Nothing Special   »   [go: up one dir, main page]

CN101883115B - Access authentication method and system thereof - Google Patents

Access authentication method and system thereof Download PDF

Info

Publication number
CN101883115B
CN101883115B CN 201010219560 CN201010219560A CN101883115B CN 101883115 B CN101883115 B CN 101883115B CN 201010219560 CN201010219560 CN 201010219560 CN 201010219560 A CN201010219560 A CN 201010219560A CN 101883115 B CN101883115 B CN 101883115B
Authority
CN
China
Prior art keywords
node
authentication
key
ciphertext
tree
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN 201010219560
Other languages
Chinese (zh)
Other versions
CN101883115A (en
Inventor
梁满贵
齐高亮
张熠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jiaotong University filed Critical Beijing Jiaotong University
Priority to CN 201010219560 priority Critical patent/CN101883115B/en
Publication of CN101883115A publication Critical patent/CN101883115A/en
Application granted granted Critical
Publication of CN101883115B publication Critical patent/CN101883115B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an access authentication method which comprises the following steps: physical nodes in a network is organized by a hierarchical mode to form a node tree; in order to realize access authentication, each father node in the identification framework tree respectively generates a key pair aiming at each child node, sends a private key in the key pair to the corresponding child node, and then sends the private key of each ancestor node from the father nodes to each child node of the father nodes; each leaf node of the identification framework tree reserves the private key of each ancestor node close to a certain range as a key sequence, and then requests access authentication by virtue of a cryptograph encrypted by the key sequence; and finally each father node in the identification framework tree related to an access authentication request decrypts the cryptograph of the access authentication request by a public key corresponding to the private key so as to obtain an authentication conclusion. The invention has the beneficial effect that the hierarchical network has obvious hierarchy in access authentication compared with the previous network system.

Description

Access authentication method and system
Technical field
The present invention relates to a kind of access authentication method and system of communication network, be specifically related to a kind of access authentication method and system that is adapted in the hierarchical network framework according to identify label level segmentation encryption and decryption.
Background technology
Along with the fast development of Internet technology and various application services, some original design defectives of existing Internet framework reveal gradually, IP address identity and position double grading just one of them.The double attribute of IP address on semantics in the Internet protocol system is one of basic reason that causes problems.In the conventional the Internet protocol system, the address is the identity information of representation node both, also the positional information of representation node.But the double attribute of IP address has caused the serious route scaling problem in the Internet, so that the Internet is difficult to support mobile and many locals etc.
Therefore, separate with location address (Locator) about identify label (ID), and the research of hierarchical network framework has become the focus of current Internet technology.The LISP agreement of CISCO is exactly a kind of hierarchical network framework under the IP geologic condition, be intended to propose a kind of practicable identify label (ID) and location address (Locator) mapping mechanism, realize IP address identity sign and separating that location address identifies, be Mobile IP, many locals provide strong technical support.
If the network object of hierarchical network framework layering has the feature of object-oriented and recurrence, very important for simplified network agreement and technical complexity, it is the developing direction of future network framework, yet present cryptosystem is the plane formula structure, can not satisfy the needs of hierarchical network framework on the principle, hinder above developing direction.
Summary of the invention
The problem that exists for overcoming prior art the objective of the invention is to propose a kind of access authentication method and system, and this access authentication method is that the characteristic for the hierarchical network framework proposes, and it is applicable to the hierarchical network framework.
According to an aspect of the present invention, a kind of access authentication method is provided, it is characterized in that, with the physical node in a kind of mode organization network of level, form a node tree, this node tree is called identification framework tree, in order to realize that each father node in the described identification framework tree of access authentication generates respectively a key pair for its each child node, and the private key of described cipher key pair issued corresponding child node, and each child node of also issuing described father node from the private key of the ancestor node of described father node; Each leaf node of described identification framework tree keeps the private key of the ancestor node of necessarily closing on scope as key sequence, asks access authentication by utilizing the ciphertext after described key sequence is encrypted; And PKI corresponding to each father node utilization in the described identification framework tree relevant with described access authentication request and private key come described access authentication request ciphertext is decrypted, thereby draw the authentication conclusion; It is described that to utilize the ciphertext after described key sequence is encrypted be sectional encryption, adopt RSA, the EIGamal public key algorithm produces the encryption and decryption key pair of each described segmentation, the segmentation of the ciphertext after described key sequence encrypted is sequentially corresponding one by one with the private key in the described key sequence, and when an authentication request node when setting up new link, authentication response node request authentication to the opposite end of new link, method is that described authentication request node provides the ciphertext of encrypting with the key sequence of oneself to described authentication response node, with the identity to described authentication response node proof oneself, described authentication response node will upwards transmit this ciphertext step by step, until arrive an ancestor node, it has the first paragraph deciphering PKI of described ciphertext, be used for deciphering the first step that realizes authentication, indicate by the identify label of described authentication request node afterwards, each segmentation to one section ground of next section decrypted authentication ciphertext, until arrive described authentication request node till the father node of identification framework tree, if above whole authentication successs of per step, the authentication success of described authentication request node request then, otherwise failure.
According to a further aspect in the invention, a kind of access authentication system is provided, it is characterized in that, the tree that network is formed a level with identification framework tree, described access authentication system is used for realizing that each leaf node of described tree is the access authentication in Basic Net territory, described access authentication system comprises: key generating device, described key generating device is arranged in each father node of described tree, generate respectively a key pair for its each child node, and the private key of described cipher key pair issued corresponding child node, and each child node of issuing described father node from the private key of the ancestor node of described father node; Encryption device, described encryption device are arranged in each leaf node of described tree, and all private keys that will receive from ancestor node are asked access authentication as key sequence by utilizing the ciphertext after described key sequence is encrypted; And decryption device, described decryption device is arranged in and each father node, being arranged in the PKI that the described decryption device utilization of the father node of the described tree relevant with described access authentication request generates by the father node under it comes described access authentication request is decrypted, it is described that to utilize the ciphertext after described key sequence is encrypted be sectional encryption, adopt RSA, the EIGamal public key algorithm produces the encryption and decryption key pair of each described segmentation, the segmentation of the ciphertext after described key sequence encrypted is sequentially corresponding one by one with the private key in the described key sequence, and when an authentication request node when setting up new link, authentication response node request authentication to the opposite end of new link, method is that described authentication request node provides the ciphertext of encrypting with the key sequence of oneself to described authentication response node, with the identity to described authentication response node proof oneself, described authentication response node will upwards transmit this ciphertext step by step, until arrive an ancestor node, it has the first paragraph deciphering PKI of described ciphertext, be used for deciphering the first step that realizes authentication, indicate by the identify label of described authentication request node afterwards, each segmentation to one section ground of next section decrypted authentication ciphertext, until arrive described authentication request node till the father node of identification framework tree, if above whole authentication successs of per step, the authentication success of described authentication request node request then, otherwise failure.
The invention has the beneficial effects as follows, make the hierarchical network ratio network system in the past aspect access authentication, have obvious level.Specifically, following beneficial effect is arranged:
1. because social fractal characteristic, should have fractal characteristic so cover the network of society, the hierarchical network framework is the necessary condition that network has fractal characteristic, and the access authentication method of the level segmentation encryption and decryption that the present invention proposes is the necessary condition of hierarchical network framework.
According in the hierarchical network for the definition of identify label and identification framework tree, the characteristics of the layering that has according to it, the present invention will adopt the encryption and decryption scheme of segmentation, be applied in the middle of the access authentication in hierarchical network Basic Net territory, thereby the authentication of implementation level, due to the following characteristic of hierarchical network identify label and identification framework tree:
(i) level of identify label.ID is abbreviated as in identify label, and a node has an identify label.Identify label is mainly given according to the social membership between the network object.Unique requirement to identify label is the uniqueness of full name identification in this organizational structure of the combination of many levels.Relation between the simple identification is layer level, and is similar with the level of social organization relation.
(ii) level of password.After identification framework tree formed, all nodes that have a child node all will produce the key that is made of PKI and private key pair, and the right quantity of key is decided according to the number of child node.Private key is presented to child node, is used for encrypting and authenticating request bag.PKI keeps by issuing node oneself, is used for decrypted authentication request bag.
(iii) level of authentication request bag.The design of authentication request bag is as follows: Head Cmd[authentication request node ID] [[Target id]] [Time, ID component k, CODEk] ... [Time, ID component 2, CODE2] [CODE 1 for Time, ID component 1].Therefrom can find out and have stronger level.
3. fail safe.Be mainly manifested in following two aspects:
(i) distributed authentication mechanism: will authenticate a plurality of nodes of decentralization of functions in the network architecture, and can avoid focusing on the risk of bringing by certificate server, each relative node needs data volume to be processed also can decrease;
(ii) authentication mechanism of stratification: the design of ID layering, password layered, authentication request bag layered encryption and the layering of authentication realize, can cut down to a certain extent the impact of Password Length, improve security performance, simultaneously, need the cooperation of many levels in the network, just can finish once authentication, strengthen the difficulty of security attack, also improve to a certain extent security performance.
Description of drawings
Fig. 1 is the schematic diagram of identification framework tree;
Fig. 2 is key providing schematic diagram under the public-key cryptosystem;
Fig. 3 is that (thick-line arrow represents the path of authentication request bag to the identifying procedure of A111 when moving to A12 nerve of a covering territory; Thin-line arrow represents to authenticate the return path of corresponding bag);
Fig. 4 is that (thick-line arrow represents the path of authentication request bag to the identifying procedure of A111 when moving to A21 nerve of a covering territory; Thin-line arrow represents the return path of authentication response bag).
Specific embodiments
