US2016119141A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016119141-A1 |
| Application number | US-201314890952-A |
| Country | US |
| Kind code | A1 |
| Filing date | Nov 8, 2013 |
| Priority date | May 14, 2013 |
| Publication date | Apr 28, 2016 |
| Grant date | — |
Abstract
The present invention relates to a secure communication authentication method and system in a distributed environment. By using the method and the system of the present invention, disadvantages of the platform identity certification process in TCG remote certification are alleviated and the range of platform identity certification methods is expanded: by combining three technologies, namely zero-knowledge proof, the Kerberos framework and a virtual TPM, a new verification method is designed, which is mainly intended to improve on the existing method in the aspects of platform information exposure, the trusted-third-party bottleneck and avoidance of complexity. By using the method and the system of the present invention, the problems of privacy exposure and efficiency in mutual verification between remote servers in existing distributed systems are addressed.
Claims (preview)
1. A secure communication authentication method in a distributed environment, in which a user performs identity authentication using a zero-knowledge proof approach, the method comprising the steps of: (1) sending, by a user, an identity certification request KRB_AS_REQ to an authentication server (AS) among Kerberos servers, and, after receiving the request, verifying by the AS the user identity; (2) after the user identity certification is passed, sending by the AS, to the user, a ticket and an authentication code conforming to the user identity, the ticket comprising an AIK certificate generated by means of a combination of the Kerberos server and a zero-knowledge proof; (3) when the user needs to perform remote certification with a remote certification server, carrying out by the user a session with a ticket granting server (TGS) by using the ticket and the authentication code, so as to obtain a ticket for communicating with an application server; and (4) completing by the user the remote certification with the remote certification server.
2. A secure communication authentication method in a distributed environment of claim 1, wherein in step (2), the method of generating the AIK certificate by means of a combination of the Kerberos server and a zero-knowledge proof comprises the steps of: 1) encapsulating by the user the KRB_AS_REQ message; 2) after the AS among the Kerberos servers has received the KRB_AS_REQ message and before the TGS ticket is issued, authenticating by the AS the user's identity, and performing by a trusted platform a zero-knowledge protocol authentication with a trusted third party; 3) after receiving the message from the AS, sending by the user to the TGS a KRB_TGS_REQ message; and 4) after the legality of the KRB_TGS_REQ message is successfully verified, starting by the TGS to assemble the KRB_TGS_REP message.
3. A secure communication authentication method in a distributed environment of claim 2, wherein in step 1), in encapsulating by the user the KRB_AS_REQ message, a predefined block is replaced with the following message: E(PUAS,KC,AS)∥pk∥vk, where KC,AS is a session key generated by the user for use with the AS and is encrypted using the public key PUAS of the AS; the message has the format: Option∥IDC∥Realmc∥IDTGS∥Times∥Nonce1∥E(PUAS,KC,AS)∥pk∥vk, where pk=E(AIKpub, EKpub), and e1, e2, . . . , ek is the output of a hash function selected by the system, with the following input: Option∥IDC∥Realmc∥IDTGS∥Times∥Nonce1∥E(PUAS,KC,AS)∥pk.
4. A secure communication authentication method in a distributed environment of claim 2, wherein in step 2), the method of authenticating by the AS the user's identity comprises: firstly, generating e1, e2, . . . , ek by using the same algorithm as the user; secondly, extracting by the AS the corresponding verification information of the user's identity, v1, v2, . . . , vk, from its own database; thirdly, checking by the AS whether the KRB_AS_REQ message transmitted to it satisfies the equation $pk = \pm\, vk^{2} \prod_{e_j = 1} v_j \pmod{n}$. After the user identity authentication is passed, the trusted platform represents the certificate by using zk=E(AIKpub, ω), where ω indicates a collection of the endorsement certificate, platform certificate, acknowledgement certificate and verification certificate, and the endorsement certificate does not contain the endorsement public key.
5. A secure communication authentication method in a distributed environment of claim 2, wherein in step 3), the user also sends an authentication code Authenticatorc; this message contains the user's identifier ID, a network address and a timestamp, and is encrypted using the session key shared with the TGS, that session key being Kc,tgs obtained in the AS exchange stage; compared with the lifetime of the TGS ticket, the authentication code has a shorter lifetime and can be used only once.
6. A secure communication authentication method in a distributed environment of claim 5, wherein in step 4), the method of assembling by the TGS the KRB_TGS_REP message comprises the steps of: firstly, determining by the Kerberos server the properties of the application server ticket to be sent to the user, based on the message and the received TGS ticket; next, encrypting the ticket using the corresponding application server key extracted from the user password database so as to generate a ticket for the application server; wherein the ciphertext portion of the KRB_TGS_REP message uses the same session key Kc,tgs as the AS message exchange, and the session key Kc,v used in the message exchange with the application server is also distributed in the TGS exchange stage, so that both the user and the application server can obtain the session key from their corresponding domains; wherein the KRB_TGS_REP message has the following format: realmc∥IDc∥Ticketv∥E(Kc,tgs,[Kc,v∥Times∥Nonce2∥Realmv∥IDv]), where Ticketv=E(Kv,[Flags∥Kc,v∥Realmc∥IDc∥ADc∥Times]).
7. A secure communication authentication system in a distributed environment, comprising: a user platform, the user platform being a client required to perform AIK certificate authentication; a Kerberos server including an authentication server (AS) and a ticket granting server (TGS), the AS checking whether the property information provided by the user platform is in a safety valve, and signing and issuing a TGS ticket and an AIK certificate associated therewith to a user platform in the safety valve, and the TGS checking whether the TGS ticket held by the user platform has expired and issuing a communicative application service ticket to the legal user platform; and a remote certification server for checking the AIK certificate and application service ticket when the user platform holding the application service ticket communicates with the remote certification server, and, if they are legal, performing the application service with the user platform; wherein the user platform, Kerberos server and remote certification server are connected with each other via the internet.
8. A secure communication authentication system in a distributed environment of claim 7, wherein the user platform includes the following modules: a secure chip TPM/TCM for recording the metric values of the syste
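As an added illustration that is not part of the patent text, the challenge derivation of claim 3 and the AS-side check of claim 4 written out in Python: the key relation v_j = s_j^-2 (mod n) (the Feige-Fiat-Shamir form, which is what makes the ± equation hold), SHA-256 as the hash, pk taken as the prover's commitment, and the toy modulus are all assumptions.

```python
import hashlib
from math import gcd
from secrets import randbelow

# Constructed toy parameters, far below real key sizes: n = p*q, p and q prime.
P, Q = 1019, 1031
N = P * Q
K = 32                      # number of challenge bits e1..ek
NBYTES = (N.bit_length() + 7) // 8

def keygen(k=K, n=N):
    """Prover keeps secrets s_j; the AS database stores v_j = s_j^{-2} mod n
    (Feige-Fiat-Shamir relation, assumed; the claims only name v_j)."""
    secret = []
    while len(secret) < k:
        s = randbelow(n - 2) + 2
        if gcd(s, n) == 1:
            secret.append(s)
    verif = [pow(pow(s, 2, n), -1, n) for s in secret]
    return secret, verif

def challenge_bits(header, pk, k=K):
    """e1..ek = H(Option||IDC||...||E(PUAS,KC,AS)||pk) as in claim 3; SHA-256 assumed."""
    digest = hashlib.sha256(header + pk.to_bytes(NBYTES, "big")).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(k)]

def prove(header, secret, n=N):
    """User side: commitment pk = +-r^2, response vk = r * prod_{e_j=1} s_j (mod n)."""
    r = randbelow(n - 2) + 2
    while gcd(r, n) != 1:
        r = randbelow(n - 2) + 2
    sign = 1 if randbelow(2) == 0 else -1
    pk = (sign * pow(r, 2, n)) % n
    vk = r
    for bit, s in zip(challenge_bits(header, pk), secret):
        if bit:
            vk = vk * s % n
    return pk, vk

def verify(header, pk, vk, verif, n=N):
    """AS side (claim 4): recompute e_j from the same header||pk, fetch v_j,
    and accept only if pk = +- vk^2 * prod_{e_j=1} v_j (mod n)."""
    rhs = pow(vk, 2, n)
    for bit, v in zip(challenge_bits(header, pk), verif):
        if bit:
            rhs = rhs * v % n
    return pk == rhs or pk == (-rhs) % n
```

Because the challenge bits are bound to the whole KRB_AS_REQ header, altering any header field after the proof is made changes e_j and the AS check fails; that binding is the defensive point of hashing the header together with pk.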
for accessing specific resources, e.g. using Kerberos tickets · CPC title
involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token (network architectures or network communication protocols for supporting authentication of entities using an additional device in a packet data network H04L63/0853) · CPC title
using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title
using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL] · CPC title
interactive zero-knowledge proofs · CPC title