CN104052608B - Certificate-free remote anonymous authentication method based on third party in cloud application - Google Patents

Abstract

Translated fromChinese

本发明公开了一种云应用中基于第三方的无证书匿名认证方法，主要解决现有技术远程双向认证安全性差的问题。其实现步骤是：1)网络管理者M对系统进行初始化；2)网络管理者M对用户U进行身份注册，并给用户U颁发系统账号；3)网络管理者M对服务提供商S进行身份注册，并给服务提供商S发送合法用户U的部分身份信息；4)用户U使用系统账号以匿名方式向服务提供商S发送服务请求；5)服务提供商S与用户U进行双向认证。本发明既消除了对证书的需求，又无密钥托管的弊端，提高了匿名双向认证的安全性，可用于无线体域网中远程用户进行服务请求时的身份认证。

The invention discloses a third-party certificateless anonymous authentication method in cloud applications, which mainly solves the problem of poor security of remote two-way authentication in the prior art. The implementation steps are: 1) The network manager M initializes the system; 2) The network manager M registers the identity of the user U, and issues a system account to the user U; 3) The network manager M registers the identity of the service provider S. Register and send part of the identity information of the legitimate user U to the service provider S; 4) The user U uses the system account to anonymously send a service request to the service provider S; 5) The service provider S and the user U perform two-way authentication. The invention not only eliminates the need for certificates, but also has no disadvantages of key trusteeship, improves the security of anonymous two-way authentication, and can be used for identity authentication when remote users request services in wireless body area networks.

Description

Translated fromChinese

云应用中基于第三方的无证书远程匿名认证方法A third-party certificateless remote anonymous authentication method in cloud applications

技术领域technical field

本发明属于信息安全技术领域，特别涉及无证书远程匿名认证方法，可用于无线体域网WBAN中远程用户身份认证。The invention belongs to the technical field of information security, in particular to a certificateless remote anonymous authentication method, which can be used for remote user identity authentication in a wireless body area network (WBAN).

背景技术Background technique

云计算是目前IT领域的研究热点之一，被认为是继互联网之后的第四代IT产业革命。云计算是基于互联网和分布式计算技术，将原本各自独立的分散的计算、存储及带宽等资源整合起来形成资源池，向用户屏蔽了存储硬件配置、分布式处理、容灾与备份等细节，将存储资源作为服务通过互联网提供给用户使用。用户按照自己对存储资源的实际需求量向云服务提供商租用池内资源，将用户的计算和存储都转移到云端，省却本地的存储硬件及人员投入，从而减轻用户终端的资源负担。同时，专业云服务提供商一般具有普通用户无法比拟的技术和管理水平，从技术上为用户数据提供更好的冗余备份和灾难恢复。正是云的这些特点使得关于云应用的研究也越来越多。为了实现匿名认证和安全通信，目前已有多种解决方案。Cloud computing is one of the research hotspots in the IT field at present, and is considered to be the fourth generation of IT industrial revolution after the Internet. Cloud computing is based on the Internet and distributed computing technology. It integrates originally independent and scattered resources such as computing, storage and bandwidth to form a resource pool, and shields users from details such as storage hardware configuration, distributed processing, disaster recovery and backup. Provide storage resources as a service to users through the Internet. Users rent resources in the pool from cloud service providers according to their actual demand for storage resources, and transfer the user's computing and storage to the cloud, saving local storage hardware and personnel investment, thereby reducing the resource burden on user terminals. At the same time, professional cloud service providers generally have technical and management levels that ordinary users cannot match, and technically provide better redundant backup and disaster recovery for user data. It is these characteristics of the cloud that make more and more researches on cloud applications. In order to achieve anonymous authentication and secure communication, there are various solutions.

1.基于传统公钥体制实现的远程认证方案：用户和服务器各自拥有公/私钥对及相应的公钥证书，用户利用签名向服务器进行身份认证，并利用用户和服务器之间的共享密钥加密用户身份、用户签名和用户公钥证书，以保证用户匿名性、非否认性。但是由于存在公钥证书管理、证书实时传递和验证使得这类方案计算量太大。1. The remote authentication scheme based on the traditional public key system: the user and the server each have a public/private key pair and the corresponding public key certificate, the user uses the signature to authenticate the server, and uses the shared key between the user and the server Encrypt user identity, user signature and user public key certificate to ensure user anonymity and non-repudiation. However, due to the existence of public key certificate management, real-time transfer and verification of certificates, such schemes are too computationally intensive.

2.基于身份的密码系统—IBC：用户具有基于身份的公/私钥对，并利用基于身份的签名算法生成认证请求。当签名通过验证时，服务器对用户进行授权，克服了公钥体制的证书管理等问题，但是该方法由于引入了密钥托管的问题，同时未考虑匿名性要求，故不能实现匿名认证和提供匿名服务，同时计算量很大。2. Identity-based cryptographic system—IBC: users have identity-based public/private key pairs, and use identity-based signature algorithms to generate authentication requests. When the signature is verified, the server authorizes the user, which overcomes the problems of certificate management in the public key system. However, because this method introduces the problem of key escrow and does not consider the requirement of anonymity, it cannot realize anonymous authentication and provide anonymity. service, and the calculation is heavy at the same time.

3.基于无证书的公钥密码系统—CL-PKC：用户和密钥生成中心各自生成用户部分私钥，由这两部分私钥构成用户完整的私钥，用户利用无证书签名向服务器进行身份认证。这种方法虽然解决了密钥托管的问题，但仍然存在计算复杂度高，不能实现完整的匿名性，且不能抵抗公钥替换攻击和未考虑用户存储空间有限等问题。3. Certificateless public key cryptography system—CL-PKC: the user and the key generation center each generate a part of the user's private key, and these two parts of the private key constitute the user's complete private key, and the user uses a certificateless signature to identify the server. certified. Although this method solves the problem of key escrow, it still has high computational complexity, cannot achieve complete anonymity, cannot resist public key replacement attacks, and does not consider the limited storage space of users.