With the physical node in a kind of mode organization network of level, forming a node tree is effective network organization mode, the present invention is with reference to a kind of concrete node tree of the PNNI protocol definition of atm forum, and this node tree is called as identification framework tree, and Fig. 1 illustrates the example of an identification framework tree.
Identification framework tree for what further specifies, defined notion Basic Net territory at first.The Basic Net territory is a physical node or a physical subnets, and the Basic Net territory has one or more to external port, and energy generation, consumption or forwarding data can independently move the annexation that changes to each other.In the hierarchical network framework, the Basic Net territory is the smallest object that identifies, operates, uses and manage, and whole network does not need to know the interior details in Basic Net territory, only knows that external function and feature get final product.
One or more Basic Nets territory can form one by one group by affiliated relation, be called basic peer-group, a plurality of basic peer-group can form larger one by one group, be called general peer-group, a plurality of general peer-group can also further form more high-rise peer-group, finally, whole network forms a tree, this tree is exactly the identification framework tree of network, the leaf nodes of identification framework tree is the Basic Net territory, and the node corresponding to basic peer-group and general peer-group on upper strata is called logical node.For each node in the identification framework tree (node is the general designation of Basic Net territory or logical node) is given a simple identification, the simple identification of each node and the simple identification of necessarily closing on scope ancestor node thereof form with different levels identifier of an orderly similar IP network domain name form, can be in certain network range this node of unique identification, this identifier is called the identify label of this node, be designated as ID, each simple identification is called as the ID component.In addition, further define following concept:
Network root: the root node of the identification framework tree that whole network is corresponding, i.e. the peer-group node of top layer.
Ancestor node: with the father node of a node in the whole identification framework tree and more the older generation's node be referred to as the ancestor node of this node.
Descendent node: if node A is the ancestor node of Node B, then Node B is exactly the descendent node of node A.
Common ancestor's node: refer in the common ancestor node of node A and Node B, be positioned at the node of lowermost layer in whole identification framework tree.That is to say, one, common ancestor's node are the ancestor node of node A, are again the ancestor node of Node B, its two, all be the ancestor node of node A be again that the residing layer of common ancestor's node is minimum in the node of ancestor node of Node B.
Top layer ancestor node: there is a top layer ancestor node in each Basic Net territory, is the top ancestor node that this Basic Net territory is known, the simple identification of the top layer ancestor node that the top ID component of this Basic Net territory ID is this Basic Net territory.The Basic Net territory determines the hierarchical position of its top layer ancestor node according to the mobile range size of plan, top layer ancestor node selects to have determined this Basic Net territory ID length, Basic Net territory ID is the simple identification by its top layer ancestor node, the simple identification of the ancestor node that top layer ancestor node is following, and the simple identification sequence of the simple identification in this Basic Net territory composition.The Basic Net territory also has a key sequence, and this key sequence is comprised of Basic Net territory key corresponding to ID component, but does not comprise key corresponding to top layer ancestor node ID component, the sequence consensus of the order of key and ID component in the key sequence in Basic Net territory.
Fig. 1 is an example of identification framework tree, and is less for illustrating simple minute number, be 2 even 1, but following discussion is not general.Basic Net territory A111 and A112 form basic peer-group A11, and logical node A11 is the external representative of peer-group A11, and logical node A11 is a software process object that operates among A111 or the A112 usually; In like manner, Basic Net territory A221 and A222 form peer-group A22, and logical node A22 is the external representative of peer-group A22; Logical node A12 and logical node A21 also represent corresponding peer-group.
Logical node A11 and logical node A12 further form general peer-group A1, and logical node A1 is the external representative of general peer-group A1, and logical node A1 operates among A11 or the A12 usually, i.e. a software process object among A111, A112 or the A121; Logical node A1 also represents corresponding peer-group.
At last, logical node A1 and logical node A2 further form general peer-group A, and logical node A operates among A1 or the A2 usually, i.e. a software process object among A111, A112, A121, A211, A221 or the A222.
Among Fig. 1, the literal that marks on each node in the identification framework tree is its simple identification, if network root A is exactly the top layer ancestor node in all Basic Net territories, the identify label of Basic Net territory A121 is A.A1.A12.A121 so, the identify label of Basic Net territory A221 is A.A2.A22.A221, and the identify label of logical node A11 is A.A1.A11.If the scope that A121 moves is limited in the scope of A1, the top layer ancestor node of Basic Net territory A121 can be selected A1 so, and at this moment A121 identify label is simplified becomes A1.A12.A121.
