The content of the invention
For the above-mentioned technical problem in correlation technique, the present invention proposes a kind of single-sign-on based on IKI ID authenticationsMethod, it can solve the problem that above technical problem.
To realize above-mentioned technical purpose, the technical proposal of the invention is realized in this way:
A kind of single-point logging method based on IKI ID authentications, comprises the following steps:
S1 user terminals send access request to server, produce random number r, and service end is sent collectively to together with user terminal mark;
S2 server ends are verified to user terminal mark, and by rear, server end produces random number R, and random with user terminalNumber r is combined, for (R | | r), signed with server end private key, generation signed data Sig1;
Random number R, server end mark, signed data Sig1 are sent to user terminal by S3 server ends;
S4 user terminal authentication servers end is identified, and the public key verifications signed data in server identification is utilized after being verifiedSig1, it is verified rear confirmed service device end identity legitimacy;
S5 user terminals are signed using private key to random number (R | | r), generate signed data Sig2, signed data Sig2 is sent outIt is sent to server end;
S6 server by utilizing user terminal public key verifications signed data Sig2, user terminal identity legitimacy is confirmed after being verified;
S7 server end login authentications equipment checks user's single-sign-on mapping table, finds out user mark in corresponding application systemThe account bound on system, User Token is produced, is re-introduced into application system;
S8 application systems receive the User Token of unified form, login account of the user in the system are obtained, by user at thisThe state of system is set to login, returns to the page that user asks to access, completes access of the user to the application system.
Further, administrative center is identified by IKI and produces the server end mark, user terminal mark, private key and public affairsKey.
Further, the production stage of the server end mark, user terminal mark, private key and public key is:
S101IKI marks administrative center IMC discloses parameter:Public key matrix PKMS, identify administrative center public key PKIDorg, ECC songsLine, basic point G;Wherein public key matrix PKMS is mark administrative center private key SKIDorgTo public key matrix pkm, mark administrative center markKnow IDorgEtc. the signature of parameter;
S102 entities produce entity ID and relevant parameter:Secret value xID, secret value public key PKx are produced using entity security equipment=xID*G, unsymmetrical key is randomly generated to SK using ECC algorithmh、PKh;
The partial parameters that S103 encryptions need to upload:Use mark administrative center public key PKIDorgTo secret value public key PKx and at randomUnsymmetrical key public key PKhEncryption:E(PKIDorg,PKx||PKh);
S104 uploads entity ID, E (PKIDorg,PKx||PKh) and mark validity date extremely mark administrative center IMC;Wherein identifyValidity date is to be necessary to determine whether to upload according to application;
S105 marks administrative center carries out entity ID duplicate checkings, produces entity part private key:IMC determines that entity ID combination marks are effectiveAfter the uniqueness of phase, using PKMS and entity ID, the mark term of validity, entity ID public keys PK is calculatedID, utilize private key matrix skmWith entity ID, mark term of validity computational entity ID private keys SKID, entity encryption key SKE and part signature is obtained after SKE is convertedPrivate key SKS1;
S106 mark administrative center IMC assembling marks:Use mark management organization private key SKIDorgDecrypt E (PKIDorg,PKx||PKh) obtain PKx and PKh, composite entity ID public signature keys:PKS=SKS1*G+PKx;Calculate decryption public key PKE=SKE*G, use SKIDTo (PKS | | PKE | | the effective date | | the Expiration Date | | IDorg| | ID) signature, identified
S107 issues mark and entity key:IMC utilizes PKhSKE is encrypted to obtain E (PKh, SKE), by E (PKh,SKE)With markIt is sent to entity;
S108 entities receive mark and key, combined signature private key:Utilize SKhTo E (PKh, SKE) it is decrypted to obtain SKE, willSKE obtains part signature private key SKS1 after entering line translation, by SKS1 and secret value xID, securely held SKS and SKE.
Further, it is specific to the verification step of server end mark and user terminal mark in step S2 and S4For:
S201 uses public key matrix and entity ID computational entities mark public key;
S202 is using public key verifications mark is identified, if checking is correct, mark effectively gives by otherwise identifying invalid obstructedCross;
The public key that S203 is obtained in mark after being verified is verified to signed data.
Beneficial effects of the present invention:The present invention realizes user terminal and server using IKI safety means as carrier, by markThe two-way authentication at end, the security of single-node login system is improved, give a kind of identity identifying method of high intensity.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is carried out clear, completeSite preparation describes, it is clear that described embodiment is only part of the embodiment of the present invention, rather than whole embodiments.It is based onEmbodiment in the present invention, the every other embodiment that those of ordinary skill in the art are obtained, belong to what the present invention protectedScope.
As shown in figure 5, a kind of single-point logging method based on IKI ID authentications described according to embodiments of the present invention, bagInclude following steps:
S1 user terminals send access request to server, produce random number r, and service end is sent collectively to together with user terminal mark;
S2 server ends are verified to user terminal mark, and by rear, server end produces random number R, and random with user terminalNumber r is combined, for (R | | r), signed with server end private key, generation signed data Sig1;
Random number R, server end mark, signed data Sig1 are sent to user terminal by S3 server ends;
S4 user terminal authentication servers end is identified, and the public key verifications signed data in server identification is utilized after being verifiedSig1, it is verified rear confirmed service device end identity legitimacy;
S5 user terminals are signed using private key to random number (R | | r), generate signed data Sig2, signed data Sig2 is sent outIt is sent to server end;
S6 server by utilizing user terminal public key verifications signed data Sig2, user terminal identity legitimacy is confirmed after being verified;
S7 server end login authentications equipment checks user's single-sign-on mapping table, finds out user mark in corresponding application systemThe account bound on system, User Token is produced, is re-introduced into application system;
S8 application systems receive the User Token of unified form, login account of the user in the system are obtained, by user at thisThe state of system is set to login, returns to the page that user asks to access, completes access of the user to the application system.
In one particular embodiment of the present invention, administrative center is identified by IKI and produces the server end mark, useFamily end mark, private key and public key.
In one particular embodiment of the present invention, server end mark, user terminal mark, private key and public keyProduction stage is:
S101IKI marks administrative center IMC discloses parameter:Public key matrix PKMS, identify administrative center public key PKIDorg, ECC songsLine, basic point G;Wherein public key matrix PKMS is mark administrative center private key SKIDorgTo public key matrix pkm, mark administrative center markKnow IDorgEtc. the signature of parameter;
S102 entities produce entity ID and relevant parameter:Secret value xID, secret value public key PKx are produced using entity security equipment=xID*G, unsymmetrical key is randomly generated to SK using ECC algorithmh、PKh;
The partial parameters that S103 encryptions need to upload:Use mark administrative center public key PKIDorgTo secret value public key PKx and at randomUnsymmetrical key public key PKhEncryption:E(PKIDorg,PKx||PKh);
S104 uploads entity ID, E (PKIDorg,PKx||PKh) and mark validity date extremely mark administrative center IMC;Wherein identifyValidity date is to be necessary to determine whether to upload according to application;
S105 marks administrative center carries out entity ID duplicate checkings, produces entity part private key:IMC determines that entity ID combination marks are effectiveAfter the uniqueness of phase, using PKMS and entity ID, the mark term of validity, entity ID public keys PK is calculatedID, utilize private key matrix skmWith entity ID, mark term of validity computational entity ID private keys SKID, entity encryption key SKE and part signature is obtained after SKE is convertedPrivate key SKS1;
S106 mark administrative center IMC assembling marks:Use mark management organization private key SKIDorgDecrypt E (PKIDorg,PKx||PKh) obtain PKx and PKh, composite entity ID public signature keys:PKS=SKS1*G+PKx;Decryption public key PKE=SKE*G is calculated, is usedSKIDTo (PKS | | PKE | | the effective date | | the Expiration Date | | IDorg| | ID) signature, identified
S107 issues mark and entity key:IMC utilizes PKhSKE is encrypted to obtain E (PKh, SKE), by E (PKh,SKE)With markIt is sent to entity;
S108 entities receive mark and key, combined signature private key:Utilize SKhTo E (PKh, SKE) it is decrypted to obtain SKE, willSKE obtains part signature private key SKS1 after entering line translation, by SKS1 and secret value xID, securely held SKS and SKE.
In one particular embodiment of the present invention, in step S2 and S4, to server end mark and user terminalThe verification step of mark is specially:
S201 uses public key matrix and entity ID computational entities mark public key;
S202 is using public key verifications mark is identified, if checking is correct, mark effectively gives by otherwise identifying invalid obstructedCross;
The public key that S203 is obtained in mark after being verified is verified to signed data.
In order to facilitate understand the present invention above-mentioned technical proposal, below by way of in specifically used mode to the present invention it is above-mentionedTechnical scheme is described in detail.
As shown in figure 1, it is the system involved by a kind of single-point logging method based on IKI ID authentications of the present inventionOrganization Chart, single-node login system framework include user security equipment and are arranged at safety means and the login authentication of server endPrivate key, user's mark and the public key matrix of user, server side security equipment are stored with equipment, wherein user end security equipmentIn be stored with the private key, server identification and public key matrix of server.The user security equipment is the USB- for including IKI chipsKEY or IC-card, server side security equipment are the server password machine comprising PCIe cipher cards or signature sign test server.UserAll include IKI algorithm units in end and server side security equipment, be responsible for reading in user terminal and server side security equipmentMark, the checking mark flow for authenticating ID such as legitimacy and private key signature, public key sign test name.
