CN102739660A - Key exchange method for single sign on system - Google Patents

Key exchange method for single sign on system

Info

Publication number
CN102739660A
Authority
CN
China
Prior art keywords
key
data
transmit leg
key exchange
recipient
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012102003202A
Other languages
Chinese (zh)
Other versions
CN102739660B (en)
Inventor
赵淦森
巴钟杰
李子柳
李惊生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
South China Normal University
GCI Science and Technology Co Ltd
Original Assignee
South China Normal University
GCI Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by South China Normal University and GCI Science and Technology Co Ltd
Priority to CN201210200320.2A
Publication of CN102739660A
Application granted
Publication of CN102739660B
Legal status: Active
Anticipated expiration

Abstract

The invention discloses a key exchange method for a single sign-on system. The method applies to key exchange between a sender and a recipient that interact in an identity authentication request or a service request. Using the key shared between the sender and the recipient, the method performs an HMAC (Hash Message Authentication Code) operation on the extra information of the interaction to obtain second data, and sends the recipient the third data obtained by XORing the second data with the key to be exchanged. The recipient performs an HMAC operation on the received first data with its local shared key to obtain the second data, then XORs the computed second data with the received third data to obtain the key sent by the sender. The method reduces the complexity of the key exchange algorithm, supports the exchange of long keys while keeping the key exchange timely, ensures the security of the key exchange, and suits key exchange between thin terminals.

Description

A key exchange method for a single sign-on system
Technical field
The present invention relates to single sign-on systems, and in particular to a key exchange method for a single sign-on system.
Background
Single sign-on (SSO) is one of the currently popular solutions for integrating enterprise business systems. With SSO, a user logs in once and can then access every mutually trusting application system among multiple application systems, which avoids the performance cost of verifying the user's identity on every service request. To implement single sign-on, all application systems share one identity authentication system. If a permanent key is used for a long time or too often to encrypt messages during the authentication or service interaction of a single sign-on system, an attacker can easily obtain the key, and the key is leaked.
Existing key exchange methods are generally based on the Diffie-Hellman key exchange ("D-H") protocol, a security protocol that lets two parties with no prior information about each other establish a key over an insecure channel. The key can then be used as a symmetric key to encrypt subsequent communication. Chinese invention patent application No. CN03116619.9, titled "A key exchange method based on public key certificates", discloses a session key exchange method that starts from the discrete logarithm problem over a large prime field and the D-H protocol and supplements them with a collision-resistant hash function, public key certificates and digital signatures. The D-H protocol relies on the discrete logarithm problem; if an efficient algorithm for solving discrete logarithms appeared, it could be used to simplify the computation of a or b and so solve the Diffie-Hellman problem, making Diffie-Hellman key exchange and many other public key cryptosystems insecure.
Chinese invention patent application No. CN200610103449.6, titled "Application of an elliptic curve key exchange method in MANET networks", discloses a new encryption and decryption system and key management method for MANET network security protection. That method uses an elliptic curve cryptosystem, but elliptic curve key exchange requires a large amount of computation and is not suitable for thin terminals.
Summary of the invention
The technical problem to be solved by the present invention is to provide a key exchange method for a single sign-on system that has low computational requirements and is secure.
To solve this technical problem, the invention adopts the following technical solution:
A key exchange method for a single sign-on system, applied to key exchange between a sender and a recipient that hold a shared key, the key exchange comprising the following steps:
The sender performs an HMAC operation with the shared key on the first data to be sent, obtaining second data;
The sender XORs the second data with the key to be sent, obtaining third data;
The sender sends the first data and the third data to the recipient;
The recipient performs an HMAC operation on the received first data with its local shared key, obtaining the second data;
The recipient XORs the computed second data with the received third data, obtaining the key sent by the sender.
In a further preferred embodiment, the first data is the extra information that takes part in the interaction during the key exchange.
In a further preferred embodiment, the sender or the recipient is a client or a server interacting in an identity authentication request or a service request.
Beneficial effects of the invention: the key exchange method for a single sign-on system applies to key exchange between a sender and a recipient that interact in an identity authentication request or a service request. The method uses the key shared by the sender and the recipient to perform an HMAC operation on the extra information of the interaction to obtain the second data, and sends the recipient the result of XORing the second data with the key to be exchanged. This reduces the complexity of the key exchange algorithm, supports the exchange of long keys while keeping the key exchange timely, ensures the security of the key exchange, and suits key exchange between thin terminals.
Description of drawings
Specific embodiments of the invention are further described below with reference to the accompanying drawing:
Fig. 1 is a flow chart of the steps of the key exchange method for a single sign-on system according to the invention.
Detailed description
With reference to Fig. 1, a key exchange method for a single sign-on system is applied to key exchange between a sender and a recipient, where the sender or the recipient is a client or a server interacting in an identity authentication request or a service request. For example, when the sender is the client, the recipient is the server; when the sender is the server, the recipient is the client. The key shared between the sender and the recipient is sharekey. The key exchange comprises the following steps:
The sender performs an HMAC operation with the shared key sharekey on the first data content to be sent, obtaining the second data H(sharekey, content), where H(sharekey, content) denotes the HMAC operation on the message content with sharekey as the key;
The sender XORs (⊕) the second data H(sharekey, content) with the key exchangekey to be sent, obtaining the third data H(sharekey, content) ⊕ exchangekey;
The sender sends the first data content and the third data H(sharekey, content) ⊕ exchangekey to the recipient;
The recipient performs an HMAC operation on the received first data content with its local shared key sharekey, obtaining the second data H(sharekey, content);
The recipient XORs the computed second data H(sharekey, content) with the received third data H(sharekey, content) ⊕ exchangekey, obtaining the key exchangekey sent by the sender. The computation is:
H(sharekey, content) ⊕ (H(sharekey, content) ⊕ exchangekey) → exchangekey.
Here exchangekey is the key that, after being created or learned by one party, is exchanged with or passed to the other party, and content is the extra information that takes part in the interaction throughout the key exchange. If part of content is already known (denoted share_content), the data sent by the sender can also be expressed as "partial_content, share_content_tips, H(sharekey, partial_content + share_content) ⊕ exchangekey", where share_content_tips is information indicating which shared message to use, and "+" denotes a combining operation; how the information on its left and right is organised can be decided case by case.
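The five steps and the partial_content variant described above, as an added Python example that is not code from the patent. HMAC-SHA-256, the fixed 32-byte key length, the random suffix added by fresh_content and the length-prefixed encoding of "+" are assumptions, and all sample values are constructed.

```python
import hashlib
import hmac
import secrets

DIGEST = hashlib.sha256            # assumption: the patent does not name the hash inside HMAC
MASK_LEN = DIGEST().digest_size    # 32 bytes for SHA-256


def mask(sharekey: bytes, content: bytes) -> bytes:
    """Second data: H(sharekey, content)."""
    return hmac.new(sharekey, content, DIGEST).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fresh_content(context: bytes) -> bytes:
    """First data. The mask depends only on (sharekey, content), so each
    exchange gets its own content; the random suffix is an assumption."""
    return context + secrets.token_bytes(16)


def combine(partial_content: bytes, share_content: bytes) -> bytes:
    """The "+" of the description; length-prefixing is an assumed encoding
    that keeps the boundary between the two parts unambiguous."""
    return len(partial_content).to_bytes(4, "big") + partial_content + share_content


def sender_wrap(sharekey: bytes, content: bytes, exchangekey: bytes) -> bytes:
    """Third data: H(sharekey, content) XOR exchangekey."""
    if len(exchangekey) != MASK_LEN:
        # One HMAC output masks exactly MASK_LEN bytes; zip() would truncate silently.
        raise ValueError(f"exchangekey must be {MASK_LEN} bytes")
    return xor_bytes(mask(sharekey, content), exchangekey)


def recipient_unwrap(sharekey: bytes, content: bytes, third: bytes) -> bytes:
    """Recompute the second data locally and XOR it off the third data."""
    if len(third) != MASK_LEN:
        raise ValueError(f"third data must be {MASK_LEN} bytes")
    return xor_bytes(mask(sharekey, content), third)


if __name__ == "__main__":
    sharekey = secrets.token_bytes(32)         # constructed sample values
    exchangekey = secrets.token_bytes(32)

    # Basic exchange: the sender transmits (content, third).
    content = fresh_content(b"auth-request|client-01|")
    third = sender_wrap(sharekey, content, exchangekey)
    assert recipient_unwrap(sharekey, content, third) == exchangekey

    # Variant: only partial_content and a tip travel; share_content is already known.
    known = {b"tip-1": b"previous-ticket-id"}  # hypothetical recipient-side store
    partial = fresh_content(b"service-request|")
    third = sender_wrap(sharekey, combine(partial, known[b"tip-1"]), exchangekey)
    assert recipient_unwrap(sharekey, combine(partial, known[b"tip-1"]), third) == exchangekey
    print("exchangekey recovered in both forms")
```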
The above is a detailed description of preferred embodiments of the invention, but the invention is not limited to these embodiments. Those of ordinary skill in the art can make various equivalent variations or substitutions without departing from the spirit of the invention, and all such equivalent variations or substitutions fall within the scope defined by the claims of this application.

Claims (3)

1. A key exchange method for a single sign-on system, applied to key exchange between a sender and a recipient that hold a shared key, characterized in that the key exchange comprises the following steps:
The sender performs an HMAC operation with the shared key on the first data to be sent, obtaining second data;
The sender XORs the second data with the key to be sent, obtaining third data;
The sender sends the first data and the third data to the recipient;
The recipient performs an HMAC operation on the received first data with its local shared key, obtaining the second data;
The recipient XORs the computed second data with the received third data, obtaining the key sent by the sender.
2. The key exchange method for a single sign-on system according to claim 1, characterized in that the first data is the extra information that takes part in the interaction during the key exchange.
3. The key exchange method for a single sign-on system according to claim 1, characterized in that the sender or the recipient is a client or a server interacting in an identity authentication request or a service request.
CN201210200320.2A 2012-06-16 2012-06-16 Key exchange method for single sign on system Active CN102739660B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210200320.2A CN102739660B (en) 2012-06-16 2012-06-16 Key exchange method for single sign on system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210200320.2A CN102739660B (en) 2012-06-16 2012-06-16 Key exchange method for single sign on system

Publications (2)

Publication Number Publication Date
CN102739660A true CN102739660A (en) 2012-10-17
CN102739660B CN102739660B (en) 2015-07-08

Family

ID=46994444

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210200320.2A Active CN102739660B (en) 2012-06-16 2012-06-16 Key exchange method for single sign on system

Country Status (1)

Country Link
CN (1) CN102739660B (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070022058A1 (en) * 2002-08-08 2007-01-25 Fujitsu Limited Wireless computer wallet for physical point of sale (POS) transactions
CN1832397A (en) * 2005-11-28 2006-09-13 北京浦奥得数码技术有限公司 Authorization key, consultation and update method based on common key credentials between interface of electronic equipment
CN1832397B (en) * 2005-11-28 2010-09-29 四川长虹电器股份有限公司 Authorization key, consultation and update method based on common key credentials between interface of electronic equipment
CN102239654A (en) * 2009-08-14 2011-11-09 华为技术有限公司 Authentication method and apparatus for passive optical network device
CN102239661A (en) * 2009-08-14 2011-11-09 华为技术有限公司 Method and device for exchanging key

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015113485A1 (en) * 2014-01-28 2015-08-06 西安西电捷通无线网络通信股份有限公司 Entity identification method, apparatus and system
JP2017506455A (en) * 2014-01-28 2017-03-02 西安西電捷通無綫網絡通信股分有限公司 China Iwncomm Co., Ltd. Entity identification method, apparatus and system
US9860070B2 (en) 2014-01-28 2018-01-02 China Iwncomm Co., Ltd Entity identification method, apparatus and system
CN107995214A (en) * 2017-12-19 2018-05-04 深圳市创梦天地科技股份有限公司 A kind of Website logging method and relevant device
CN110995703A (en) * 2019-12-03 2020-04-10 望海康信(北京)科技股份公司 Service processing request processing method and device, and electronic device
CN110995703B (en) * 2019-12-03 2021-09-17 望海康信(北京)科技股份公司 Service processing request processing method and device, and electronic device
CN115118454A (en) * 2022-05-25 2022-09-27 四川中电启明星信息技术有限公司 Cascade authentication system and method based on mobile application
CN115118454B (en) * 2022-05-25 2023-06-30 四川中电启明星信息技术有限公司 Cascade authentication system and authentication method based on mobile application

Also Published As

Publication number Publication date
CN102739660B (en) 2015-07-08

Similar Documents

Publication Publication Date Title
Li et al. Group-based authentication and key agreement with dynamic policy updating for MTC in LTE-A networks
US9313033B2 (en) Derived certificate based on changing identity
CN107947913B (en) Anonymous authentication method and system based on identity
CN111052672B (en) Secure key transfer protocol without certificate or pre-shared symmetric key
EP2984782B1 (en) Method and system for accessing device by a user
CN104506534A (en) Safety communication secret key negotiation interaction scheme
CN102547688B (en) Virtual-dedicated-channel-based establishment method for high-credibility mobile security communication channel
CN104754581A (en) Public key password system based LTE wireless network security certification system
CN104901935A (en) Bilateral authentication and data interaction security protection method based on CPK (Combined Public Key Cryptosystem)
CN110087240B (en) Wireless network security data transmission method and system based on WPA2-PSK mode
CN111953479B (en) Data processing method and device
CN103118363A (en) Method, system, terminal device and platform device of secret information transmission
CN102111273A (en) Pre-sharing-based secure data transmission method for electric load management system
CN105577377A (en) Identity-based authentication method and identity-based authentication system with secret key negotiation
CN111416712B (en) Quantum secret communication identity authentication system and method based on multiple mobile devices
CN108259486B (en) End-to-end key exchange method based on certificate
Niu et al. A novel user authentication scheme with anonymity for wireless communications
CN102739660B (en) Key exchange method for single sign on system
CN105162585A (en) Efficient privacy protecting session key agreement method
CN102006298A (en) Method and device for realizing load sharing of access gateway
CN107104888B (en) Safe instant messaging method
KR100456624B1 (en) Authentication and key agreement scheme for mobile network
CN113014376B (en) Method for safety authentication between user and server
CN106789026A (en) CDN server and its with client connection method, private key server and system
EP2600647B1 (en) Derived certificate based on changing identity

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant