

Technical Field
This application belongs to the field of power system network security.
Background Art
The SSH protocol, standardized by the IETF, is one of the most widely deployed network security protocols. It was originally designed to replace remote login protocols that send unprotected information over the network, and has since become a general-purpose tool for securing Internet traffic. Because the security requirements for the internal network of a substation keep rising and other remote login protocols are insecure, users are advised to use SSH for remote access to equipment inside the substation.
Standard SSH authenticates the server to the client with a "Trust-On-First-Use" mechanism. The process is as follows: when the client receives the server's host public key for the first time and has no corresponding host public key in its cache, it accepts the key; when the server's public key changes, the public key the client receives no longer matches the cached one, so the client does not accept it automatically and instead prompts the user to decide. Analysis of Trust-On-First-Use shows that if the client does not hold the SSH server's public key in advance and the user does not verify the server's public key at login, the connection is vulnerable to a man-in-the-middle attack: the attacker can obtain the client's user name and password and can also monitor or replace the session data exchanged by the two parties.
Standard SSH establishes a connection in the following steps:
(1) Version negotiation phase
Once the TCP connection is established, each party must send its version string to the other. The string includes the SSH protocol version number and the software version number, in the form "SSH.<major protocol version>.<minor protocol version>.<software version>\n", and is at most 255 bytes long. The server sends its version string first. On receiving it, the client checks the version number and, if the server's version is higher, sends its own lower version. On receiving the client's message, the server compares the version number with its own to decide whether the two are compatible; if not, it closes the TCP connection, and if so, both parties operate at the lower protocol version.
(2) Algorithm negotiation phase
After version negotiation, the server sends the client an unencrypted packet containing the public key of the host key, the public key of the server key, the minor protocol version flag, the acceptable cryptographic algorithms, the authentication methods, and a 64-bit cookie. The client selects each algorithm by matching its supported algorithms in turn against those sent by the server; the first match becomes the negotiated algorithm, and if no match is found, algorithm negotiation fails.
(3) Key negotiation phase
After algorithm negotiation succeeds, the two parties enter the key negotiation phase. This phase implicitly includes the client's authentication of the server: to guard against an impostor server, the SSH protocol supports server authentication, and the client checks its host list to see whether the host key received from the server is present; if it is not, the client adds it.
The purpose of key negotiation is to generate a shared session key for encrypting the subsequent traffic. The key is computed jointly by both parties, and neither can produce it alone. Using the DH algorithm, the host key pair and other parameters, the server and the client each compute the session key and the session ID.
(4) User authentication phase
In this phase the server authenticates the client. The client sends an authentication request containing the user name, the authentication method and related information, and the server begins authenticating that user. SSH provides two authentication methods: password authentication and public key authentication.
(5) Session interaction phase
The client can then request a session from the server; once the request succeeds, the two parties enter session interaction mode, in which encrypted data flows in both directions. When the client asks to close the session, the server grants the request, the connection is terminated and the session interaction phase ends.
Although SSH has a strong authentication mechanism and a relatively secure channel, it still has shortcomings. Keys are not managed: no specific operations are defined for generating, distributing and revoking the keys used for user authentication, and most implementations leave these tasks to manual work, which is neither flexible nor convenient and not secure enough. There is also the danger of host spoofing: a client connecting to a host (server) for the first time is allowed to accept its host key directly without checking whether the key really belongs to that host.
A new technical solution is therefore needed to solve the above problems.
Summary of the Invention
Purpose of the invention: to address the host spoofing risk and the lack of key management in the authentication process of standard SSH connection establishment, the present invention proposes an SSH authentication method based on a key distribution center.
Technical solution: to achieve the above purpose, the present invention adopts the following technical solution:
An SSH authentication method based on a key distribution center, characterized in that a key distribution center is provided to generate the session key used for mutual authentication of the client and the server, comprising the following steps:
(1) The server actively sends a master key request to the key distribution center; the key distribution center records the server's identity in its account database, generates a master key K_S-KDC shared between the key distribution center and the server, and returns it to the server;
(2) The client sends a session key request to the key distribution center; the request contains the client's own identity ID_C, the identity ID_S of the server it wishes to connect to, and a one-time unique identifier N1 for this request;
(3) On receiving the client's request, the key distribution center matches the SSH protocol version, software version and algorithm list of the client and the server and, once they agree, generates a session key K_CS; the information the key distribution center returns to the client includes the session key K_CS and the unique identifier N1, together with the one-time session key K_CS and the client identity ID_C encrypted under K_S-KDC; the one-time session key K_CS and the unique identifier N1, together with the K_S-KDC-encrypted one-time session key K_CS and client identity ID_C, are denoted [E_CS(T_C, ID_C) || E_S-KDC(K_CS, ID_C)];
(4) From the reply received from the key distribution center, the client obtains the session key K_CS by decrypting with its master key K_C-KDC, and forwards [E_CS(T_C, ID_C) || E_S-KDC(K_CS, ID_C)] to the server;
(5) On receiving the data [E_CS(T_C, ID_C) || E_S-KDC(K_CS, ID_C)], the server first decrypts the packet with its own master key K_S-KDC to obtain the session key K_CS, then uses that session key to decrypt the authentication information and verifies the client's identity by comparing the client identity in the authentication information sent by the client with the client identity in [E_CS(T_C, ID_C) || E_S-KDC(K_CS, ID_C)]; if they agree, the server sends the client a one-time random number encrypted with the session key, E_CS(N2); otherwise session establishment fails and the connection is closed;
(6) The client decrypts with the session key to obtain the one-time random number N2 sent by the server, computes f(N2) by adding 1, and returns the result encrypted with the session key, E_CS[f(N2)], to the server;
(7) The server verifies the one-time value f(N2) returned by the client; if verification passes, the normal session interaction mode begins and the server and client may exchange encrypted data in both directions; otherwise the session is closed and the connection dropped.
Further, in step (2), a random number is used as the unique identifier N1.
Further, in step (3), so that the session key K_CS is known only to the requesting client and the server that client wishes to access, the key distribution center generates two copies of the session key K_CS, one for the client and one for the server.
Further, in step (2), the identity ID_C is set to the client's network address.
Further, in step (4), the client first checks the unique identifier to confirm that the reply was issued by the key distribution center and matches its earlier session request, then decrypts the session key encrypted by the key distribution center with its master key K_C-KDC to obtain the session key K_CS, then creates the authentication information E_CS(T_C, ID_C), consisting of the client information and a timestamp T_C encrypted with the session key, and finally sends it to the server together with the packet E_S-KDC(K_CS, ID_C) obtained from the key distribution center and encrypted with the server's master key.
Beneficial effects: compared with the prior art, the beneficial effects of the present invention include:
1. With a standard SSH client, every user keeps under their home directory a copy of the public key of each host they connect to. A user who connects to many hosts must store all of those hosts' public keys, which consumes space and complicates management. With the key-distribution-center-based authentication method, the client does not need to store the public keys of all hosts it connects to; the generation, distribution and revocation of the keys used are all handled by the key distribution center without manual intervention, making key management more flexible and convenient.
2. The standard SSH authentication process allows a client connecting to a host (server) for the first time to accept its host key directly without checking whether the key really belongs to that host. With the key-distribution-center-based SSH authentication method, the client obtains an encrypted session key through the key distribution center, which has already authenticated the server's identity. Moreover, using the unique identifier returned by the key distribution center, the client can confirm that the key and identity information it received were issued by the key distribution center, which prevents tampering with the request and replay of the reply.
Description of the Drawings
Fig. 1 is a diagram of the system architecture used by the key-distribution-center-based SSH authentication method of the present invention.
Fig. 2 is a schematic diagram of the connection establishment process of the key-distribution-center-based SSH authentication method of the present invention.
Detailed Description
The memory-queue-based method of the present invention for managing the reception of multiple operation and maintenance indicator data is described in further detail below with reference to the drawings.
A Key Distribution Center (KDC) is a service running on a physically secure server that maintains a database of account information for all security principals in the domain. The KDC stores, for each principal, an encryption key known only to that principal and the KDC; this key, also called the long-term key or master key, is used for exchanges between the principal and the KDC. The KDC is a third party trusted by both initiator and receiver because it maintains the account database of all accounts in the domain, that is, it manages the name of each account and the master key derived from that account's password. The session key used for mutual authentication between client and server is generated by the KDC.
The overall architecture is shown in Fig. 1. The server and the client each establish a trust relationship with the key distribution center. When the SSH service on the server starts, the server actively sends a key request to the KDC containing its SSH protocol version number, software version number and the list of encryption algorithms it supports. After the KDC authenticates the server, it returns a shared master key K_S-KDC. The client goes through the same request procedure and obtains the shared key K_C-KDC.
With the client and server having completed their key requests, and referring to Fig. 2, the authentication process by which the SSH session is established according to the present invention is as follows:
1. The client sends a session key request (Request) to the KDC. The request contains the client's own identity ID_C, the identity ID_S of the server it wishes to connect to, and a one-time unique identifier N1 for this request; a random number is recommended as the unique identifier.
2. On receiving the client's request, the KDC matches the SSH protocol version, software version and algorithm list of the client and the server and, once they agree, generates a session key K_CS. To ensure the session key is known only to the requesting client and the server it wishes to access, the KDC generates two copies of the session key, one for the client and one for the server. It then retrieves the client's and server's master keys from the account database and symmetrically encrypts the two copies separately, producing E_C-KDC[K_CS || N1 || E_S-KDC(K_CS, ID_C)] and E_S-KDC(K_CS, ID_C). For the server, the client's identity information is encrypted together with the session key so that the server can authenticate the client that initiated the connection request.
3. The client receives the two pieces of information returned by the KDC, E_C-KDC[K_CS || N1 || E_S-KDC(K_CS, ID_C)]: one is the one-time session key and the unique identifier N1 encrypted with the client's master key; the other is a packet encrypted with the server's master key containing the one-time session key K_CS and the client's identity ID_C (such as its network address).
4. The client first checks the unique identifier to confirm that the reply was issued by the KDC and matches its earlier session request. It then decrypts the KDC-encrypted session key with its own master key K_C-KDC to obtain the session key K_CS, creates the authentication information E_CS(T_C, ID_C), consisting of the client information and a timestamp T_C encrypted with the session key, and finally sends it to the server together with the packet E_S-KDC(K_CS, ID_C) obtained from the KDC and encrypted with the server's master key.
5. On receiving these two pieces of data, the server first decrypts the packet with its own master key K_S-KDC, which both yields the session key K_CS and confirms that the session key came from the KDC. It then decrypts the authentication information with the session key and verifies the client's identity by comparing the client information in the authentication information sent by the client with the client information in the packet. If they agree, the server sends the client a one-time random number encrypted with the session key, E_CS(N2); otherwise session establishment fails and the connection is closed.
6. The client decrypts with the session key to obtain the one-time random number N2 sent by the server, computes f(N2) by adding 1, and returns the result encrypted with the session key, E_CS[f(N2)], to the server.
7. The server verifies the one-time value f(N2) returned by the client; if verification passes, the normal session interaction mode begins and the server and client can exchange encrypted data in both directions; otherwise the session is closed and the connection dropped.
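The seven steps above, and claim steps (2) to (7) in the Summary, as an added runnable model in Python (illustrative code written for this page, not the patent's own implementation or any SSH software). The KDC, client and server are objects that exchange the messages named in the text: E_C-KDC[K_CS || N1 || E_S-KDC(K_CS, ID_C)], the authenticator E_CS(T_C, ID_C) sent alongside the sealed ticket E_S-KDC(K_CS, ID_C), the challenge E_CS(N2) and the response E_CS[f(N2)] with f(N2) = N2 + 1. Everything not in the text is an assumption: the encrypt-then-MAC helper built from HMAC-SHA256 stands in for a real authenticated cipher such as AES-GCM, messages are JSON, the server rejects an authenticator whose timestamp T_C is older than a constructed skew limit, the identities are constructed addresses from the 192.0.2.0/24 documentation range, and the KDC's version and algorithm matching of step 2 is omitted. demo() also runs two failure cases that show what the design is meant to prevent: a server impersonator without K_S-KDC cannot open the ticket, and a replayed KDC reply is rejected by the N1 check.

```python
import hashlib, hmac, json, os, secrets, time

# Toy encrypt-then-MAC on HMAC-SHA256. Assumption: stands in for a real AEAD cipher
# such as AES-GCM; it is here only so the example runs on the standard library.
def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(key, nonce, data):
    stream, ctr = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key, plaintext):  # E_K(m) -> nonce || ciphertext || tag
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(ek, nonce, plaintext)
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):  # inverse of encrypt; ValueError on a bad tag (wrong key or tampering)
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return _xor_stream(ek, nonce, ct)

def pack(d): return json.dumps(d, sort_keys=True).encode()
def unpack(b): return json.loads(b.decode())

class KDC:  # account database: identity -> master key (K_C-KDC for clients, K_S-KDC for servers)
    def __init__(self):
        self.accounts = {}
    def register(self, identity):  # claim step (1): record the principal, issue its master key
        self.accounts[identity] = secrets.token_bytes(32)
        return self.accounts[identity]
    def session_request(self, id_c, id_s, n1):  # step 2 (version/algorithm matching omitted)
        k_cs = secrets.token_bytes(32)  # one-time session key; each side gets its own sealed copy
        ticket = encrypt(self.accounts[id_s], pack({"k_cs": k_cs.hex(), "id_c": id_c}))
        # E_C-KDC[K_CS || N1 || E_S-KDC(K_CS, ID_C)]
        return encrypt(self.accounts[id_c], pack({"k_cs": k_cs.hex(), "n1": n1, "ticket": ticket.hex()}))

class Client:
    def __init__(self, id_c, k_c_kdc):
        self.id_c, self.k_c_kdc = id_c, k_c_kdc
    def begin(self, id_s):  # step 1: Request(ID_C, ID_S, N1), N1 random as the text recommends
        self.n1 = secrets.token_hex(16)
        return self.id_c, id_s, self.n1
    def process_reply(self, reply):  # steps 3-4; None if the reply does not carry our N1
        msg = unpack(decrypt(self.k_c_kdc, reply))
        if msg["n1"] != self.n1:
            return None  # stale or misdirected reply: not accepted
        self.k_cs = bytes.fromhex(msg["k_cs"])
        authenticator = encrypt(self.k_cs, pack({"id_c": self.id_c, "tc": int(time.time())}))
        return authenticator, bytes.fromhex(msg["ticket"])  # E_CS(T_C, ID_C), E_S-KDC(K_CS, ID_C)
    def answer_challenge(self, challenge):  # step 6: E_CS[f(N2)] with f(N2) = N2 + 1
        n2 = int.from_bytes(decrypt(self.k_cs, challenge), "big")
        return encrypt(self.k_cs, (n2 + 1).to_bytes(16, "big"))

class Server:
    MAX_SKEW = 300  # seconds; assumption: how old an authenticator's T_C may be
    def __init__(self, id_s, k_s_kdc):
        self.id_s, self.k_s_kdc = id_s, k_s_kdc
    def receive(self, authenticator, ticket):  # step 5: open ticket, check authenticator, send E_CS(N2)
        body = unpack(decrypt(self.k_s_kdc, ticket))  # only the KDC holds K_S-KDC: proves origin
        k_cs = bytes.fromhex(body["k_cs"])
        auth = unpack(decrypt(k_cs, authenticator))
        if auth["id_c"] != body["id_c"]:
            return None  # identities disagree: session establishment fails
        if abs(int(time.time()) - auth["tc"]) > self.MAX_SKEW:
            return None  # stale T_C treated as a replayed authenticator
        self.k_cs, self.n2 = k_cs, secrets.randbits(120)
        return encrypt(k_cs, self.n2.to_bytes(16, "big"))
    def verify(self, response):  # step 7: accept only N2 + 1
        return int.from_bytes(decrypt(self.k_cs, response), "big") == self.n2 + 1

def run_handshake(kdc, client, server):  # steps 1-7; True only if both sides authenticated
    try:
        id_c, id_s, n1 = client.begin(server.id_s)
        parts = client.process_reply(kdc.session_request(id_c, id_s, n1))
        challenge = server.receive(*parts) if parts else None
        return challenge is not None and server.verify(client.answer_challenge(challenge))
    except (ValueError, KeyError):
        return False

def demo():  # constructed scenario: honest run, server impersonator, replayed KDC reply
    kdc = KDC()
    client = Client("192.0.2.10", kdc.register("192.0.2.10"))  # ID_C is the client's address
    server = Server("192.0.2.20", kdc.register("192.0.2.20"))
    impostor = Server("192.0.2.20", secrets.token_bytes(32))   # claims ID_S but lacks K_S-KDC
    stale = kdc.session_request(*client.begin("192.0.2.20"))   # a KDC reply captured earlier
    client.begin("192.0.2.20")                                 # fresh request, fresh N1
    replay_rejected = client.process_reply(stale) is None
    return {"honest_accepted": run_handshake(kdc, client, server),
            "spoofed_server_accepted": run_handshake(kdc, client, impostor),
            "replayed_reply_rejected": replay_rejected}
```

demo() returns {"honest_accepted": True, "spoofed_server_accepted": False, "replayed_reply_rejected": True}. The point worth noticing is where each check lives: the client never learns or stores the server's key, so the host-spoofing problem of Trust-On-First-Use is replaced by the question of whether the party that opened the ticket held K_S-KDC, and the timestamp check on T_C is what stops a captured authenticator from being replayed after the fact, which the text does not spell out.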
There are, moreover, many specific ways of implementing the present invention, and the above is only a preferred embodiment. It should be noted that a person of ordinary skill in the art can make a number of improvements and refinements without departing from the principle of the present invention, and these should also be regarded as falling within its scope of protection. Any component not specified in this embodiment can be realized with existing technology.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910922273.4A / CN110808829B | 2019-09-27 | 2019-09-27 | SSH authentication method based on key distribution center |
| Publication Number | Publication Date |
|---|---|
| CN110808829A | 2020-02-18 |
| CN110808829B | 2023-04-18 |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |