CN118842600A - Double-factor authentication method and system - Google Patents
- Publication number
- CN118842600A (CN202310442049.1A)
- Authority
- CN
- China
- Prior art keywords
- user
- authentication
- server
- factor
- public key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Abstract
The application relates to the technical field of computer security and discloses a double-factor authentication method and system. The method is a double-factor authentication technology based on biological information and public key encryption, in which a semantically secure public key encryption scheme and a robust hash function that preserves predicate relations are used to realize the authentication process, and which is able to resist replay attacks and malicious server attacks. Specifically, the scheme resists replay attacks by having the server randomly generate a challenge number and transmit it encrypted under the user public key, and it uses two-factor authentication with a biometric authentication factor and a private key authentication factor to resist malicious user attacks. Meanwhile, the scheme uses a robust hash function that preserves predicate relations to protect the biometric information of the user, and uses a semantically secure public key encryption scheme to protect the private key information of the user, so that malicious server attacks are resisted. The application significantly improves the security and the efficiency of authentication and can better meet the needs of users.
Description
Technical Field
The application relates to the technical field of computer security, in particular to an identity authentication technology.
Background
Homomorphic encryption is a special form of encryption that allows specific computations to be performed on ciphertext, such that the result obtained corresponds to the result of the same computation on the plaintext. In short, the computation is performed in the ciphertext domain, and the plaintext does not need to be decrypted. Homomorphic encryption can be used to protect data privacy while allowing data processing in the encrypted state, thereby achieving secure data sharing and processing. Homomorphic encryption can be classified into fully homomorphic encryption, which can perform any computation, and partially homomorphic encryption, which can only perform a specific type of computation. Homomorphic encryption has been widely used in the fields of cloud computing, internet of things, blockchain, etc.
A two-factor authentication scheme refers to an authentication scheme that uses two different identity authentication factors to verify the identity of a user. Typically, these two factors include the physical characteristics of the user (e.g., fingerprint, facial recognition, iris scan, etc.) and a secret factor (e.g., password, private key, etc.). In a two-factor authentication scheme, the user needs to provide both factors simultaneously in order to pass authentication. Compared to single-factor authentication, the two-factor authentication scheme is safer because an attacker needs to acquire two different factors simultaneously to successfully impersonate the user.
The prior art two-factor authentication scheme is further described below.
See Fig. 1 for the user registration phase with a server. In the registration stage, the user first invokes the homomorphic encryption key generation algorithm to generate a pair of public and private keys $(pk, sk) \leftarrow \mathrm{HE.KeyGen}(1^\lambda)$, and a face information feature vector $\Gamma = (\Gamma_1, \ldots, \Gamma_k)$ of the user is collected. The homomorphic encryption algorithm is then invoked for each bit to get $c_i = (\alpha_i, \beta_i) \leftarrow \mathrm{HE.Enc}(pk, \Gamma_i)$. The ID and the ciphertexts $c_1, \ldots, c_k$, as well as the public key $pk$, are sent to the server, which stores them.
In the authentication phase, the blind squared Euclidean distance algorithm is denoted by the BlindESED algorithm.
Referring to Fig. 2, when the user wants to authenticate, the following steps are performed:
Step 1: the user first samples the face biological characteristics to obtain $\Gamma' = (\Gamma'_1, \ldots, \Gamma'_k)$, and sends the ID of the user and $C'_i = (\alpha_i, \beta_i) \leftarrow \mathrm{HE.Enc}(pk, \Gamma'_i)$ to the server.
Step 2: after the server receives $C'_i$, it generates $r_0, r_1$ uniformly at random and calls the blind squared Euclidean distance calculation algorithm to obtain a second-order ciphertext $S^* = (\alpha^*, \beta^*)$, which is sent to the user.
Step 3: after the user receives $S^*$, the decryption algorithm $s^* \leftarrow \mathrm{HE.Dec}(sk, S^*)$ is called and the result is sent to the server.
Step 4: the server calculates a threshold $s$ according to $s^*$, compares the threshold $s$ with a standard threshold, and judges whether the authentication is passed or not.
However, the above solution has the following technical problems:
Cannot resist replay attacks: a malicious user can pass authentication by replaying the first message without knowing the user's face feature vector, so this scheme cannot prevent replay attacks.
The security model is weak: the scheme only considers "honest but curious" servers, and cannot prevent attacks by malicious servers. In the second step of the authentication stage, the server may send the ciphertext $C$ that it has stored to the user for decryption instead of $S^*$, so that the server may obtain the facial feature vector of the user, thereby breaking the security.
The efficiency is lower: the scheme uses a second-order homomorphic encryption scheme, whose encryption and decryption efficiency is low, so efficiency problems can arise in practical application.
Therefore, the scheme has lower security and lower efficiency, and cannot meet the needs of users well.
Disclosure of Invention
The application aims to provide a two-factor authentication method and a two-factor authentication system, which are used for solving the problems in the background technology.
The application discloses a double-factor authentication method, which comprises the following steps:
Step A: the server calls the key generation algorithm of a public key encryption scheme to generate a pair of first public and private keys, samples a robust hash function that preserves predicate relations to obtain h, sets h as a system parameter, and stores the first public and private keys and h;
Step B: in the user registration stage, the user generates a pair of second public and private keys by using the key generation algorithm of the public key encryption scheme, samples their own biological characteristics, carries out a hash operation on the biological authentication factor w, and sends the identity identifier of the user, the hash value obtained from hashing the biological authentication factor w, and the public key generated by the user to the server, while the user stores the other authentication factor, the private key;
Step C: in the user authentication phase, semantically secure public key encryption is used to protect user private key information, two-factor authentication with a biological authentication factor and a private key authentication factor is used, and a robust hash function that preserves predicate relations is used to protect the biological characteristic information of the user.
In a preferred embodiment, in step A, the server first invokes the key generation algorithm of the public key encryption scheme to generate a pair of public and private keys $(pk_s, sk_s)$, then samples a robust hash function that preserves predicate relations (RPPH) to obtain $h$, sets $h$ as the system parameter $pp_{2fa}$, and stores the generated public and private keys $(pk_s, sk_s)$ and $h$ in the server. Here $pk_s$ is the public key generated by the server, used to encrypt challenges and verify authentication factors of users, and $sk_s$ is the server's private key, used for decrypting the received information.
In a preferred embodiment, in step B, the user generates a pair of public and private keys $(pk_c, sk_c) \leftarrow \mathrm{PKE.KeyGen}(1^\lambda)$ by using the key generation algorithm of the public key encryption scheme, samples their own biometric feature $w \leftarrow \mathrm{Sample}(W)$, hashes the biometric authentication factor $w$ to obtain $h_w \leftarrow h(w)$, and sends $id_c$, $h_w$ and $pk_c$ to the server for storage, while storing the other authentication factor, the private key $sk_c$. Here $id_c$ represents the identity identifier of the user, $w$ represents the biometric authentication factor of the user, $h_w$ represents the hash value obtained by hashing the biometric authentication factor $w$, $pk_c$ represents the public key generated by the user, and $sk_c$ represents the private key authentication factor generated by the user.
In a preferred embodiment, the private key authentication factor is stored securely by the user; only the user knows its value, and it is not available to others.
In a preferred embodiment, the biometric authentication factor of the user is one or any combination of the following: the face image of the user, the fingerprint of the user and the iris of the user.
In a preferred embodiment, in step C, the user requests a service from the server. The server obtains $(id_c, h_w, pk_c)$ from the database, randomly generates the challenge number $r$, encrypts it with the user public key to obtain the ciphertext $c_r$, and sends the ciphertext $c_r$ to the user. The user decrypts the ciphertext $c_r$ by using the private key authentication factor to obtain $r'$, samples their own biological source to obtain the biological authentication factor $w'$, encrypts $(h(w') + r)$ by using the public key of the server to obtain the ciphertext $c_w$, and sends the ciphertext $c_w$ to the server. The server decrypts $c_w$ to obtain the plaintext $m$, and calculates $b = \mathrm{RPPH.Eval}(h, h_w, m - r)$ by using the robust hash function RPPH that preserves predicate relations to obtain the authentication result $b$.
In a preferred embodiment, if $b = 1$, the authentication passes; otherwise the authentication fails.
In a preferred embodiment, the step C further comprises the steps of:
The user requests a service from a server and sends a Request message $(id_c, \mathrm{Request})$ to the server;
The server first acquires the biological authentication factor $h_w$ and the public key $pk_c$ corresponding to the user identity identifier $id_c$ from a database, then randomly generates a challenge number $r$, encrypts the challenge number $r$ by using the user public key $pk_c$ to obtain an encrypted ciphertext $c_r$, and transmits the ciphertext $c_r$ to the user;
After receiving the ciphertext $c_r$, the user first decrypts the ciphertext $c_r$ by using the user's private key authentication factor $sk_c$ to obtain a challenge number $r'$, then samples their own biological source to obtain a biological authentication factor $w'$, then encrypts $h(w') + r'$ by using the public key of the server to obtain a ciphertext $c_w$, and sends the ciphertext $c_w$ to the server, where $h(w')$ represents the result obtained by carrying out the hash operation on the biological authentication factor $w'$;
The server first decrypts the ciphertext $c_w$ by using the private key authentication factor $sk_c$ to obtain a plaintext $m$, and the server calls the Eval algorithm of the hash function RPPH to calculate an authentication result $b$ by using the system parameter $h$, the biometric authentication factor hash value $h_w$, the plaintext $m$ and the challenge number $r$.
The application also discloses a double-factor authentication system, which comprises:
A memory for storing computer executable instructions; and
A processor for implementing steps in a method as described hereinbefore when executing said computer executable instructions.
The application also discloses a computer readable storage medium having stored therein computer executable instructions which when executed by a processor implement the steps in the method as described above.
In the embodiment of the application, a double-factor authentication scheme based on biological information and public key encryption aims at improving the security and the efficiency of authentication. The scheme uses a semantically secure public key encryption scheme and a robust hash function that preserves predicate relations to implement the authentication process, and has the ability to resist replay attacks and malicious server attacks. Specifically, the scheme resists replay attacks by having the server randomly generate a challenge number and transmit it encrypted under the user public key, and it uses two-factor authentication with the biometric authentication factor and the private key authentication factor to resist malicious user attacks. Meanwhile, the scheme uses a robust hash function that preserves predicate relations to protect the biometric information of the user, and uses a semantically secure public key encryption scheme to protect the private key information of the user, so that malicious server attacks are resisted. The efficiency of this scheme is also optimized, and is higher than that of a scheme using homomorphic encryption. Therefore, the application significantly improves the security and the efficiency of authentication and can better meet the needs of users.
The numerous technical features described in the description of the present application are distributed among the various technical solutions, and listing all possible combinations of technical features of the present application (i.e., technical solutions) would make the description too lengthy. In order to avoid this problem, the technical features disclosed in the above summary of the application, the technical features disclosed in the following embodiments and examples, and the technical features disclosed in the drawings may be freely combined with each other to constitute various new technical solutions (these technical solutions are regarded as already described in the present specification) unless such a combination of technical features is technically impossible. For example, suppose that in one example features A+B+C are disclosed, in another example features A+B+D+E are disclosed, features C and D are equivalent technical means that perform the same function and technically can only be used as alternatives, not simultaneously, and feature E can technically be combined with feature C. Then the solution A+B+C+D should not be considered as already described because it is technically impossible, and the solution A+B+C+E should be considered as already described.
Drawings
FIG. 1 is a schematic diagram of a prior art authentication user registration phase with a server;
FIG. 2 is a schematic diagram of a user to server authentication phase in prior art authentication;
Fig. 3 is a flow chart of a two-factor authentication method according to a first embodiment of the present application;
Fig. 4 is a schematic diagram of a two-factor authentication protocol based on biometric information and public key technology in a two-factor authentication method according to the present application.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present application. It will be understood by those skilled in the art that the claimed application may be practiced without these specific details and with various changes and modifications from the embodiments that follow.
Description of the partial concepts:
Authentication factor: evidence provided by the authenticated party that can prove its identity is referred to as an authentication factor. The authentication factor may be a PIN value, a password value, a physical unclonable function value, an inherent biological feature such as a fingerprint, a face, or the like.
Two-factor authentication: two-factor authentication refers to authentication using two different authentication factors. Single factor authentication refers to authentication using a single authentication factor. With the popularization of remote services, the requirements of people on security are gradually increased, and the security strength of single-factor authentication may not meet the requirements. Thus, two-factor authentication is increasingly being considered for application by some authentication schemes. Two-factor authentication is more secure than single-factor authentication. This has the advantage that when one of the two authentication factors is obtained by an adversary, the other can still guarantee the security of the protocol.
Client-server authentication system: there is one user and one server in the system. The user obtains the service by authenticating with the server using the client device. The server authenticates the identity of the user by executing an authentication protocol and provides services to the authenticated user.
Attack behavior of adversaries: two categories can be distinguished based on the nature of adversary attack.
(1) Passive attack: an adversary can observe every message or data sent or received in a communication, but cannot update or modify them, such as eavesdropping, which acts as a passive attack;
(2) Active attack: an adversary may modify, replay, intercept, etc., messages transmitted in the channel.
Security model
In the client-server authentication system, according to the role of adversaries, in combination with the nature of the above-described attack, adversaries can be subdivided into three types:
(1) Malicious server: aiming at a certain client, a malicious server tries to acquire privacy information of a user related to an authentication factor in some modes of active attack, passive attack and the like;
(2) Honest but curious servers: aiming at a certain client, the honest but curious server normally executes a protocol, tries to learn the privacy information of the other party in the process of normally executing the protocol, but does not initiate malicious active attack;
(3) Malicious users: the malicious user can not only attack passively, but also launch malicious active attack to the server, and even steal part of the authentication factors (but not all the authentication factors) of the target user, thereby realizing the purpose of impersonating the identity of the target user to realize authentication;
From these three types of adversary, the following two security models and security goals can be obtained:
Model 1: the adversary may be a malicious server or a malicious user.
Model 2: the adversary may be an honest but curious server, or a malicious user.
Security goal: when the adversary is a malicious server or an honest but curious server, the aim of the double-factor authentication is that the adversary cannot obtain secret information supporting the user's authentication factors; when the adversary is a malicious user, the aim of the two-factor authentication is that the adversary cannot impersonate other legitimate users to pass the authentication.
Model 1 is stronger than Model 2, as follows from the definition of the adversary types.
The following specifically describes a specific application scenario of the present application. The application can be applied to the scenes of electronic commerce, online banking and the like, and the user can obtain the service through the double-factor authentication. The user can pass the authentication only by holding two authentication factors at the same time, and when one authentication factor is stolen by an adversary and the other authentication factor is missing, the authentication cannot be passed. Compared with single-factor authentication, the double-factor authentication can greatly improve the authentication threshold and prevent the unauthorized user from abusing the rights of the authorized user.
After intensive research and analysis, the inventor creatively provides a novel double-factor authentication method and system aiming at the technical problems in the background technology. The application designs a novel efficient two-factor authentication protocol based on biological information and public key technology.
The two factors in the application are as follows: one authentication factor is the biometric information of the user; the other authentication factor is the user's private key $sk_c$.
The two-factor authentication protocol of the application considers a stronger security model (a server initiates malicious active attack), and the authentication effect to be realized is as follows:
1. The legitimate user holds two authentication factors, the biological characteristic information and the private key, and with the help of these two authentication factors the user can authenticate their identity to the server;
2. The adversary steals one authentication factor of the user (possibly the biometric authentication factor of the user, or the private key authentication factor of the user, but not both), and the missing other authentication factor can ensure that the adversary cannot impersonate the user to the server to realize authentication.
3. A malicious server may conduct a malicious active attack but still may not obtain any secret information of the user that supports the authentication factor.
Therefore, the double-factor authentication is a safer and more efficient identity authentication mode, and can effectively defend malicious attacks. In practical applications, the authentication protocol may be applied to various scenarios, such as identity authentication in the fields of finance, e-commerce, internet of things, etc.
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
A first embodiment of the present application relates to a two-factor authentication method, the flow of which is shown in fig. 3, the method comprising the steps of:
Step 110: the server calls the key generation algorithm of a public key encryption scheme to generate a pair of first public and private keys, samples a robust hash function that preserves predicate relations (RPPH) to obtain h, sets h as a system parameter, and stores the first public and private keys and h;
Step 120: in the user registration stage, the user generates a pair of second public and private keys by using the key generation algorithm of the public key encryption scheme, samples their own biological characteristics, carries out a hash operation on the biological authentication factor w, and sends the identity identifier of the user, the hash value obtained from hashing the biological authentication factor w, and the public key generated by the user to the server, while the user stores the other authentication factor, the private key;
Step 130: in the user authentication phase, semantically secure public key encryption is used to protect user private key information, two-factor authentication with a biological authentication factor and a private key authentication factor is used, and a robust hash function that preserves predicate relations is used to protect the biological characteristic information of the user.
Each step is specifically described below.
In step 110, the server first invokes the key generation algorithm of the public key encryption scheme to generate a pair of public and private keys $(pk_s, sk_s)$, then samples a robust hash function that preserves predicate relations (RPPH) to obtain $h$, sets $h$ as the system parameter $pp_{2fa}$, and stores the generated public and private keys $(pk_s, sk_s)$ and $h$ in the server as the basis for the subsequent two-factor authentication scheme.
Here $pk_s$ is the server-generated public key, used to encrypt challenges and verify authentication factors of users, and $sk_s$ is the server's private key, used for decrypting the received information.
In step 120, during the user registration phase, the user generates a pair of public and private keys $(pk_c, sk_c) \leftarrow \mathrm{PKE.KeyGen}(1^\lambda)$ by using the key generation algorithm of the public key encryption scheme, samples their own biometric feature $w \leftarrow \mathrm{Sample}(W)$, hashes the biometric authentication factor $w$ to obtain $h_w \leftarrow h(w)$, and sends $id_c$, $h_w$ and $pk_c$ to the server for storage, i.e. the server updates its database $DB = DB \cup \{(id_c, h_w, pk_c)\}$, while the user secretly stores the other authentication factor, the private key $sk_c$.
$w$ represents the biometric authentication factor of the user, and may refer to biometric information such as a face image, fingerprint, iris, etc. of the user. In the user registration stage, the user needs to sample their own biological source to obtain a biological authentication factor $w$, then hash $w$ to obtain $h_w$, and send $id_c$, $h_w$ and $pk_c$ to the server for storage.
$h_w$ is the hash value obtained by performing a hash operation on the biometric authentication factor $w$. Specifically, $h_w = h(w)$, where $h$ is a hash function. $id_c$ refers to the identity of the user. $pk_c$ is the public key generated by user $id_c$ for encrypting and transmitting biometric authentication factors to the server.
$sk_c$ is the user-generated private key authentication factor, used to decrypt the challenge number sent by the server during authentication in order to generate a response. The private key authentication factor is stored in secret by the user, and only the user knows its value, so that other people cannot obtain it.
Step 130: user authentication phase: the user requests a service from the server and sends a Request message $(id_c)$ to the server. The server obtains $(id_c, h_w, pk_c)$ from the database, randomly generates the challenge number $r$, encrypts the challenge number $r$ with the user public key to obtain the ciphertext $c_r$, and sends the ciphertext $c_r$ to the user to prevent replay attacks. The user decrypts $c_r$ using the private key authentication factor to obtain $r'$, samples their own biometric source to obtain a biometric authentication factor $w'$, encrypts $(h(w') + r)$ using the public key of the server to obtain the ciphertext $c_w$, and transmits the ciphertext to the server. The server decrypts $c_w$ to get $m$, and calculates $b = \mathrm{RPPH.Eval}(h, h_w, m - r)$ using the robust hash function RPPH that preserves predicate relations to get the authentication result $b$. If $b = 1$, authentication passes; otherwise authentication fails.
Here, $(id_c, \mathrm{Request})$ is the Request message sent when a user requests a service from the server, where $id_c$ represents the identity of the user and Request represents the request content of the user. $r$ is the challenge number that the server randomly generates in step 134 below, used to prevent replay attacks. $c_r$ is the ciphertext of the challenge number $r$, generated by the server by encrypting with the user's public key. In step 134 below, the server randomly generates a challenge number $r$, which is then encrypted using the user's public key to obtain $c_r$, which is sent to the user. The user needs to decrypt it using their own private key authentication factor to obtain the real challenge number $r'$ for authentication in the subsequent step. This approach can resist replay attacks because a malicious attacker cannot learn the real challenge number $r$ and thus cannot reuse a previous authentication request. $c_w$ is the ciphertext of the biometric authentication factor $h(w') + r$ encrypted by the server using the public key, where $h(w')$ is the biometric authentication factor obtained by the user sampling and hashing their own biometric source in step 120 above, and $r$ is the challenge number uniformly and randomly generated by the server in step 134 below. $m$ is the plaintext obtained after decryption with the user's private key authentication factor, specifically $m = \mathrm{Dec}(sk_c, c_w)$. $b$ is a Boolean value indicating the authentication result: if $b$ is 1, authentication has passed; otherwise authentication has failed.
The step embodies the characteristics of 'protecting user private key information by using a semantic safe public key encryption scheme so as to resist malicious server attack', 'resisting malicious user attack by using double-factor authentication of a biological authentication factor and a private key authentication factor', and 'protecting biological characteristic information of a user by using a hash function with robustness and a reserved predicate relation'.
Optionally, the present step further comprises the sub-steps of:
Step 132: the user requests a service from the server and sends a Request message $(id_c, \mathrm{Request})$ to the server;
Step 134: the server first obtains the biometric authentication factor $h_w$ and the public key $pk_c$ corresponding to the user identifier $id_c$ from the database, then randomly generates a challenge number $r$, encrypts the challenge number $r$ by using the user public key $pk_c$ to obtain the encrypted ciphertext $c_r$, and sends the ciphertext $c_r$ to the user for use in the next part of the authentication process. The purpose of this step is to prevent replay attacks while protecting the challenge number $r$ against malicious server attacks using a semantically secure public key encryption scheme.
Step 136: after receiving the ciphertext $c_r$, the user first decrypts the ciphertext $c_r$ by using the private key authentication factor $sk_c$ to obtain a challenge number $r'$, then samples their biological source to obtain a biological authentication factor $w'$, then encrypts $h(w') + r'$ by using the public key of the server to obtain a ciphertext $c_w$, and sends the ciphertext $c_w$ to the server.
Here $h(w')$ represents the result of the hash operation on the biometric authentication factor $w'$. In step 120, the user hashes the biometric authentication factor $w$ to obtain $h_w$, and in step 136, the user hashes the sampled biometric authentication factor $w'$ to obtain $h(w')$, adds $h(w')$ to the challenge number $r$, and encrypts the result with the public key of the server to obtain the ciphertext $c_w$.
The step embodies a 'public key encryption scheme using semantic security to protect user private key information, thereby resisting malicious server attacks'. In this step, the user decrypts the challenge number using its own private key authentication factor, and the challenge number is sent to the user in a form encrypted by the public key at the server side. Since public key encryption is semantically secure, i.e. encrypted ciphertext does not leak any information about plaintext, a malicious server cannot learn a user private key authentication factor, and thus cannot attack by replacing the challenge number.
Furthermore, the step also shows that 'the malicious user attack is resisted by using the double-factor authentication of the biological authentication factor and the private key authentication factor', wherein the user uses the private key authentication factor to decrypt and sample the biological source to obtain the biological authentication factor, and the two factors are combined together to authenticate, so as to ensure that the authentication request comes from a legal user.
Step 138: the server first decrypts the ciphertext $c_w$ using the private key authentication factor $sk_c$ to obtain the plaintext $m$. Then, the server invokes the Eval algorithm of the hash function RPPH and calculates an authentication result $b$ from the system parameter $h$, the biometric authentication factor hash value $h_w$, the plaintext $m$ and the challenge number $r$. If $b = 1$, authentication passes; otherwise, authentication fails. This step protects the biometric information of the user with a robust predicate-relation-preserving hash function, thereby avoiding the risk of the biometric information being compromised.
The technical effects are as follows:
According to the technical scheme, the two-factor authentication scheme based on biological information and public key encryption aims at improving the security and the efficiency of authentication. The scheme uses a semantically secure public key encryption scheme and a robust hash function retaining predicate relationships to implement the authentication process and has the ability to resist replay attacks and malicious server attacks. Specifically, the scheme resists replay attack by the server randomly generating the challenge number in the second step and encrypting the transmission using the user public key; and uses two-factor authentication of the biometric authentication factor and the private key authentication factor to resist malicious user attacks. Meanwhile, the scheme uses a robust hash function for preserving predicate relations to protect the biometric information of the user, and uses a semantic security public key encryption scheme to protect the private key information of the user, so that the malicious server attack is resisted. The efficiency of this scheme is also optimized, which is higher than a scheme using homomorphic encryption.
In order to better understand the technical solution of the present application, the following description is given with reference to a specific example, in which details are listed mainly for the purpose of understanding, and are not intended to limit the scope of protection of the present application.
In this example, a specific configuration of the two-factor authentication protocol based on the biometric information and the public key technique is as described in fig. 4.
The definition of a robust predicate-relation-preserving hash (Robust Property-Preserving Hash, RPPH) is explained below.
Definition 1 [robust predicate-relation-preserving hash (Robust Property-Preserving Hash, RPPH)]: for a two-input predicate relation $P: \{0,1\}^n \times \{0,1\}^n \to$ {0,1, ∈ }, a robust predicate-relation-preserving hash family is a family of efficiently computable functions that has the following two algorithms and satisfies compressibility, correctness and robustness.
RPPH algorithms:
Sample($\lambda$) → $h$: a polynomial-time algorithm that outputs a random hash function $h$;
Eval($h, y_1, y_2$) → 0/1: a deterministic polynomial-time algorithm that, given the input $h \in H$ and $y_1, y_2 \in \{0,1\}^m$, outputs a single bit.
Compressibility of RPPH: the length n of the hash input needs to be larger than the output length m.
Correctness of PPH: for a pair ofThe following holds:
RPPH robustness: to any polynomial adversary Is formally established
In this example, the inventors consider predicate relationships for hamming distances. For the following0 < T < n, two-input Hamming distance predicate relationship HAM n,t,(x1,x2) is defined as
An efficient construction of RPPH for the Hamming distance predicate relationship is given in reference [2] (Justin Holmgren, Minghao Liu, LaKyah Tyner, Daniel Wichs: Nearly Optimal Property Preserving Hashing. CRYPTO (3) 2022: 473-502).
A specific construction is shown in fig. 4, where H is a hash function.
In other words, RPPH is a robust predicate-relation-preserving hash function family that is efficiently computable and has compressibility, correctness, and robustness. Specifically, the RPPH family consists of two algorithms: Sample and Eval. The Sample algorithm is a polynomial-time algorithm that generates a random hash function $h$. The Eval algorithm is a deterministic polynomial-time algorithm that outputs a single bit given the inputs $h \in H$ and $y_1, y_2 \in \{0,1\}^m$. RPPH has compressibility, namely the length $n$ of the hash input needs to be larger than the output length $m$; correctness, namely, for any input $x_1, x_2 \in \{0,1\}^n$, the correctness of the algorithm's output is ensured; and robustness, namely, against arbitrary polynomial adversaries the robustness of the algorithm's output is guaranteed. In this example, RPPH is applied to the Hamming distance predicate relationship HA and is implemented by the efficient construction method in reference [2].
The two-factor authentication scheme based on biological information and public key technology in this example uses two tools, RPPH and public key encryption, as follows:
Step 210: system initialization: see the 2FA.Setup algorithm in fig. 4. The server calls the key generation algorithm of the public key encryption scheme to generate a pair of public and private keys $(pk_s, sk_s) \leftarrow \mathrm{PKE.KeyGen}(1^\lambda)$, samples RPPH to obtain $h \leftarrow \mathrm{RPPH.Sample}(1^\lambda)$, sets the system parameters as $pp_{2fa} = h$, and stores $(pk_s, sk_s)$ and $h$.
That is, in step 210, the server first invokes the key generation algorithm of the public key encryption scheme to generate a pair of public and private keys $(pk_s, sk_s)$, then samples the robust predicate-relation-preserving hash function (RPPH) to obtain $h$, sets $h$ as the system parameter $pp_{2fa}$, and stores the generated public and private keys $(pk_s, sk_s)$ and $h$ in the server as the basis of the subsequent two-factor authentication scheme.
Here $pk_s$ is a server-generated public key used to encrypt challenges and verify authentication factors of users, and $sk_s$ is the server's private key for decrypting the received information.
Step 220: user registration stage: see the 2FA.Enroll algorithm in fig. 4. The user $id_c$ calls the key generation algorithm of the public key encryption scheme to generate a pair of public and private keys $(pk_c, sk_c) \leftarrow \mathrm{PKE.KeyGen}(1^\lambda)$, then samples his or her own biological source, $w \leftarrow \mathrm{Sample}(W)$, and hashes the biometric authentication factor $w$ to obtain $h_w \leftarrow h(w)$. $id_c$, $h_w$ and $pk_c$ are sent to the server for storage, i.e. the server lets $DB = DB \cup \{(id_c, h_w, pk_c)\}$, and the user secretly stores the other authentication factor, the private key authentication factor $sk_c$.
That is, in the user registration stage, the user generates a pair of public and private keys $(pk_c, sk_c) \leftarrow \mathrm{PKE.KeyGen}(1^\lambda)$ using the key generation algorithm of the public key encryption scheme, samples his or her own biometric feature, $w \leftarrow \mathrm{Sample}(W)$, hashes the biometric authentication factor $w$ to obtain $h_w \leftarrow h(w)$, and sends $id_c$, $h_w$ and $pk_c$ to the server for storage, that is, the server updates the database $DB = DB \cup \{(id_c, h_w, pk_c)\}$, while the user secretly stores the other authentication factor, the private key authentication factor $sk_c$.
Here $w$ represents a biometric authentication factor of the user, and may refer to biometric information such as a face image, fingerprint or iris of the user. In the user registration stage, the user samples his or her own biological source to obtain a biometric authentication factor $w$, then hashes $w$ to obtain $h_w$, and sends $id_c$, $h_w$ and $pk_c$ to the server for storage.
$h_w$ is the hash value obtained by performing a hash operation on the biometric authentication factor $w$. Specifically, $h_w = h(w)$, where $h$ is a hash function. $id_c$ is the identity of the user. $pk_c$ is a public key generated by user $id_c$ for encrypting and transmitting biometric authentication factors to the server.
$sk_c$ is a user-generated private key authentication factor used to decrypt the challenge number sent by the server during authentication in order to generate a response. The private key authentication factor is stored in secret by the user, and only the user knows its value, so that other people cannot obtain it.
Step 230: user authentication phase: see the protocol in FIG. 4.
In the user authentication stage, the user requests a service from the server and sends a Request message $(id_c, \mathrm{Request})$ to the server. The server obtains $(id_c, h_w, pk_c)$ from the database, randomly generates the challenge number $r$, encrypts $r$ with the user public key to obtain the ciphertext $c_r$, and sends $c_r$ to the user to prevent replay attacks. The user decrypts $c_r$ using the private key authentication factor to obtain $r'$, samples his or her own biological source to obtain a biometric authentication factor $w'$, encrypts $(h(w') + r)$ using the public key of the server to obtain the ciphertext $c_w$, and transmits the ciphertext to the server. The server decrypts $c_w$ to get $m$, and calculates $b = \mathrm{RPPH.Eval}(h, h_w, m - r)$ using the robust predicate-relation-preserving hash function RPPH to get the authentication result $b$. If $b = 1$, authentication passes; otherwise authentication fails.
Here $(id_c, \mathrm{Request})$ is the Request message sent when a user requests a service from the server, where $id_c$ represents the identity of the user and Request represents the request content of the user. $r$ is the challenge number that the server randomly generates in step 234 below to prevent replay attacks. $c_r$ is the ciphertext of the challenge number $r$, generated by the server by encrypting with the public key of the user. In step 234 below, the server randomly generates a challenge number $r$, which is then encrypted using the user's public key to obtain $c_r$, which is sent to the user. The user needs to decrypt it with his or her own private key authentication factor to obtain the real challenge number $r'$ for authentication in the subsequent step. This approach can resist replay attacks because a malicious attacker cannot learn the real challenge number $r$ and thus cannot reuse a previous authentication request. $c_w$ is the ciphertext of $h(w') + r$ encrypted with the server's public key, where $h(w')$ is the biometric authentication factor obtained by the user sampling and hashing his own biometric source in step 220 above, and $r$ is the challenge number uniformly and randomly generated by the server in step 234 below. $m$ is the plaintext obtained after decryption by the user's private key authentication factor, specifically, $m = \mathrm{Dec}(sk_c, c_w)$. $b$ is a boolean value indicating the authentication result: if $b$ is 1, authentication passes; otherwise authentication fails.
The step embodies the characteristics of 'protecting user private key information by using a semantic safe public key encryption scheme so as to resist malicious server attack', 'resisting malicious user attack by using double-factor authentication of a biological authentication factor and a private key authentication factor', and 'protecting biological characteristic information of a user by using a hash function with robustness and a reserved predicate relation'.
Step 230 further includes steps 232-238, which are specifically as follows:
Step 232: the user requests a service from the server and sends a Request message $(id_c, \mathrm{Request})$ to the server;
Step 234: after receiving the Request message $(id_c, \mathrm{Request})$, the server first retrieves $(id_c, h_w, pk_c)$ from its database DB, then uniformly at random generates the challenge number $r \leftarrow_{\$} \{0,1\}^\lambda$, encrypts it with the user's public key to obtain $c_r \leftarrow \mathrm{Enc}(pk_c, r)$, and sends it to the user.
That is, the server first acquires the biometric authentication factor $h_w$ and the public key $pk_c$ corresponding to the user $id_c$ from the database, then randomly generates a challenge number $r$, encrypts it using the user public key $pk_c$ to obtain the ciphertext $c_r$, and transmits $c_r$ to the user for the user's subsequent authentication process. The purpose of this step is to prevent replay attacks while protecting the challenge number $r$ against malicious server attacks using a semantically secure public key encryption scheme.
Step 236: after receiving the message $c_r$, the user decrypts it with the private key authentication factor to obtain $r' \leftarrow \mathrm{Dec}(sk_c, c_r)$ and samples the biological source to obtain the biometric authentication factor $w'$. Encrypting $(h(w') + r)$ with the public key of the server yields $c_w \leftarrow \mathrm{Enc}(pk_s, h(w') + r')$, and $c_w$ is sent to the server.
That is, after receiving the ciphertext $c_r$, the user first decrypts $c_r$ using the private key authentication factor $sk_c$ to obtain the challenge number $r'$, then samples his or her own biological source to obtain the biometric authentication factor $w'$, then encrypts $h(w') + r'$ using the public key of the server to obtain the ciphertext $c_w$, and sends $c_w$ to the server.
Here $h(w')$ denotes the result of hashing the biometric authentication factor $w'$. In step 220, the user hashes the biometric authentication factor $w$ to obtain $h_w$; in step 236, the user hashes the freshly sampled biometric authentication factor $w'$ to obtain $h(w')$, adds $h(w')$ to the challenge number, and encrypts the sum with the public key of the server to obtain the ciphertext $c_w$.
The step embodies a 'public key encryption scheme using semantic security to protect user private key information, thereby resisting malicious server attacks'. In this step, the user decrypts the challenge number using its own private key authentication factor, and the challenge number is sent to the user in a form encrypted by the public key at the server side. Since public key encryption is semantically secure, i.e. encrypted ciphertext does not leak any information about plaintext, a malicious server cannot learn a user private key authentication factor, and thus cannot attack by replacing the challenge number.
Furthermore, the step also shows that 'the malicious user attack is resisted by using the double-factor authentication of the biological authentication factor and the private key authentication factor', wherein the user uses the private key authentication factor to decrypt and sample the biological source to obtain the biological authentication factor, and the two factors are combined together to authenticate, so as to ensure that the authentication request comes from a legal user.
Step 238: after receiving $c_w$, the server first decrypts it to obtain $m \leftarrow \mathrm{Dec}(sk_c, c_w)$, and then runs $b \leftarrow \mathrm{RPPH.Eval}(h, h_w, m - r)$ to obtain the authentication result $b$. If $b = 1$, authentication passes; otherwise, authentication fails.
That is, the server first decrypts the ciphertext $c_w$ using the private key authentication factor $sk_c$, resulting in the plaintext $m$. Then, the server invokes the Eval algorithm of the hash function RPPH and calculates an authentication result $b$ from the system parameter $h$, the biometric authentication factor hash value $h_w$, the plaintext $m$ and the challenge number $r$. If $b = 1$, authentication passes; otherwise, authentication fails. This step protects the biometric information of the user with a robust predicate-relation-preserving hash function, thereby avoiding the risk of the biometric information being compromised.
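The message flow of steps 210 to 238, as an added example that is not code from the patent: it runs setup, enrolment and four authentication attempts (genuine, replayed response, private key only, biometric only). Assumptions: toy hashed ElGamal stands in for PKE, a linear syndrome sketch that is not robust and is not the construction of reference [2] stands in for RPPH, "+" and "−" are taken as XOR on m-bit strings, and the server decrypts $c_w$ with its own private key $sk_s$; all function and class names are hypothetical.

```python
import hashlib
import secrets
from functools import reduce
from itertools import combinations
from operator import xor

# Demo parameters (assumptions: toy sizes, not a vetted group or code).
P, G = 2**255 - 19, 2            # modulus and base for hashed ElGamal
N_BITS, M_BITS, T = 128, 64, 2   # template length n, sketch length m < n, threshold t


def keygen():
    """PKE.KeyGen: returns (pk, sk)."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk


def _pad(shared):
    digest = hashlib.sha256(shared.to_bytes(32, "big")).digest()
    return int.from_bytes(digest[: M_BITS // 8], "big")


def enc(pk, msg):
    """PKE.Enc: a fresh k per call, so equal plaintexts give different ciphertexts."""
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), msg ^ _pad(pow(pk, k, P))


def dec(sk, ct):
    c1, c2 = ct
    return c2 ^ _pad(pow(c1, sk, P))


def rpph_sample():
    """Stand-in for RPPH.Sample: N_BITS random columns of M_BITS bits each."""
    return [secrets.randbits(M_BITS) for _ in range(N_BITS)]


def rpph_hash(h, x):
    """h(x): XOR of the columns selected by the set bits of x (linear over GF(2))."""
    return reduce(xor, (col for i, col in enumerate(h) if (x >> i) & 1), 0)


def rpph_eval(h, y1, y2):
    """Stand-in for RPPH.Eval: 1 iff y1 ^ y2 is explained by at most T bit flips."""
    diff = y1 ^ y2
    for weight in range(T + 1):
        if any(reduce(xor, cols, 0) == diff for cols in combinations(h, weight)):
            return 1
    return 0


class Server:
    def __init__(self):                    # step 210, 2FA.Setup
        self.pk, self.sk = keygen()        # (pk_s, sk_s)
        self.h = rpph_sample()             # pp_2fa = h
        self.db, self.pending = {}, {}     # id_c -> (h_w, pk_c); id_c -> open challenge r

    def enroll(self, id_c, h_w, pk_c):     # step 220: server never sees w or sk_c
        self.db[id_c] = (h_w, pk_c)

    def challenge(self, id_c):             # step 234
        r = secrets.randbits(M_BITS)
        self.pending[id_c] = r
        return enc(self.db[id_c][1], r)    # c_r = Enc(pk_c, r)

    def verify(self, id_c, c_w):           # step 238
        r = self.pending.pop(id_c, None)   # each challenge is usable once
        if r is None:
            return 0
        m = dec(self.sk, c_w)              # assumption: decrypt with sk_s
        return rpph_eval(self.h, self.db[id_c][0], m ^ r)   # Eval(h, h_w, m - r)


def respond(sk_c, pk_s, h, c_r, w_prime):  # step 236, user side
    r_prime = dec(sk_c, c_r)
    return enc(pk_s, rpph_hash(h, w_prime) ^ r_prime)   # c_w = Enc(pk_s, h(w') + r')


def demo():
    server = Server()
    pk_c, sk_c = keygen()
    w = secrets.randbits(N_BITS)           # constructed enrolment template
    server.enroll("alice", rpph_hash(server.h, w), pk_c)
    noisy = w ^ 0b101                      # fresh sample, two bits of noise

    c_w = respond(sk_c, server.pk, server.h, server.challenge("alice"), noisy)
    genuine = server.verify("alice", c_w)
    server.challenge("alice")              # new session, new r
    replay = server.verify("alice", c_w)   # old response against the new r
    other = secrets.randbits(N_BITS)       # holder of sk_c with a different biometric
    key_only = server.verify(
        "alice", respond(sk_c, server.pk, server.h, server.challenge("alice"), other))
    _, wrong_sk = keygen()                 # right biometric, wrong private key
    bio_only = server.verify(
        "alice", respond(wrong_sk, server.pk, server.h, server.challenge("alice"), noisy))
    return {"genuine": genuine, "replay": replay,
            "key_only": key_only, "biometric_only": bio_only}
```

Only the genuine attempt returns 1; the other three fail because the value handed to Eval is $h(w') + r' - r$, which matches $h_w$ only when both the decrypted challenge and the sampled biometric are right.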
The technical effects are as follows:
As described above, the scheme based on homomorphic encryption in the prior art has the following technical problems: cannot resist replay attacks; cannot resist malicious server attacks; and is less efficient. Compared with the prior art, the technical scheme of the application can resist replay attack, can resist malicious servers to attack, and has higher efficiency. The method comprises the following steps:
First, high security: the security of the authentication protocol of the present application is described in four cases:
The server challenges in the second step with a freshness number $r$ (i.e., the challenge number $r$), so that each challenge is different. If the adversary wants to pass the authentication, the adversary must make a correct response to the freshness number, so the adversary cannot pass the authentication by replaying a message;
The adversary obtains only the user's private key authentication factor, but has neither the user's other authentication factor, the biometric characteristic, nor the server's secret information: in this case, since the adversary does not have the biometric information of the user, even if the random number $r$ given by the server is decrypted with the private key, the value of $h_w$ cannot be forged or guessed, and thus a ciphertext $c_w$ that can pass the authentication cannot be produced;
The adversary obtains only the biometric authentication factor of the user, but has neither the user's other authentication factor, the private key, nor the secret information of the server: in this case, since the adversary does not have the private key of the user, by the security definition of the semantically secure public key encryption scheme the adversary cannot correctly decrypt the value of the random number $r$, and cannot produce a ciphertext $c_w$ that can pass the authentication;
For a malicious server, the server has its own secret information, but not the private key or the biological information of the user: in this case, since the server does not have the private key of the user, even if the server performs active and passive attacks, it cannot obtain the secret information of the target user from them, by the security of the semantically secure public key encryption scheme and the one-wayness of RPPH.
Therefore, compared with the existing homomorphic encryption-based scheme, the method and the device can resist attacks by malicious servers.
Second, efficiency: compared with the prior scheme based on homomorphic encryption, the authentication method has higher efficiency.
The proposed construction is based on a semantically secure public key encryption (PKE) scheme and a robust predicate-relation-preserving hash function (RPPH). PKE can be instantiated in many ways, such as the ElGamal encryption scheme; RPPH can be instantiated from efficiently encodable and decodable error-correcting codes and collision-resistant hash functions, such as the construction in reference 2 (Justin Holmgren, Minghao Liu, LaKyah Tyner, Daniel Wichs: Nearly Optimal Property Preserving Hashing. CRYPTO (3) 2022: 473-502). The scheme of the prior reference 2 (Jong-Hyuk Im, Seong-Yun Jeon, Mun-Kyu Lee: Practical Privacy-Preserving Face Authentication for Smartphones Secure Against Malicious Clients. IEEE Trans. Inf. Forensics Secur. 15: 2386-2401 (2020)) relates to secondary homomorphic encryption, and has low efficiency.
Third, scalability: can be further extended to two-way authentication: the authentication method of the application realizes the authentication of the server to the user, and is one-way authentication. In the second step of the protocol, the server may sign the message it sent and the user verifies the message signature. Therefore, the authentication of the user to the server can be realized, and further, the authentication of the two parties is realized.
In addition, the embodiment of the application also provides a two-factor authentication system, which comprises a memory for storing computer executable instructions and a processor; the processor is configured to implement the steps of the method embodiments described above when executing computer-executable instructions in the memory. The processor may be a central processing unit (Central Processing Unit, abbreviated as "CPU"), another general purpose processor, a digital signal processor (Digital Signal Processor, abbreviated as "DSP"), an application specific integrated circuit (Application Specific Integrated Circuit, abbreviated as "ASIC"), etc. The aforementioned memory may be a read-only memory (ROM), a random access memory (RAM), a flash memory (Flash), a hard disk, a solid state disk, or the like. The steps of the method disclosed in the embodiments of the present application may be directly embodied in a hardware processor for execution, or may be executed by a combination of hardware and software modules in the processor.
It should be noted that in the present patent application, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element. In the present patent application, if it is mentioned that an action is performed according to an element, it means that the action is performed at least according to the element, and two cases are included: the action is performed solely on the basis of the element, and the action is performed on the basis of the element and other elements. Expressions such as "a plurality of", "multiple times" and "multiple kinds" include 2, 2 times and 2 kinds, as well as 2 or more, 2 or more times and 2 or more kinds.
All references mentioned in this disclosure are to be considered as being included in the disclosure of the application in its entirety so that modifications may be made as necessary. Further, it is understood that various changes or modifications of the present application may be made by those skilled in the art after reading the above disclosure, and such equivalents are intended to fall within the scope of the application as claimed.
Claims (10)
1. A two-factor authentication method, comprising:
step A: the server calls a key generation algorithm of a public key encryption scheme to generate a pair of first public and private keys, samples a hash function with robustness and a predicate relation, obtains h, sets the h as a system parameter, and stores the first public and private keys and h;
Step B: in a user registration stage, a user generates a pair of second public and private keys by using a key generation algorithm of a public key, samples own biological characteristics, carries out hash operation on a biological authentication factor w, and sends an identity identifier of the user, a hash value obtained after carrying out hash operation on the biological authentication factor w and the public key generated by the user to the server, and meanwhile, the user stores another private key authentication factor;
Step C: in the user authentication phase, public key encryption with semantic security is used to protect user private key information, two-factor authentication of a biological authentication factor and a private key authentication factor is used, and a hash function with robustness and a predicate relation is reserved to protect biological characteristic information of a user.
2. The method of claim 1, wherein in the step A, the server first invokes a key generation algorithm of a public key encryption scheme to generate a pair of public and private keys $(pk_s, sk_s)$, then samples a robust predicate-relation-preserving hash function (RPPH) to obtain $h$, sets $h$ as a system parameter $pp_{2fa}$, and stores the generated public and private keys $(pk_s, sk_s)$ and $h$ in the server, where $pk_s$ is a public key generated by the server for encrypting challenges and verifying authentication factors of users, and $sk_s$ is a private key of the server for decrypting received information.
3. The method of claim 2, wherein in the step B, the user generates a pair of public and private keys $(pk_c, sk_c) \leftarrow \mathrm{PKE.KeyGen}(1^\lambda)$ by using a key generation algorithm of the public key, samples the user's own biometric feature, $w \leftarrow \mathrm{Sample}(W)$, hashes the biometric authentication factor $w$ to obtain $h_w \leftarrow h(w)$, and sends $id_c$, $h_w$ and $pk_c$ to the server for storage, and simultaneously, the user stores another private key authentication factor $sk_c$, wherein $id_c$ represents an identity identifier of the user, $w$ represents a biometric authentication factor of the user, $h_w$ represents the hash value obtained by hashing the biometric authentication factor $w$, $pk_c$ represents a public key generated by the user, and $sk_c$ represents a private key authentication factor generated by the user.
4. A method according to claim 3, wherein the private key authentication factor is stored securely by the user, only the user knowing its value and not available to others.
5. A method according to claim 3, wherein the biometric authentication factor of the user is one or any combination of the following: the face image of the user, the fingerprint of the user and the iris of the user.
6. A method according to claim 3, wherein in the step C, the user requests a service from a server; the server obtains $(id_c, h_w, pk_c)$ from a database, generates a challenge number $r$, encrypts it with the public key of the user to obtain a ciphertext $c_r$ and sends the ciphertext $c_r$ to the user; the user decrypts the ciphertext $c_r$ with a private key authentication factor to obtain $r'$, samples the user's own biological source to obtain a biometric authentication factor $w'$, encrypts $(h(w') + r)$ with the public key of the server to obtain a ciphertext $c_w$, and sends the ciphertext $c_w$ to the server; and the server decrypts $c_w$ to obtain plaintext $m$ and calculates $b = \mathrm{RPPH.Eval}(h, h_w, m - r)$ with a robust predicate-relation-preserving hash function RPPH to obtain the authentication result $b$.
7. The method of claim 6, wherein if b = 1, the authentication passes, otherwise the authentication fails.
8. The method of claim 6, wherein said step C further comprises the steps of:
The user requests a service from a server and sends a Request message $(id_c, \mathrm{Request})$ to the server;
The server firstly acquires a biometric authentication factor $h_w$ and a public key $pk_c$ corresponding to a user identity identifier $id_c$ from a database, then randomly generates a challenge number $r$, encrypts the challenge number $r$ by using the user public key $pk_c$ to obtain an encrypted ciphertext $c_r$, and transmits the ciphertext $c_r$ to a user;
After receiving the ciphertext $c_r$, the user firstly decrypts the ciphertext $c_r$ by using the private key authentication factor $sk_c$ of the user to obtain a challenge number $r'$, then samples the biological source of the user to obtain a biometric authentication factor $w'$, then encrypts $h(w') + r'$ by using the public key of the server to obtain a ciphertext $c_w$, and sends the ciphertext $c_w$ to the server, wherein $h(w')$ represents the result obtained by carrying out hash operation on the biometric authentication factor $w'$;
The server firstly decrypts the ciphertext $c_w$ by using the private key authentication factor $sk_c$ to obtain a plaintext $m$, and the server calls an Eval algorithm of the hash function RPPH to calculate an authentication result $b$ by using the system parameter $h$, the biometric authentication factor hash value $h_w$, the plaintext $m$ and the challenge number $r$.
9. A two-factor authentication system, comprising:
A memory for storing computer executable instructions; and
A processor for implementing the steps in the method of any one of claims 1 to 8 when executing the computer executable instructions.
10. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor implement the steps of the method of any of claims 1 to 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310442049.1A CN118842600A (en) | 2023-04-23 | 2023-04-23 | Double-factor authentication method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118842600A true CN118842600A (en) | 2024-10-25 |
Family
ID=93143124
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310442049.1A Pending CN118842600A (en) | 2023-04-23 | 2023-04-23 | Double-factor authentication method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118842600A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication |