Security access gateway and identity authentication method

Document No.: 1712300    Published: 2019-12-13

Reading note: This technology, 一种安全接入网关及身份鉴别方法 (Security access gateway and identity authentication method), was designed and created by 屠一凡, 纪晨熹, 渠海龙, 焦雄飞, 申鹏, 蔡蓬勃 and 荆鑫 on 2019-09-29. Main content: The invention belongs to the technical field of gateways and specifically relates to a security access gateway and an identity authentication method. The gateway comprises an external host, a key host, an isolation host and an internal host. The external host comprises a first identity authentication unit, an access control unit, a protocol analysis unit, a data security check unit and a data ferrying unit; the isolation host comprises a second identity authentication unit and a data isolation unit; the internal host comprises a third identity authentication unit and a data transmission unit. The invention has the advantages of high security, higher efficiency and greater convenience.

1. A secure access gateway, the gateway comprising an external host, a key host, an isolation host and an internal host, wherein the key host comprises a random number selection subunit, a base number generation subunit, a pairing logarithm calculation subunit and a parameter setting subunit; the random number selection subunit is configured to select an element from the plurality of elements of the cyclic group S as a random number O; the base number generation subunit is configured to map the random number O selected by the random number selection subunit using a plurality of mappings, so as to calculate a plurality of base numbers; the pairing logarithm calculation subunit is configured to calculate the pairing values between the plurality of base numbers in the group S as a plurality of pairing logarithm coefficients H; the parameter setting subunit is configured to set the plurality of base numbers calculated by the base number generation subunit and the plurality of pairing logarithm coefficients H calculated by the pairing logarithm calculation subunit as the keys used for cryptographic operations; and the base number generation subunit applies a Gaussian sum operator $S_j$ to the random number O selected by the random number selection subunit to calculate the plurality of base numbers $S_j(O)$ at a plurality of arbitrary points on the extension field K, where j is an integer of 1 or more and 2O-1 or less.

2. The gateway of claim 1, wherein the external host comprises a first identity authentication unit, an access control unit, a protocol analysis unit, a data security check unit and a data ferrying unit; the isolation host comprises a second identity authentication unit and a data isolation unit; and the internal host comprises a third identity authentication unit and a data transmission unit; the key host generates three keys in each operation and sends them respectively to the external host, the isolation host and the internal host; the first, second and third identity authentication units each generate a password from the key they receive; the first identity authentication unit is in signal connection with the access control unit, the access control unit with the data security check unit, the data security check unit with the data ferrying unit, the data ferrying unit with the second identity authentication unit, the second identity authentication unit with the third identity authentication unit, and the third identity authentication unit with the data transmission unit; data passing through the gateway first reaches the external host; after the data has passed the authentication of the first identity authentication unit, that is, after the password has been verified, the access control unit sends the data to the protocol analysis unit, which performs protocol analysis on it; the data security check unit performs a data security check on the data; the checked data is sent to the isolation host through the data ferrying unit; on receiving the data, the isolation host performs the second identity authentication, and if the data fails the authentication of the second identity authentication unit, the isolation host sends it to the data isolation unit for isolation, whereas if it passes, the data is sent to the internal host; and the internal host performs the third identity authentication on the received data, the third identity authentication unit sends the data to the data transmission unit, and the data transmission unit sends the data onward.

3. The gateway of claim 2, wherein the plurality of mappings are given by the map $x_{n+1} = \mu x_n (1 - x_n)$, where $\mu$ is a control parameter with value range $0 < \mu \le 4$, $x_n$ is the random number before mapping and $x_{n+1}$ is the mapped random number.
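The map of claim 3 is the logistic map. The following is an added example, not code from the patent or its applicants: it iterates the map under the claim's parameter range and adds one check the claim does not mention. For $1 < \mu < 3$ every start value in (0, 1) converges to the fixed point $1 - 1/\mu$ (standard dynamics of this map), so a "plurality of base numbers" drawn from such a run are all nearly the same value; only the chaotic part of the range near $\mu = 4$ spreads the outputs. The function names and the convergence tolerance are this example's own.

```python
# Added example (not from the patent): the logistic map of claim 3,
# x_{n+1} = mu * x_n * (1 - x_n), iterated from a start value, plus a check
# for orbits that collapse to the fixed point 1 - 1/mu. Names are assumptions.
from __future__ import annotations


def logistic_step(x: float, mu: float) -> float:
    """One application of the mapping of claim 3, with the claim's 0 < mu <= 4 enforced."""
    if not (0.0 < mu <= 4.0):
        raise ValueError("control parameter mu must satisfy 0 < mu <= 4")
    if not (0.0 <= x <= 1.0):
        raise ValueError("x must lie in [0, 1] so that the map stays in [0, 1]")
    return mu * x * (1.0 - x)


def logistic_sequence(x0: float, mu: float, count: int) -> list[float]:
    """Return x_1 .. x_count obtained by repeatedly applying the map to x0."""
    seq: list[float] = []
    x = x0
    for _ in range(count):
        x = logistic_step(x, mu)
        seq.append(x)
    return seq


def settles_to_fixed_point(x0: float, mu: float, burn_in: int = 500, tol: float = 1e-9) -> bool:
    """True if the orbit has collapsed onto the map's fixed point 1 - 1/mu.

    For 1 < mu < 3 this happens for every x0 in (0, 1), so the values the map
    produces after a short burn-in are all (nearly) identical.
    """
    x_last = logistic_sequence(x0, mu, burn_in)[-1]
    return abs(x_last - (1.0 - 1.0 / mu)) < tol


if __name__ == "__main__":
    print("mu=2.5 collapses:", settles_to_fixed_point(0.2, 2.5))
    print("mu=3.9 collapses:", settles_to_fixed_point(0.2, 3.9))
```

The chaotic regime is still fully determined by `x0` and `mu`; whoever knows both reproduces every output, so the map spreads values but does not add secrecy beyond the seed.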

4. The gateway of claim 3, wherein the random number selection subunit selects the random number O from among the points of the hyperelliptic curve C: $Y^2 = X^w + 1$ over the finite field $F_p$, where w is a prime number with $w = 2O + 1$, and the remainder a obtained by dividing the order p by the prime w is a generator of the multiplicative group $F_w^{*}$ of the finite field $F_w$ of order w.
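Claim 4 imposes a parameter condition (the residue of p modulo w must generate $F_w^{*}$) and then draws a point on $Y^2 = X^w + 1$. The following is an added example, not code from the patent: it checks that condition, then picks X uniformly from $F_p$ and keeps it when $X^w + 1$ is a square, taking the square root with the Tonelli-Shanks algorithm. The function names, the trial-division primality test and the small demonstration parameters (w = 5, p = 13 or 23) are this example's own choices.

```python
# Added example (not from the patent): parameter check and random point
# selection on C: Y^2 = X^w + 1 over F_p as described in claim 4.
# Function names and test parameters are assumptions made for illustration.
from __future__ import annotations
import random


def is_prime(n: int) -> bool:
    """Trial division; adequate for the small parameters used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def prime_factors(n: int) -> set[int]:
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def generates_mult_group(a: int, w: int) -> bool:
    """a generates F_w^* (of order w-1) iff a^((w-1)/q) != 1 for every prime q | w-1."""
    a %= w
    if a == 0:
        return False
    return all(pow(a, (w - 1) // q, w) != 1 for q in prime_factors(w - 1))


def check_parameters(p: int, w: int) -> None:
    """Claim 4: p and w prime, and a = p mod w a generator of F_w^*."""
    if not (is_prime(p) and p > 2 and is_prime(w) and w > 2):
        raise ValueError("p and w must be odd primes")
    if not generates_mult_group(p % w, w):
        raise ValueError("p mod w does not generate the multiplicative group of F_w")


def sqrt_mod_prime(n: int, p: int) -> int | None:
    """Tonelli-Shanks: r with r^2 = n (mod p), or None if n is a non-residue."""
    n %= p
    if n == 0:
        return 0
    if pow(n, (p - 1) // 2, p) != 1:          # Euler criterion
        return None
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2                                     # any quadratic non-residue
    while pow(z, (p - 1) // 2, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def random_point(p: int, w: int, rng: random.Random) -> tuple[int, int]:
    """Draw X uniformly until X^w + 1 is a square in F_p, then return (X, Y) on C."""
    check_parameters(p, w)
    while True:
        x = rng.randrange(p)
        y = sqrt_mod_prime(pow(x, w, p) + 1, p)
        if y is not None:
            return x, y


def on_curve(pt: tuple[int, int], p: int, w: int) -> bool:
    x, y = pt
    return (y * y - pow(x, w, p) - 1) % p == 0


if __name__ == "__main__":
    print(random_point(23, 5, random.Random(1)))
```

For real use the random source would be `secrets.SystemRandom()` rather than a seeded `random.Random`; the seed here only makes the demonstration reproducible.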

5. The gateway of claim 4, wherein $S_j$ is obtained by the following formula: wherein P is the operator at the plurality of numbers of the arbitrary point corresponding to the operator on the hyperelliptic curve C in the extension field K, and is a w-th power root of 1.

6. An identity authentication method based on the gateway of any one of claims 1 to 5, the method comprising the steps of: data passing through the gateway first reaches the external host; after the data has passed the authentication of the first identity authentication unit, that is, after the password has been verified, the access control unit sends the data to the protocol analysis unit, which performs protocol analysis on it; the data security check unit performs a data security check on the data; the checked data is sent to the isolation host through the data ferrying unit; on receiving the data, the isolation host performs the second identity authentication, and if the data fails the authentication of the second identity authentication unit, the isolation host sends it to the data isolation unit for isolation, whereas if it passes, the data is sent to the internal host; and the internal host performs the third identity authentication on the received data, the third identity authentication unit sends the data to the data transmission unit, and the data transmission unit sends the data onward.

7. The method of claim 6, wherein the extension field K is an algebraic extension field obtained by extending the finite field $F_p$ to degree 2O, which the discrete logarithm calculation subunit computes on the basis of the remainder a; the discrete logarithm calculation subunit calculates a plurality of discrete logarithms $l_\kappa$ according to the following formula, wherein $\kappa$ is an integer of 1 or more and 2O-1 or less and each discrete logarithm $l_\kappa$ is an integer of 0 or more and 2O-1 or less; and the pairing logarithm calculation subunit obtains the plurality of discrete logarithms $l_\kappa$ from the discrete logarithm calculation subunit.

8. The method of claim 7, wherein the plurality of pairing logarithm coefficients H are calculated according to the following formula, wherein i is an integer of 0 or more and 2O-1 or less, each pairing logarithm coefficient H is an integer of 0 or more and r-1 or less, and r is the order of the random number O.

9. The method of claim 8, wherein sending the data to the data isolation unit for isolation comprises: setting aside a memory space that can be called, and storing the data in that memory space.

10. The method of claim 9, wherein the first identity authentication unit generates a password from the received key, and the second identity authentication unit generates a password from the received key, by: symmetrically encrypting the key together with a pseudo-random number, and using the result of the encryption as the password.
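Claims 2, 6, 9 and 10 together describe one pipeline: the key host issues three keys, each host derives a password from its key and a pseudo-random value, and a frame is checked at the external host (identity, access control, protocol analysis, content check), ferried to the isolation host (identity, with failures parked in a callable memory space), and finally released by the internal host (identity, then transmission). The following is an added example, not code from the patent or its applicants, that models that flow end to end. It substitutes HMAC-SHA256 for the claim's "symmetric encryption of the key and a pseudo-random number", because the Python standard library has no block cipher, and the claims do not say how a password is checked, so here the sender carries the per-hop password with the frame and each host recomputes and compares it in constant time. The allowed protocol list, the printable-ASCII content policy, the frame layout and all names are this example's own constructions; what happens when the third check fails is not stated in the claims, and this example simply rejects the frame.

```python
# Added example (not from the patent): a minimal model of the three-host
# pipeline of claims 2, 6, 9 and 10. Key issuance, the per-hop password check,
# the protocol/content policy and the quarantine buffer are constructed here;
# HMAC-SHA256 stands in for the claim's "symmetric encryption" step.
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def password_for(key: bytes, nonce: bytes) -> bytes:
    """Claim 10: derive the per-hop password from the host key and a pseudo-random nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


@dataclass
class Frame:
    nonce: bytes
    payload: bytes                                  # constructed layout: b"<protocol>:<body>"
    passwords: dict = field(default_factory=dict)   # hop name -> password presented for that hop


class KeyHost:
    HOPS = ("external", "isolation", "internal")

    def issue(self) -> dict:
        """Claim 2: three fresh keys per operation, one for each host."""
        return {hop: secrets.token_bytes(32) for hop in self.HOPS}


class Gateway:
    ALLOWED_PROTOCOLS = {b"modbus", b"opcua"}       # constructed access-control policy

    def __init__(self, keys: dict):
        self.keys = keys
        self.quarantine: list[Frame] = []           # claim 9: callable memory space for isolated data
        self.delivered: list[bytes] = []

    def _authenticated(self, hop: str, frame: Frame) -> bool:
        expected = password_for(self.keys[hop], frame.nonce)
        return hmac.compare_digest(expected, frame.passwords.get(hop, b""))

    def _protocol_ok(self, frame: Frame) -> bool:
        proto, sep, _ = frame.payload.partition(b":")
        return sep == b":" and proto in self.ALLOWED_PROTOCOLS

    def _content_ok(self, frame: Frame) -> bool:
        body = frame.payload.partition(b":")[2]
        return 0 < len(body) <= 256 and all(0x20 <= c < 0x7F for c in body)

    def process(self, frame: Frame) -> str:
        # External host: first identity check, access control, protocol analysis, content check.
        if not self._authenticated("external", frame):
            return "rejected:external-auth"
        if not self._protocol_ok(frame):
            return "rejected:protocol"
        if not self._content_ok(frame):
            return "rejected:content"
        # Data ferry -> isolation host: second identity check; failures are isolated, not dropped.
        if not self._authenticated("isolation", frame):
            self.quarantine.append(frame)
            return "quarantined"
        # Internal host: third identity check, then onward transmission.
        if not self._authenticated("internal", frame):
            return "rejected:internal-auth"
        self.delivered.append(frame.payload)
        return "delivered"


def build_frame(keys: dict, payload: bytes,
                hops=("external", "isolation", "internal")) -> Frame:
    """Sender side: one nonce, and a password for every hop the sender holds a key for."""
    nonce = secrets.token_bytes(16)
    return Frame(nonce, payload, {h: password_for(keys[h], nonce) for h in hops})


def demo() -> dict:
    """Run constructed frames through the pipeline and report each disposition."""
    keys = KeyHost().issue()
    gw = Gateway(keys)
    return {
        "good": gw.process(build_frame(keys, b"modbus:read holding 40001")),
        "bad_proto": gw.process(build_frame(keys, b"ssh:anything")),
        "binary": gw.process(build_frame(keys, b"modbus:\x00\x01")),
        "no_isolation_key": gw.process(build_frame(keys, b"opcua:browse", hops=("external",))),
        "forged": gw.process(build_frame(KeyHost().issue(), b"modbus:read")),
        "quarantined_count": len(gw.quarantine),
        "delivered_count": len(gw.delivered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of checks matters: the identity check runs before the parser and the content policy, so an unauthenticated sender cannot reach the protocol-analysis code at all, which is the property the claims' sequencing gives the gateway.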