发明内容Contents of the invention

本发明的目的在于针对上述已有技术的不足，提出云应用中基于第三方的无证书远程匿名认证方法，以解决提高安全强度，实现远程匿名双向认证。The purpose of the present invention is to address the deficiencies of the above-mentioned prior art, and propose a third-party certificateless remote anonymous authentication method in cloud applications, so as to solve the problem of improving security strength and realize remote anonymous two-way authentication.

本发明的技术方案是这样实现的：Technical scheme of the present invention is realized like this:

本发明涉及三个使用云服务的实体：网络管理者M、用户U、服务提供商S。这三个实体在匿名认证系统中充当不同的角色：网络管理者M，负责认证系统的初始化和注册；用户U，负责向认证系统中的服务提供商发送服务请求并接收反馈回来的信息；服务提供商S，负责接收用户请求，收集相关信息并提供相应服务给合法用户。其具体的认证过程包括如下：The present invention involves three entities using cloud services: a network manager M, a user U, and a service provider S. These three entities play different roles in the anonymous authentication system: the network manager M is responsible for the initialization and registration of the authentication system; the user U is responsible for sending service requests to service providers in the authentication system and receiving feedback information; the service provider Provider S is responsible for receiving user requests, collecting relevant information and providing corresponding services to legitimate users. The specific certification process includes the following:

(1)网络管理者M对系统进行初始化：(1) The network manager M initializes the system:

1a)网络管理者M公布系统参数system＝{G₁,G₂,e,l,q,P,Q_c,H₁,H₂}，其中,G₁是一个阶为素数q的循环加法群，G₂是一个阶为素数q的循环乘法群，e是一个双线性对映射，l是安全系数，P是G₁的生成元，Q_c是网络管理者M的公钥，H₁和H₂是两个无碰撞安全杂凑函数，H₁是将长度不等的0/1序列映射到G₁上的元素的杂凑函数，H₂是将长度不等的0/1序列和G₁中的元素映射到整数乘法群上的一个元素的杂凑函数；1a) The network manager M publishes system parameters system={G₁ , G₂ ,e, l, q, P, Q_c , H₁ , H₂ }, where G₁ is a cyclic addition group whose order is a prime number q , G₂ is a cyclic multiplicative group whose order is a prime number q, e is a bilinear pairing map, l is a security factor, P is the generator of G₁ , Q_c is the public key of the network manager M, H₁ and H₂ is two collision-free safe hash functions, H₁ is a hash function that maps 0/1 sequences of different lengths to elements on G₁ , H₂ is a hash function that combines 0/1 sequences of different lengths with G₁ The elements of are mapped to the integer multiplicative group The hash function of an element on ;

1b)网络管理者M从modq的整数乘法群中随机的选择一个整数s作为它的私钥，并计算它的公钥Q_c＝sP，得到自己的公私钥对(s,Q_c)，其中私钥s必须对外保密，公钥Q_c对外公开；1b) Network manager M from the integer multiplicative group of modq randomly select an integer s as its private key, and calculate its public key Q_c = sP to obtain its own public-private key pair (s, Q_c ), where the private key s must be kept secret from the outside world, and the public key Q_c public;

(2)用户U和服务提供商S进行系统注册：(2) User U and service provider S perform system registration:

2a)用户U生成自己的公私钥对，并把它的身份和公钥信息发送给网络管理者M，网络管理者M为用户U颁发系统账号作为用户U在系统中的身份标识；2a) The user U generates its own public-private key pair, and sends its identity and public key information to the network manager M, and the network manager M issues a system account for the user U as the identity of the user U in the system;

2b)服务提供商S将自己的身份信息发送给网络管理者M，网络管理者M计算服务提供商S的第一部分私钥并将这个私钥通过安全信道发送给服务提供商S，服务提供商S收到第一部分私钥后计算自己的第二部分私钥并计算公钥对，得到自己的公私钥对；2b) The service provider S sends its identity information to the network manager M, and the network manager M calculates the first part of the private key of the service provider S and sends the private key to the service provider S through a secure channel, and the service provider After receiving the first part of the private key, S calculates its second part of the private key and calculates the public key pair to obtain its own public-private key pair;

2c)网络管理者M给服务提供商S颁发合法用户U的系统账号；2c) The network manager M issues the system account of the legal user U to the service provider S;

(3)远程匿名认证：(3) Remote anonymous authentication:

3a)用户U生成服务请求消息，并发送给服务提供商S；3a) The user U generates a service request message and sends it to the service provider S;

3b)服务提供商S收到服务请求消息后，检测服务请求时间和用户的有效性，如果有效，则计算会话密钥和消息认证码，并发送应答消息给用户U，如果无效，则拒绝服务；3b) After the service provider S receives the service request message, it detects the service request time and the validity of the user. If it is valid, it calculates the session key and the message authentication code, and sends a response message to the user U. If it is invalid, it refuses the service ;

3c)用户U收到应答消息后，验证服务提供商S的合法性，如果不合法，验证失败，如果合法，则计算会话密钥并验证消息认证码，如果验证成功，则认证结束，否则，认证失败。3c) User U verifies the legitimacy of service provider S after receiving the response message. If it is not legal, the verification fails. If it is legal, it calculates the session key and verifies the message authentication code. If the verification is successful, the authentication ends, otherwise, Authentication failed.

本发明与现有技术相比具有如下优点：Compared with the prior art, the present invention has the following advantages:

(1)实现了匿名性：本发明通过系统账号Acn代替用户U的真实身份完成系统认证，使得用户U在不暴露身份的情况下享受服务，个人信息得到了保护，实现了匿名性，提高了安全性。(1) Anonymity is realized: the present invention replaces the real identity of the user U with the system account Acn to complete the system authentication, so that the user U can enjoy the service without revealing the identity, the personal information is protected, the anonymity is realized, and the user U is improved. safety.

