Research on User Identity Authentication Based on Two-way Confirmation in Data Transmission

User identity authentication is the foundation of data transmission in the complicated network environment. Moreover, the key issue is the effective identity authentication of both sides in data transmission. An authentication method for user identity based on two-way confirmation in data transmission is proposed in this paper. The public key, private key, information of traditional identity authentication, one-time transmission key, timestamp, authentication lifecycle for timestamp and other authentication elements are constructed. Based on guaranteeing the timeliness of data transmission, the two-way user identity authentication process for sending terminal and receiving terminal is set up through using the information of traditional identity authentication and one-time transmission key.


Introduction
The security of data transmission is the foundation of running the Internet safely. Massive data always flow through the Internet. How to verify the valid identity of the data sender and receiver is crucial to keeping data transmission secure, which makes authentication technologies for user identities vitally important [1]. In recent years, security events involving data transmission have broken out frequently, such as the data leak of 20 million hotel records. These events drew public concern and caused huge economic loss. Overall, the increasingly severe situation of data transmission security has made user identity authentication technologies for data transmission one of the hot topics in the field of network security.

Research background
User identity authentication technologies have been widely applied to network areas such as finance [2], email [3], wireless networks [4], etc. They are critical to verifying the valid identity of users in network systems [5]. Traditional user identity authentication technologies mostly rely on user names and passwords [6]. Currently, identifying codes are adopted to strengthen the security of user identity authentication. However, the authentication method of identifying codes has a few security vulnerabilities because image recognition technologies have constantly improved. The following problems exist in traditional identity authentication technologies for network users. First, user names and passwords are easily intercepted when they are transmitted. Second, it is hard to keep the balance of confidentiality and usefulness between passwords and identifying codes, which are easily cracked by brute force attacks.
Therefore, the transmission security requirements for complicated network environments can't be satisfied anymore by traditional identity authentication technologies.
Hu [7] proposed an authentication architecture for unified identities to centrally and remotely administrate, verify and authorize users. The method of unified management for user information resources resolves the dispersity of users. Zhang et al. [8] proposed a trusted and anonymous authentication protocol. Fake names prestored in mobile terminals are used to hide the real names. Integrity verification is realized through a third authentication center. Li et al. [9] proposed a user authentication model based on dynamic identities, aimed at remote login environments. The model can verify the real identity when users log in to remote servers. David et al. [10] proposed an authentication model for multimedia servers and clients based on dynamic identities and developed a medical multimedia system to check the effectiveness of the proposed model. Amin et al. [11] designed a user authentication and key exchange protocol for accessing a remote medical server, which makes it safe for doctors to share medical services. Existing identity authentication technologies for data transmission emphasize identity validation of the data sender and ignore authentication of data receivers, which are considered legal by default. However, in a complicated network security environment, unauthorized personnel may design a trap to have network flows transmitted to some devices, where the flows could then be analyzed, cracked and leaked.
When network data are transmitted in an open network environment, they face the dangers of being intercepted, modified and faked. The large-scale and dynamic nature of network data makes user identity authentication extremely difficult. Therefore, user identity authentication for massive data on the Internet is one of the key technologies expected to be resolved.
To improve the safety of transmitted data in networks, an authentication method for user identity based on two-way confirmation in data transmission is proposed in this paper. In the following, the architecture and operational principle of the proposed method are summarized, and the authentication elements and process are described in Section III. Section IV concludes this paper.

Authentication method

Summary of the proposed method
The architecture of the proposed method is shown in Figure 1. The communication operation of the data sender corresponds to the receiver's. The proposed method is summarized in the following. The sender and receiver send data connection information to each other and exchange authentication elements when transmitting data.
The sender begins to communicate with the receiver and creates a data connection once its traditional identity authentication elements are verified by the receiver. This is the single-way authentication of the sender. The sender performs the operations of splitting, encapsulation and sending to transmit data to the receiver.
The receiver performs the operations of receiving, decryption and assembling to recover the original data. When it gets a datum, it uses the one-time transmission key to decrypt the datum. This is the single-way authentication of the receiver.
The authentications of the sender and receiver together form the user identity authentication based on two-way confirmation, which ensures that the data communication is secure. The data connection is kept alive until the data transmission finishes.

Authentication elements
The encryption information of public keys, private keys and time, which constitutes the authentication elements of the proposed method, is applied to improve the credibility and security of the sender and receiver. The authentication elements are shown in Figure 2.

Data Sender's Authentication Elements
The authentication elements of the data sender consist of public key, private key, traditional identity authentication information, one-time transmission key, timestamp and authentication lifecycle.
Let the sender's public key be $PUK_S$ and its private key be $PRK_S$. Both keys form the digital identity information of the sender. $PUK_S$ is sent to the data receiver, who encrypts transmission data with $PUK_S$. $PRK_S$ is only stored in the data sender, who decrypts the confidential transmission data with $PUK_S$.
Let the traditional identity authentication information of the sender be $A$, which is shown in Equation (1).
where $name, password \in$ ASCII Character Set; they are the traditional name and password respectively, used to log on.
Let the one-time transmission key of the sender be $K_{once}$, which is shown in Equation (2).
where $K_{once} \in$ ASCII Character Set. $K_{once}$ can be generated according to the actual situation, for example, randomly or duly. However, it should be strong enough.
Let the timestamp of the sender be $T_S$, which denotes the moment when the sender sends the data to the receiver. It also records the beginning moment of the authentication lifecycle.
Let the authentication lifecycle of the sender's timestamp be $T_L$, which denotes the legal time interval between when the sender sends and when the receiver receives the transmission data. When the sender and receiver receive transmission data, they compare the timestamp with the current time. If the time interval is less than or equal to $T_L$, the transmission data are valid. Otherwise, the transmission data are invalid and new data are requested to be sent again.

Data Receiver's Authentication Elements
The authentication elements of the receiver consist of public key, private key, timestamp and one-time transmission key.
Let the receiver's public key be $PUK_R$ and its private key be $PRK_R$. Both keys form the digital identity information of the receiver. They have the same meanings as the sender's.
Let the timestamp of the receiver be $T_R$, which has the same meaning as the sender's.
The one-time transmission key of the receiver is the same as the sender's. It is received to verify whether the receiver's identity is legal when the sender creates the data connection. The authentication mechanism of the proposed method requires both the sender and receiver to be verified by each other with the one-time transmission key and the traditional identity information.

Authentication process
The authentication process includes 5 stages: data connection, splitting data, encapsulating and sending data, receiving and assembling data, connection close.The stages are described separately in the following.

Data Connection
Let the data connection information of the sender be $C_{S1}$, which is shown in Equation (3).
where $PUK_S$ is the sender's public key, $T_S$ is the sender's timestamp, $T_L$ is the lifecycle of the timestamp, $n \in N$, $N$ is the set of natural numbers, and $n$ denotes the amount of the data to be sent.
After the receiver gets $C_{S1}$, it sends its public key and timestamp to the sender. Its public key and timestamp are merged into $C_{R1}$, which is shown in Equation (4).
where $PUK_R$ is the receiver's public key, $T_R$ is the receiver's timestamp, and $T$ is the current time.
After the sender gets $C_{R1}$, it merges the one-time transmission key and traditional identity authentication information into $C_{S2}$ and sends $C_{S2}$ to the receiver. $C_{S2}$ is shown in Equation (5).
After the receiver gets $C_{S2}$, it compares the traditional identity authentication information $A$ in $C_{S2}$ with the receiver's authentication information. If $A$ is verified, the receiver returns a success message $C_{R2}$ to the sender. $C_{R2}$ is shown in Equation (6).
where $f(\cdot)$ is an encryption algorithm with public keys.

Splitting Data
Let the data to be sent be $D$, which is shown in Equation (7).
According to what the transmission system requires, $D$ is split into $n$ data blocks. Let the $i$th data block be $d_i$, which is shown in Equation (8).
The data to be sent could be presented as

Encapsulating and Sending Data
The authentication elements are used to pack each split datum into a cryptographic unit. Let the cryptographic unit be $d_{si}$, which is shown in Equation (9). It is about to be sent to the receiver.
where ( ) is a symmetric encryption algorithm. If the timestamp of the receiver expires, $d_{si}$ will not be transmitted. If the receiver requests a repeat, $d_{si}$ will be sent again.

Receiving and Assembling Data
When the receiver gets a single unit $d_{si}$, it decrypts $d_{si}$ to  ) where $i$ is the serial number of the unit to be sent again. The receiver sends $R$ in every $T_L$ until it receives the correct $d_{si}$.
After the receiver gets the correct $d_{si}$, it decrypts $f_{K_{once}}(d_i)$. Only the valid receiver, which holds the one-time transmission key, can recover the original data with a normal method. The unique valid receiver receives the one-time transmission key $K_{once}$ when the data connection is created. The invalid The above process represents the single-way authentication for the receiver after the receiver gets a confidential datum unit. The data transmission based on two-way authentication in the proposed method continues if the single-way authentication is passed.
After all transmission data are received, the receiver assembles the data and recovers the original data from the sender. Let the original data be $D$, which is shown in Equation (11).
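
The splitting, encapsulation, receive-and-repeat and assembly stages above, together with the $T_L$ freshness check, as an added Python sketch that is not the paper's own code. The unit layout, the SHAKE-256 keystream with HMAC-SHA256 standing in for the unspecified symmetric algorithm, the 30-second $T_L$, and the names `split`, `encapsulate`, `receive`, `transfer` and `channel` are assumptions.

```python
import hashlib, hmac, os, struct

T_L = 30                      # authentication lifecycle in seconds (constructed value)
HDR, NONCE, TAG = 12, 16, 32  # assumed unit layout: header | nonce | ciphertext | tag

def _subkey(k_once: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the one-time transmission key.
    return hmac.new(k_once, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (SHAKE-256 keystream); the paper names no algorithm.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def split(data: bytes, n: int) -> list:
    """Split D into n blocks d_0..d_{n-1} of near-equal size."""
    size = -(-len(data) // n)  # ceiling division
    return [data[i * size:(i + 1) * size] for i in range(n)]

def encapsulate(k_once: bytes, i: int, d_i: bytes, t_s: int) -> bytes:
    """Pack block d_i, its serial number i and timestamp T_S into a unit d_si."""
    header, nonce = struct.pack(">IQ", i, t_s), os.urandom(NONCE)
    body = header + nonce + _xor_stream(_subkey(k_once, b"enc"), nonce, d_i)
    return body + hmac.new(_subkey(k_once, b"mac"), body, hashlib.sha256).digest()

def receive(k_once: bytes, unit: bytes, now: int):
    """Return (i, d_i) for a fresh, untampered unit, else None (triggers repeat R)."""
    body, tag = unit[:-TAG], unit[-TAG:]
    good = hmac.new(_subkey(k_once, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None                       # wrong K_once or modified in transit
    i, t_s = struct.unpack(">IQ", body[:HDR])
    if not 0 <= now - t_s <= T_L:
        return None                       # outside the lifecycle T_L: stale unit
    nonce, ct = body[HDR:HDR + NONCE], body[HDR + NONCE:]
    return i, _xor_stream(_subkey(k_once, b"enc"), nonce, ct)

def transfer(k_once: bytes, data: bytes, n: int, channel, now: int, max_tries: int = 3):
    """Send n units over `channel`; return (assembled D, serial numbers repeated)."""
    got, repeats = {}, []
    for i, d_i in enumerate(split(data, n)):
        for _ in range(max_tries):
            result = receive(k_once, channel(encapsulate(k_once, i, d_i, now)), now)
            if result is not None and result[0] == i:
                got[i] = result[1]
                break
            repeats.append(i)             # receiver's repeat request R for unit i
        else:
            raise ConnectionError(f"unit {i} not delivered")
    return b"".join(got[i] for i in range(n)), repeats
```

The timestamp window alone does not reject a unit replayed inside $T_L$, which is why `transfer` also checks the serial number it expects.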

Connection Close
When the receiver finishes the data acceptance, it returns a notification message for data connection close to the sender. Let the notification message be $C$, which is shown in Equation (12).
If the authentication lifecycle is satisfied by $T_R$, the sender decrypts the message $C$ with its private key. Then it stops sending data and closes the data connection.

Conclusion
The existing single-way authentication in data transmission ensures the security of the data sender to an extent. However, it doesn't verify the identity of the data receiver. An authentication method based on two-way confirmation is proposed in this paper to overcome the above vulnerability. The encryption technologies of public keys and symmetric keys are applied to the proposed method. Based on the traditional identity authentication technology, the one-time transmission key is used to verify the receiver. The timestamp mechanism is adopted to ensure that data are transmitted in time. Both the sender and receiver are confirmed by each other with the proposed authentication method to improve the security of data transmission in networks.

Fig. 1. The Architecture of the Proposed Method.
, the receiver sends a repeat requirement $R$, which is shown in Equation (10).