Anonymity authentication method in multi-server environments

摘要

An anonymity authentication method in multi-server environments is provided. When a user switches between various remote servers, it is not necessary to perform many times of complicated verification procedures, only a set of user identity and password is required for switching between the different remote servers. Moreover, the operation of the transmitted messages uses only hash function and XOR operator, and a random number is also applied thereto. Therefore, the anonymity authentication method of the present disclosure has high computational efficiency and high security.

主权项

1. An anonymity authentication method in multi-server environments comprising:
a registration procedure for registering a user to a registration center, the registration procedure comprising:
in the user:
choosing an user identity (user ID), a password and randomly choosing a random number by the user;performing an XOR operation to the random number and the password chosen by the user, and then performing a hash operation for generating a first hash value;transmitting the user identity and the first hash value to the registration center by the user for performing the registration procedure;in the registration center:
performing a hash operation to the first hash value for generating a second hash value;performing a string concatenation to a master key and a secret number chosen by the registration center, and then performing a hash operation, and then performing a string concatenation with the second hash value, and finally performing a hash operation for generating a third hash value;performing an XOR operation to the third hash value and the first hash value for generating first output value;performing a hash operation to the user identity and the master key for generating a fourth hash value;performing a string concatenation operation to the user identity and the first hash value, then performing a hash operation, and then performing an XOR operation with the fourth hash value for generating a second output value;performing a hash operation to the fourth hash value for generating a fifth hash value;performing a hash operation to the secret number for generating a sixth hash value;the registration center transmitting the second output value, the first output value, the fifth hash value, a one-way hash value and the sixth hash value to a smart card of the user;the user inputting the random number to the smart card, and the smart card containing the second output value, the first output value, the fifth hash value, the random number, the one-way hash value and the sixth hash value; a login procedure for the user to login to a remote server, the login procedure comprising:
the user inputting the user identity and the password chosen by the user to the smart card;at the smart card:performing an XOR operation and then a hash operation to the random number and the password, then performing a string concatenation operation with the user identity, then performing a hash operation, and then performing an XOR operation with the second output value for generating a third output value;performing a hash operation to the third output value for generating a seventh hash value;comparing the seventh hash value with the fifth hash value, if the seventh hash value is equal to the fifth hash value, the user is authenticated, if the seventh hash value is not equal to the fifth hash value, the smart card rejects the login procedure, if the seventh hash value is equal to the fifth hash value, then at the smart card:generating a user nonce;performing an XOR operation to the first hash value and the first output value for generating a fourth output value;performing a hash operation to the first hash value for generating an eighth hash value;performing a string concatenation operation and then a hash operation to the sixth hash value, the user nonce and a remote server identity, and then performing an XOR operation with the eighth hash value for generating a fifth output value;performing a string concatenation operation and then a hash operation to the third output value, the fourth output value and the user nonce, and then performing an XOR operation with the first hash value for generating a dynamic user identity;performing a hash operation to the remote server identity, the user nonce and the fourth output value, and then performing an XOR operation with the third output value for generating a sixth output value;performing a string concatenation operation and then a hash operation to the first output value, the fourth output value and the user nonce for generating a ninth hash value;issuing a first parameter set to the remote server by the user, wherein the first parameter set comprises the dynamic user identity, the fifth output value, the sixth output value, the ninth hash value and the user nonce; a verification procedure for performing a mutual authentication between the user and the remote server, comprising:
receiving the first parameter set by the remote server;in the remote server:performing an string concatenation operation and then a hash operation to the sixth hash value, the user nonce and the remote server identity, and then performing an XOR operation with the fifth output value for generating a seventh output value;performing a string concatenation operation and then a hash operation to the master key and the secret number selected by the registration center, and then performing a string concatenation operation with the seventh output value, and then performing a hash operation for generating a tenth hash value;performing a string concatenation operation and then a hash operation to the tenth hash value, the user nonce and the remote server identity, and then performing an XOR operation with the sixth output value for generating an eighth output value;performing a string concatenation operation and then a hash operation to the eighth output value, the tenth hash value and the user nonce, and then performing an XOR operation with the dynamic user identity for generating a eleventh hash value;performing an XOR operation to the eleventh hash value and the tenth hash value for generating a ninth output value;performing a string concatenation operation and then a hash operation to the ninth output value, the tenth hash value and the user nonce for generating a twelfth hash value;comparing the twelfth hash value with the ninth hash value, if the twelfth hash value is not equal to the ninth hash value, the remote server rejects the login procedure, if the twelfth hash value is equal to the ninth hash value, then performing the following procedures:generating a remote server nonce by the remote server, and performing a string concatenation operation and then a hash operation to the ninth output value, the user nonce, the tenth hash value and the remote server identity for generating a thirteenth hash value;transmitting a second parameter set to the user by the remote server, wherein the second parameter set comprises the thirteenth hash value and the remote server nonce;after receiving the second parameter set, the user performing the following procedures for authenticating the remote server:performing a string concatenation operation and then a hash operation to the first output value, the user nonce, the fourth output value and the remote server identity for generating a fourteenth hash value;comparing the fourteenth hash value with the thirteenth hash value, if the fourteenth hash value is not equal to the thirteenth hash value, the user rejects to receive the second parameter set, if the fourteenth hash value is equal to the thirteenth hash value, the remote server identity is authenticated, and then performing the following procedures:performing, a string concatenation operation and then a hash operation to the first output value, the remote server nonce, the fourth output value and the remote server identity for generating a fifteenth hash value;transmitting a third parameter set to the remote server by the user, wherein the third parameter set comprises the fifteenth hash value;after receiving the third parameter set by the remote server, the remote server performing the following procedures for authenticating the user:performing a string concatenation operation and then a hash operation to the ninth output value, the remote server nonce, the tenth hash value and the remote server identity for generating a sixteenth hash value;comparing the sixteenth hash value with the fifteenth hash value, if the sixteenth hash value is not equal to the fifteenth hash value, the remote server rejects to receive the third parameter set, and terminates a session between the remote server and the user; if the sixteenth hash value is equal to the fifteenth hash value, the user is authenticated;after finishing the mutual verification procedure between the user and the remote server, a session key is established between the user and the remote server, wherein the session key of the remote server is obtained by performing a string concatenation operation and then a hash operation to the ninth output value, the user nonce, the remote server nonce, the tenth hash value and the remote server identity; and the session of the user is obtained by performing a string concatenation operation and then a hash operation to the first output value, the user nonce, the remote server nonce, the fourth output value and the remote server identity.