In identification framework tree, the key information of superior node storage downstream site, the superior node that downstream site is only trusted, logical node with downstream site all should have the authentication service function, the certificate server role who serves as the part of equivalence is responsible for the work such as generation and the granting of key, the enciphered message that reads authentication request bag, decrypted authentication request bag, generation authentication response bag.As seen, the access authentication for hierarchical network uses from different for the employed authentication mode of the access authentication of traditional centralized system.Requirement is used distributed authentication mode for the access authentication of hierarchical network, and authentication module is distributed on the different nodes in the identification framework tree.
The form of authentication request bag
Head Cmd[authentication request node ID] [authentication response node ID] [Time, ID component k, CODEk] ... [Time, ID component 2, CODE2] [Time, ID component 1, CODE1]
Wherein, each symbolic significance is as follows:
Head: data packet head mainly comprises the field of the information such as version number, transmission priority, congestion control, error detection, type of data packet of data packet format.
Cmd: command code, get a set point.
The authentication request node ID: the identify label of authentication authorization and accounting requesting node is used for the authentication request bag is directed to top layer ancestor node, and then is directed to the father node of authentication request node.
The authentication response node ID: the identify label of authentication authorization and accounting responsive node is used for the authentication response bag is directed to the authentication response node.
Time: time tag is mainly used in preventing from distorting and Replay Attack.
ID component i: the ID component of authentication request node, i=1,2, ..., k, ID component k be the authentication request node as the simple identification in a Basic Net territory, last ID component 1 is the simple identification of an ancestor node of authentication request node, this ancestor node is the direct child of the top layer ancestor node of authentication request node.
CODEi: be the component of key sequence, i=1,2 ..., k, CODEi is corresponding with ID component i's.
The level of authentication request bag is embodied in: the authentication request bag is sectional encryption.In the authentication request bag: Time and ID component 1 are encrypted by CODE1, and Time and ID component 2 are encrypted by CODE2, by that analogy, always have the k section.
The authentication response packet format
Head, Cmd, [authentication response node ID], [Return Message]
Wherein each symbolic significance is as follows:
Head: data packet head mainly comprises the field of the information such as version number, transmission priority, congestion control, error detection, type of data packet of data packet format.
Cmd: command code, get a set point.
Authentication response node ID: the identify label of authentication response node.
Return Message: receive the response, should comprise the identify label of authentication request end, and authenticate the expression of whether passing through.
Detailed implementation process based on RSA arithmetic
1. the distribution process of key
Illustrate that below with reference to Fig. 2 the key in the forming process of identification framework tree sends out process.Wherein X is private key, and Y is PKI.
(1) root node A is according to its son node number, determines to produce 2 keys pair, is { X1, Y1}{X2, Y2}; And with private key { X1} and { X2} issues respectively its child node A1 and A2.
(2) node A1 is same produces two keys to { X3, Y3} and { X4, Y4} issue respectively its child node A11 and A12 with private key X3 and X4; Oneself keeps PKI Y3 and Y4, uses during in order to deciphering, and will also together issue its child node A11 and A12 from the private key X1 of its ancestor node A.Equally, A2 produces key to { X5, Y5} and { X6, Y6}, and respectively private key X5 and X6 are issued its child node A21 and A22, own reservation PKI Y5 and Y6, and will also issue its child node A21 and A22 from the private key X2 of its ancestor node A.
(3) node A11 produces key to { Y8} issues respectively A111 and A112 with private key X7 and X8 for X7, Y7}{X8, own reservation PKI Y7 and Y8, and will be respectively also issue its child node A111 and A112 from private key X1 and the X3 of its ancestor node A and A1.Equally, A12 produces key to { X9, Y9}, and private key X9 issued its child node A121 keep PKI Y9, and will be respectively also issue its child node A121 from private key X1 and the X4 of its ancestor node A and A1.
(4) node A21 produces key to { X10, Y10} issue A211 with X10, oneself keeps Y10, and A22 is produced key to { X11, Y11}{X12, Y12}, and private key X11 and X12 issued respectively its child node A221 and A222, oneself keeps PKI Y11 and Y12.
Node A111 with its from ancestor node (be A, A1 and A11 at this) receive { X7}, { X3} is with { these three keys of X1} obtain the key sequence of A111 mutually in succession.That is to say, the encryption key distribution process makes each node all obtain key sequence.For example, node A111 obtains by { X7}, { X3} and { these three key sequence { X7}{X3}{X1} that key forms mutually in succession of X1}.
But when if A111 plan is only moved in the scope that does not exceed A1, then the key sequence of A111 can be { X7}{X3} rather than { X7}{X3}{X1}, corresponding identify label is also shortened and become A1.A11.A111 rather than A.A1.A11.A111.In this case, A11 when knowing that A111 only moves in the scope that does not exceed A1, can be not { X1} issues A111, and it also will not keep even issue A111 with the private key of A1.
2. the detailed design of authentication request bag
