2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
In the networked information world, an identity is an identifier that distinguishes one individual from all others, so it must be unique. Uniqueness always holds within some scope: a phone number is unique within one area, and the same number may exist in another area, but adding the area code makes it unique again. An identity in the network environment can identify not only a person but also a machine, an object, or even a virtual thing (such as a process or a session). An identity in the network environment is therefore a string that uniquely identifies a thing or a person within a certain scope.
I. Overview of identity authentication
Authentication in the network environment is not an examination of something's qualifications but a confirmation of its authenticity. In short, identity authentication determines who the individual at the other end of the communication is (a person, a thing, or a virtual process).
So how do you know who is at the other end of the communication? Communication protocols usually require the communicating parties to transmit identity information, but this information only identifies the sender and carries no guarantee that it is true, because it can be maliciously tampered with in transit. How, then, can identity information be protected against tampering in transit? In fact, malicious tampering cannot be ruled out completely, especially for information sent over a public network such as the Internet. What can be achieved is that the receiver easily detects the tampering once it has happened.
To tell true from false, we must first "know" the true identity. An identity received over the network may belong to a stranger, so how can it be judged? One point needs to be made here: telling true from false requires trust. In the network environment, trust is not a belief in a person's reliability; it means holding important secret information of the authenticated party, such as key information. Suppose A and B have a shared key that both are confident in; however that key was established, mutual trust exists between them. If A is sure that it holds B's public key, A has established trust in B, but that does not mean B has established trust in A. It follows from this discussion that without an existing basis of trust, new trust cannot be established reliably over the network.
II. Identity authentication mechanism
The purpose of identity authentication is to establish the true identity of the other end of the communication and to prevent forgery and impersonation. The main technical means is cryptography, including symmetric encryption algorithms, public key cryptographic algorithms, digital signature algorithms and so on.
A symmetric encryption algorithm is a transformation based on Shannon's theory in which a key and the data are thoroughly confused and scrambled, so that unauthorized users cannot recover the original data without knowing the key. An encryption algorithm is almost always accompanied by a corresponding decryption algorithm, and both operate with the same symmetric key. Typical symmetric encryption algorithms include DES and AES.
A public key cryptographic algorithm requires two keys and two algorithms: the public key is used to encrypt a message, and the private key is used to decrypt the encrypted message. As the names suggest, the public key is made public, while the private key is held only by the legitimate user. Typical public key cryptographic algorithms include the RSA public key cryptographic algorithm and the Digital Signature Standard (DSS).
A digital signature is an application of public key cryptography. The user signs a message with his own private key, and the verifier checks the signature with the signer's public key. As a result, only the holder of the legitimate private key can produce the signature (unforgeability), and anyone who has the user's public key can verify it (verifiability).
The means of authentication differ according to the object being authenticated, and for each kind of object there are many methods. If the authenticated object is a person, three types of information can be used: (1) what you know, usually a password; (2) what you have, such as a password book, password card, dynamic password generator or U shield (a USB token); (3) what you are, such as fingerprint, iris, handwriting or voice features. In general, authenticating a person requires only one type of information, such as a password (often used to log on to a website), a fingerprint (commonly used to log on to a computer or an access control device) or a U shield (often used in online financial services), while the user's identity information is the account name. In some special application areas, such as those involving financial transactions, more than one method may be used, for example a password together with a U shield; this kind of authentication is called multi-factor authentication.
If the authenticated object is a general device, a "challenge-response" mechanism is usually used: the authenticator issues a challenge, the authenticated party responds, and the authenticator checks the response; if the response meets the requirements, authentication succeeds, otherwise it is refused. Authentication in mobile communication systems is a typical case of device authentication, where the device identity is carried by a phone card (SIM or USIM card) and the authentication procedure depends on the network. The GSM and 3G procedures differ considerably, and the LTE procedure differs from both, but all of them use the "challenge-response" mechanism.
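The challenge-response exchange described above, as an added Python example that is not part of the original article. It assumes HMAC-SHA256 over a pre-shared key as the response function (GSM, 3G and LTE each define their own algorithms), and the device names and keys are constructed.

```python
import hashlib
import hmac
import secrets


def respond(key: bytes, identity: bytes, nonce: bytes) -> bytes:
    """Device side: prove possession of the key without transmitting it."""
    # Length-prefix the identity so identity||nonce cannot be re-split.
    msg = len(identity).to_bytes(2, "big") + identity + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Authenticator side: holds pre-shared keys and issues challenges."""
    def __init__(self, keys: dict):
        self.keys = keys      # identity -> pre-shared key (the trust basis)
        self.pending = {}     # identity -> outstanding nonce

    def challenge(self, identity: bytes) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh and unpredictable
        self.pending[identity] = nonce
        return nonce

    def check(self, identity: bytes, response: bytes) -> bool:
        nonce = self.pending.pop(identity, None)   # single use: no replay
        key = self.keys.get(identity)
        if nonce is None or key is None:
            return False
        expected = respond(key, identity, nonce)
        return hmac.compare_digest(expected, response)  # constant time


def demo() -> dict:
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed
    v = Verifier({b"device-A": key_a, b"device-B": key_b})
    out = {}
    resp = respond(key_a, b"device-A", v.challenge(b"device-A"))
    out["genuine"] = v.check(b"device-A", resp)
    out["replay"] = v.check(b"device-A", resp)        # nonce already consumed
    # Identity rewritten to device-B: the response is bound to A's key and name.
    resp = respond(key_a, b"device-A", v.challenge(b"device-B"))
    out["identity_changed"] = v.check(b"device-B", resp)
    resp = respond(bytes(32), b"device-A", v.challenge(b"device-A"))
    out["wrong_key"] = v.check(b"device-A", resp)
    return out


if __name__ == "__main__":
    print(demo())
```

Because the identity is part of the keyed input, a changed identity field is detected by the receiver rather than prevented in transit, which is the property the overview section asks for.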
In Internet of Things applications, some sensing terminal nodes have limited computing, storage and communication resources, so implementing the "challenge-response" mechanism may be too costly. In this case lightweight authentication is required. To distinguish it from the authentication of people and of equipment, this lightweight authentication is called object authentication. In fact, "authentication of things" is not a strictly accurate description, because technically it is authentication of the data source.
III. Authentication of "people"
When people carry out activities on the network, they usually need to log in to a business platform, which requires identity authentication. Identity authentication is mainly achieved through one or a combination of the following three basic ways: what you know, knowledge that the individual knows or has mastered, such as passwords; what you have, things that the individual owns, such as × ×, passports, credit cards, keys or certificates; and what you are, the individual's biological characteristics, such as fingerprints, palm prints, voice prints, face shape, DNA and retina.