Background
An enterprise typically runs many apps and website platforms. Each platform requires its own login and its own logout, so the user experience is very poor. To solve this problem, a different login experience is needed, so that a user can log in once and log out once across the services of an enterprise. Single sign-on (SSO) means that, in an environment where multiple systems coexist, a user who has logged in at one place does not need to log in again at the other systems; that is, a one-time login obtains the trust of all other systems.
At present, enterprises adopt single sign-on frameworks such as CAS, which offer little customization, conflict with the enterprises' own security frameworks and have low fault tolerance. The current mall system is a distributed architecture based on SOA, with a plurality of service backups and related subsystems; single sign-on can be adopted so that all systems can be accessed with one sign-on, thereby avoiding the transmission of distributed sessions. The current SSO technology is secure on well-designed SSO systems, but cannot provide security during communication.
CN103873475A discloses a single sign-on system and a single sign-on method thereof. The system comprises a client, a server end and an authentication end. The client stores single sign-on user information and submits a login verification request when the single sign-on user information is lost. The server end is in communication connection with the client, provides storage for single sign-on user information, verifies the client identifier AppID in the login verification request submitted by the client and, after the AppID passes verification, sends client page information and the generated/stored single sign-on user information to the client, so that single sign-on user information is generated after the client is verified. The authentication end is in communication connection with the server end and provides a user login function. With this method the user must obtain verification from the server at every login, which occupies connection resources; the method cannot ensure the security of communication between the user and a provider, and possibly causes sound attacks.
"A novel user identification scheme with key distribution predicting user authentication for distributed computer networks" proposes a single sign-on mechanism that has two disadvantages: 1) the external user can create valid authentication details without registering to any trusted authority, and the details can also access the service. This may lead to attacks by malicious users. 2) The scheme requires clock synchronization because it is based on time stamps. The security in the communication is not very high.
SSO serves as a single authentication window for a user across multiple service providers in a network. The current SSO technology is secure on well-designed SSO systems, but cannot provide security during communication. The present invention operates with the RSA algorithm used in current SSO schemes and uses a MAC algorithm to provide a secure path for communications over the distributed network, providing better security during message passing.
Disclosure of Invention
The present invention provides a secure single sign-on method based on a message authentication code, so as to solve the problems described in the background art.
In order to achieve this purpose, the invention provides the following technical scheme: a secure single sign-on method based on a message authentication code, which includes the following basic steps:
Step one, TAC initialization. The trusted authority center (TAC) completes initialization in order to calculate the secret tokens of users and the parameters of service providers;
Step two, registering the user with the service provider. Many users want to access services from the TAC and need to register with the TAC. In addition, the various providers also perform authentication through the TAC in order to provide services;
Step three, the user logs in with the service provider. Authentication is accomplished between the user and the service provider. The service provider first authenticates the user before granting the user access. The user then checks the provider's authentication details before accessing the service.
Preferably, in the first step, the RSA-based encryption system is initialized, which further includes the following specific processes:
Selecting two large prime numbers p and q, and calculating p × q;
Determining the key pair (e, d) such that
wherein
Selecting a generator g and an ElGamal decryption key u, and calculating
$y = g^{u} \bmod N$ (2)
Selecting a cryptographic hash function h(·);
The TAC publishes (e, g, y, h(·), N, N) and keeps d and u confidential.
Preferably, in the second step, the registration phase further includes the following specific processes:
Upon receiving a user's request, the TAC issues a fixed-length unique identity $ID_i$ and a secret token $S_i$:
$S_i = h(ID_i)^{2d} \bmod N$ (3)
At the same time, each service provider maintains a pair of keys, the signing value $\sigma_j$ and the verification value $v_j$, for use in a secure signature scheme.
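The initialization and registration steps above, carried through as an added example (not code from the patent). The Mersenne primes standing in for p and q, e = 65537, SHA-256 as h, the standard RSA relation e·d ≡ 1 (mod φ(N)) and all function names are assumptions; under that relation anyone holding (N, e) can check a token via S_i^e = h(ID_i)^2 mod N.

```python
import hashlib
from math import gcd

# Constructed toy parameters: two Mersenne primes stand in for the large primes.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537  # assumed public exponent


def tac_init(p=P, q=Q, e=E):
    """TAC initialization: return the public pair (N, e) and the private exponent d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(N)")
    d = pow(e, -1, phi)  # assumed relation: e*d = 1 mod phi(N)
    return (n, e), d


def h(identity: str, n: int) -> int:
    """Hash an identity into Z_N (SHA-256 is an assumed choice for h)."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % n


def issue_token(identity: str, d: int, n: int) -> int:
    """Registration, equation (3): S_i = h(ID_i)^(2d) mod N."""
    return pow(h(identity, n), 2 * d, n)


def token_is_valid(identity: str, token: int, public) -> bool:
    """Public check: S_i^e mod N must equal h(ID_i)^2 mod N."""
    n, e = public
    return pow(token, e, n) == pow(h(identity, n), 2, n)


if __name__ == "__main__":
    public, d = tac_init()
    token = issue_token("alice@example", d, public[0])
    print(token_is_valid("alice@example", token, public))  # token bound to its ID
    print(token_is_valid("bob@example", token, public))    # same token, other ID
```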
Preferably, the third step further comprises the following specific processes:
After receiving the login request, the TAC first checks the request type. If the request is a user request, the TAC verifies the identity information of the user and sends the secret token, the private key and the shared public key to the user. If the request is a provider request, the TAC verifies the identity information of the provider and discloses the parameters related to the user;
After receiving the token and the keys, the user logs in to a service provider using the encrypted token. On receiving the user's login request, the provider checks whether the user is registered with the TAC. If the user is not registered, the user is told to register and the request is rejected. If the user is registered, the provider decrypts the SSO ID of the user and checks the validity of the user. If the user is invalid, the login request is rejected. If the user is valid, the user verifies the identity information of the service provider; if that verification fails, the user refuses the request of the service provider, and otherwise the service provider grants the user access.
Preferably, in the main process of the third step, the message authentication code (MAC) is used to provide better performance during communication and to improve the security of the system, because the communication between the user and the provider is accomplished only by message passing. It is therefore necessary to check whether a received message was changed during transmission:
The TAC creates a symmetric key shared by the user and the service provider. The user calculates a hash value h1 from the shared symmetric secret key and the original message, and sends the original message and h1 to the provider. The provider then calculates its own hash value h2 from the received message and the shared symmetric secret key provided by the TAC. If h1 = h2, the provider concludes that the message was not altered during transmission.
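The h1/h2 check described above, as an added example (not code from the patent). HMAC-SHA256 as the keyed hash, the per-pair key store and all names are assumptions; the comparison is done in constant time so that the check itself does not leak how many leading bytes of a tag matched.

```python
import hashlib
import hmac
import secrets


class TAC:
    """Hypothetical stand-in for the TAC: one symmetric key per (user, provider) pair."""

    def __init__(self):
        self._keys = {}

    def shared_key(self, user_id: str, provider_id: str) -> bytes:
        pair = (user_id, provider_id)
        if pair not in self._keys:
            self._keys[pair] = secrets.token_bytes(32)
        return self._keys[pair]


def user_send(key: bytes, message: bytes):
    """User side: compute h1 over the original message and send (message, h1)."""
    h1 = hmac.new(key, message, hashlib.sha256).digest()
    return message, h1


def provider_accept(key: bytes, message: bytes, h1: bytes) -> bool:
    """Provider side: recompute h2 from the received message and compare with h1."""
    h2 = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(h1, h2)  # also False when the tag was truncated


if __name__ == "__main__":
    tac = TAC()
    key = tac.shared_key("alice", "shop")
    message, h1 = user_send(key, b"login request from alice")  # constructed message
    print(provider_accept(key, message, h1))                    # unchanged message
    print(provider_accept(key, b"login request from bob", h1))  # altered in transit
    print(provider_accept(tac.shared_key("alice", "forum"), message, h1))  # other key
```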
Preferably, in the main process of the third step, the secret token is transferred by using an encryption/decryption technology, and the trusted authority center TAC sends the token, the private key and the shared public key to the user. The key is encrypted by a private key and sent to the provider for authentication, the provider decrypts the key by means of a shared public key, and the shared public key is sent to the service provider by the TAC.
Preferably, in the main process of step three, before accessing the service, the user needs to check the authentication information of the service provider, which includes the following specific processes:
The user sends a request message to the service provider;
Upon receipt, the service provider computes the key exchange material Z using the Diffie-Hellman algorithm,
$Z = g^{k} \bmod N$ (4)
produces the signature v and sends the parameters to the user;
The user checks, according to the received parameters, whether the signature verification value v is 1. If v is 1, the user computes its own Diffie-Hellman key exchange material W,
$W = g^{t} \bmod N$ (5)
encrypts the credential details to x and sends them to the provider along with the ciphertext CT; but if the signature verification value v is 0, the user terminates the connection;
The provider checks the validity of the user based on the user's credential details. The provider decrypts the text using the session key $K_{ij}$ and authenticates the user by checking the value of C. The value of C is simply the hash function value of the concatenation. If the value of C is positive, the provider treats the user as valid, grants service access and sends the session key hash value V to the user. But if the value of C is negative, the provider terminates the connection;
The user checks the value of V. If the value is true, the user concludes that both sides share the same session key, which authenticates the provider. If the value is false, the user terminates the session.
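The key exchange and the final V check from the steps above, as an added example (not code from the patent). The toy modulus and generator, SHA-256 for deriving the session key and V, and all names are assumptions; the provider's signature on Z and the encrypted credential exchange (x, CT, C) are left out.

```python
import hashlib
import hmac
import secrets

# Constructed toy group so the example runs: the page computes modulo N with a
# generator g; a Mersenne prime and g = 3 are stand-ins, not the scheme's values.
N = 2**127 - 1
G = 3


def dh_material():
    """Return (secret exponent, g^secret mod N), as in equations (4) and (5)."""
    secret = secrets.randbelow(N - 3) + 2
    return secret, pow(G, secret, N)


def session_key(own_secret: int, peer_value: int) -> bytes:
    """Session key from the shared value; hashing it with SHA-256 is an assumption."""
    shared = pow(peer_value, own_secret, N)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def confirmation(key: bytes) -> bytes:
    """V: the session key hash value the provider returns to the user."""
    return hashlib.sha256(b"V" + key).digest()


def user_accepts(v: bytes, t: int, z_received: int) -> bool:
    """User recomputes V from its own session key; a mismatch ends the session."""
    return hmac.compare_digest(v, confirmation(session_key(t, z_received)))


def run_exchange(alter_z: bool = False) -> bool:
    k, z = dh_material()                     # provider: Z = g^k mod N
    t, w = dh_material()                     # user:     W = g^t mod N
    v = confirmation(session_key(k, w))      # provider derives the key and sends V
    z_seen = (z * G) % N if alter_z else z   # Z changed between provider and user
    return user_accepts(v, t, z_seen)


if __name__ == "__main__":
    print(run_exchange())              # both sides hold the same session key
    print(run_exchange(alter_z=True))  # keys differ, so the user ends the session
```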
Compared with the prior art, the invention has the beneficial effects that:
Users and service providers use encryption and decryption techniques during the authentication phase. The user logs in using the encrypted token; the authenticating provider decrypts the token and then checks the user's validity. This provides better security during message delivery, i.e. communication.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. Obviously, the described embodiments are only a part of the embodiments of the present invention, and not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
Referring to Figs. 1-2, the present invention provides a technical solution: a secure single sign-on method based on a message authentication code, which includes the following basic steps:
Step one, TAC initialization. The TAC completes initialization in order to calculate the secret tokens of users and the parameters of service providers;
Step two, registering the user with the service provider. Many users want to access services from the TAC and need to register with the TAC. In addition, the various providers also perform authentication through the TAC in order to provide services;
Step three, the user logs in with the service provider. Authentication is accomplished between the user and the service provider. The service provider first authenticates the user before granting the user access. The user then checks the provider's authentication details before accessing the service.
With reference to fig. 2, in the single sign-on method based on encryption processing provided in this embodiment, the login stage includes the following specific steps:
After receiving the login request, the TAC first checks the request type. If the request is a user request, the TAC verifies the identity information of the user and sends the secret token, the private key and the shared public key to the user. If the request is a provider request, the TAC verifies the identity information of the provider and discloses the parameters related to the user;
After receiving the token and the keys, the user logs in to a service provider using the encrypted token. On receiving the user's login request, the provider checks whether the user is registered with the TAC. If the user is not registered, the user is told to register and the request is rejected. If the user is registered, the provider decrypts the SSO ID of the user and checks the validity of the user. If the user is invalid, the login request is rejected. If the user is valid, the user verifies the identity information of the service provider; if that verification fails, the user refuses the request of the service provider, and otherwise the service provider grants the user access.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.