Be without loss of generality, move near the A121 as example take A111, the detailed design of authentication request bag is described.According to the Distribution Results of top key, Basic Net territory A111 has altogether three private keys and is respectively X7, X3, X1.So, when this node arrives a new network site, such as moving near the A121, when setting up link with A121, just must carry out authentication if will obtain communication service by A121, to the identity of A121 proof oneself, therefore node A111 structure authentication request bag is as follows:
Head,Cmd,[A.A1.A11.A111],[A.A1.A12.A121],[Time,A111,X7][Time,A11,X3][Time,A1,X1]
Ciphertext in this authentication request bag has three ciphertext sections, respectively by key X7, and X3, X1 encrypts and obtains, and is exactly X1 is encrypted formation to simple identification A1 and Time ciphertext such as [Time, A1, X1].
3, detailed realization flow
Be without loss of generality, move as example with A111, detailed realization flow is described.
Move to different network ranges according to Basic Net territory A111 and can be divided into two kinds of situations, be respectively in the territory and inter-domain authentication, concrete certificate scheme mainly contains following two kinds:
Scheme one: the node in the identification framework tree as shown in Figure 1 is moved, when moving to the network range that A12 covers, Basic Net territory A111 forms situation shown in Figure 3, when A111 and A121 set up communication link, just must be through A121, send authentication request bag request authentication by A12 to network, otherwise A111 can't obtain service from network.Identifying procedure as shown in Figure 3, step is as follows:
(1) A111 sends authentication request bag (thick arrow path) through A121, A12 and A1 to A:
Head,Cmd,[A.A1.A11.A111],[A.A1.A12.A121],[Time,A111,X7][Time,A11,X3][Time,A1,X1]
(2) after A receives this authentication request bag, read the Cmd in packet header, know that this is an authentication request bag, identify label A.A1.A11.A111 according to A111, just can confirm oneself to be exactly the top layer ancestor node of authentication request node, decipher first ciphertext section with the public-key cryptography of A1, if successfully deciphering sends to its child node A1 with the authentication request bag.
(3) after A1 receives this authentication request bag, with second ciphertext section of public-key cryptography deciphering of A11, if successfully deciphering sends to its child node A11 with the authentication request bag.
(4) the like, until the father node A11 of authentication request node, after it receives this authentication request bag, the last ciphertext section of public-key cryptography deciphering with A111, if successfully deciphering, then whole authentication success generates the authentication response bag and gets final product response to A121 and A12, and the authentication response packet format is as follows:
Head,Cmd,[A.A1.A12.A121],[Return?Message]
If the top layer ancestor node of this scheme A111 is A1, this can work equally, and difference be A to the thick arrow path of A1 process is no longer directly passed through A111, A12, A1, A11.
Scheme two:
Node in the identification framework tree as shown in Figure 1 is moved, when moving to the network range that A21 covers, Basic Net territory A111 forms situation shown in Figure 4, when A111 and A211 set up communication link, A111 will obtain service from network, just must be through A211, send authentication request bag request authentication (thick arrow path) by A21 to network, the identifying procedure of this kind scheme is as follows:
(1) A111 sends the authentication request bag by A211, A21 and A2 to A:
Head,Cmd,[A.A1.A11.A111],[A.A2.A21.A211],[Time,A111,X7][Time,A11,X3][Time,A1,X1]
(2) after A receives this authentication request bag, read the Cmd in packet header, know that this is an authentication request bag, identify label A.A1.A11.A111 according to A111, just can confirm oneself to be exactly the ancestor node of requesting node, decipher first ciphertext section with the public-key cryptography of A1, if successfully deciphering sends to its child node A1 with the authentication request bag.
(3) after A1 receives this authentication request bag, decipher first ciphertext section with the public-key cryptography of A11, if successfully deciphering sends to its child node A11 with the authentication request bag.
(4) after A11 receives this authentication request bag, decipher first ciphertext section with the public-key cryptography of A111, if successfully deciphering, then whole authentication success generates the authentication response bag and gets final product response to A21 and A211, and packet format is as follows:
Head,Cmd,[A.A2.A21.A211],[Return?Message]
Can adopt the public key algorithms such as RSA, EIGamal to produce the encryption and decryption key pair of each segmentation among the above embodiment.The RSA public key encryption algorithm is to be developed in (Massachusetts Institute Technology) by Ron Rivest, Adi Shamirh and LenAdleman in 1977.RSA is named the name from they three of exploitation.RSA is present the most influential public key encryption algorithm, and it can resist all up to the present known cryptographic attacks, is recommended as the public key data encryption standard by ISO.RSA Algorithm is true based on a foolproof number theory: two large prime numbers are multiplied each other very easy, but it is extremely difficult to want that at that time its product is carried out factorization, and therefore can product is open as encryption key.The EIGamal algorithm not only can be used for digital signature but also can be used for encrypting, and its fail safe depends on the difficulty of calculating discrete logarithm on the finite field.In addition, the transmission course of authentication response bag can be with encryption key at all levels to carrying out sectional encryption, with the fail safe of the transmission course that improves the authentication response bag.

