The present disclosure relates to information security and communications technologies, and in particular, to a session key negotiation method, apparatus, and system.
A key exchange protocol in the other approaches can ensure that two or more users establish a shared session key in a public network environment by exchanging information. The users participating in communication encrypt communication data using the shared session key to ensure security of network communication. An authentication key exchange protocol is key negotiation with an authentication function, and can authenticate identities of two parties participating in the key negotiation, thereby effectively defending against an attack from a third party.
Currently, a working principle of the authentication key exchange protocol is mainly as follows. For randomly selected a∈Rq, according to R-DLWEq,χ, a party A and a party B requiring authentication key negotiation (1) respectively select (sA,eA)←χ and (sB,eB)←χ secretly, (2) respectively calculate bA=a·sA+eA and bB=a·sB+eB, where bA and bB are public, and (3) respectively calculate sA·bB and sB·bA using respective keys sA and sB. Because sA·bB=sA·a·sB+sA·eB≈sA·a·sB≈sB·a·sA+sB·eA=sB·bA, sA·bB−sB·bA=sA·eB−sB·eA. If a difference ∥sA·eB−sB·eA∥ between the two parties is within a particular range, the two parties may cancel the error, and calculate a common secret sA·a·sB. Because sA·a·sB is related to only the respective keys sA and sB of the two parties, only the party A and the party B know sA·a·sB.
In addition, to cancel the error ∥sA·eB−sB·eA∥ such that both parties can correctly recover sA·a·sB, a characteristic function Cha(v) and a modular function Mod2(w,b) are mainly used such that the two parties recover the common information sA·a·sB. The characteristic function Cha(v) is defined as follows:
The modular function Mod2(w,b) is defined as follows:
Further, sA·a·sB is recovered bit by bit using the modular function Mod2(w,b). Using one bit as an example, q is an odd prime, and b=Cha(v)∈ℤ2 is given. For w=v+2e, if the error e∈ℤq satisfies |e|<q/2, then Mod2(v,Cha(v))=Mod2(w,Cha(v)). In other words, when the distance between w and v is within a particular range (w=v+2e), the two parties each may calculate one common secret bit
Mod2(v,Cha(v))=
When q is an odd prime and w,v∈ℤq are given:
1. if Cha(v)=0, a deviation in outputting 0/1 from Mod2(w,Cha(v)) is 1/(2|E|); or
2. if Cha(v)=1, a deviation in outputting 0/1 from Mod2(w,Cha(v)) is 1/(|E|−1).
However, a common secret bit
The present disclosure provides a session key negotiation method, apparatus, and system, to resolve problems of heavy traffic and high calculation costs in the other approaches.
A first aspect of the present disclosure provides a session key negotiation method, including receiving, by first user equipment, a long-term public key PA and a temporary public key xA that correspond to second user equipment performing session negotiation with the first user equipment, obtaining, by the first user equipment, a vector σB according to a long-term private key sB and a temporary private key yB that correspond to the first user equipment, the long-term public key PA, and the temporary public key xA, obtaining, by the first user equipment,
where q is an even number and is not equal to 2.
With reference to the first aspect, it may be understood that a manner of obtaining a vector σB may be obtaining, by the first user equipment, the temporary private key yB according to system parameters a and fB using a formula yB=a·rB+fB∈Rq, obtaining, by the first user equipment, d and e according to the temporary public key xA corresponding to the second user equipment, the temporary private key yB corresponding to the first user equipment, identity information B corresponding to the first user equipment, and identity information A corresponding to the second user equipment using formulas d=H(xA,B) and e=H(yB,A) respectively, and obtaining, by the first user equipment, σB according to the long-term private key sB and the temporary private key rB that correspond to the first user equipment, the long-term public key PA and the temporary public key xA that correspond to the second user equipment, d, and e using a formula σB=g·(xA+d·PA)·(rB+e·sB)∈Rq, where a∈Rq=ℤq[ζm], rB←χ, fB←χ, g is a system parameter, and g∈R, R is a cyclotomic ring, and Rq is a quotient ring defined on
and m is a positive integer.
With reference to the first aspect, optionally, the identity information A and B are bit strings representing identity card numbers or fingerprint information.
With reference to the first aspect, it should be noted that the method further includes obtaining, by the first user equipment, a long-term public key PB corresponding to the first user equipment according to s1 and e1 using a formula PB=a·s1+e1∈Rq, sending, by the first user equipment, a registration request carrying the long-term public key PB to an authentication center such that when authenticating, according to the registration request, that the long-term public key PB≠0, the authentication center obtains bc, [v]2, and v2 according to s, e, and e′ using formulas bc=a·s+e and v=g·b·s+e′, and returns bc and v2 to the first user equipment, and obtaining, by the first user equipment, w according to the received bc and v2 using formulas u=g·bc·s1 and w=rec(u,v2), and sending w to the authentication center such that when authenticating that w=[v]2, the authentication center sends a first certificate CertB to the first user equipment, to certify that the first user equipment owns the long-term public key PB, where s1, e1←χ, s, e, and e′←χ.
With reference to the first aspect, optionally, the method further includes sending, by the first user equipment, the long-term public key PB, the temporary private key yB, and the semaphore vB of the first user equipment to the second user equipment such that the second user equipment obtains the session key K within a preset error range according to a long-term private key sA and the temporary private key rA that correspond to the second user equipment, the long-term public key PB, the temporary private key yB, and the semaphore vB, where the preset error range is
A second aspect of the present disclosure provides a session key negotiation method, including receiving, by second user equipment, a long-term public key PB, a semaphore vB, and a temporary private key yB that are of first user equipment performing session negotiation with the second user equipment and that are sent by the first user equipment, obtaining, by the second user equipment, a vector σA according to a long-term private key sA and a temporary private key xA that correspond to the second user equipment, the long-term public key PB, and the temporary private key yB, and obtaining, by the second user equipment, a session key K corresponding to the second user equipment within the preset error range according to the vector σA and the semaphore vB using a formula K=rec(σA,vB), where the preset error range is
and q is an even number and is not equal to 2.
With reference to the second aspect, it should be noted that the obtaining, by the second user equipment, a vector σA according to a long-term private key sA and a temporary public key xA that correspond to the second user equipment, the long-term public key PB, and the temporary private key yB includes obtaining, by the second user equipment, the temporary public key xA according to system parameters a and fA using a formula xA=a·rA+fA∈Rq, obtaining, by the second user equipment, d and e according to the temporary private key xA corresponding to the first user equipment, the temporary private key yB, identity information B corresponding to the first user equipment, and identity information A corresponding to the second user equipment using formulas d=H(xA,B) and e=H(yB,A) respectively, and obtaining, by the second user equipment, the vector σA according to the long-term private key sA corresponding to the second user equipment, the long-term public key PB and the temporary private key yB that correspond to the first user equipment, d, and e using a formula σA=g·(yB+d·PB)·(rA+e·sA)∈Rq, where a∈Rq=ℤq[ζm], rA←χ, fA←χ, g is a system parameter, and g∈R, R is a cyclotomic ring, and Rq is a quotient ring defined on
and m is a positive integer.
With reference to the second aspect, optionally, the identity information A and B are bit strings representing identity card numbers or fingerprint information.
With reference to the second aspect, it may be understood that the method further includes obtaining, by the second user equipment, a long-term public key PA corresponding to the first user equipment according to s1 and e1 using a formula PA=a·s1+e1∈Rq, sending, by the second user equipment, a registration request carrying the long-term public key PA to an authentication center such that when authenticating, according to the registration request, that PA≠0, the authentication center obtains bc, [v]2, and v2 according to s, e, and e′ using formulas bc=a·s+e and v=g·b·s+e′, and returns bc and v2 to the second user equipment, and obtaining, by the second user equipment, w according to the received bc and v2 using formulas u=g·bc·s1 and w=rec(u,v2), and sending w to the authentication center such that when authenticating that w=[v]2, the authentication center sends a second certificate CertA to the second user equipment, to certify that the second user equipment owns the long-term public key PA, where s1, e1←χ, s, e, and e′←χ.
A third aspect of the present disclosure provides a session key negotiation apparatus, including a transceiver module configured to receive a long-term public key PA and a temporary public key xA that correspond to second user equipment performing session negotiation with the session key negotiation apparatus, a vector obtaining module configured to obtain a vector σB according to a long-term private key sB and a temporary private key yB that correspond to the session key negotiation apparatus, the long-term public key PA, and the temporary public key xA, a first calculation module configured to obtain
where q is an even number and is not equal to 2.
With reference to the third aspect, it may be understood that the vector obtaining module in the apparatus includes a temporary private key obtaining unit configured to obtain the temporary private key yB according to system parameters a and fB using a formula yB=a·rB+fB∈Rq, a calculation unit configured to obtain d and e according to the temporary public key xA corresponding to the second user equipment, the temporary private key yB corresponding to the first user equipment, identity information B corresponding to the session key negotiation apparatus, and identity information A corresponding to the second user equipment using formulas d=H(xA,B) and e=H(yB,A) respectively, and a vector obtaining unit configured to obtain σB according to the long-term private key sB and the temporary private key rB that correspond to the session key negotiation apparatus, the long-term public key PA and the temporary public key xA that correspond to the second user equipment, d, and e using a formula σB=g·(xA+d·PA)·(rB+e·sB)∈Rq, where a∈Rq=ℤq[ζm], rB←χ, fB←χ, g is a system parameter, and g∈R, R is a cyclotomic ring, and Rq is a quotient ring defined on
and m is a positive integer.
With reference to the third aspect, it may be pointed out that the apparatus further includes a long-term public key obtaining module configured to obtain a long-term public key PB corresponding to the session key negotiation apparatus according to s1 and e1 using a formula PB=a·s1+e1∈Rq, where the transceiver module is further configured to send a registration request carrying the long-term public key PB to an authentication center such that when authenticating, according to the registration request, that the long-term public key PB≠0, the authentication center obtains bc, [v]2, and v2 according to s, e, and e′ using formulas bc=a·s+e and v=g·b·s+e′, and returns bc and v2 to the session key negotiation apparatus, and a second calculation module configured to obtain w according to the received bc and v2 using formulas u=g·bc·s1 and w=rec(u,v2), where the transceiver module is further configured to send w to the authentication center such that when authenticating that w=[v]2, the authentication center sends a first certificate CertB to the session key negotiation apparatus, to certify that the session key negotiation apparatus owns the long-term public key PB, where s1, e1←χ, s, e, and e′←χ.
With reference to the third aspect, optionally, the transceiver module is further configured to send the long-term public key PB, the temporary private key yB, and the semaphore vB of the session key negotiation apparatus to the second user equipment such that the second user equipment obtains the session key K within a preset error range according to a long-term private key sA and the temporary private key rA that correspond to the second user equipment, the long-term public key PB, the temporary private key yB, and the semaphore vB, where the preset error range is
A fourth aspect of the present disclosure provides a session key negotiation apparatus, including a transceiver module configured to receive a long-term public key PB, a semaphore vB, and a temporary private key yB that are of first user equipment performing session negotiation with the session key negotiation apparatus and that are sent by the first user equipment, a vector obtaining module configured to obtain a vector σA according to a long-term private key sA and a temporary private key xA that correspond to the session key negotiation apparatus, the long-term public key PB, and the temporary private key yB, and a session key obtaining module configured to obtain a session key K corresponding to the session key negotiation apparatus within the preset error range according to the vector σA and the semaphore vB using a formula K=rec(σA,vB), where the preset error range is
and q is an even number and is not equal to 2.
With reference to the fourth aspect, it may be pointed out that the vector obtaining module in the apparatus includes a temporary private key obtaining unit configured to obtain a temporary public key xA according to system parameters a and fA using a formula xA=a·rA+fA∈Rq, a calculation unit configured to obtain d and e according to the long-term public key PB and the temporary public key xA that correspond to the first user equipment, the temporary private key yB, identity information B corresponding to the first user equipment, and identity information A corresponding to the session key negotiation apparatus using formulas d=H(xA,B) and e=H(yB,A) respectively, and a vector obtaining unit configured to obtain the vector σA according to the long-term private key sA corresponding to the session key negotiation apparatus, the long-term public key PB and the temporary private key yB that correspond to the first user equipment, d, and e using a formula σA=g·(yB+d·PB)·(rA+e·sA)∈R, where a∈Rq=ℤq[ζm], rA←χ, fA←χ, g is a system parameter, and g∈R, R is a cyclotomic ring, and Rq is a quotient ring defined on
and m is a positive integer.
With reference to the fourth aspect, optionally, the apparatus further includes a long-term public key obtaining module configured to obtain a long-term public key PA corresponding to the second user equipment according to s1 and e1 using a formula PA=a·s1+e1∈Rq, where the transceiver module is further configured to send a registration request carrying the long-term public key PA to an authentication center such that when authenticating, according to the registration request, that PA≠0, the authentication center obtains bc, [v]2, and v2 according to s, e, and e′ using formulas bc=a·s+e and v=g·b·s+e′, and returns bc and v2 to the session key negotiation apparatus, and a calculation module configured to obtain w according to the received bc and v2 using formulas u=g·bc·s1 and w=rec(u,v2), where the transceiver module is further configured to send w to the authentication center such that when authenticating that w=[v]2, the authentication center sends a second certificate CertA to the session key negotiation apparatus, to certify that the session key negotiation apparatus owns the long-term public key PA, where s1, e1←χ, s, e, and e′←χ.
A fifth aspect of the present disclosure provides a session key negotiation system, including first user equipment and second user equipment that performs session negotiation with the first user equipment, where the first user equipment is the session key negotiation apparatus described in the third aspect, and the second user equipment is the session key negotiation apparatus described in the fourth aspect.
With reference to the fifth aspect, it may be understood that the first user equipment and the second user equipment in the system are in a distributed network environment.
In the session key negotiation method, apparatus, and system in the embodiments of the present disclosure, the first user equipment obtains the vector σB according to the long-term private key sB and the temporary private key yB that correspond to the first user equipment and the received long-term public key PA and temporary public key xA that correspond to the second user equipment performing session negotiation with the first user equipment, obtains the semaphore vB according to the vector σB using a randomized function and a cross-rounding function, and calculates and obtains the session key K according to the semaphore vB using a modulo-2 rounding function. If x∈ℤq is randomly uniform, the modulo-2 rounding function [x]2 is uniformly distributed on ℤ2, thereby effectively ensuring security of the session key. In addition, because q is an even number, the problems in the other approaches that the traffic and calculation costs are increased are further effectively resolved.
To describe the technical solutions in the embodiments of the present disclosure more clearly, the following briefly describes the accompanying drawings required for describing the embodiments or the other approaches. The accompanying drawings in the following description show some embodiments of the present disclosure, and persons of ordinary skill in the art may still derive other drawings from these accompanying drawings without creative efforts.
To make the objectives, technical solutions, and advantages of the embodiments of the present disclosure clearer, the following clearly describes the technical solutions in the embodiments of the present disclosure with reference to the accompanying drawings in the embodiments of the present disclosure. The described embodiments are some but not all of the embodiments of the present disclosure. All other embodiments obtained by persons of ordinary skill in the art based on the embodiments of the present disclosure without creative efforts shall fall within the protection scope of the present disclosure.
In the present disclosure, a current protocol is constructed on a quotient ring Rq of a cyclotomic ring
System parameters are further described as follows: m is a positive integer, and describes a regulation of the m-order cyclotomic ring
and a degree of Φm(x) is n=φ(m), q is an odd prime: gcd(q,m)=1, g=Πp(1−ζp), and p traverses all odd primes that divide m, [ψ] is a discrete Gaussian distribution on an algebraic number field K, and
H(⋅):{0,1}*→R: any string is mapped to an element that satisfies the discrete Gaussian distribution χ=[ψ] and that is located on R=ℤ[ζm], and a∈Rq=ℤq[ζm] is a global public parameter.
In addition, each of the first user equipment 11 and the second user equipment 12 is identified using a pair of a long-term public key and a long-term private key. A generation manner is simply described as follows. Using the second user equipment 12 as an example, the second user equipment 12 samples sA←χ and eA←χ, where eA is a noise vector, and uses sA∈Rq as a long-term private key of the second user equipment, calculates PA=a·sA+eA∈Rq, and uses PA=a·sA+eA∈Rq as a long-term public key of the second user equipment. It is assumed that a session key K to be negotiated between the first user equipment 11 and the second user equipment 12 may be K=SKAB.
Step 101. First user equipment receives a long-term public key PA and a temporary public key xA that correspond to second user equipment performing session negotiation with the first user equipment.
Step 102. The first user equipment obtains a vector σB according to a long-term private key sB and a temporary private key yB that correspond to the first user equipment, the long-term public key PA, and the temporary public key xA.
In this embodiment, session key negotiation between the first user equipment and the second user equipment is performed in a distributed network environment.
Step 103. The first user equipment obtains σ̄B using a formula (1):
σ̄B=dbl(σB) (1)
In this embodiment, dbl represents a randomized function.
Step 104. The first user equipment obtains a semaphore vB according to
vB=
In this embodiment, vB is a “semaphore” obtained after
With reference to definitions of the following modulo-2 rounding function and cross-rounding function, a relationship between an interval of x∈ℤq and a value of ⟨x⟩2 is as follows:
In addition, for an even number q, if x∈ℤq is randomly uniform and ⟨x⟩2 is given, [x]2 is evenly distributed on ℤ2={0,1}. That is, for evenly distributed x∈ℤq, ⟨x⟩2=b is given. In this case, a probability of [x]2=b and a probability of [x]2=1−b are both 1/2. That is, given ⟨x⟩2=b, if x∈ℤq is not leaked, [x]2 is secure in terms of information theory.
Step 105. The first user equipment obtains a session key K according to the semaphore vB using a formula (3):
Furthermore, q is an even number and is not equal to 2.
In this embodiment, a modulo-2 rounding function [ ]2: ℤq→ℤ2 is defined as
For x∈ℤq, an absolute minimum complete residue system
of ℤq is used, and q is an even number and is not 2:
(1). I0={0,1,2,…,[q/4]−1}, I1={−[q/4],…,−1} mod q, and I0∪I1 enables [x]2=0; and
(2).
includes all elements that enable [x]2=1.
In this embodiment, the first user equipment obtains the vector σB according to the long-term private key sB and the temporary private key yB that correspond to the first user equipment and the received long-term public key PA and temporary public key xA that correspond to the second user equipment performing session negotiation with the first user equipment, obtains the semaphore vB according to the vector σB using the randomized function and the cross-rounding function, and obtains the session key K according to the semaphore vB using the modulo-2 rounding function. Because x∈ℤq is randomly uniform, the modulo-2 rounding function [x]2 is uniformly distributed on ℤ2, thereby effectively ensuring security of the session key. In addition, because q is an even number, problems in the other approaches that traffic and calculation costs are increased are further effectively resolved.
The following describes, in detail using several specific embodiments, the technical solution of the method embodiment shown in
Step 201. Perform the following operation according to system parameters a and fB using a formula (4): obtaining the temporary private key yB.
yB=a·rB+fB∈Rq (4)
Step 202. Perform the following operation according to the temporary public key xA corresponding to the second user equipment, the temporary private key yB corresponding to the first user equipment, identity information B corresponding to the first user equipment, and identity information A corresponding to the second user equipment using formulas (5) and (6): respectively obtaining d and e.
d=H(xA,B) (5)
e=H(yB,A) (6)
In this embodiment, each of the identity information A and the identity information B may represent a bit string that is coded as 0 and 1 by an authentication center, such as an identity card number or fingerprint information.
Step 203. Perform the following operation according to the long-term private key sB and the temporary private key rB that correspond to the first user equipment, the long-term public key PA and the temporary public key xA that correspond to the second user equipment, d, and e using a formula (7): obtaining σB.
σB=g·(xA+d·PA)·(rB+e·sB)∈Rq (7)
Furthermore, a∈Rq=ℤq[ζm], rB←χ, fB←χ, g is a system parameter, and g∈R, R is a cyclotomic ring, and Rq is a quotient ring defined on
In addition, m is a positive integer, and describes a regulation of the m-order cyclotomic ring
and the degree of Φm(x) is n=φ(m). gcd(q,m)=1, g=Πp(1−ζp), and p traverses all odd primes that divide m. [ψ] is a discrete Gaussian distribution on an algebraic number field K, and
H(·):{0,1}*→R represents that any string is mapped to an element that satisfies the discrete Gaussian distribution χ=[ψ] and that is located on R=ℤ[ζm]. a∈Rq=ℤq[ζm] represents a global public parameter.
In this embodiment, in a case of a general cyclotomic polynomial ring, a decoding basis (a dual of a conjugate of a powerful basis) is used to represent an element on a ring R and is used for calculation such that a relatively small element representation and calculation cost can be obtained.
Step 301. The first user equipment performs the following operation according to s1 and e1 using a formula (8): obtaining a long-term public key PB corresponding to the first user equipment.
PB=a·s1+e1∈Rq (8)
Step 302. The first user equipment sends a registration request carrying the long-term public key PB to the authentication center such that when authenticating, according to the registration request, that the long-term public key PB≠0, the authentication center performs the following operations according to s, e, and e′ using formulas (9) and (10): obtaining bc, [v]2, and v2, and returning bc and v2 to the first user equipment.
bc=a·s+e (9)
v=g·b·s+e′ (10)
Step 303. The first user equipment performs the following operations according to the received bc and v2 using formulas (11) and (12): obtaining w, and sending w to the authentication center such that when authenticating that w=[v]2, the authentication center sends a first certificate CertB to the first user equipment, to certify that the first user equipment owns the long-term public key PB.
u=g·bc·s1 (11)
w=rec(u,v2) (12)
s1, e1←χ, s, e, and e′←χ.
Because long-term public keys of two user equipments performing negotiation can be authenticated, it is ensured that the second user equipment determines that it is the first user equipment that performs key negotiation with the second user equipment, thereby ensuring security of key negotiation.
Still further, after step 105, the method may further include the following step.
Step 304. The first user equipment sends the long-term public key PB, the temporary private key yB, and the semaphore vB of the first user equipment to the second user equipment such that the second user equipment obtains the session key K within a preset error range according to a long-term private key sA and the temporary private key rA that correspond to the second user equipment, the long-term public key PB, the temporary private key yB, and the semaphore vB.
The preset error range is
Step 401. Second user equipment receives a long-term public key PB, a semaphore vB, and a temporary private key yB that are of first user equipment performing session negotiation with the second user equipment and that are sent by the first user equipment.
In this embodiment, session key negotiation between the first user equipment and the second user equipment is performed in a distributed network environment. The first user equipment may perform the technical solution of the method shown in any one of
Step 402. The second user equipment obtains a vector σA according to a long-term private key sA and a temporary private key xA that correspond to the second user equipment, the long-term public key PB, and the temporary private key yB.
Step 403. The second user equipment performs the following operation within a preset error range according to the vector σA and the semaphore vB using a formula (13): obtaining a session key K corresponding to the second user equipment.
K=rec(σA,vB) (13)
The preset error range is
and q is an even number and is not equal to 2.
In this embodiment, the first user equipment participating in the key negotiation publicly transmits the long-term public key PB, the semaphore vB, and the temporary private key yB, and the second user equipment participating in the key negotiation receives the long-term public key PB, the semaphore vB, and the temporary private key yB, and obtains the session key K corresponding to the second user equipment using the formula K=rec(σA,vB) according to the vector σA calculated and obtained according to its own long-term private key sA and temporary private key xA such that two parties of the key negotiation obtain the key K that is evenly distributed on {0,1} in terms of information theory, thereby ensuring security of the session key. In addition, because q is an even number, the problems in the other approaches that traffic and calculation costs are increased are further effectively resolved.
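As an added worked example (not code from the patent), the following Python implements the modulo-2 rounding [x]2 by the interval definition given above, together with a cross-rounding ⟨x⟩2, the doubling function dbl of step 103 and the reconciliation rec of formula (13) in the Peikert style (their formula images are missing from the page, so those three definitions are assumptions), and runs them coefficient by coefficient over the background section's ring-LWE exchange bA=a·sA+eA, bB=a·sB+eB so that the two parties' key bits agree. The ring ℤq[x]/(xⁿ+1) (the cyclotomic ring ℤ[ζm] for m=2n a power of two), the ternary error distribution and q=1024 are constructed choices; the authenticated values σA and σB of formulas (7) and (17) would feed the same reconciliation step.

```python
"""Constructed example, not the patent's code: the page's modulo-2 rounding
[x]_2, plus cross-rounding <x>_2, randomized doubling dbl and rec(w, b) in the
Peikert style (assumed definitions, since the page's formula images are
missing), run on the background section's exchange b_A = a*s_A + e_A,
b_B = a*s_B + e_B in Z_q[x]/(x^n + 1) (= Z[zeta_m] for m = 2n a power of two)."""
import random

Q = 1024   # even modulus, not 2 (a multiple of 4, so floor(q/4) == round(q/4))
N = 8      # ring degree n = phi(m) with m = 16


def round2(x, q):
    """[x]_2 by the page's intervals: I0 = {0..q/4-1}, I1 = {-q/4..-1} mod q -> 0."""
    x %= q
    q4 = q // 4
    return 0 if (x < q4 or x >= q - q4) else 1


def cross_round2(x, q):
    """<x>_2 = floor(4x/q) mod 2 (assumed definition)."""
    return (4 * (x % q) // q) % 2


def dbl(v, q, rng, ebar=None):
    """dbl: Z_q -> Z_2q, v -> 2v - ebar, ebar in {-1,0,1} w.p. 1/4,1/2,1/4 (assumed)."""
    if ebar is None:
        ebar = rng.choice((-1, 0, 0, 1))
    return (2 * v - ebar) % (2 * q)


def rec(w, b, q):
    """rec(w, b) = 0 iff w in I_b + E (mod q), E = [-q/8, q/8); else 1 (assumed).
    I_b + E is one cyclic interval, so membership is a single modular test."""
    q4, q8 = q // 4, q // 8
    lo = -q8 if b == 0 else q - q4 - q8   # smallest element of I_b + E
    return 0 if (w - lo) % q <= q4 + 2 * q8 - 2 else 1


def poly_mul(f, g, q):
    """Multiply in Z_q[x]/(x^n + 1): x^n wraps around with a sign flip."""
    n, out = len(f), [0] * len(f)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < n:
                out[i + j] += fi * gj
            else:
                out[i + j - n] -= fi * gj
    return [c % q for c in out]


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def agree(seed, q=Q, n=N):
    """Background-section exchange, then bit-wise reconciliation (steps 103-105
    on B's side, step 403 on A's).  Returns (K_B, K_A, max |sigma_A - sigma_B|).
    Toy chi: ternary coefficients, so |s_A*e_B - s_B*e_A| <= 2n < q/8 always."""
    rng = random.Random(seed)
    small = lambda: [rng.choice((-1, 0, 1)) for _ in range(n)]
    a = [rng.randrange(q) for _ in range(n)]                 # public parameter
    sA, eA, sB, eB = small(), small(), small(), small()      # <- chi
    bA = [(x + y) % q for x, y in zip(poly_mul(a, sA, q), eA)]  # a*s_A + e_A
    bB = [(x + y) % q for x, y in zip(poly_mul(a, sB, q), eB)]  # a*s_B + e_B
    sigmaB = poly_mul(sB, bA, q)   # s_B*b_A = s_B*a*s_A + s_B*e_A
    sigmaA = poly_mul(sA, bB, q)   # s_A*b_B = s_A*a*s_B + s_A*e_B
    kB, kA = [], []
    for cB, cA in zip(sigmaB, sigmaA):
        dB = dbl(cB, q, rng)                  # B: sigma-bar = dbl(sigma_B)
        vB = cross_round2(dB, 2 * q)          # B: semaphore v_B, sent to A
        kB.append(round2(dB, 2 * q))          # B: K_B = [sigma-bar]_2
        kA.append(rec(2 * cA, vB, 2 * q))     # A: K_A = rec(2*sigma_A, v_B)
    err = max(abs(centered(x - y, q)) for x, y in zip(sigmaA, sigmaB))
    return kB, kA, err


def reconciliation_exact(q):
    """rec(v + e, <v>_2) == [v]_2 for every v in Z_q and every |e| < q/8."""
    q8 = q // 8
    return all(rec(v + e, cross_round2(v, q), q) == round2(v, q)
               for v in range(q) for e in range(1 - q8, q8))


def round2_balanced(q):
    """The page's claim: for even q, each (<x>_2, [x]_2) pair occurs q/4 times,
    so the semaphore reveals nothing about the key bit."""
    counts = {}
    for x in range(q):
        key = (cross_round2(x, q), round2(x, q))
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.values()) == [q // 4] * 4


if __name__ == "__main__":
    kB, kA, err = agree(seed=7)
    print("K_B =", kB, "\nK_A =", kA, "\nmatch:", kA == kB, "max error:", err)
    print("rec exact for |e| < q/8:", reconciliation_exact(Q))
    print("[x]_2 balanced given <x>_2:", round2_balanced(Q))
```

The exhaustive checks are what a reviewer would want before trusting a rounding definition: the first confirms the error tolerance the reconciliation step relies on, the second the uniformity claim made for even q.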
Step 501. The second user equipment performs the following operation according to system parameters a and fA using a formula (14): obtaining the temporary public key xA.
xA=a·rA+fA∈Rq (14)
Step 502. The second user equipment performs the following operation according to the temporary private key xA corresponding to the first user equipment, the temporary private key yB, identity information B corresponding to the first user equipment, and identity information A corresponding to the second user equipment using formulas (15) and (16): respectively obtaining d and e.
d=H(xA,B) (15)
e=H(yB,A) (16)
Step 503. The second user equipment performs the following operation according to the long-term private key sA corresponding to the second user equipment, the long-term public key PB and the temporary private key yB that correspond to the first user equipment, d, and e using a formula (17): obtaining the vector σA.
σA=g·(yB+d·PB)·(rA+e·sA)∈Rq (17)
Furthermore, a∈Rq=ℤq[ζm], rA←χ, fA←χ, g is a system parameter, and g∈R, R is a cyclotomic ring, and Rq is a quotient ring defined on
and m is a positive integer.
In this embodiment, in a case of a general cyclotomic polynomial ring, a decoding basis (a dual of a conjugate of a powerful basis) is used to represent an element on a ring R and is used for calculation such that a relatively small element representation and calculation cost can be obtained.
Step 601. The second user equipment performs the following operation according to s1 and e1 using a formula (18): obtaining a long-term public key PA corresponding to the second user equipment.
PA=a·s1+e1∈Rq (18)
Step 602. The second user equipment sends a registration request carrying the long-term public key PA to an authentication center such that when authenticating, according to the registration request, that PA≠0, the authentication center performs the following operations according to s, e, and e′ using formulas (19) and (20): obtaining bc, [v]2, and v2, and returning bc and v2 to the second user equipment.
bc=a·s+e (19)
v=g·b·s+e′ (20)
Step 603. The second user equipment performs the following operation according to the received bc and v2 using formulas (21) and (22): obtaining w, and sending w to the authentication center such that when authenticating that w=[v]2, the authentication center sends a second certificate CertA to the second user equipment, to certify that the second user equipment owns the long-term public key PA.
u=g·bc·s1 (21)
w=rec(u,v2) (22)
Further, s1, e1←χ, s, e, and e′←χ.
In this embodiment, because long-term public keys of two user equipments performing negotiation can be authenticated, it is ensured that the first user equipment determines that it is the second user equipment that performs key negotiation with the first user equipment, thereby ensuring security of key negotiation.
where q is an even number and is not equal to 2.
The apparatus in this embodiment may be the first user equipment, and is configured to perform the technical solution of the method embodiment shown in
a∈Rq=ℤq[ζm], rB←χ, fB←χ, g is a system parameter, and g∈R, R is a cyclotomic ring, and Rq is a quotient ring defined on
and m is a positive integer.
The apparatus in this embodiment may be configured to perform the technical solution of the method embodiment shown in
Further, the transceiver module 21 is further configured to send the long-term public key PB, the temporary private key yB, and the semaphore vB of the session key negotiation apparatus to the second user equipment such that the second user equipment obtains the session key K within a preset error range according to a long-term private key sA and the temporary private key rA that correspond to the second user equipment, the long-term public key PB, the temporary private key yB, and the semaphore vB.
The preset error range is
The apparatus in this embodiment may be configured to perform the technical solution of the method embodiment shown in
The preset error range is
and q is an even number and is not equal to 2.
The apparatus in this embodiment may be the second user equipment, and is configured to perform the technical solution of the method embodiment shown in
and m is a positive integer.
The apparatus in this embodiment may be configured to perform the technical solution of the method embodiment shown in
The apparatus in this embodiment may be configured to perform the technical solution of the method embodiment shown in
The present disclosure further provides a session key negotiation system. The system includes first user equipment and second user equipment that performs session negotiation with the first user equipment. The first user equipment is configured to perform the technical solutions of the method embodiment shown in any one of
The present disclosure further provides a session key negotiation apparatus. The apparatus includes a processor, a memory, and a communications interface. The memory is configured to store executable program code. The processor reads the executable program code stored in the memory, to run a program corresponding to the executable program code.
The communications interface receives a long-term public key PA and a temporary public key xA that correspond to second user equipment performing session negotiation with the session key negotiation apparatus.
The processor obtains a vector σB according to a long-term private key sB and a temporary private key yB that correspond to the session key negotiation apparatus, the long-term public key PA, and the temporary public key xA, obtains
where q is an even number and is not equal to 2.
In this embodiment, the session key negotiation apparatus is the first user equipment, and is configured to perform the technical solution of the method embodiment shown in any one of
The present disclosure further provides a session key negotiation apparatus. The apparatus includes a processor, a memory, and a communications interface. The memory is configured to store executable program code. The processor reads the executable program code stored in the memory, to run a program corresponding to the executable program code.
The communications interface receives a long-term public key PB, a semaphore vB, and a temporary private key yB that are of first user equipment performing session negotiation with the session key negotiation apparatus and that are sent by the first user equipment.
The processor obtains a vector σA according to a long-term private key sA and a temporary private key xA that correspond to the session key negotiation apparatus, the long-term public key PB, and the temporary private key yB, and obtains a session key K corresponding to the session key negotiation apparatus within a preset error range according to the vector σA and the semaphore vB using a formula K=rec(σA,vB), where the preset error range is
and q is an even number and is not equal to 2.
In this embodiment, the session key negotiation apparatus is the second user equipment, and is configured to perform the technical solution of the method embodiment shown in any one of
The user equipment may be a terminal device, such as a mobile phone, a tablet computer, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, or a personal digital assistant (PDA). This embodiment of the present disclosure is described using an example in which the user equipment is a mobile phone.
As shown in
The following further describes, with reference to
The RF circuit 1520 may be configured to receive and send signals during an information receiving and sending process or a call process. Particularly, the RF circuit 1520 receives downlink information from a base station, then sends the downlink information to the processor 1580 for processing, and sends uplink data to the base station. Generally, the RF circuit includes but is not limited to an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), and a duplexer. In addition, the RF circuit 1520 may further communicate with a network and another device by means of wireless communication. The wireless communication may comply with any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband CDMA (WCDMA), Long Term Evolution (LTE), e-mail, and short messaging service (SMS).
The memory 1530 may be configured to store a software program and a module, and the processor 1580 runs the software program and the module that are stored in the memory 1530, to perform various function applications and data processing of the mobile phone 1500. The memory 1530 may mainly include a program storage area and a data storage area. The program storage area may store an operating system, an application required by at least one function (such as a sound playback function and an image play function), and the like. The data storage area may store data (such as audio data, image data, and an address book) created according to use of the mobile phone 1500. In addition, the memory 1530 may include a high-speed random access memory, and may further include a non-volatile memory, for example, at least one magnetic disk storage device, a flash memory, or another non-volatile solid state storage device.
The input unit 1540 may be configured to receive input digit or character information, and generate keyboard signal input related to user settings and function control of the mobile phone 1500. Further, the input unit 1540 may include a touchscreen 1541 and an input device 1542. The touchscreen 1541, also referred to as a touch panel, may collect a touch operation of a user on or near the touchscreen 1541 (such as an operation performed using any suitable object or accessory such as a finger or a stylus), and drive a corresponding connection apparatus according to a preset program. Optionally, the touchscreen 1541 may include a touch detection apparatus and a touch controller. The touch detection apparatus detects a touch position of the user, detects a signal generated by the touch operation, and sends the signal to the touch controller. The touch controller receives touch information from the touch detection apparatus, converts the touch information into touch point coordinates, and sends the touch point coordinates to the processor 1580. Moreover, the touch controller can receive a command from the processor 1580 and execute the command. In addition, the touchscreen 1541 may be a resistive touchscreen, a capacitive touchscreen, an infrared touchscreen, a surface acoustic wave touchscreen, or the like. In addition to the touchscreen 1541, the input unit 1540 may further include the input device 1542. Further, the input device 1542 may include but is not limited to one or more of a physical keyboard, a function key (such as a volume control key or a power switch key), a track ball, a mouse, or a joystick.
The display unit 1550 may be configured to display information entered by the user or information provided for the user, and various menus of the mobile phone 1500. The display unit 1550 may include a display panel 1551. Optionally, the display panel 1551 may be configured using a liquid crystal display (LCD), an organic light-emitting diode (OLED), or the like. Further, the touchscreen 1541 may cover the display panel 1551. After detecting a touch operation on or near the touchscreen 1541, the touchscreen 1541 sends the touch operation to the processor 1580, to determine a type of a touch event. Then, the processor 1580 provides corresponding visual output on the display panel 1551 according to the type of the touch event. Although in
The gravity sensor 1560 may detect the magnitude of acceleration of the mobile phone in various directions (generally on three axes), may detect the magnitude and direction of gravity when static, and may be applied to an application that recognizes an attitude of the mobile phone (for example, switching between landscape orientation and portrait orientation, a related game, and magnetometer attitude calibration), a function related to vibration recognition (such as a pedometer and a knock), and the like.
The mobile phone 1500 may include another sensor, for example, an optical sensor. Further, the optical sensor may include an ambient light sensor and an optical proximity sensor. The ambient light sensor may adjust luminance of the display panel 1551 according to brightness of the ambient light. The optical proximity sensor may detect whether an object approaches or touches the mobile phone, and may switch off the display panel 1551 and/or backlight when the mobile phone 1500 is moved to the ear. Another sensor, such as a gyroscope, a barometer, a hygrometer, a thermometer, or an infrared sensor, may be configured in the mobile phone 1500, and details are not described herein again.
The audio frequency circuit 1570, a loudspeaker 1571, and a microphone 1572 may provide an audio interface between the user and the mobile phone 1500. The audio frequency circuit 1570 may convert received audio data into an electrical signal and transmit the electrical signal to the loudspeaker 1571. The loudspeaker 1571 converts the electrical signal into a sound signal and outputs the sound signal. In another aspect, the microphone 1572 converts a collected sound signal into an electrical signal; the audio frequency circuit 1570 receives the electrical signal, converts it into audio data, and outputs the audio data to the RF circuit 1520 such that the RF circuit 1520 sends the audio data to another mobile phone, or transmits the audio data to the memory 1530 for further processing.
The processor 1580 is a control center of the mobile phone 1500, connects all parts of the mobile phone using various interfaces and lines, and performs various functions of the mobile phone 1500 and processes data by running or performing the software program and/or the module stored in the memory 1530 and invoking data stored in the memory 1530, to perform overall monitoring on the mobile phone. Optionally, the processor 1580 may include one or more processing units. Preferably, the processor 1580 may integrate an application processor and a modem processor. The application processor mainly processes an operating system, a user interface, an application program, and the like. The modem processor mainly processes radio communication. It may be understood that the modem processor may not be integrated into the processor 1580.
The mobile phone 1500 further includes a power supply 1590 (for example, a battery) that supplies power to the components. Preferably, the power supply may connect to the processor 1580 logically using a power management system, to manage functions such as charging, discharging, and power consumption management using the power management system.
Although not shown, the mobile phone 1500 may further include a WI-FI module, a BLUETOOTH module, and the like. Details are not described herein.
In this embodiment of the present disclosure, the memory 1530 is further configured to store executable program code. The input unit 1540 is further configured to receive a long-term public key PA and a temporary public key xA that correspond to second user equipment performing session negotiation with the session key negotiation apparatus. The processor 1580 is further configured to obtain a vector σB according to a long-term private key sB and a temporary private key yB that correspond to the session key negotiation apparatus, the long-term public key PA, and the temporary public key xA, obtain
where q is an even number and is not equal to 2.
Alternatively, in this embodiment of the present disclosure, the memory 1530 is further configured to store executable program code. The input unit 1540 is further configured to receive a long-term public key PB, a semaphore vB, and a temporary private key yB that are of first user equipment performing session negotiation with the session key negotiation apparatus and that are sent by the first user equipment. The processor 1580 is further configured to obtain a vector σA according to a long-term private key sA and a temporary private key xA that correspond to the session key negotiation apparatus, the long-term public key PB, and the temporary private key yB, and obtain a session key K corresponding to the session key negotiation apparatus within a preset error range according to the vector σA and the semaphore vB using a formula K=rec(σA,vB), where the preset error range is
and q is an even number and is not equal to 2.
Persons of ordinary skill in the art may understand that all or some of the steps of the method embodiments may be implemented by a program instructing relevant hardware. The program may be stored in a computer-readable storage medium. When the program runs, the steps of the method embodiments are performed. The foregoing storage medium includes any medium that can store program code, such as a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
Finally, it should be noted that the foregoing embodiments are merely intended for describing the technical solutions of the present disclosure, but not for limiting the present disclosure. Although the present disclosure is described in detail with reference to the foregoing embodiments, persons of ordinary skill in the art should understand that they may still make modifications to the technical solutions described in the foregoing embodiments or make equivalent replacements to some or all technical features thereof, without departing from the scope of the technical solutions of the embodiments of the present disclosure.
Number | Date | Country | Kind |
---|---|---|---|
201610079672.5 | Feb 2016 | CN | national |
This application is a continuation of International Patent Application No. PCT/CN2017/070797 filed on Jan. 10, 2017, which claims priority to Chinese Patent Application No. 201610079672.5 filed on Feb. 4, 2016. The disclosures of the aforementioned applications are hereby incorporated by reference in their entireties.
Relation | Number | Date | Country |
---|---|---|---|
Parent | PCT/CN2017/070797 | Jan 2017 | US |
Child | 16055660 | | US |