(2)实现了双向认证：本发明在注册阶段实现了用户U和网络管理者M、服务提供商S和网络管理者M之间的双向认证；在远程匿名认证阶段实现了用户U和服务提供商S之间的双向认证。(2) Two-way authentication has been realized: the present invention has realized two-way authentication between user U and network manager M, service provider S and network manager M in the registration stage; realized user U and service provider in remote anonymous authentication stage Two-way authentication between merchants.

(3)安全性高：本发明中用户U和服务提供商S是利用用户U的系统账号Acn和双方的公私钥对进行身份认证，而网络管理者M只知道用户U的系统账号Acn和用户U身份之间的对应关系并没有用户U的私钥，所以网络管理者M不能冒充用户U同服务提供商S完成认证过程，避免了网络管理者M冒充用户U与服务提供商S进行认证。(3) High security: in the present invention, user U and service provider S utilize the system account number Acn of user U and the public and private keys of both parties to carry out identity authentication, while the network manager M only knows the system account number Acn and user U of user U. The corresponding relationship between U identities does not have the private key of user U, so network manager M cannot pretend to be user U to complete the authentication process with service provider S, which prevents network manager M from pretending to be user U to authenticate with service provider S.

附图说明Description of drawings

图1是本发明的实现总流程图；Fig. 1 is the realization overall flowchart of the present invention;

图2是本发明用户的注册子流程图；Fig. 2 is the registration subflow chart of the user of the present invention;

图3是本发明服务提供商的注册子流程图；Fig. 3 is the registration sub-flow chart of service provider of the present invention;

图4是本发明的认证子流程图。Fig. 4 is an authentication sub-flow chart of the present invention.

具体实施方式detailed description

参照图1，本发明的实现步骤如下：With reference to Fig. 1, the realization steps of the present invention are as follows:

步骤1，网络管理者M对系统进行初始化：Step 1, network manager M initializes the system:

(1a)网络管理者M根据安全需要，确定安全系数l和素数q的大小，利用椭圆曲线选择合适的循环加法群G₁和循环乘法群G₂构造双线性对映射e(G₁,G₂)→G₂；(1a) The network manager M determines the size of the safety factor l and the prime number q according to the security needs, and uses the elliptic curve to select the appropriate cyclic addition group G₁ and cyclic multiplication group G₂ to construct a bilinear pairing map e(G₁ ,G₂ ) → G₂ ;

(1b)网络管理者M选择两个无碰撞杂凑函数H₁:{0,1}^*→G₁和其中，H₁是将长度不等的0/1序列映射到循环加法群G₁上的一个元素的杂凑函数，H₂是将长度不等的0/1和循环加法群G₁中的元素映射到modq的整数乘法群上的一个元素的杂凑函数；(1b) The network manager M chooses two collision-free hash functions H₁ : {0,1}^* → G₁ and Among them, H₁ is a hash function that maps 0/1 sequences of different lengths to an element in the cyclic addition group G₁ , and H₂ is a mapping between 0/1 sequences of unequal lengths and elements in the cyclic addition group G₁ Integer multiplication group to modq The hash function of an element on ;

(1c)网络管理者M从modq的整数乘法群中随机选择一个整数s作为它的私钥，计算Q_c＝sP作为它的公钥,P是循环加法群G₁的生成元；(1c) The integer multiplication group of the network manager M from modq Randomly select an integer s as its private key, calculate Q_c =sP as its public key, and P is the generator of the cyclic addition group G₁ ;

(1d)网络管理者M公布系统参数system＝{G₁,G₂,e,l,q,P,Q_c,H₁,H₂}，其中，q是一个素数，G₁是一个阶为素数q的循环加法群，G₂是一个阶为素数q的循环乘法群，e是一个双线性对映射，l是安全系数，P是循环加法群G₁的生成元,Q_c是网络管理者M的公钥。(1d) The network manager M publishes system parameters system={G₁ , G₂ ,e, l, q, P, Q_c , H₁ , H₂ }, where q is a prime number, and G₁ is a The cyclic additive group of prime number q, G2 is a cyclic multiplicative group of order prime q, e is a bilinear pairing map,_l is the safety factor, P is the generator of cyclic additive group_G1 , Q_c is the network management or M's public key.

步骤2，网络管理者M对用户U进行身份注册：Step 2, the network manager M registers the identity of the user U:

参照图2，本步骤的具体实现如下：Referring to Figure 2, the specific implementation of this step is as follows:

(2a)用户U从modq的整数乘法群中随机选取一个整数s_U作为自己的私钥，计算公钥Q_U＝s_UP，得到自己的公私钥对(s_U,Q_U)，用户U把它的身份id_U和它的公钥Q_U发送给网络管理者M，其中，P是循环加法群G₁的生成元；(2a) The integer multiplication group of user U from modq randomly select an integer s_U as its own private key, calculate the public key Q_U = s_U P, and obtain its own public-private key pair (s_U , Q_U ), user U uses its identity id_U and its public key Q_U is sent to the network manager M, where P is the generator of the cyclic addition group_G1 ;

(2b)网络管理者M收到用户U的身份id_U和公钥Q_U，从modq的整数乘法群中随机选取一个整数r₁，计算用户U的系统账号Acn＝r₁P，并生成一个签名σ₁＝r₁-sH₂(id_U,Q_U)，网络管理者M将账号管理信息(σ₁,Acn)发送给用户U，其中，P是循环加法群G₁的生成元，s是网络管理者M的私钥；(2b) The network manager M receives the user U's identity id_U and public key Q_U , from the integer multiplication group of modq Randomly select an integer r₁ in , calculate user U’s system account Acn=r₁ P, and generate a signature σ₁ =r₁ -sH₂ (id_U , Q_U ), the network manager M sends the account management information (σ₁ ,Acn) to the user U, where P is the generator of the cyclic addition group G₁ , and s is the private key of the network manager M;

(2c)用户U收到账号管理信息(σ₁,Acn)后，判断等式Acn＝σ₁P+Q_cH₂(id_U,Q_U)是否成立，如果成立，则存储账号管理信息(σ₁,Acn)，并将系统账号Acn作为自己在认证系统中的身份标识，如果不成立，则放弃本次注册，其中，P是循环加法群G₁的生成元，Q_c是网络管理者M的公钥，id_U是用户U的身份信息，Q_U是用户U的公钥。(2c) After receiving the account management information (σ₁ ,Acn), the user U judges whether the equation Acn=σ₁ P+Q_c H₂ (id_U ,Q_U ) is true, and if it is true, stores the account management information ( σ₁ ,Acn), and use the system account Acn as its own identity in the authentication system. If it is not established, this registration will be abandoned. Among them, P is the generator of the cyclic addition group G₁ , and Q_c is the network manager M id_U is the identity information of user U, and Q_U is the public key of user U.

步骤3，网络管理者M对服务提供商S进行身份注册：Step 3, the network manager M registers the identity of the service provider S:

参照图3，本步骤的具体实现如下：Referring to Figure 3, the specific implementation of this step is as follows:

(3a)服务提供商S将自己的身份id_S发送给网络管理者M，网络管理者M计算服务提供商S的第一部分私钥并将第一部分私钥S₁通过安全信道发送给服务提供商,其中，s是网络管理者M的私钥，身份消息摘要id_S是服务提供商S的身份信息；(3a) The service provider S sends its own identity id_S to the network manager M, and the network manager M calculates the first part of the private key of the service provider S And send the first part of the private key S₁ to the service provider through a secure channel, where s is the private key of the network manager M, and the identity message digest id_S is the identity information of the service provider S;

(3b)服务提供商S收到网络管理者M发送过来的第一部分私钥S₁，判断等式是否成立：如果成立，则服务提供商S验证网络管理者M合法，服务提供商S从modq的整数乘法群中随机选取一个整数s₂作为自己的第二部分私钥，得到自己的完整私钥对(S₁,s₂)，并计算公钥对如果不成立，则服务提供商S验证网络管理者M不合法，放弃本次注册过程，其中，P是循环加法群G₁的生成元，身份消息摘要id_S是服务提供商S的身份信息，Q_c网络管理者M的公钥；(3b) The service provider S receives the first part of the private key S₁ sent by the network manager M, and judges the equation Whether it is established: if it is established, the service provider S verifies that the network manager M is legal, and the service provider S obtains from the integer multiplication group of modq Randomly select an integer s₂ as the second part of the private key, get your own complete private key pair (S₁ , s₂ ), and calculate the public key pair If not, the service provider S verifies that the network manager M is illegal and abandons the registration process, where P is the generator of the cyclic addition group_G1 , and the identity message digest id_S is the identity information of the service provider S, and_Qc is the public key of the network manager M;

(3c)网络管理者M给服务提供商S发送用户U的部分身份信息(σ₁,Acn,Q_U,h)，其中，σ₁是网络管理者M的签名，Acn是用户U的系统账号，Q_U是用户U的公钥，h＝H₂(id_U,Q_U)是用户U的身份id_U和公钥Q_U的消息摘要；(3c) Network manager M sends user U’s partial identity information (σ₁ ,Acn,Q_U ,h) to service provider S, where σ₁ is the signature of network manager M, and Acn is user U’s system account , Q_U is the public key of user U, h=H₂ (id_U , Q_U ) is the message digest of user U’s identity id_U and public key Q_U ;

(3d)服务提供商S收到网络管理者M发送的用户U的部分身份信息(σ₁,Acn,Q_U,h)后，检测等式Acn＝σ₁P+Q_ch是否成立：如果成立，则服务提供商S存储用户U的部分身份信息(σ₁,Acn,Q_U,h)，并将系统账号Acn作为合法用户U的身份标识；如果不成立，则服务提供商S放弃存储，其中，P是循环加法群G₁的生成元。(3d) After the service provider S receives part of the identity information (σ₁ ,Acn,Q_U ,h) of the user U sent by the network manager M, it checks whether the equation Acn=σ₁ P+Q_c h holds true: if is established, the service provider S stores part of the identity information (σ₁ ,Acn,Q_U ,h) of the user U, and uses the system account Acn as the identity of the legal user U; if not established, the service provider S gives up the storage, where P is the generator of the cyclic addition group_G1 .

步骤4，用户U与服务提供商S进行远程匿名认证：Step 4, user U conducts remote anonymous authentication with service provider S:

参照图4，本步骤的具体实现如下：Referring to Figure 4, the specific implementation of this step is as follows:

(4a)用户U从modq的整数乘法群中随机选择r₂，计算自己的一次性消息R₁＝r₂P和一次性保护消息R₂＝r₂Q₁,其中，P是循环加法群G₁的生成元，Q₁为服务提供商S的公钥；(4a) The integer multiplication group of user U from modq Randomly select r₂ in , calculate your own one-time message R₁ = r₂ P and one-time protection message R₂ = r₂ Q₁ , where P is the generator of the cyclic addition group G₁ , and Q₁ is the service provider S's public key;

(4b)用户U根据自己的一次性消息R₁计算自己的消息摘要h＝H₂(σ₁||t_C,R₁)，其中，σ₁是网络管理者M的签名，t_C是请求服务的时间；(4b) User U calculates his own message digest h=H₂ (σ₁ ||t_C , R₁ ) according to his one-time message R₁ , where σ₁ is the signature of network manager M, and t_C is the request the hours of service;

(4c)用户U根据随机选取的整数r₂、自己的私钥s_U和消息摘要h计算信息签名σ₂＝s_U-r₂h；(4c) User U calculates information signature σ₂ =s_U -r₂ h according to randomly selected integer r₂ , his own private key s_U and message digest h;

(4d)用户U计算账号保护消息R₃＝R₁+R₂+Acn，其中，R₁是用户U的一次性消息，R₂是用户U的一次性保护消息，Acn是用户U的系统账号；(4d) User U calculates the account protection message R₃ =R₁ +R₂ +Acn, where R₁ is the one-time message of user U, R₂ is the one-time protection message of user U, and Acn is the system account of user U ;

(4e)用户U用上述得到的一次性保护消息R₂、信息签名σ₂、请求服务的时间t_C和账号保护消息R₃构成服务请求消息M₂＝{R₂,σ₂,t_C,R₃}，并将该服务请求消息M₂发送给服务提供商S；(4e) The user U uses the one-time protection message R₂ obtained above, the information signature σ₂ , the service request time t_C and the account protection message R₃ to form a service request message M₂ ={R₂ ,σ₂ ,t_C , R₃ }, and send the service request message M₂ to the service provider S;

(4f)服务提供商S收到服务请求信息M₂后，检测服务请求时间t_C与本地时间差是否在系统允许范围内，如果在，则服务提供商S用自己的私钥s₂计算自己的一次性消息如果不在，则服务提供商S放弃本次认证，其中，R₂是用户U的一次性保护消息；(4f) After receiving the service request information M₂ , the service provider S checks whether the difference between the service request time t_C and the local time is within the allowable range of the system, and if so, the service provider S uses its own private key s₂ to calculate its own one-time message If not, the service provider S abandons this authentication, where R₂ is the one-time protection message of the user U;

(4g)服务提供商S根据自己的一次性消息R′₁、用户U的一次性保护消息R₂和账号保护消息R₃计算用户U的系统账号Acn＝R₃-R′₁-R₂，并根据系统账号Acn找到用户U的公钥Q_U；(4g) Service provider S calculates user U's system account Acn=R₃ -R'₁ -R₂ according to its own one-time message R'₁ , user U's one-time protection message R₂ and account protection message R₃ , And find the public key Q_U of user U according to the system account Acn;

(4h)服务提供商S根据自己的一次性消息R′₁计算自己的消息摘要h'＝H₂(σ₁||t_C,R′₁)，其中，σ₁是网络管理者M的签名，t_C是请求服务的时间；(4h) The service provider S calculates its own message digest h'=H₂ (σ₁ ||t_C ,R'₁ ) according to its own one-time message R′₁ , where σ₁ is the signature of the network manager M , t_C is the time of requesting service;

(4i)服务提供商S根据自己的一次性消息R′₁和消息摘要h'验证等式σ₂P+R′₁h'＝Q_U是否成立：如果成立，则认为用户U合法，服务提供商S用是网络管理者M的签名σ₁计算自己的消息摘要h₁＝H₂(σ₁||t_C||id_S,R₂)；如果不成立，则服务提供商S放弃本次认证，其中，σ₂是用户U的签名，P是循环加法群G₁的生成元，Q_U是用户U的公钥，t_C是请求服务的时间，id_S是服务提供商的身份信息，R₂是用户U的一次性保护消息；(4i) The service provider S verifies whether the equation σ₂ P+R′₁ h’=Q_U is established according to its own one-time message R′₁ and the message digest h′: if it is established, the user U is considered legal, and the service provides Business S uses the signature σ₁ of the network manager M to calculate its own message digest h₁ =H₂ (σ₁ ||t_C ||id_S ,R₂ ); if not established, the service provider S gives up this authentication , where σ₂ is the signature of the user U, P is the generator of the cyclic addition group G₁ , Q_U is the public key of the user U, t_C is the time of requesting the service, id_S is the identity information of the service provider, R₂ is the one-time protection message of user U;

(4j)服务提供商S用自己的私钥对(S₁,s₂)计算签名其中，h₁是服务提供商S的消息摘要，R₁是用户U的一次性消息；(4j) The service provider S uses its own private key pair (S₁ , s₂ ) to calculate the signature Among them,_h1 is the message summary of service provider S, and R1 is the_one -time message of user U;

(4k)服务提供商S计算自己的会话密钥key＝H₂(h₁,R′₁)，并用会话密钥key加密自己的消息摘要h₁得到消息认证码MAC_key(h₁)，其中，h₁是服务提供商S的消息摘要，R′₁是服务提供商S的一次性消息；(4k) The service provider S calculates its own session key key=H₂ (h₁ ,R′₁ ), and encrypts its own message digest h₁ with the session key key to obtain the message authentication code MAC_key (h₁ ), where , h₁ is the message summary of the service provider S, R′₁ is the one-time message of the service provider S;

(4l)服务提供商S用上述生成的签名σ₃和消息认证码MAC_key(h₁)构成回复消息M₃＝{MAC_key(h₁),σ₃}，并将该回复消息M₃发送给用户U作为对用户U服务请求的回复；(4l) The service provider S uses the generated signature σ₃ and the message authentication code MAC_key (h₁ ) to form a reply message M₃ ={MAC_key (h₁ ),σ₃ }, and sends the reply message M₃ To user U as a reply to user U's service request;

(4m)用户U收到服务提供商S发送的回复消息M₃＝{MAC_key(h₁),σ₃}，计算自己的消息摘要h′₁＝H₂(σ₁||t_C||id_S,R₂)，其中，σ₁是网络管理者M的签名，t_C是请求服务的时间,id_S是服务提供商S的身份信息，R₂是用户U的一次性保护消息；(4m) The user U receives the reply message M₃ ={MAC_key (h₁ ),σ₃ } from the service provider S, and calculates his own message digest h′₁ =H₂ (σ₁ ||t_C || id_S , R₂ ), where σ₁ is the signature of network manager M, t_C is the time of service request, id_S is the identity information of service provider S, and R₂ is the one-time protection message of user U;

(4n)用户U根据自己的消息摘要h′₁验证等式是否成立：如果成立，则用户U计算自己的会话密钥key'＝H₂(h′₁,R₁)；如果不成立，则认为服务提供商S是非法的，放弃本次认证，其中，σ₃是服务提供商S的签名，Q₁、Q₃是服务提供商S的公钥，R₁是用户U的一次性消息；(4n) User U verifies the equation according to his own message digest h′₁ Whether it is established: if it is established, the user U calculates its own session key key'=H₂ (h′₁ ,R₁ ); if not established, the service provider S is considered to be illegal, and this authentication is abandoned, where, σ₃ is the signature of the service provider S, Q₁ and Q₃ are the public key of the service provider S, and R₁ is the one-time message of the user U;

(4o)用户U用自己的会话密钥key'解密消息认证码MAC_key(h₁)，得到服务提供商S的消息摘要h₁，并验证服务提供商S的消息摘要h₁和自己的消息摘要h′₁是否相等，如果相等，则认为验证成功，否则，验证失败。(4o) The user U decrypts the message authentication code MAC_key (h₁ ) with his session key key', obtains the message digest h₁ of the service provider S, and verifies the message digest h₁ of the service provider S and his own message Whether the summary h′₁ is equal, if equal, the verification is considered successful, otherwise, the verification fails.

以上描述仅是本发明的一个具体实例，并不构成对本发明的任何限制。显然对于本领域的专业人员来说，在了解了本发明内容和原理后，都可能在不背离本发明原理、结构的情况下，进行形式和细节上的各种修正和改变，但是这些基于本发明思想的修正和改变仍在本发明的权利要求保护范围之内。The above description is only a specific example of the present invention, and does not constitute any limitation to the present invention. Obviously, for those skilled in the art, after understanding the content and principles of the present invention, it is possible to make various modifications and changes in form and details without departing from the principles and structures of the present invention, but these are based on the present invention. The modification and change of the inventive concept are still within the protection scope of the claims of the present invention.

Claims (8)