As shown in Fig. 2 used first according to each based on IKI chip identifications authentication center in above-mentioned single-node login system frameworkThe entity identities (can customize, using name, organization etc., need to ensure its uniqueness) at family produce key and mark for it,Comprise the following steps that:
S101IKI marks administrative center IMC discloses parameter:Public key matrix PKMS, identify administrative center public key PKIDorg, ECC songsLine, basic point G;Wherein public key matrix PKMS is mark administrative center private key SKIDorgTo public key matrix pkm, mark administrative center markKnow IDorgEtc. the signature of parameter;
S102 entities produce entity ID and relevant parameter:Secret value xID, secret value public key PKx are produced using entity security equipment=xID*G, unsymmetrical key is randomly generated to SK using ECC algorithmh、PKh;
The partial parameters that S103 encryptions need to upload:Use mark administrative center public key PKIDorgTo secret value public key PKx and at randomUnsymmetrical key public key PKhEncryption:E(PKIDorg,PKx||PKh);
S104 uploads entity ID, E (PKIDorg,PKx||PKh) and mark validity date extremely mark administrative center IMC;Wherein identifyValidity date is to be necessary to determine whether to upload according to application;
S105 marks administrative center carries out entity ID duplicate checkings, produces entity part private key:IMC determines that entity ID combination marks are effectiveAfter the uniqueness of phase, using PKMS and entity ID, the mark term of validity, entity ID public keys PK is calculatedID, utilize private key matrix skmWith entity ID, mark term of validity computational entity ID private keys SKID, entity encryption key SKE and part signature is obtained after SKE is convertedPrivate key SKS1;
S106 mark administrative center IMC assembling marks:Use mark management organization private key SKIDorgDecrypt E (PKIDorg,PKx||PKh) obtain PKx and PKh, composite entity ID public signature keys:PKS=SKS1*G+PKx;Decryption public key PKE=SKE*G is calculated, is usedSKIDTo (PKS | | PKE | | the effective date | | the Expiration Date | | IDorg| | ID) signature, identified
S107 issues mark and entity key:IMC utilizes PKhSKE is encrypted to obtain E (PKh, SKE), by E (PKh,SKE)With markIt is sent to entity;
S108 entities receive mark and key, combined signature private key:Utilize SKhTo E (PKh, SKE) it is decrypted to obtain SKE, willSKE obtains part signature private key SKS1 after entering line translation, by SKS1 and secret value xID, securely held SKS and SKE.
As shown in Figures 3 and 5, based on above-mentioned single-node login system, user is by user security equipment and user's logging device phaseEven, the login page of server is accessed by user's logging device, prompts user to input PIN code and opens user security equipment, it is defeatedAfter entering PIN code, user security equipment is opened, and now carries out step, realizes single-point logging method of the present invention, toolBody is:
S1 user terminals send access request to server, produce random number r, and service end is sent collectively to together with user terminal mark;
S2 server ends are verified to user terminal mark, and by rear, server end produces random number R, and random with user terminalNumber r are combined (R | | r), are signed with server end private key, generation signed data Sig1;
Random number R, server end mark, signed data Sig1 are sent to user terminal by S3 server ends;
S4 user terminal authentication servers end is identified, and the public key verifications signed data in server identification is utilized after being verifiedSig1, it is verified rear confirmed service device end identity legitimacy;
S5 user terminals are signed using private key to random number (R | | r), generate signed data Sig2, signed data Sig2 is sent outIt is sent to server end;
S6 server by utilizing user terminal public key verifications signed data Sig2, user terminal identity legitimacy is confirmed after being verified;
S7 server end login authentications equipment checks user's single-sign-on mapping table, finds out user mark in corresponding application systemThe account bound on system, User Token is produced, is re-introduced into application system;
S8 application systems receive the User Token of unified form, login account of the user in the system are obtained, by user at thisThe state of system is set to login, returns to the page that user asks to access, completes access of the user to the application system.
In above-mentioned single-point logging method, the verification step to server end mark and user terminal mark is:
S201 uses public key matrix and entity ID computational entities mark public key;
S202 is using public key verifications mark is identified, if checking is correct, mark effectively gives by otherwise identifying invalid obstructedCross;The public key that S203 is obtained in mark after being verified is verified to signed data.
In one particular embodiment of the present invention, the parameter public key matrix PKMS announced when known mark management organization,Now, entity A knows entity B entity ID, markThen the corresponding verification step to server end mark and user terminal mark is specially:
1st, public key matrix PKMS and entity B entity ID are utilizedBComputational entity B mark public keys { PKID}B;
2nd, checking mark validity:With entity B mark public key { PKID}BVerify the mark of entity BIf checking is correct, mark is effectively led toCross, otherwise identify and invalid do not pass through;
3rd, the public key obtained after being verified in mark is verified to signed data.
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the invention, all essences in the present inventionGod any modification, equivalent substitution and improvements made etc., should be included in the scope of the protection with principle.