Single sign-on authentication method based on oblivious pseudo-random function and signcryption

A pseudo-random function and single sign-on technology, applied in the field of information security, that addresses the problems of existing schemes: no resistance to KCI attacks, increased deployment costs, and no ability to be deployed independently.

Active Publication Date: 2020-02-11
XIDIAN UNIV

AI Technical Summary

Problems solved by technology

However, the focus of SPA is to implement authentication rather than authenticated key exchange, which means that the security of subsequent sessions relies on existing encryption infrastructure, such as the secure channel protocols SSL or TLS. That is, SPA cannot be deployed independently, which increases the complexity and cost of deploying the solution. SPA also implements only one-way authentication from users to SPs, so it cannot resist KCI attacks.
[0007] To sum up, the problems with the existing technology are: either the scheme has a password verifier, so the adversary can easily mount offline dictionary attacks and insider attacks; or the scheme does not implement two-way authentication and key agreement, relies on encryption infrastructure such as TLS/SSL, and cannot be deployed independently; or the scheme cannot resist KCI attacks.
[0014] In short, the difficulty of SSO protocol design lies in how to combine the password with the private key so as to prevent brute-force cracking. For example, the AUMA scheme derives a value from the password and private key through a simple hash calculation and stores the derived value in a smart card that can be cracked by the adversary, which very easily leads to offline dictionary guessing attacks.

Embodiment Construction

[0094] In order to make the object, technical solution and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with the examples. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit it.

[0095] Existing schemes either have a password verifier, so that the adversary can easily mount offline dictionary attacks and insider attacks; or do not implement two-way authentication and key agreement, rely on encryption infrastructure such as TLS/SSL, and cannot be deployed independently; or cannot resist KCI attacks. The present invention solves these problems by combining OPRF and a signcryption scheme. The specific process includes that the user and the SP complete the registration at the KGA, obtain the signcryption private key required for the authentication phase, and in order...

Abstract

The invention belongs to the technical field of information security, and discloses a single sign-on (SSO) authentication system and method based on an oblivious pseudo-random function (OPRF) and signcryption. The single sign-on authentication method includes a system parameter initialization stage, a user / service provider (SP) registration stage, an information retrieval stage, and a user and SP bidirectional authentication stage. The invention combines the OPRF and the signcryption scheme: the OPRF value is obtained by blinding the user's password through the OPRF and is used to encrypt the user's signcryption private key, and the ciphertext is stored at the storage provider. Before login, the user recovers the OPRF value and decrypts the retrieved ciphertext to obtain the signcryption private key, thereby realizing bidirectional authentication with the SP. The invention provides enhanced security against password leakage threats: the SP does not store a password or a password-derived value, and even if a client accidentally leaks the password, an adversary cannot use it to impersonate the SP and deceive the user. The invention resists common attacks on SSO authentication systems and completes bidirectional authentication efficiently.

Description

Technical field

[0001] The invention belongs to the technical field of information security, and in particular relates to a single sign-on authentication system and method based on an oblivious pseudo-random function and signcryption.

Background technique

[0002] At present, new services emerge one after another on the Internet, giving birth to a variety of service providers that offer a wealth of network services in the fields of entertainment, commerce, transportation, and medical care. However, network attacks are widespread on open communication channels, so how to ensure the legitimacy of the identity of the communicating entity, realize secure data access control, and ensure the availability of services at the same time has become one of the severe challenges facing the current multi-service-provider network environment.

[0003] Lamport proposed a password-based authentication protocol suitable for client / server architecture to achieve identity authentication between ...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L9/06, H04L9/08, H04L29/06
CPC: H04L9/0861, H04L9/0838, H04L9/0869, H04L9/0894, H04L9/0643, H04L9/0866, H04L63/0815, H04L63/0869
Inventor: 姜奇, 张玲, 王金花, 张欣, 马建峰, 马卓, 杨力, 马鑫迪, 张俊伟, 李兴华
Owner: XIDIAN UNIV