
CN102238183B - Method for distributing and verifying system customer keys - Google Patents

Info

Publication number: CN102238183B
Authority: CN (China)
Prior art keywords: client, key, group, server, customer
Legal status: Expired - Fee Related
Application number: CN201110189036.5A
Other languages: Chinese (zh)
Other versions: CN102238183A (en)
Inventor: 纪求华
Current Assignee: GCI Science and Technology Co Ltd
Original Assignee: GCI Science and Technology Co Ltd
Application filed by: GCI Science and Technology Co Ltd
Landscapes: Computer And Data Communications (AREA)

Abstract

The invention provides a method for distributing and verifying system client keys. The system comprises a server and clients, wherein each customer is provided with a corresponding client. The method is characterized by comprising the following steps of: grouping the customers by the server; generating a group key for identifying a customer group for every group; storing a plurality of customer keys in a database of the server in advance; and distributing customer keys to clients where the customers are positioned by combining the group key of a group to which the customers belong and the customer keys of all customers in the group, wherein the customer keys are used by the clients to log on the server. In the method, key generation integrates various data, and key distribution and verification are computed by adopting a plurality of function values, so that high complexity and strictness are achieved, and the keys are safer and more reliable.

Description

A method for distributing and verifying system customer keys
Technical field
The present invention relates to the field of computer system encryption and verification, and in particular to a method for distributing and verifying system customer keys.
Background
The purpose of identity authentication is to confirm that a customer who currently claims a certain identity really is that customer. Authentication is common in daily life: by checking the other party's credentials, for example, we can generally be sure of their identity. There are many authentication methods, which fall roughly into three classes: authentication based on a shared key, authentication based on biometric features, and authentication based on public-key encryption algorithms. Different methods offer different levels of security.
Most systems use shared-key authentication, in which the server and the client jointly hold one password or a group of passwords. When the client needs to authenticate, it submits the shared password, either by input or by means of a device that holds the password. On receiving the password, the server checks whether it matches the one stored on the server side; if it matches, the client is judged legitimate, and if it does not, authentication fails. However, the password submitted at login is generally the one chosen when registering with the system; it has a simple structure and low security and is easily obtained by Trojan programs and the like, which may harm the customer's interests. Providers of cloud computing services can mostly provide reliable products, services and infrastructure, so a growing share of cybercrime starts from the end customer. A cloud computing platform holds a large number of customers, and a simple shared-key encryption mechanism would significantly reduce the security of the platform.
Summary of the invention
The object of the invention is to provide a method for distributing system customer keys in which the system, in its initial state, automatically generates a key for each customer group and distributes customer keys by a more secure mechanism.
To achieve this object, the following technical solution is adopted:
A method for distributing system customer keys, wherein the system comprises a server and clients and each customer has a corresponding client. The server divides the customers into groups and generates, for each group, a group key that identifies the customer group. A plurality of customer keys are stored in advance in the server's database. A customer key is distributed to the client where the customer is located by combining the group key of the customer's group with the customer keys of all customers in that group; the customer key is also used by the client to log in to the server.
As a preferred solution, the system generates a root key, a device key and an access key at initialization:
the root key is used by the super administrator to manage the whole system;
the device key is used by secondary administrators to log in to the server;
the access key is used by secondary administrators to access customer keys.
As a further preferred solution, the root key is kept in a root-of-trust container, and the access key and device key are kept in the database.
As a preferred solution, the customer registers and activates on the server and receives a customer ID and a group key SID distributed by the server.
As a further preferred solution, the group key SID is stored on the client and is visible to the customer.
As a further preferred solution, distributing the customer key to the customer's client by combining the group key of the customer's group with the customer keys of all customers in the group is specifically as follows.
The customer key is distributed to the i-th customer as follows:
The server constructs the polynomial $A(x)$ by the following formula:
$$A(x) = \prod_{m \in \psi} \bigl(x - f(SID_m, z)\bigr)$$
where $\psi$ is the group to which the i-th customer belongs, $f(SID_m, z)$ is a value computed by a hash function, $SID_m$ is the group key of the m-th customer, and $z$ is a random number.
The server randomly extracts a customer key $K$ from the database and constructs the polynomial $P(x)$ by the following formula:
$$P(x) = A(x) + K,$$
and sends the resulting polynomial $P(x)$ and $z$ to the i-th customer's client.
After obtaining the polynomial $P(x)$ and $z$, the i-th customer's client substitutes into the following formula
$$K' = P(f(SID_i, z)),$$
computes the client's customer key $K'$, and stores it.
As a preferred solution, the method further comprises a verification method corresponding to the distribution method. Verification of a client comprises:
(1) verifying the customer name and password provided by the client; if they match, proceed to step (2); if they do not match, return a verification-failure message;
(2) verifying the customer ID and the client's customer key $K'$ provided by the client; if they match, proceed to step (3); if they do not match, return a verification-failure message;
(3) verifying the group key provided by the client; if it matches, authentication passes; if it does not match, return a verification-failure message.
As a further preferred solution, for every customer to whom a customer key has been distributed, the server computes in advance the corresponding boundary weight $P$ by the following formula and stores it in the database:
$$P_j = K_j \oplus f(K_m, ID_j)$$
where $P_j$ is the boundary weight of the j-th customer, $K_j$ is the customer key value of the j-th customer, $f(K_m, ID_j)$ is a value computed by a hash function, $K_m$ is the super administrator's customer key value, $ID_j$ is the customer ID of the j-th customer, and $\oplus$ denotes an encryption algorithm.
Verifying the customer ID and customer key $K'$ in step (2) comprises:
From the customer ID and customer key $K'$ provided by the client, the server computes the client boundary value $p'$ by the following formula:
$$p' = K' \oplus f(K_i, ID)$$
where $f(K_i, ID_j)$ is a value computed by a hash function and $K_i$ is the super administrator's customer key value. The server compares the client boundary value $p'$ with the corresponding customer boundary weight $P$ stored in the database; if they are equal they match, and if they are unequal they do not match.
As a further preferred solution, verifying the group key comprises:
performing a hash operation on the group key provided by the client;
performing a hash operation on the corresponding customer's group key in the database;
comparing whether the results of the hash operations are equal; if they are equal they match, and if they are unequal they do not match.
Compared with the prior art, key generation in the present invention combines several kinds of data, and key distribution and verification are computed with several function values; the scheme is more complex and rigorous, making the keys more secure and reliable.
Brief description of the drawings
Fig. 1 shows the customer key distribution process of the invention.
Embodiment
The invention is further described below with reference to the drawing.
The invention provides a customer key mechanism covering how keys are distributed to customers and how identity is verified after the customer enters a key. The invention does not concern key generation itself; any existing key generation method may be used. The invention has the following features:
A. Hierarchical key structure.
Keys are distributed by the management center and generated by an algorithm, which makes them harder to crack and more secure. System initialization first generates the keys at each level:
The first layer is the root key. There is only one; it belongs to the super administrator and, as the master key of the whole system, must be protected in the most secure way, so it is placed in the root-of-trust container.
The second layer comprises the access key and the device key, which are the keys used by secondary administrators. Secondary administrators are appointed and granted the corresponding permissions by the super administrator. The device key is used to authenticate a secondary administrator at login; the access key is used to store customer keys in the database and to retrieve them from it.
The third layer is the customer key, which the system generates from the customer ID and an algorithm and distributes to the customer. Secondary administrators can store and retrieve it using the access key, and it is used to authenticate the customer at login.
The whole key management system contains several kinds of key, including device keys, session keys, group keys and customer keys. All keys are produced by the system, so a large number of AES keys are generated at system initialization.
These keys are all stored in the original database, while the root key is kept in the root-of-trust container; all keys are supplied for use while the whole system is running.
B. Customer key distribution mechanism.
The users of the system comprise administrators and customers. When a customer first becomes a system user, registration yields the customer's own customer ID and, after activation, a group key SID obtained through the AES algorithm. Each customer in the group has its own SID; for customer $U_i$ it is $SID_i$.
At system initialization a group key is assigned to each group; this is the server-side group key distribution. On the client side, after registering as a system user the customer activates their account. At activation the system distributes the group key according to the customer's role and stores it automatically on the client, where it is visible to the customer, under a fixed directory.
As shown in Fig. 1, the customer key is distributed as follows. When the i-th customer requests a key, the system constructs a polynomial $A(x)$ by the following formula:
$$A(x) = \prod_{m \in \psi} \bigl(x - f(SID_m, z)\bigr)$$
where $\psi$ is the group to which the i-th customer belongs, $f(SID_m, z)$ is a value computed by a hash function, $SID_m$ is the group key of the m-th customer, and $z$ is a random number.
$\Pi$ denotes a product, so $A(x)$ is a product over the several values $f(SID_m, z)$.
Then the KMC on the server extracts a customer key $K$ from the database, computes $P(x) = A(x) + K$, and sends $P(x)$ and $z$ to the client. At this point $P(x)$ expands to
$$a x^n + b x^{n-1} + c x^{n-2} + \dots + p x + q + K.$$
After receiving $P(x)$ and $z$, the i-th customer cannot learn the specific value of $q + K$, but can substitute $f(SID_i, z)$ into the formula:
$$K' = P(f(SID_i, z)) = A(f(SID_i, z)) + K = \prod_{m \in \psi} \bigl(f(SID_i, z) - f(SID_m, z)\bigr) + K$$
If the customer belongs to the correct group, then, because $\Pi$ is a product, $\prod_{m \in \psi} \bigl(f(SID_i, z) - f(SID_m, z)\bigr)$ must equal 0, so $K' = K$ and the customer obtains the correct customer key. If the customer is not in the correct group, the product must be nonzero, so the customer cannot obtain the correct customer key. The value finally obtained is the client's customer key $K'$: when the calculation is correct, $K'$ should be $P(x)$; when it is incorrect, it is $P(x) - A(x)$.
The super administrator uses the root key; secondary administrators log in with the device key, and the storage key is used to access the keys kept in the database. Administrators and customers may span several layers and are divided into different groups, each with its own group key. After registering as a system user, the customer activates their account. At activation the system distributes the customer key according to the customer's role and stores it automatically on the client, where it is visible to the customer, under a fixed directory. Because a customer key is computed jointly from all the customer keys and the group key of each group, customer keys change whenever a new customer registers or an existing customer closes their account. After the key changes, customer logins fail; in that case the server sends the new customer key to the client through the distribution mechanism above to replace the original one, and the customer can log in successfully again with the new customer key.
C. Customer identity authentication mechanism.
Because the super administrator is unique in the system, when this algorithm is used, once a customer has registered and activated successfully the corresponding boundary (edge) weight $P$ is computed by the following formula and stored in the database:
$$P_j = K_j \oplus f(K_m, ID_j)$$
where $P_j$ is the boundary weight of the j-th customer, $K_j$ is the customer key value of the j-th customer, $f(K_m, ID_j)$ is a value computed by a hash function, $K_m$ is the super administrator's customer key value, $ID_j$ is the customer ID of the j-th customer, and $\oplus$ denotes an encryption algorithm.
After successful activation, the system performs key-based identity verification whenever the customer logs in. It first verifies that the customer name and password both match; these are held jointly by the server and the client. If they match, the first step of login succeeds.
The next step verifies the key algorithm. The client sends the customer's ID and customer key $K'$ to the KMC on the server, and the KMC computes the client boundary value $p'$ from the customer ID and customer key $K'$ provided by the client, by the following formula:
$$p' = K' \oplus f(K_i, ID)$$
The KMC compares the client boundary value $p'$ with the corresponding customer boundary weight $P$ stored in the database; if they are equal they match, and if they are unequal they do not match.
The final step compares the group key; verifying the group key also identifies the customer's group. The group key value sent by the client and the group key value in the database are each hashed, and the two results are compared. If they are equal, verification passes and authentication is complete; the customer can then enter the system and carry out the relevant operations.
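The distribution step of section B and the check in step (2) of section C, as an added example that is not part of the patent text. Assumptions not stated in the patent: SHA-256 as the hash function f, arithmetic modulo the prime 2^255 - 19, bitwise XOR as the ⊕ operation, and constructed SID and customer ID values.

```python
import hashlib
import secrets

# Assumption: the patent names no field; all polynomial arithmetic is mod this prime.
PRIME = 2**255 - 19


def f(secret: bytes, salt: bytes) -> int:
    """The patent's hash f(., .); SHA-256 with a length prefix is an assumption."""
    data = len(secret).to_bytes(2, "big") + secret + salt
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % PRIME


def build_p(group_sids, z: bytes, key: int):
    """Server: coefficients (constant term first) of P(x) = A(x) + K,
    where A(x) is the product of (x - f(SID_m, z)) over the group."""
    coeffs = [1]
    for sid in group_sids:
        root = f(sid, z)
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):      # multiply current polynomial by (x - root)
            nxt[i] = (nxt[i] - c * root) % PRIME
            nxt[i + 1] = (nxt[i + 1] + c) % PRIME
        coeffs = nxt
    coeffs[0] = (coeffs[0] + key) % PRIME   # constant term becomes q + K
    return coeffs


def recover_key(coeffs, sid: bytes, z: bytes) -> int:
    """Client: K' = P(f(SID_i, z)), evaluated with Horner's rule."""
    x = f(sid, z)
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def boundary_weight(key: int, admin_key: bytes, customer_id: bytes) -> int:
    """Server, at activation: P_j = K_j (+) f(K_m, ID_j); XOR is an assumption."""
    return key ^ f(admin_key, customer_id)


def verify_key(stored_weight: int, claimed_key: int,
               admin_key: bytes, customer_id: bytes) -> bool:
    """Server, login step (2): recompute p' from K' and compare with stored P."""
    p_prime = boundary_weight(claimed_key, admin_key, customer_id)
    return secrets.compare_digest(p_prime.to_bytes(32, "big"),
                                  stored_weight.to_bytes(32, "big"))


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    z = secrets.token_bytes(16)
    group = [b"SID-customer-1", b"SID-customer-2", b"SID-customer-3"]
    outsider_sid = b"SID-other-group"
    admin_key = secrets.token_bytes(16)
    customer_id = b"customer-0002"

    K = int.from_bytes(secrets.token_bytes(16), "big")   # 128-bit customer key
    coeffs = build_p(group, z, K)
    stored = boundary_weight(K, admin_key, customer_id)

    member_key = recover_key(coeffs, group[1], z)
    outsider_key = recover_key(coeffs, outsider_sid, z)
    print("member recovers K:    ", member_key == K)
    print("outsider recovers K:  ", outsider_key == K)
    print("member passes step 2: ", verify_key(stored, member_key, admin_key, customer_id))
    print("outsider passes step 2:", verify_key(stored, outsider_key, admin_key, customer_id))
```
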

Claims (8)

1. A method for distributing system customer keys, the system comprising a server and clients, each customer having a corresponding client, characterized in that the server divides the customers into groups and generates for each group a group key that identifies the customer group; a plurality of customer keys are stored in advance in the server's database; a customer key is distributed to the client where the customer is located by combining the group key of the customer's group with the customer keys of all customers in that group, the customer key also being used by the client to log in to the server;
the system generates a root key, a device key and an access key at initialization;
the root key is used by the super administrator to manage the whole system;
the device key is used by secondary administrators to log in to the server;
the access key is used by secondary administrators to access customer keys.
2. The customer key distribution method according to claim 1, characterized in that the root key is kept in a root-of-trust container, and the access key and device key are kept in the database.
3. The customer key distribution method according to claim 1, characterized in that the customer registers and activates on the server and receives a customer ID and a group key SID distributed by the server.
4. The customer key distribution method according to claim 3, characterized in that the group key SID is stored on the client and is visible to the customer.
5. The customer key distribution method according to claim 3, characterized in that distributing the customer key to the customer's client by combining the group key of the customer's group with the customer keys of all customers in the group is specifically:
the customer key is distributed to the i-th customer as follows:
the server constructs the polynomial $A(x)$ by the following formula:
$$A(x) = \prod_{m \in \psi} \bigl(x - f(SID_m, z)\bigr),$$
where $\psi$ is the group to which the i-th customer belongs, $f(SID_m, z)$ is a value computed by a hash function, $SID_m$ is the group key of the m-th customer, and $z$ is a random number;
the server randomly extracts a customer key $K$ from the database and constructs the polynomial $P(x)$ by the following formula:
$$P(x) = A(x) + K,$$
and sends the resulting polynomial $P(x)$ and $z$ to the i-th customer's client;
after obtaining the polynomial $P(x)$ and $z$, the i-th customer's client substitutes into the following formula
$$K' = P(f(SID_i, z)),$$
computes the client's customer key $K'$, and stores it.
6. The customer key distribution method according to claim 1, characterized in that the method further comprises a verification method corresponding to the distribution method, verification of a client comprising:
(1) verifying the customer name and password provided by the client; if they match, proceed to step (2); if they do not match, return a verification-failure message;
(2) verifying the customer ID and the client's customer key $K'$ provided by the client; if they match, proceed to step (3); if they do not match, return a verification-failure message;
(3) verifying the group key provided by the client; if it matches, authentication passes; if it does not match, return a verification-failure message.
7. The customer key distribution method according to claim 6, characterized in that, for every customer to whom a customer key has been distributed, the server computes in advance the corresponding boundary weight $P$ by the following formula and stores it in the database:
$$P_j = K_j \oplus f(K_m, ID_j)$$
where $P_j$ is the boundary weight of the j-th customer, $K_j$ is the customer key value of the j-th customer, $f(K_m, ID_j)$ is a value computed by a hash function, $K_m$ is the super administrator's customer key value, $ID_j$ is the customer ID of the j-th customer, and $\oplus$ denotes an encryption algorithm;
verifying the customer ID and customer key $K'$ in step (2) comprises:
from the customer ID and customer key $K'$ provided by the client, the server computes the client boundary value $p'$ by the following formula:
$$p' = K' \oplus f(K_i, ID);$$
$f(K_i, ID_j)$ is a value computed by a hash function and $K_i$ is the super administrator's customer key value; the client boundary value $p'$ is compared with the corresponding customer boundary weight $P$ stored in the database; if they are equal they match, and if they are unequal they do not match.
8. The customer key distribution method according to claim 6, characterized in that verifying the group key comprises:
performing a hash operation on the group key provided by the client;
performing a hash operation on the corresponding customer's group key in the database;
comparing whether the results of the hash operations are equal; if they are equal they match, and if they are unequal they do not match.
Priority Applications (1)

Application number: CN201110189036.5A
Priority date: 2011-07-07
Filing date: 2011-07-07
Title: Method for distributing and verifying system customer keys
Status: Expired - Fee Related
Granted publication: CN102238183B (en)

Publications (2)

CN102238183A, published 2011-11-09
CN102238183B, published 2014-04-09

Family ID: 44888388
Country status: CN (1), CN102238183B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140409

Termination date: 20200707