embodiment, the first private key is generated through the fingerprint information or the information of at least one level, and the first public key is generated based on the first private key, so that the security of the key is improved.
Alternatively, sending the first public key to the server may be achieved by:
Converting the fingerprint information into elements of a finite field, and encrypting the elements of the finite field to obtain a first intermediate number;
Obtaining a second intermediate number by using a fourth encryption algorithm according to the first public key and the first intermediate number;
Obtaining certification information according to the elements of the finite field, the second intermediate number and the first private key;
and transmitting the first public key, the first intermediate number and the proving information to the server.
Specifically, the first terminal directly uploads the first public key and simultaneously binds the first public key and fingerprint information of the first terminal, namely the first public key of the first terminal and the fingerprint information are in one-to-one correspondence.
The first public key $PK_i$ and the fingerprint information $fp_i$ are bound together, for example using a method based on zero-knowledge proof, with the first public key $PK_i$ and the proof information $\pi$ uploaded together. Specifically, the first terminal first converts the fingerprint information $fp_i$ into an element $m$ of the finite field, and encrypts the element $m$ using an elliptic curve algorithm, that is, $M = mG$. In other embodiments, $M$ may be obtained using other encryption algorithms, such as a discrete logarithm encryption algorithm or a lattice encryption algorithm, which is not limited by the embodiments of the present invention.
The first terminal $T_i$ then calculates the second intermediate number, for example with a hash algorithm: $c = \mathrm{Hash}(PK_i, M)$. Based on the element $m$ of the finite field, the second intermediate number $c$ and the first private key $SK_i$, it computes the proof information, e.g. $\pi = m + c \cdot SK_i$, and uploads the triplet $(PK_i, M, \pi)$ to the server.
In the embodiment, the first public key and the fingerprint information can be bound by the zero knowledge proof method, so that the implementation scheme is simple, the efficiency is high, and the safety is high.
Optionally, the method further comprises:
The first terminal receives a service key sent by the server, wherein the service key is encrypted based on the second session key and provided with a time stamp; the timestamp comprises valid time information of the service key; the service key is used for a target service of the first terminal; the second session key is generated based on the first public key and a second private key corresponding to the second public key.
Specifically, only the first public key PK_i of the first terminal T_i is transmitted in the clear on the communication channel between the first terminal and the server. Even if an attacker obtains PK_i, the attacker cannot obtain other confidential information (such as a private key) from PK_i alone, and the server can use the second session key to send encrypted data to the first terminal, for example for secure communication through symmetric encryption. For example, the server encrypts the time-stamped service key using the second session key and issues it to the first terminal T_i. The service key is a private key for a certain target service. The timestamp may include valid time information of the service key.
In the embodiment, the service key is encrypted by the second session key and then sent, so that the security is high.
Illustratively, as shown in FIG. 3, the method includes the steps of:
Step 1, the first terminal uploads a first public key to the server;
Step 2, the server generates a second public key, a second private key corresponding to the second public key and a first random number corresponding to the first terminal;
Step 3, the server sends the second public key and the first random number encrypted based on the first public key to the first terminal;
Step 4, the first terminal decrypts the encrypted second public key and the first random number based on the first private key to obtain the second public key and the first random number;
Step 5, the first terminal uploads the fingerprint information encrypted based on the first session key to the server; the first session key is derived based on the second public key and the first private key;
Step 6, the server decrypts the encrypted fingerprint information based on the second session key and stores the encrypted fingerprint information; the second session key is obtained based on the first public key and the second private key;
Step 7, the server encrypts the service key based on the second session key and then sends the encrypted service key to the first terminal.
Optionally, as shown in fig. 4, the method further includes:
and after receiving the verification request of the server, the first terminal sends the encrypted fingerprint information and/or the encrypted first random value to the server.
Specifically, in order to protect the legal rights of the legitimate first terminal T_i, i.e. to resist an attack by a fake terminal T'_i, the server may determine the identity of the first terminal by continuously verifying the fingerprint information fp_i of T_i. The server may request the first terminal T_i to upload an encrypted value of the fp_i it owns, such as the hash value of fp_i, and match the decrypted encrypted value with the fingerprint information previously stored by the server; if the matching is successful, the identity verification of the first terminal T_i is passed. In addition to verifying the fingerprint information fp_i of the first terminal T_i, the identity of T_i may also be verified by the first random number, as a complement to the verification of the fingerprint information fp_i: for example, the first terminal sends a hash value of the first random number, the server decrypts it and then matches it with the first random number generated before, and if the matching is successful, the identity verification of the first terminal T_i is passed.
In the embodiment, the identity verification of the first terminal can be realized through the fingerprint information or the first random number, so that the implementation scheme is simple, the efficiency is higher, and the safety is higher.
Optionally, the method further comprises:
The first terminal sends a verification request to the server;
the first terminal receives an encrypted first random number sent by the server based on the verification request;
and the first terminal performs identity verification on the server based on the encrypted first random number.
Specifically, the server is the main party in the communication process and stores a large amount of confidential terminal information. Many existing schemes assume that the server is absolutely authentic and secure; if the server is counterfeited, it poses a serious threat to the rights and security of many terminals T_i. In the embodiment of the invention, the terminal can verify the identity of the server through the first random number, and through the first secret and the second public key, so that this security problem is avoided.
As shown in fig. 5, the identity of the server may be verified by using the first random number, for example with a heartbeat verification method: each first terminal requests the server to send out the encrypted version of the first random number that it sent out before (which may be referred to as a heartbeat), and each first terminal verifies according to the value sent out by the server, checking whether it is consistent with the encrypted version the first terminal received before and scoring accordingly. If the score calculated by each first terminal is greater than a preset threshold, the server passes the verification; otherwise the verification fails. The number n of first terminals and the preset threshold may be set according to security requirements; the greater n and the preset threshold are set, the greater the security. It is assumed here that the capacity of a fake server is of the real server and that the probability of a fake server successfully passing verification is approximately
Optionally, the first terminal receives the first secret sent by the server; the first secret is used for carrying out identity verification on the server;
The first terminal obtains a second secret by Lagrange interpolation, using the identity information of a plurality of second terminals and the second public key as secret shares; the plurality of second terminals includes the first terminal;
and if the second secret is consistent with the first secret, determining that the authentication of the server is successful.
Specifically, a trapdoor can be embedded by a secret sharing method to facilitate later verification of the server. For example, a polynomial f(x) = a_0 + a_1 x + … + a_n x^(n-1) of degree n-1 is constructed, in which a_0 is the secret to be recovered by the parties for verification of the server; the coefficients a_i (i ∈ {1, 2, …, n}) are selected by generating random numbers, and a_0 may also be a random number.
The server also needs to publish the encrypted secret A_0 = a_0·G, i.e. the first secret. For example, the second private key SK'_i may be taken as SK'_i = f(ID_i), so that (ID_i, SK'_i) may be a secret share; optionally, the second public key PK'_i may be obtained by encryption based on SK'_i, for example by multiplying the base point G by the second private key using a point multiplication operation on an elliptic curve, i.e. PK'_i = SK'_i·G.
Optionally, the first secret may be published by broadcast by the central server. As shown in fig. 6, n first terminals T_i select the verification function and enter a verification area; each contributes its received second public key PK'_i = SK'_i·G, and Lagrange interpolation with (ID_i, PK'_i) as the secret shares recovers a second secret A'_0, which is the coefficient a_0 of the original polynomial after base-point encryption. If the recovered A'_0 is consistent with the A_0 previously published by the server, the verification succeeds; otherwise the verification fails.
In the embodiment, the identity verification of the server can be realized in different modes, so that the safety is improved, and the flexibility is high.
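The two elliptic-curve constructions described above, the (PK_i, M, π) binding triplet and the secret-sharing check of the server, worked through as an added example that is not code from the patent. Assumptions: secp256k1 as the curve, SHA-256 as the hash, small integer IDs as constructed identity information, and the check π·G = M + c·PK_i, which the page does not state but which follows from π = m + c·SK_i.

```python
import hashlib
import secrets

# secp256k1 parameters (assumption: the page names no specific curve).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)
INF = None  # point at infinity


def add(a, b):
    """Add two affine points on y^2 = x^3 + 7 over GF(P)."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    k %= N
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def to_scalar(*parts):
    """Hash length-prefixed byte strings to a scalar mod N (SHA-256 assumed)."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % N


def enc(pt):
    """Fixed-width encoding of a curve point for hashing."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def bind(fp, sk):
    """Terminal side: build the triplet (PK_i, M, pi) from fingerprint fp."""
    pk = mul(sk, G)
    m = to_scalar(b"fp", fp)           # fingerprint -> field element m
    M = mul(m, G)                      # first intermediate number M = mG
    c = to_scalar(enc(pk), enc(M))     # second intermediate number c
    # m acts as the Schnorr nonce, so it must stay secret: pi - m = c*SK_i.
    return pk, M, (m + c * sk) % N     # pi = m + c*SK_i


def verify_binding(pk, M, pi):
    """Server side: accept iff pi*G == M + c*PK_i."""
    c = to_scalar(enc(pk), enc(M))
    return mul(pi, G) == add(M, mul(c, pk))


def deal(ids, a0):
    """Server side: return first secret A_0 = a0*G and shares {ID_i: PK'_i}."""
    coeffs = [a0] + [secrets.randbelow(N) for _ in ids[1:]]  # degree len(ids)-1
    evaluate = lambda x: sum(a * pow(x, k, N) for k, a in enumerate(coeffs)) % N
    return mul(a0, G), {i: mul(evaluate(i), G) for i in ids}  # PK'_i = f(ID_i)*G


def recover(shares):
    """Terminal side: Lagrange interpolation at x = 0 over (ID_i, PK'_i)."""
    acc = INF
    for i, pk in shares.items():
        lam = 1
        for j in shares:
            if j != i:
                lam = lam * j * pow((j - i) % N, -1, N) % N
        acc = add(acc, mul(lam, pk))
    return acc


if __name__ == "__main__":
    sk = secrets.randbelow(N - 1) + 1
    pk, M, pi = bind(b"constructed-fingerprint", sk)       # constructed sample
    print("binding accepted:", verify_binding(pk, M, pi))
    A0, shares = deal([11, 22, 33], secrets.randbelow(N))  # constructed IDs
    print("server accepted:", recover(shares) == A0)
    shares[22] = mul(7, G)                                 # share off the polynomial
    print("forged share accepted:", recover(shares) == A0)
```

A deployment would replace the affine arithmetic here with a vetted constant-time curve library; the arithmetic is written out only so the equations stay visible.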
Optionally, step 101 further includes, before:
The first terminal sends a third random number corresponding to the first terminal to the server, wherein the third random number is used for generating a commitment value, and the commitment value is generated based on first public keys of a plurality of second terminals in a preset range and the corresponding third random number.
Optionally, the method further comprises:
the first terminal generates an updated first private key, obtains difference information based on the updated first private key and the first private key before updating, and sends the encrypted difference information to a server.
Specifically, to improve the security of the key, the commitment value may be generated with a vector commitment method: the vector commitment locks the key and prevents tampering, and any party can perform authentication. The scheme is convenient to store, and the private key can be modified without the uploaded content revealing the specific content of the new private key.
As shown in fig. 7, the server performs a vector commitment on the first public keys of the plurality of first terminals, that is, generates a commitment value , where d_i is a random number selected by the first terminal T_i and reported to the server. Subsequent key updates or de-registration of a first terminal can be performed on the commitment value, for example by using a bilinear mapping method to verify whether the commitment of the public key is correct. Specifically, the key update may include two parts. The first terminal updates the first private key by itself, and the first terminal only needs to encrypt and upload , i.e. the difference information of the first public key, through the first session key, assuming that the first private key updated by the first terminal T_i is . Similarly, the server may also select a new key, that is, select a new second public key PK'_i, encrypt the second session key and send the encrypted second session key to the first terminal, where the first terminal T_i combines it with its own first private key to form a new first session key.
Optionally, because accounts in the system may be de-registered, some first terminals need to be deleted. This only requires modifying the commitment value in the vector commitment (deleting the sub-commitment and the sub-proof of the first terminal), so that the first public key of that first terminal is completely invalidated, and the first session key and the like that it owns are invalidated as well. In addition, the server and the first terminal need to continuously synchronize time; in this embodiment the timestamp is updated and checked, which guarantees its timeliness and correctness.
In the above embodiment, secret information such as a secret key can be updated, so that the security of the system is greatly enhanced.
As shown in fig. 8, the embodiment of the present invention proposes a concept of a key hierarchy, that is, three layers of keys, where the first hierarchy is a root key, such as fingerprint information of a terminal; the second level is a first private key (static master key) of the user terminal and a second public key (dynamic master key) special for the user terminal by the server, wherein the first private key of the user terminal is randomly generated by taking a root key as a seed, the second public key special for the user terminal is generated by the server, and the first private key and the second public key special for the user terminal are combined to form a session key for communication between the server and the terminal; the third level is the service key, i.e. the private key of the server delivering a certain service through the session key generated with the terminal.
The method comprises the following steps:
The terminal generates a first public key and a first private key corresponding to the first public key, and sends the first public key to a server;
the terminal receives a second public key which is sent by the server and is encrypted based on the first public key; the second public key has a corresponding second private key;
the terminal generates a first session key based on the second public key and a first private key, the first session key being used when the terminal sends data to the server.
In summary, the security key system and the identity authentication scheme provided by the embodiment of the invention can effectively improve the security of communication between the user terminal and the server, ensure that data resources are accessed only by authorized legitimate users, do not depend on a specific hardware architecture or implementation, and are highly scalable. Optionally, a lightweight encryption algorithm is used when encryption is performed. For example, when uploading the fingerprint information fp_i, a symmetric encryption method can be used, which greatly increases encryption and decryption speed. When the various random number verification challenges are carried out, the two parties need to compare hash values of the random numbers, and hash operations are extremely fast. In addition, where asymmetric encryption is involved, the scheme can adopt elliptic curve encryption, which has higher operation efficiency when the key length is the same as that of RSA. The scheme therefore has good scalability, high efficiency and high security, and has high application value in various scenarios such as copyright protection.
FIG. 9 is a second flow chart of the security authentication method according to the present invention. As shown in fig. 9, the method provided in this embodiment includes:
Step 901, a server receives a first public key sent by a first terminal;
Step 902, the server generates a second public key, a second private key corresponding to the second public key and a first random number corresponding to the first terminal, and sends the second public key encrypted based on the first public key and the first random number corresponding to the first terminal; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
Step 903, the server receives fingerprint information encrypted by the first terminal based on a first session key, where the first session key is generated based on a second public key and a first private key corresponding to the first public key; the fingerprint information is used for carrying out identity authentication on the first terminal.
Optionally, the server generates a second public key and a second private key corresponding to the second public key, including:
the server generates the second private key by using a third encryption algorithm according to the identity information of the terminal;
and the server generates the second public key according to the second private key.
Optionally, the method further comprises:
And the server encrypts and obtains a first secret according to the coefficient of the polynomial generated based on the random number and sends the first secret to the first terminal.
Optionally, the method further comprises:
the server generates a second session key according to the first public key and the second private key;
And the server decrypts and stores the encrypted fingerprint information according to the second session key.
Optionally, the method further comprises:
The server sends a verification request to the first terminal;
The server receives encrypted fingerprint information or a first random number sent by the terminal based on the verification request, and performs identity verification on the first terminal based on the encrypted fingerprint information or the first random number.
The method of the embodiment of the present invention is similar to the method of any of the foregoing method embodiments of the first terminal side, and its implementation principle and technical effects are similar, and are not repeated here.
The security authentication device provided by the present invention will be described below, and the security authentication device described below and the security authentication method described above may be referred to correspondingly to each other.
Fig. 10 is a schematic structural diagram of a security authentication device provided by the present invention. As shown in fig. 10, the security authentication device provided in this embodiment includes:
a processing module 1010, configured to generate fingerprint information, a first public key, and a first private key corresponding to the first public key;
A sending module 1020, configured to send the first public key to a server;
A receiving module 1030, configured to receive a second public key encrypted based on the first public key and a first random number corresponding to the first terminal, which are sent by a server; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
the processing module 1010 is further configured to generate a first session key based on the second public key and the first private key, and encrypt the fingerprint information using the first session key;
The sending module 1020 is further configured to send the encrypted fingerprint information to the server; the fingerprint information is used for carrying out identity authentication on the first terminal.
Optionally, the fingerprint information is generated based on information of at least one hierarchy, the at least one hierarchy comprising at least one of: an electronic device layer, a network and protocol layer, a plug-in layer and a behavior authentication layer; the information of the electronic device layer is inherent information of the electronic device of the first terminal, the information of the network and protocol layer is configuration information of network protocols, the information of the plug-in layer is plug-in and/or driver information installed in the first terminal, and the information of the behavior authentication layer is generated based on interaction behavior of a user and the first terminal or interaction behavior of the terminal and a server.
Optionally, the processing module 1010 is specifically configured to:
Generating the first private key by using a first encryption algorithm according to the fingerprint information or the information of the at least one hierarchy;
and generating the first public key by adopting a second encryption algorithm according to the first private key.
Optionally, the first encryption algorithm is a message authentication code algorithm based on a hash function, and the processing module 1010 is specifically configured to:
Using the fingerprint information or at least one layer of information as a secret key, using a preset second random number as a message, and generating the first private key by using the message authentication code algorithm based on the hash function;
The second encryption algorithm is an elliptic curve encryption algorithm, and the processing module 1010 is specifically configured to:
and obtaining the first public key by using the elliptic curve encryption algorithm according to a base point on a preset elliptic curve and the first private key.
Optionally, the processing module 1010 is further configured to:
And generating identity information by using a third encryption algorithm according to the fingerprint information or the information of at least one level.
Optionally, the sending module 1020 is specifically configured to:
Converting the fingerprint information into elements of a finite field, and encrypting the elements of the finite field to obtain a first intermediate number;
Obtaining a second intermediate number by using a fourth encryption algorithm according to the first public key and the first intermediate number;
Obtaining certification information according to the elements of the finite field, the second intermediate number and the first private key;
and transmitting the first public key, the first intermediate number and the proving information to the server.
Optionally, the receiving module 1030 is further configured to:
Receiving a service key sent by the server, wherein the service key is encrypted based on the second session key and provided with a time stamp; the timestamp comprises valid time information of the service key; the service key is used for a target service of the first terminal; the second session key is generated based on the first public key and a second private key corresponding to the second public key.
Optionally, the sending module 1020 is further configured to:
And after receiving the verification request of the server, sending the encrypted fingerprint information and/or the encrypted first random value to the server.
Optionally, the sending module 1020 is further configured to:
Sending a verification request to the server;
optionally, the receiving module 1030 is further configured to:
Receiving an encrypted first random number sent by the server based on the verification request;
the processing module 1010 is further configured to:
And authenticating the server based on the encrypted first random number.
Optionally, the receiving module 1030 is further configured to:
receiving a first secret sent by the server;
the processing module 1010 is further configured to:
based on the identity information of a plurality of second terminals and the second public keys as secret shares, obtaining second secret by using a Lagrange interpolation mode; the plurality of second terminals includes the first terminal;
and if the second secret is consistent with the first secret, determining that the authentication of the server is successful.
Optionally, the processing module 1010 is further configured to:
Generating an updated first private key, and obtaining difference information based on the updated first private key and the first private key before updating;
the sending module 1020 is further configured to:
and sending the encrypted difference information to a server.
Optionally, the sending module 1020 is further configured to:
Transmitting a third random number corresponding to the first terminal to the server, wherein the third random number is used for generating a commitment value, and the commitment value is generated based on first public keys of a plurality of second terminals in a preset range and the corresponding third random number; the plurality of second terminals includes the first terminal.
The device of the embodiment of the present invention is configured to execute the method of any of the foregoing method embodiments on the first terminal side, and its implementation principle and technical effects are similar, and are not repeated here.
FIG. 11 is a schematic diagram of a second embodiment of a security authentication device according to the present invention. As shown in fig. 11, the security authentication device provided in this embodiment includes:
a receiving module 1110, configured to receive a first public key sent by a first terminal;
a processing module 1120, configured to generate a second public key, a second private key corresponding to the second public key, and a first random number corresponding to the first terminal;
A transmitting module 1130, configured to transmit, to the first terminal, a first random number corresponding to the first terminal based on the second public key encrypted by the first public key; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The receiving module 1110 is further configured to receive fingerprint information encrypted by the first terminal based on a first session key, where the first session key is generated based on the second public key and a first private key corresponding to the first public key; the fingerprint information is used for carrying out identity authentication on the first terminal.
Optionally, the processing module 1120 is specifically configured to:
generating the second private key by using a third encryption algorithm according to the identity information of the terminal;
And generating the second public key according to the second private key.
Optionally, the processing module 1120 is further configured to:
Encrypting according to coefficients of a polynomial generated based on random numbers to obtain first secret;
the sending module 1130 is further configured to send the first secret to the first terminal.
Optionally, the processing module 1120 is further configured to:
generating a second session key according to the first public key and the second private key;
and decrypting and storing the encrypted fingerprint information according to the second session key.
Optionally, the sending module 1130 is further configured to:
Sending a verification request to the first terminal;
The receiving module 1110 is further configured to receive encrypted fingerprint information or a first random number sent by the terminal based on the authentication request;
The processing module 1120 is further configured to: and authenticating the first terminal based on the encrypted fingerprint information or the first random number.
The device of the embodiment of the present invention is configured to execute the method of any of the foregoing method embodiments on the server side, and its implementation principle and technical effects are similar, and are not repeated here.
Fig. 12 illustrates an entity structure diagram of a first terminal, and as shown in fig. 12, the first terminal may include: processor 1210, communication interface (Communications Interface) 1220, memory 1230 and communication bus 1240, wherein processor 1210, communication interface 1220 and memory 1230 communicate with each other via communication bus 1240. Processor 1210 may invoke logic instructions in memory 1230 to perform a security authentication method comprising: the method comprises the steps that a first terminal generates fingerprint information, a first public key and a first private key corresponding to the first public key, and sends the first public key to a server;
The first terminal receives a second public key encrypted based on the first public key and a first random number corresponding to the first terminal, which are sent by a server; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The first terminal generates a first session key based on the second public key and a first private key, and encrypts the fingerprint information by using the first session key;
The first terminal sends the encrypted fingerprint information to the server; the fingerprint information is used for carrying out identity authentication on the first terminal.
In addition, the logic instructions in the memory 1230 described above may be implemented in the form of software functional units and, when sold or used as a stand-alone product, stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
Fig. 13 illustrates an entity structure diagram of a server, and as shown in fig. 13, the first terminal may include: processor 1310, communication interface (Communications Interface) 1320, memory 1330 and communication bus 1340, wherein processor 1310, communication interface 1320 and memory 1330 communicate with each other via communication bus 1340. Processor 1310 may invoke logic instructions in memory 1330 to perform a security authentication method, the method comprising:
The server receives a first public key sent by a first terminal;
The server generates a second public key, a second private key corresponding to the second public key and a first random number corresponding to the first terminal, and sends the second public key encrypted based on the first public key and the first random number corresponding to the first terminal; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The server receives fingerprint information encrypted by the first terminal based on a first session key, wherein the first session key is generated based on the second public key and a first private key corresponding to the first public key; the fingerprint information is used for carrying out identity authentication on the first terminal.
Further, the logic instructions in the memory 1330 can be implemented in the form of software functional units and, when sold or used as a stand-alone product, stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program, the computer program being storable on a non-transitory computer readable storage medium, the computer program, when executed by a processor, being capable of performing the security authentication method provided by the methods described above, the method comprising: the method comprises the steps that a first terminal generates fingerprint information, a first public key and a first private key corresponding to the first public key, and sends the first public key to a server;
The first terminal receives a second public key encrypted based on the first public key and a first random number corresponding to the first terminal, which are sent by a server; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The first terminal generates a first session key based on the second public key and a first private key, and encrypts the fingerprint information by using the first session key;
The first terminal sends the encrypted fingerprint information to the server; the fingerprint information is used for carrying out identity authentication on the first terminal; or alternatively,
The server receives a first public key sent by a first terminal;
The server generates a second public key, a second private key corresponding to the second public key and a first random number corresponding to the first terminal, and sends the second public key encrypted based on the first public key and the first random number corresponding to the first terminal; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The server receives fingerprint information encrypted by the first terminal based on a first session key, wherein the first session key is generated based on the second public key and a first private key corresponding to the first public key; the fingerprint information is used for carrying out identity authentication on the first terminal.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the security authentication method provided above, the method comprising: a first terminal generates fingerprint information, a first public key and a first private key corresponding to the first public key, and sends the first public key to a server;
The first terminal receives a second public key encrypted based on the first public key and a first random number corresponding to the first terminal, which are sent by a server; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The first terminal generates a first session key based on the second public key and a first private key, and encrypts the fingerprint information by using the first session key;
The first terminal sends the encrypted fingerprint information to the server; the fingerprint information is used for carrying out identity authentication on the first terminal; or alternatively,
The server receives a first public key sent by a first terminal;
The server generates a second public key, a second private key corresponding to the second public key and a first random number corresponding to the first terminal, and sends the second public key encrypted based on the first public key and the first random number corresponding to the first terminal; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The server receives fingerprint information encrypted by the first terminal based on a first session key, wherein the first session key is generated based on the second public key and a first private key corresponding to the first public key; the fingerprint information is used for carrying out identity authentication on the first terminal.
The apparatus embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (20)
1. A security authentication method, comprising:
A first terminal generates fingerprint information, a first public key and a first private key corresponding to the first public key, and sends the first public key to a server;
The first terminal receives a second public key encrypted based on the first public key and a first random number corresponding to the first terminal, which are sent by a server; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The first terminal generates a first session key based on the second public key and a first private key, and encrypts the fingerprint information by using the first session key;
The first terminal sends the encrypted fingerprint information to the server; the fingerprint information is used for carrying out identity authentication on the first terminal.
2. The security authentication method of claim 1, wherein the fingerprint information is generated based on information of at least one level, the at least one level including at least one of: an electronic device layer, a network and protocol layer, a plug-in layer and a behavior authentication layer; the information of the electronic device layer is inherent information of the electronic device of the first terminal, the information of the network and protocol layer is configuration information of network protocols, the information of the plug-in layer is information on plug-ins and/or drivers installed in the first terminal, and the information of the behavior authentication layer is generated based on interaction behavior of a user and the first terminal or interaction behavior of the terminal and a server.
3. The security authentication method according to claim 2, wherein the first terminal generates a first public key and a first private key corresponding to the first public key, comprising:
the first terminal generates the first private key by utilizing a first encryption algorithm according to the fingerprint information or the information of at least one level;
and the first terminal generates the first public key by adopting a second encryption algorithm according to the first private key.
4. The security authentication method according to claim 3, wherein the first encryption algorithm is a message authentication code algorithm based on a hash function, and the first terminal generating the first private key by using the first encryption algorithm according to the fingerprint information or the information of the at least one level comprises:
the first terminal takes the fingerprint information or the information of the at least one level as a secret key, takes a preset second random number as a message, and generates the first private key by utilizing the message authentication code algorithm based on the hash function;
the second encryption algorithm is an elliptic curve encryption algorithm, and the first terminal generating the first public key by using the second encryption algorithm according to the first private key comprises:
the first terminal obtains the first public key by using the elliptic curve encryption algorithm according to a base point on a preset elliptic curve and the first private key.
5. The security authentication method of any of claims 2-4, further comprising:
And the first terminal generates identity information by utilizing a third encryption algorithm according to the fingerprint information or the information of at least one level.
6. The security authentication method according to any one of claims 1 to 4, wherein the sending the first public key to a server comprises:
Converting the fingerprint information into elements of a finite field, and encrypting the elements of the finite field to obtain a first intermediate number;
Obtaining a second intermediate number by using a fourth encryption algorithm according to the first public key and the first intermediate number;
Obtaining certification information according to the elements of the finite field, the second intermediate number and the first private key;
and transmitting the first public key, the first intermediate number and the proving information to the server.
7. The security authentication method of any of claims 1-4, further comprising:
The first terminal receives a service key sent by the server, wherein the service key is encrypted based on a second session key and provided with a time stamp; the timestamp comprises valid time information of the service key; the service key is used for a target service of the first terminal; the second session key is generated based on the first public key and a second private key corresponding to the second public key.
8. The security authentication method of any of claims 1-4, further comprising:
After receiving the verification request of the server, the first terminal sends encrypted fingerprint information and/or an encrypted first random value to the server; the encrypted fingerprint information and/or the encrypted first random value are used for carrying out identity authentication on the first terminal.
9. The security authentication method of any of claims 1-4, further comprising:
The first terminal sends a verification request to the server;
the first terminal receives an encrypted first random number sent by the server based on the verification request;
and the first terminal performs identity verification on the server based on the encrypted first random number.
10. The security authentication method of any of claims 1-4, further comprising:
the first terminal receives a first secret sent by the server;
The first terminal obtains a second secret by Lagrange interpolation, using identity information of a plurality of second terminals and the second public key as secret shares; the plurality of second terminals includes the first terminal;
and if the second secret is consistent with the first secret, determining that the authentication of the server is successful.
11. The security authentication method of any of claims 1-4, further comprising:
the first terminal generates an updated first private key, obtains difference information based on the updated first private key and the first private key before updating, and sends the encrypted difference information to a server.
12. The security authentication method of any of claims 1-4, further comprising:
The first terminal sends a third random number corresponding to the first terminal to the server, wherein the third random number is used for generating a commitment value, and the commitment value is generated based on first public keys of a plurality of second terminals in a preset range and the corresponding third random number; the plurality of second terminals includes the first terminal.
13. A security authentication method, comprising:
The server receives a first public key sent by a first terminal;
The server generates a second public key, a second private key corresponding to the second public key and a first random number corresponding to the first terminal, and sends the second public key encrypted based on the first public key and the first random number corresponding to the first terminal; the first random number is used for carrying out identity authentication on the first terminal and/or the server;
The server receives fingerprint information encrypted by the first terminal based on a first session key, wherein the first session key is generated based on the second public key and a first private key corresponding to the first public key; the fingerprint information is used for carrying out identity authentication on the first terminal.
14. The security authentication method of claim 13, wherein the server generating a second public key, a second private key corresponding to the second public key, comprises:
the server generates the second private key by using a third encryption algorithm according to the identity information of the terminal;
and the server generates the second public key according to the second private key.
15. The security authentication method according to claim 13 or 14, characterized in that the method further comprises:
The server obtains a first secret by encryption according to the coefficient of a polynomial generated based on the random number, and sends the first secret to the first terminal.
16. The security authentication method according to claim 13 or 14, characterized in that the method further comprises:
the server generates a second session key according to the first public key and the second private key;
And the server decrypts and stores the encrypted fingerprint information according to the second session key.
17. The security authentication method according to claim 13 or 14, characterized in that the method further comprises:
The server sends a verification request to the first terminal;
The server receives encrypted fingerprint information or a first random number sent by the terminal based on the verification request, and performs identity verification on the first terminal based on the encrypted fingerprint information or the first random number.
18. A first terminal comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the security authentication method according to any one of claims 1 to 12.
19. A server comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the security authentication method of any of claims 13 to 17.
20. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the security authentication method according to any of claims 1 to 12 or the security authentication method according to any of claims 13 to 17.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410144361.7A CN117896168A (en) | 2024-01-31 | 2024-01-31 | Security authentication method and equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410144361.7A CN117896168A (en) | 2024-01-31 | 2024-01-31 | Security authentication method and equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117896168A (en) | 2024-04-16 |
Family
ID=90645765
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410144361.7A Pending CN117896168A (en) | 2024-01-31 | 2024-01-31 | Security authentication method and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117896168A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||