Claims (2)

1. an access authentication method is characterized in that,
With the physical node in a kind of mode organization network of level, form a node tree, this node tree is called identification framework tree, in order to realize access authentication, each father node in the described identification framework tree generates respectively a key pair for its each child node, and the private key of described cipher key pair issued corresponding child node, and each child node of also issuing described father node from the private key of the ancestor node of described father node;
Each leaf node of described identification framework tree keeps the private key of the ancestor node of necessarily closing on scope as key sequence, asks access authentication by utilizing the ciphertext after described key sequence is encrypted;
The PKI that each father node utilization in the described identification framework tree relevant with described access authentication request and private key are corresponding comes described access authentication request ciphertext is decrypted, thereby draws the authentication conclusion,
It is described that to utilize the ciphertext after described key sequence is encrypted be sectional encryption,
Adopt RSA, EIGamal public key algorithm to produce the encryption and decryption key pair of each described segmentation,
The segmentation of the ciphertext after described key sequence encrypted is sequentially corresponding one by one with the private key in the described key sequence, and
When an authentication request node when setting up new link, authentication response node request authentication to the opposite end of new link, method is that described authentication request node provides the ciphertext of encrypting with the key sequence of oneself to described authentication response node, with the identity to described authentication response node proof oneself, described authentication response node will upwards transmit this ciphertext step by step, until arrive an ancestor node, it has the first paragraph deciphering PKI of described ciphertext, be used for deciphering the first step that realizes authentication, indicate by the identify label of described authentication request node afterwards, each segmentation to one section ground of next section decrypted authentication ciphertext, until arrive described authentication request node till the father node of identification framework tree, if above whole authentication success of per step, the authentication success of described authentication request node request then, otherwise failure.
2. an access authentication system is characterized in that, network is formed the tree of a level with identification framework tree, and described access authentication system is for realizing that each leaf node of described tree is the access authentication in Basic Net territory, and described access authentication system comprises:
Key generating device, described key generating device is arranged in each father node of described tree, generate respectively a key pair for its each child node, and the private key of described cipher key pair issued corresponding child node, and each child node of issuing described father node from the private key of the ancestor node of described father node;
Encryption device, described encryption device are arranged in each leaf node of described tree, and all private keys that will receive from ancestor node are asked access authentication as key sequence by utilizing the ciphertext after described key sequence is encrypted; And
Decryption device, described decryption device is arranged in and each father node, being arranged in the PKI that the described decryption device utilization of the father node of the described tree relevant with described access authentication request generates by the father node under it comes described access authentication request is decrypted
It is described that to utilize the ciphertext after described key sequence is encrypted be sectional encryption,
Adopt RSA, EIGamal public key algorithm to produce the encryption and decryption key pair of each described segmentation,
The segmentation of the ciphertext after described key sequence encrypted is sequentially corresponding one by one with the private key in the described key sequence, and
When an authentication request node when setting up new link, authentication response node request authentication to the opposite end of new link, method is that described authentication request node provides the ciphertext of encrypting with the key sequence of oneself to described authentication response node, with the identity to described authentication response node proof oneself, described authentication response node will upwards transmit this ciphertext step by step, until arrive an ancestor node, it has the first paragraph deciphering PKI of described ciphertext, be used for deciphering the first step that realizes authentication, indicate by the identify label of described authentication request node afterwards, each segmentation to one section ground of next section decrypted authentication ciphertext, until arrive described authentication request node till the father node of identification framework tree, if above whole authentication success of per step, the authentication success of described authentication request node request then, otherwise failure.
CN 201010219560 2010-06-25 2010-06-25 Access authentication method and system thereof Expired - Fee Related CN101883115B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010219560 CN101883115B (en) 2010-06-25 2010-06-25 Access authentication method and system thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010219560 CN101883115B (en) 2010-06-25 2010-06-25 Access authentication method and system thereof