Translated fromChinese

1.一种基于第三方的无证书远程匿名认证方法，包括以下步骤：1. A certificateless remote anonymous authentication method based on a third party, comprising the following steps:(1)网络管理者M对系统进行初始化：(1) The network manager M initializes the system:1a)网络管理者M公布系统参数system＝{G₁,G₂,e,l,q,P,Q_c,H₁,H₂}，其中,G₁是一个阶为素数q的循环加法群，G₂是一个阶为素数q的循环乘法群，e是一个双线性对映射，l是安全系数，P是G₁的生成元，Q_c是网络管理者M的公钥，H₁和H₂是两个无碰撞安全杂凑函数，H₁是将长度不等的0/1序列映射到G₁上的元素的杂凑函数，H₂是将长度不等的0/1序列和G₁中的元素映射到整数乘法群上的一个元素的杂凑函数；1a) The network manager M publishes system parameters system={G₁ , G₂ ,e, l, q, P, Q_c , H₁ , H₂ }, where G₁ is a cyclic addition group whose order is a prime number q , G₂ is a cyclic multiplicative group whose order is a prime number q, e is a bilinear pairing map, l is a security factor, P is the generator of G₁ , Q_c is the public key of the network manager M, H₁ and H₂ is two collision-free safe hash functions, H₁ is a hash function that maps 0/1 sequences of different lengths to elements on G₁ , H₂ is a hash function that combines 0/1 sequences of different lengths with G₁ The elements of are mapped to the integer multiplicative group The hash function of an element on ;1b)网络管理者M从mod q的整数乘法群中随机的选择一个整数s作为它的私钥，并计算它的公钥Q_c＝sP，得到自己的公私钥对(s,Q_c)，其中私钥s必须对外保密，公钥Q_c对外公开；1b) The group of integer multiplications of network managers M from mod q randomly select an integer s as its private key, and calculate its public key Q_c = sP to obtain its own public-private key pair (s, Q_c ), where the private key s must be kept secret from the outside world, and the public key Q_c public;(2)用户U和服务提供商S进行系统注册：(2) User U and service provider S perform system registration:2a)用户U生成自己的公私钥对，并把它的身份和公钥信息发送给网络管理者M，网络管理者M为用户U颁发系统账号作为用户U在系统中的身份标识；2a) The user U generates its own public-private key pair, and sends its identity and public key information to the network manager M, and the network manager M issues a system account for the user U as the identity of the user U in the system;2b)服务提供商S将自己的身份信息发送给网络管理者M，网络管理者M计算服务提供商S的第一部分私钥并将这个私钥通过安全信道发送给服务提供商S，服务提供商S收到第一部分私钥后从modq的整数乘法群中随机选取一个整数s₂作为自己的第二部分私钥，得到自己的私钥对(S₁,s₂)，再根据自己的私钥对(S₁,s₂)计算自己的公钥对：其中，P是循环加法群G₁的生成元，消息摘要id_S是服务提供商S的身份信息，得到自己的公私钥对{(S₁,s₂),(Q₁,Q₂,Q₃)}；2b) The service provider S sends its identity information to the network manager M, and the network manager M calculates the first part of the private key of the service provider S and sends the private key to the service provider S through a secure channel, and the service provider After S receives the first part of the private key from the integer multiplication group of modq Randomly select an integer s₂ as the second part of your private key, get your own private key pair (S₁ , s₂ ), and then calculate your own public key pair based on your own private key pair (S₁ , s₂ ) : where P is the generator of the cyclic addition group_G1 , and the message digest id_S is the identity information of the service provider S, get your own public-private key pair {(S₁ ,s₂ ),(Q₁ ,Q₂ ,Q₃ )};2b1)服务提供商S收到第一部分私钥S₁后，从mod q的整数乘法群中随机选取一个整数s₂作为自己的第二部分私钥，得到自己的私钥对(S₁,s₂)；2b1) After the service provider S receives the first part of the private key S₁ , from the integer multiplication group of mod q Randomly select an integer s₂ as the second part of the private key to obtain the private key pair (S₁ , s₂ );2b2)服务提供商S根据自己的私钥对(S₁,s₂)计算自己的公钥对：其中，P是循环加法群G₁的生成元，消息摘要id_S是服务提供商S的身份信息，得到自己的公私钥对{(S₁,s₂),(Q₁,Q₂,Q₃)}；2b2) Service provider S calculates its own public key pair based on its own private key pair (S₁ , s₂ ): where P is the generator of the cyclic addition group_G1 , and the message digest id_S is the identity information of the service provider S, get your own public-private key pair {(S₁ ,s₂ ),(Q₁ ,Q₂ ,Q₃ )};2c)网络管理者M给服务提供商S发送合法用户U的部分身份信息；2c) The network manager M sends part of the identity information of the legal user U to the service provider S;(3)远程匿名认证：(3) Remote anonymous authentication:3a)用户U生成服务请求消息，并发送给服务提供商S：3a) User U generates a service request message and sends it to service provider S:3a1)用户U从mod q的整数乘法群中随机选取一个整数r₂，计算自己的一次性消息R₁＝r₂P和一次性保护消息R₂＝r₂Q₁,其中，P是循环加法群G₁的生成元，Q₁为服务提供商S的公钥；3a1) User U from the integer multiplication group mod q Randomly select an integer r₂ in , and calculate its own one-time message R₁ =r₂ P and one-time protection message R₂ =r₂ Q₁ , where P is the generator of the cyclic addition group G₁ , and Q₁ is the service public key of provider S;3a2)用户U根据自己的一次性消息R₁计算自己的消息摘要h＝H₂(σ₁||t_C,R₁)，其中，σ₁是网络管理者M的签名，t_C是请求服务的时间；3a2) User U calculates his own message digest h=H₂ (σ₁ ||t_C ,R₁ ) according to his one-time message R₁ , where σ₁ is the signature of network manager M, and t_C is the request service time;3a3)用户U根据随机选取的整数r₂、自己的私钥s_U和消息摘要h计算信息签名σ₂＝s_U-r₂h；3a3) The user U calculates the information signature σ₂ =s_U -r₂ h according to the randomly selected integer r₂ , his own private key s_U and the message digest h;3a4)用户U计算账号保护消息R₃＝R₁+R₂+Acn，其中，R₁是用户U的一次性消息，R₂是用户U的一次性保护消息，Acn是用户U的系统账号；3a4) The user U calculates the account protection message R₃ =R₁ +R₂ +Acn, wherein, R₁ is the one-time message of the user U, R₂ is the one-time protection message of the user U, and Acn is the system account of the user U;3a5)用上述得到的一次性保护消息R₂、信息签名σ₂、请求服务的时间t_C和账号保护消息R₃构成服务请求消息M₂＝{R₂,σ₂,t_C,R₃}；3a5) Use the above obtained one-time protection message R₂ , information signature σ₂ , service request time t_C and account protection message R₃ to form a service request message M₂ ={R₂ ,σ₂ ,t_C ,R₃ } ;3b)服务提供商S收到服务请求消息后，检测服务请求时间和用户的有效性，如果有效，则计算会话密钥和消息认证码，并发送回复消息给用户U，如果无效，则拒绝服务；3b) After the service provider S receives the service request message, it detects the service request time and the validity of the user. If it is valid, it calculates the session key and message authentication code, and sends a reply message to the user U. If it is invalid, it refuses the service ;3c)用户U收到回复消息后，验证服务提供商S的合法性，如果不合法，验证失败，如果合法，则计算会话密钥并验证消息认证码，如果验证成功，则认证结束，否则，认证失败。3c) After receiving the reply message, the user U verifies the legitimacy of the service provider S. If it is not legal, the verification fails. If it is legal, the user U calculates the session key and verifies the message authentication code. If the verification is successful, the authentication ends, otherwise, Authentication failed.2.根据权利要求1所述的基于第三方的无证书远程匿名认证方法，其中步骤2a)所述的用户U生成自己的公私钥对，按如下步骤进行：2. The remote anonymous authentication method without a certificate based on a third party according to claim 1, wherein the user U described in step 2a) generates his own public-private key pair, and proceeds as follows:2a1)用户U从mod q的整数乘法群中随机选取一个整数s_U作为自己的私钥；2a1) User U from the integer multiplication group mod q Randomly select an integer s_U as its own private key;2a2)用户U根据私钥计算公钥Q_U＝s_UP，得到自己的公私钥对(s_U,Q_U)；2a2) User U calculates the public key Q_U =s_U P according to the private key, and obtains his own public-private key pair (s_U , Q_U );其中P是循环加法群G₁的生成元。where P is the generator of the cyclic additive group_G1 .3.根据权利要求1所述的基于第三方的无证书远程匿名认证方法，其中步骤2a)所述的网络管理者M为用户U颁发系统账号，是由网络管理者M先从mod q的整数乘法群中随机选取一个整数r₁再计算用户U的系统账号Acn＝r₁P，其中P是循环加法群G₁的生成元。3. The remote anonymous authentication method based on a third party without a certificate according to claim 1, wherein the network manager M in step 2a) issues a system account for the user U, which is an integer from mod q first by the network manager M multiplicative group Randomly select an integer r₁ from , and then calculate the user U's system account Acn=r₁ P, where P is the generator of the cyclic addition group G₁ .4.根据权利要求1所述的基于第三方的无证书远程匿名认证方法，其中步骤2b)所述的网络管理者M计算服务提供商S的第一部分私钥，按如下步骤进行：4. The remote anonymous authentication method based on a third party without a certificate according to claim 1, wherein the network manager M in step 2b) calculates the first part of the private key of the service provider S, and proceeds as follows:2b1)网络管理者M计算消息摘要其中id_S是服务提供商的身份信息；2b1) The network manager M calculates the message digest Where id_S is the identity information of the service provider;2b2)根据消息摘要计算服务提供商S的第一部分私钥：其中s是网络管理者M的私钥。2b2) According to the message digest Calculate the first part of the private key of the service provider S: where s is the private key of network manager M.5.根据权利要求1所述的基于第三方的无证书远程匿名认证方法，其中步骤3b)所述的检测服务请求时间和用户的有效性,按如下步骤进行：5. The certificateless remote anonymous authentication method based on a third party according to claim 1, wherein the detection service request time and user validity described in step 3b) are performed according to the following steps:3b1)服务提供商S检测服务请求时间与本地时间差是否在系统允许范围内，如果在，则认为服务请求时间有效，否则，认为无效；3b1) The service provider S detects whether the difference between the service request time and the local time is within the allowable range of the system. If it is, the service request time is considered valid, otherwise, it is considered invalid;3b2)服务提供商S用自己的私钥s₂计算自己的一次性消息其中R₂是用户U的一次性保护消息；3b2) The service provider S calculates its own one_- time message with its own private key s2 Where R2 is the one_- time protection message of user U;3b3)服务提供商S根据自己的一次性消息R′₁、用户U的一次性保护消息R₂和账号保护消息R₃计算用户U的系统账号Acn＝R₃-R′₁-R₂，并根据系统账号Acn找到用户U的公钥Q_U；3b3) Service provider S calculates user U's system account Acn=R₃ -R'₁ -R₂ according to its own one-time message R'₁ , user U's one-time protection message R₂ and account protection message R₃ , and Find the public key Q_U of user U according to the system account Acn;3b4)服务提供商S根据自己的一次性消息R′₁计算自己的消息摘要h'＝H₂(σ₁||t_C,R′₁)，其中，σ₁是网络管理者M的签名，t_C是请求服务的时间；3b4) The service provider S calculates its own message digest h'=H₂ (σ₁ ||t_C ,R'₁ ) according to its own one-off message R′₁ , where σ₁ is the signature of the network manager M, t_C is the time when the service is requested;3b5)服务提供商S根据自己的一次性消息R′₁和消息摘要h'验证等式σ₂P+R′₁h'＝Q_U是否成立，其中，σ₂是用户U的签名，P是循环加法群G₁的生成元，Q_U是用户U的公钥，如果成立，则认为用户U合法，否则，认为用户U不合法。3b5) The service provider S verifies whether the equation σ₂ P+R′₁ h’=Q_U is established according to its own one-time message R′₁ and message digest h′, where σ₂ is the signature of user U, and P is The generator of the cyclic addition group_G1 , Q_U is the public key of the user U, if established, the user U is considered legal, otherwise, the user U is considered illegal.6.根据权利要求1所述的基于第三方的无证书远程匿名认证方法，其中步骤3b)所述的计算会话密钥和消息认证码，按如下步骤进行：6. The remote anonymous authentication method without a certificate based on a third party according to claim 1, wherein the calculation session key and message authentication code described in step 3b) are carried out as follows:3b1)服务提供商S计算自己的会话密钥key＝H₂(h₁,R′₁)，其中，h₁是服务提供商S的消息摘要，R′₁是服务提供商S的一次性消息；3b1) The service provider S calculates its own session key key=H₂ (h₁ , R′₁ ), where h₁ is the message digest of the service provider S, and R′₁ is the one-time message of the service provider S ;3b2)服务提供商S用会话密钥key加密自己的消息摘要h₁得到消息认证码MAC_key(h₁)。3b2) The service provider S encrypts its own message digest h₁ with the session key key to obtain the message authentication code MAC_key (h₁ ).7.根据权利要求1所述的基于第三方的无证书远程匿名认证方法，其中步骤3c)所述的验证服务提供商S的合法性，按如下步骤进行：7. The remote anonymous authentication method based on a third party without a certificate according to claim 1, wherein the legitimacy of the verification service provider S described in step 3c) is carried out as follows:3c1)用户U计算自己的消息摘要h′₁＝H₂(σ₁||t_C||id_S,R₂)，其中，σ₁是网络管理者M的签名，t_C是请求服务的时间，id_S是服务提供商S的身份信息，R₂是用户U的一次性保护消息；3c1) User U calculates his own message digest h′₁ =H₂ (σ₁ ||t_C ||id_S , R₂ ), where σ₁ is the signature of network manager M, and t_C is the time of service request , id_S is the identity information of the service provider S, and R₂ is the one-time protection message of the user U;3c2)用户U验证等式是否成立，如果等式成立，则认为服务提供商S合法，否则，认为服务提供商S非法，其中，Q₁、Q₃是服务提供商S两个不同的公钥，σ₃是服务提供商S的签名，R₁是用户U的一次性消息，P是循环加法群G₁的生成元，h′₁是用户U的消息摘要。3c2) User U verifies the equation Whether it is established, if the equation is established, the service provider S is considered legal, otherwise, the service provider S is considered illegal, where Q₁ and Q₃ are two different public keys of the service provider S, σ₃ is the service provider The signature of S, R1 is the_one -time message of user U, P is the generator of the cyclic addition group_G1 , and_h′1 is the message digest of user U.8.根据权利要求1所述的基于第三方的无证书远程匿名认证方法，其中步骤3c)所述的计算会话密钥并验证消息认证码，按如下步骤进行：8. The remote anonymous authentication method without a certificate based on a third party according to claim 1, wherein the calculation session key and verification message authentication code described in step 3c) are carried out as follows:3c1)用户U计算自己的会话密钥key'＝H₂(h′₁,R₁)，其中，h′₁是用户U的消息摘要，R₁是用户U的一次性消息；3c1) User U calculates its own session key key'=H₂ (h'₁ , R₁ ), where h'₁ is the message digest of user U, and R₁ is the one-time message of user U;3c2)用户U用自己的会话密钥key'解密消息认证码MAC_key(h₁)，得到服务提供商S的消息摘要h₁，并验证该消息摘要h₁与用户U的消息摘要h′₁是否相等，如果相等，则认为验证成功，否则，验证失败。3c2) The user U decrypts the message authentication code MAC_key (h₁ ) with its own session key key', obtains the message digest h₁ of the service provider S, and verifies the message digest h₁ and the user U's message digest h'₁ Whether they are equal, if they are equal, the verification is considered successful, otherwise, the verification fails.