Independent claim |
1. A method comprising:
finding, at a trusted authority, a non-supersingular curve with an even k for which no distortion map exists, the curve having a base field Fp and an extension field Fp2 and a curve order c.q;
generating a master secret s;
choosing hash function H1: {0,1}*→E(Fp);
publishing public parameters;
identifying and authenticating an authentication service to the trusted authority;
taking, at the trusted authority, an identity IDs of the authentication service as input and mapping the identity IDs to a point, S, on the curve;
using, over the extension field Fp2, a second hash function of H2: {0,1}*→E(Fp2) such that S=H2(IDs) so s, a secret number, is a point on the curve E(Fp2);
issuing back to the authentication service over a secure network connection the secret number s, parameters of the curve and the H2 hash function along with a location of the public parameters;
authenticating, at a client, an identity to the trusted authority;
taking, at the trusted authority, a client's identity IDa as input;
hashing, at the trusted authority, the identity IDa and mapping to a point A of large prime order on the curve;
receiving, at the client, from the trusted authority over the secure network connection A and s, where A=c.H1(IDa) is a point of order q over the base field of the curve E(Fp);
taking, at the client, as input a PIN number, α, and calculating αA;
producing, at the client, a number (s−α)A;
storing, at the client, both (s−α)A and A in a browser storage of the client;
using an authentication program at the client to prompt a user of the client for their PIN and their identifier;
using, at the client, the authentication program to hash IDa;
using, at the client, the hash function H1, and to look up a key/value pair to obtain (s−α)A and A;
sending identities IDa and IDs, between the client and authentication service;
generating values of x<q at the client and y<q at the authentication service;
calculating, at the client, S where S=H2(IDs) and A where A=H1(IDa) to achieve Pa=xA while, at the authentication service, calculating A where A=H1(IDa) and S where S=H2(IDs) to achieve Ps=yS;
exchanging Pa and Ps between the client and authentication service;
calculating ra=Hq(Pa|Ps) and rs=Hq(Ps|Pa) at the client and the authentication service;
calculating, at the client, k=e((x+ra)((s−α)A+αA),rsS+Ps) to obtain K=H3(k) and M=H3(IDa, IDs, K);
at the authentication service, calculating k=e(raA+Pa,(y+rs)sS) to obtain K=H3(k) and N=H3(IDa, IDs, K);
sending, at the client, M over the secure connection to the authentication service;
sending N to the client in response to a comparison, N=M, at the authentication service indicating a match; and
determining, at the client, that the client and authentication service have successfully mutually authenticated each other and have a mutually agreed upon session key N in response to a comparison of N to M at the client indicating a match. |
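The key agreement in the claim can be checked algebraically with the following added example, which is not code from the patent or its authors. It assumes a toy, insecure model in which a point is stored as its scalar modulo q and the pairing is multiplication of scalars, takes the cofactor c as 1, and assumes the service holds sS as the service-side formula for k requires; `Q`, `enroll`, `run` and the helper names are hypothetical.

```python
import hashlib
import secrets

# TOY MODEL (assumption, insecure): a point aP is stored as its scalar a mod Q
# and the pairing e(aP, bP') as a*b mod Q. Bilinearity holds, secrecy does not.
Q = 2**127 - 1  # prime group order q (constructed parameter)

def h_to_zq(tag: bytes, *parts: bytes) -> int:
    """Stand-in for H1, H2 and Hq: hash to a non-zero scalar mod Q."""
    d = hashlib.sha256(tag + b"|" + b"|".join(parts)).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def pairing(a: int, b: int) -> int:
    """Bilinear map in the scalar model: e(aP, bP') -> a*b mod Q."""
    return a * b % Q

def h3(*parts) -> str:
    """Stand-in for H3 (key derivation and confirmation values)."""
    return hashlib.sha256(repr(parts).encode()).hexdigest()

def enc(n: int) -> bytes:
    return n.to_bytes(16, "big")

def enroll(s: int, id_a: bytes, id_s: bytes, pin: int):
    """Trusted authority step: derive the client token and the service secret."""
    A = h_to_zq(b"H1", id_a)
    S = h_to_zq(b"H2", id_s)
    token = (s * A - pin * A) % Q      # (s - alpha)A, kept in browser storage
    return token, s * S % Q            # service secret sS

def run(token: int, service_secret: int, id_a: bytes, id_s: bytes, pin: int):
    """One protocol run; returns the confirmation values (M, N)."""
    A = h_to_zq(b"H1", id_a)
    S = h_to_zq(b"H2", id_s)
    x = secrets.randbelow(Q - 1) + 1   # client ephemeral, x < q
    y = secrets.randbelow(Q - 1) + 1   # service ephemeral, y < q
    Pa, Ps = x * A % Q, y * S % Q
    ra = h_to_zq(b"Hq", enc(Pa), enc(Ps))
    rs = h_to_zq(b"Hq", enc(Ps), enc(Pa))
    # Client: k = e((x+ra)((s-alpha)A + alpha*A), rs*S + Ps)
    k_c = pairing((x + ra) * (token + pin * A) % Q, (rs * S + Ps) % Q)
    M = h3(id_a, id_s, h3(k_c))
    # Service: k = e(ra*A + Pa, (y+rs)sS)
    k_s = pairing((ra * A + Pa) % Q, (y + rs) * service_secret % Q)
    N = h3(id_a, id_s, h3(k_s))
    return M, N
```

With the enrolled PIN both sides reach the same k, so M equals N; with any other PIN the client's reconstructed point is not sA and the service's comparison fails.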