Publications (2)

Publication Number Publication Date
CN101883115A CN101883115A (en) 2010-11-10
CN101883115B true CN101883115B (en) 2013-04-17

Family

ID=43055001

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010219560 Expired - Fee Related CN101883115B (en) 2010-06-25 2010-06-25 Access authentication method and system thereof

Country Status (1)

Country Link
CN (1) CN101883115B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104756131B (en) * 2012-09-19 2017-07-11 交互数字专利控股公司 Layering certification
CN104468585B (en) * 2014-12-12 2017-10-24 西安电子科技大学 The credible access authentication method of user equipment based on agency
CN105262848B (en) * 2015-06-30 2018-08-28 清华大学 The identity of user internet and generation method and system
CN109257343B (en) * 2018-09-05 2020-11-10 沈阳理工大学 Composite dimension reverse access authentication method based on matrix mapping
CN110213228B (en) * 2019-04-25 2021-09-07 平安科技(深圳)有限公司 Method, device, storage medium and computer equipment for authenticating communication
CN112187454B (en) * 2020-09-14 2022-12-02 国网浙江省电力有限公司 Key management method and system based on block chain
CN112333701B (en) * 2020-10-23 2021-12-10 中国科学技术大学 Cross-domain authentication method based on identity in large-scale Internet of things scene

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4370721B2 (en) * 2000-04-06 2009-11-25 ソニー株式会社 Information recording apparatus, information reproducing apparatus, information recording method, information reproducing method, key update terminal apparatus, generation management key update method, information recording medium, and program providing medium
US7539313B1 (en) * 2000-09-13 2009-05-26 Nortel Networks Limited System and method for key management across geographic domains
US7350077B2 (en) * 2002-11-26 2008-03-25 Cisco Technology, Inc. 802.11 using a compressed reassociation exchange to facilitate fast handoff
CN101075870B (en) * 2006-05-16 2010-08-25 华为技术有限公司 Method for generating and distributing movable IP Key
CN100536436C (en) * 2007-05-28 2009-09-02 广州杰赛科技股份有限公司 Wireless self-organized network distribution authentication multi-layer tree route method
CN101557587B (en) * 2009-04-08 2011-01-26 哈尔滨工程大学 Management method of hierarchical tree key in wireless sensor network (WSN)

Also Published As

Publication number Publication date
CN101883115A (en) 2010-11-10

Similar Documents

Publication Publication Date Title
CN101883115B (en) Access authentication method and system thereof
CN109981641A (en) A kind of safe distribution subscription system and distribution subscription method based on block chain technology
CN108012232A (en) VANETs location privacy protection querying methods under mist computing architecture
CN105577383A (en) Management of cryptographic keys
CN115118756B (en) Method and device for designing safe interaction protocol in energy internet scene
JP2004208262A (en) Apparatus and method of ring signature based on id employing bilinear pairing
CN110278086A (en) Compatibility method, device, terminal, system and storage medium based on CPK and PKI
Li et al. An identity-based data integrity auditing scheme for cloud-based maritime transportation systems
Ullah et al. A conditional privacy preserving heterogeneous signcryption scheme for internet of vehicles
Chavali et al. A review of privacy-preserving authentication schemes for future internet of vehicles
CN116723511B (en) Position management method and system for realizing privacy protection in Internet of vehicles and Internet of vehicles
CN109257167B (en) Resource allocation method for protecting privacy in fog calculation
Parameswarath et al. Privacy-Preserving User-Centric Authentication Protocol for IoT-Enabled Vehicular Charging System Using Decentralized Identity
CN109412809A (en) SDN information access control method based on authenticatable hierarchical attribute encryption
Yao et al. Metaverse-AKA: A Lightweight and PrivacyPreserving Seamless Cross-Metaverse Authentication and Key Agreement Scheme
Cahyadi et al. An improved efficient authentication scheme for vehicular ad hoc networks with batch verification using bilinear pairings
Wang et al. Identity-based cross-domain authentication by blockchain via pki environment
Mededjel et al. A blockchain application prototype for the internet of things
Lin Secure cloud Internet of vehicles based on blockchain and data transmission scheme of map/reduce
CN112468983A (en) Low-power-consumption access authentication method for intelligent equipment of power internet of things and auxiliary device thereof
Hajny et al. Privacy-enhanced data collection scheme for smart-metering
Roy et al. A modified RSA cryptography algorithm for security enhancement in vehicular ad hoc networks
Xu et al. Achieving Data Security, Access Control and Authentication of Controllers in Hierarchical Software Defined Networking with Attribute Based Encryption
Borges et al. A Decentralized Authentication Model for Internet of Vehicles Using SSI.
Rui et al. Trusted group construction mechanism based on trusted management

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130417

Termination date: 20190625

CF01 Termination of patent right due to non-payment of annual fee